diff --git a/SOURCES/0101-libssh2-1.4.3-CVE-2016-0787.patch b/SOURCES/0101-libssh2-1.4.3-CVE-2016-0787.patch
new file mode 100644
index 0000000..ec7b1b6
--- /dev/null
+++ b/SOURCES/0101-libssh2-1.4.3-CVE-2016-0787.patch
@@ -0,0 +1,30 @@
+From 7046d670d3803d484b7af490e529dc4619145cc2 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Thu, 11 Feb 2016 13:52:20 +0100
+Subject: [PATCH] diffie_hellman_sha256: convert bytes to bits
+
+As otherwise we get far too small numbers.
+
+CVE-2016-0787
+
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ src/kex.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/kex.c b/src/kex.c
+index 5649248..f12797c 100644
+--- a/src/kex.c
++++ b/src/kex.c
+@@ -103,7 +103,7 @@ static int diffie_hellman_sha1(LIBSSH2_SESSION *session,
+         memset(&exchange_state->req_state, 0, sizeof(packet_require_state_t));
+ 
+         /* Generate x and e */
+-        _libssh2_bn_rand(exchange_state->x, group_order, 0, -1);
++        _libssh2_bn_rand(exchange_state->x, group_order * 8 - 1, 0, -1);
+         _libssh2_bn_mod_exp(exchange_state->e, g, exchange_state->x, p,
+                             exchange_state->ctx);
+ 
+-- 
+2.5.0
+
diff --git a/SPECS/libssh2.spec b/SPECS/libssh2.spec
index ffb962b..38ccb0a 100644
--- a/SPECS/libssh2.spec
+++ b/SPECS/libssh2.spec
@@ -12,7 +12,7 @@
 
 Name:		libssh2
 Version:	1.4.3
-Release:	10%{?dist}
+Release:	10%{?dist}.1
 Summary:	A library implementing the SSH2 protocol
 Group:		System Environment/Libraries
 License:	BSD
@@ -32,6 +32,7 @@ Patch10:	0010-Set-default-window-size-to-2MB.patch
 Patch11:	0011-channel_receive_window_adjust-store-windows-size-alw.patch
 Patch12:	0012-libssh2_agent_init-init-fd-to-LIBSSH2_INVALID_SOCKET.patch
 Patch13:	0013-kex-bail-out-on-rubbish-in-the-incoming-packet.patch
+Patch101:	0101-libssh2-1.4.3-CVE-2016-0787.patch
 BuildRoot:	%{_tmppath}/%{name}-%{version}-%{release}-root-%(id -nu)
 BuildRequires:	openssl-devel
 BuildRequires:	zlib-devel
@@ -110,6 +111,9 @@ sed -i s/4711/47%{?__isa_bits}/ tests/ssh2.{c,sh}
 # check length of data extracted from the SSH_MSG_KEXINIT packet (CVE-2015-1782)
 %patch13 -p1
 
+# use secrects of the appropriate length in Diffie-Hellman (CVE-2016-0787)
+%patch101 -p1
+
 # Make sshd transition appropriately if building in an SELinux environment
 %if !(0%{?fedora} >= 17 || 0%{?rhel} >= 7)
 chcon $(/usr/sbin/matchpathcon -n /etc/rc.d/init.d/sshd) tests/ssh2.sh || :
@@ -176,6 +180,9 @@ rm -rf %{buildroot}
 %{_libdir}/pkgconfig/libssh2.pc
 
 %changelog
+* Fri Feb 19 2016 Kamil Dudka <kdudka@redhat.com> 1.4.3-10.el7_2.1
+- use secrects of the appropriate length in Diffie-Hellman (CVE-2016-0787)
+
 * Mon Jun 01 2015 Kamil Dudka <kdudka@redhat.com> 1.4.3-10
 - check length of data extracted from the SSH_MSG_KEXINIT packet (CVE-2015-1782)