diff --git a/SOURCES/0001-Modify-am_handler-setup-to-run-before-mod_proxy.patch b/SOURCES/0001-Modify-am_handler-setup-to-run-before-mod_proxy.patch
new file mode 100644
index 0000000..23e4ac8
--- /dev/null
+++ b/SOURCES/0001-Modify-am_handler-setup-to-run-before-mod_proxy.patch
@@ -0,0 +1,80 @@
+From e09a28a30e13e5c22b481010f26b4a7743a09280 Mon Sep 17 00:00:00 2001
+From: John Dennis <jdennis@redhat.com>
+Date: Tue, 5 Mar 2019 10:15:48 +0100
+Subject: [PATCH] Modify am_handler setup to run before mod_proxy
+
+The way the ECP flow works is that when a client initiates the flow, the
+SP's response is HTTP 200, but not the requested content, but a signed XML
+document that contains the "samlp:AuthnRequest" element. The idea is that
+the ECP client would then determine the IDP and send the document to the
+IDP, get a samlp:Response and convey that to the SP to get access to the
+protected resource.
+
+Internally, the auth check which is normally done with am_check_uid() set to
+apache's ap_hook_check_user_id() hook, just responds with OK, so it pretends
+to authenticate the user. Then in the usual flow, the request reaches the
+ap_hook_handler which handles the request. There in the pipeline, mellon
+registers functions am_handler() which should run first (APR_HOOK_FIRST),
+determine that this request is an ECP one and return the ECP AuthnRequest
+document. But in case the proxy module is also in the picture, the proxy
+module "races" for who gets to be the first to handle the request in the
+pipeline and wins. Therefore, the request reaches the protected resource
+via mod_proxy and returns it.
+
+This fix modifies the ap_hook_handler() call to explicitly run before
+handlers from mod_proxy.c
+
+To reproduce the bug:
+0) Have a SP with mellon connected to a Keycloak IDP (or any other IDP I
+   guess). In the example below, my SAML SP is saml.federation.test
+1) Set a Location protected by mellon that proxies requests to another
+   URL. For example:
+
+    ProxyPass         /sp-proxy  http://app.federation.test/example_app/
+    <Location /sp-proxy>
+        AuthType Mellon
+        MellonEnable auth
+        Require valid-user
+    </Location>
+
+2) call:
+ curl -L -H "Accept: application/vnd.paos+xml" \
+         -H 'PAOS: ver="urn:liberty:paos:2003-08";"urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"' \
+          http://saml.federation.test/sp-proxy
+
+Before the patch, you would see whatever is served from the proxied
+page. With the patch, you should get back a XML document with a
+samlp:AuthnRequest.
+---
+ mod_auth_mellon.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/mod_auth_mellon.c b/mod_auth_mellon.c
+index 74bd328..5330f48 100644
+--- a/mod_auth_mellon.c
++++ b/mod_auth_mellon.c
+@@ -207,6 +207,12 @@ static int am_create_request(request_rec *r)
+ 
+ static void register_hooks(apr_pool_t *p)
+ {
++    /* Our handler needs to run before mod_proxy so that it can properly
++     * return ECP AuthnRequest messages when running as a reverse proxy.
++     * See: https://github.com/Uninett/mod_auth_mellon/pull/196
++     */
++    static const char * const run_handler_before[]={ "mod_proxy.c", NULL };
++
+     ap_hook_access_checker(am_auth_mellon_user, NULL, NULL, APR_HOOK_MIDDLE);
+     ap_hook_check_user_id(am_check_uid, NULL, NULL, APR_HOOK_MIDDLE);
+     ap_hook_post_config(am_global_init, NULL, NULL, APR_HOOK_MIDDLE);
+@@ -222,7 +228,7 @@ static void register_hooks(apr_pool_t *p)
+      * Therefore this hook must run before any handler that may check
+      * r->handler and decide that it is the only handler for this URL.
+      */
+-    ap_hook_handler(am_handler, NULL, NULL, APR_HOOK_FIRST);
++    ap_hook_handler(am_handler, NULL, run_handler_before, APR_HOOK_FIRST);
+ 
+ #ifdef ENABLE_DIAGNOSTICS
+     ap_hook_open_logs(am_diag_log_init,NULL,NULL,APR_HOOK_MIDDLE);
+-- 
+2.19.2
+
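Review bot: The successor list `run_handler_before` pins am_handler ahead of mod_proxy.c only, while the pre-existing comment directly above the ap_hook_handler call says this hook must run before any handler that may check r->handler and claim the URL; any other handler module that also registers at APR_HOOK_FIRST would presumably still be able to run first and serve the protected resource instead of the ECP AuthnRequest. That limit is worth stating in the new comment, e.g. ` * Ordering is pinned only relative to mod_proxy.c; other handler modules registered at APR_HOOK_FIRST are not covered.`. The third argument of ap_hook_handler is the list of modules whose hooks must run after this one, which the name run_handler_before conveys only indirectly, so a short note next to the call such as `/* aszSucc: modules whose handlers must run after am_handler */` would help a reader checking the argument order. The declaration also lacks spaces around the assignment: `static const char * const run_handler_before[] = { "mod_proxy.c", NULL };`. register_hooks continues outside the inner hunks.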
diff --git a/SPECS/mod_auth_mellon.spec b/SPECS/mod_auth_mellon.spec
index 6869ef0..a8de5b0 100644
--- a/SPECS/mod_auth_mellon.spec
+++ b/SPECS/mod_auth_mellon.spec
@@ -1,7 +1,7 @@
 Summary: A SAML 2.0 authentication module for the Apache Httpd Server
 Name: mod_auth_mellon
 Version: 0.14.0
-Release: 3%{?dist}
+Release: 3%{?dist}.2
 Group: System Environment/Daemons
 Source0: https://github.com/UNINETT/mod_auth_mellon/releases/download/v%{version}/%{name}-%{version}.tar.gz
 Source1: auth_mellon.conf
@@ -22,6 +22,8 @@ Requires: httpd-mmn = %{_httpd_mmn}
 Requires: lasso >= 2.5.1
 Url: https://github.com/UNINETT/mod_auth_mellon
 
+Patch0001: 0001-Modify-am_handler-setup-to-run-before-mod_proxy.patch
+
 # FIXME: RHEL-7 does not have rubygem-asciidoctor, only asciidoc. However,
 # I could not get asciidoc to render properly so instead I generated
 # mellon_user_guide.html on Fedora using asciidoctor and included
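Review bot: The patch is declared as `Patch0001:` here but applied as `%patch1 -p1` in the %prep hunk below; rpm matches the two by numeric value so the build works, but the mixed notation is easy to misread, so use one form in both places, e.g. `Patch1: 0001-Modify-am_handler-setup-to-run-before-mod_proxy.patch`. The Patch line gives no hint of what it fixes; since the changelog ties this build to CVE-2019-3878, a comment above it such as `# CVE-2019-3878: run am_handler before mod_proxy so ECP requests are not forwarded to the backend` would let the next maintainer find the reason without reading the changelog.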
@@ -35,6 +37,7 @@ received in assertions generated by a IdP server.
 
 %prep
 %setup -q -n %{name}-%{version}
+%patch1 -p1
 
 %build
 export APXS=%{_httpd_apxs}
@@ -105,6 +108,10 @@ in the doc directory for instructions on using the diagnostics build.
 %dir /run/%{name}/
 
 %changelog
+* Tue Apr 16 2019 Jakub Hrozek <jhrozek@redhat.com> - 0.14.0-3.2
+- Resolves: rhbz#1696197 - CVE-2019-3878 mod_auth_mellon: authentication
+                           bypass in ECP flow [rhel-8.0.0.z]
+
 * Mon Jul 30 2018 Florian Weimer <fweimer@redhat.com> - 0.14.0-3
 - Rebuild with fixed binutils