diff --git a/SOURCES/net-snmp-5.8-sec-memory-leak.patch b/SOURCES/net-snmp-5.8-sec-memory-leak.patch
new file mode 100644
index 0000000..2d5a986
--- /dev/null
+++ b/SOURCES/net-snmp-5.8-sec-memory-leak.patch
@@ -0,0 +1,84 @@
+diff -urNp a/agent/snmp_agent.c b/agent/snmp_agent.c
+--- a/agent/snmp_agent.c 2020-06-11 10:20:31.646339191 +0200
++++ b/agent/snmp_agent.c 2020-06-11 10:23:41.178056889 +0200
+@@ -1605,12 +1605,6 @@ free_agent_snmp_session(netsnmp_agent_se
+ DEBUGMSGTL(("verbose:asp", "asp %p reqinfo %p freed\n",
+ asp, asp->reqinfo));
+
+- /* Clean up securityStateRef here to prevent a double free */
+- if (asp->orig_pdu && asp->orig_pdu->securityStateRef)
+- snmp_free_securityStateRef(asp->orig_pdu);
+- if (asp->pdu && asp->pdu->securityStateRef)
+- snmp_free_securityStateRef(asp->pdu);
+-
+ if (asp->orig_pdu)
+ snmp_free_pdu(asp->orig_pdu);
+ if (asp->pdu)
+diff -urNp a/include/net-snmp/pdu_api.h b/include/net-snmp/pdu_api.h
+--- a/include/net-snmp/pdu_api.h 2020-06-11 10:20:31.631339058 +0200
++++ b/include/net-snmp/pdu_api.h 2020-06-11 10:24:17.261390028 +0200
+@@ -19,8 +19,6 @@ NETSNMP_IMPORT
+ netsnmp_pdu *snmp_fix_pdu( netsnmp_pdu *pdu, int idx);
+ NETSNMP_IMPORT
+ void snmp_free_pdu( netsnmp_pdu *pdu);
+-NETSNMP_IMPORT
+-void snmp_free_securityStateRef( netsnmp_pdu *pdu);
+
+ #ifdef __cplusplus
+ }
+diff -urNp a/snmplib/snmp_api.c b/snmplib/snmp_api.c
+--- a/snmplib/snmp_api.c 2020-06-11 10:20:31.695339627 +0200
++++ b/snmplib/snmp_api.c 2020-06-11 10:33:55.510891945 +0200
+@@ -4034,17 +4034,6 @@ free_securityStateRef(netsnmp_pdu* pdu)
+ pdu->securityStateRef = NULL;
+ }
+
+-/*
+- * This function is here to provide a separate call to
+- * free the securityStateRef memory. This is needed to prevent
+- * a double free if this memory is freed in snmp_free_pdu.
+- */
+-void
+-snmp_free_securityStateRef(netsnmp_pdu* pdu)
+-{
+- free_securityStateRef(pdu);
+-}
+-
+ #define ERROR_STAT_LENGTH 11
+
+ int
+@@ -5473,6 +5462,8 @@ snmp_free_pdu(netsnmp_pdu *pdu)
+ if (!pdu)
+ return;
+
++ free_securityStateRef(pdu);
++
+ /*
+ * If the command field is empty, that probably indicates
+ * that this PDU structure has already been freed.
+@@ -5647,12 +5638,6 @@ _sess_process_packet_parse_pdu(void *ses
+ }
+
+ if (ret != SNMP_ERR_NOERROR) {
+- /*
+- * Call the security model to free any securityStateRef supplied w/ msg.
+- */
+- if (pdu->securityStateRef != NULL) {
+- free_securityStateRef(pdu);
+- }
+ snmp_free_pdu(pdu);
+ return NULL;
+ }
+@@ -5826,12 +5811,6 @@ _sess_process_packet_handle_pdu(void *se
+ }
+ }
+
+- /*
+- * Call USM to free any securityStateRef supplied with the message.
+- */
+- if (pdu->securityStateRef && pdu->command == SNMP_MSG_TRAP2)
+- free_securityStateRef(pdu);
+-
+ if (!handled) {
+ if (sp->flags & SNMP_FLAGS_SHARED_SOCKET)
+ return -2;
diff --git a/SPECS/net-snmp.spec b/SPECS/net-snmp.spec
index 39ed00a..c5fc5df 100644
--- a/SPECS/net-snmp.spec
+++ b/SPECS/net-snmp.spec
@@ -10,7 +10,7 @@
Summary: A collection of SNMP protocol tools and libraries
Name: net-snmp
Version: 5.8
-Release: 14%{?dist}
+Release: 14%{?dist}.1
Epoch: 1
License: BSD
@@ -46,6 +46,7 @@ Patch17: net-snmp-5.8-trapsink.patch
Patch18: net-snmp-5.8-flood-messages.patch
Patch19: net-snmp-5.8-v3-forward.patch
Patch20: net-snmp-5.8-sec-counter.patch
+Patch21: net-snmp-5.8-sec-memory-leak.patch
# Modern RPM API means at least EL6
Patch101: net-snmp-5.8-modern-rpm-api.patch
@@ -191,6 +192,7 @@ rm -r python
%patch18 -p1 -b .flood-messages
%patch19 -p1 -b .v3-forward
%patch20 -p1 -b .sec-counter
+%patch21 -p1 -b .sec-memory-leak
%patch101 -p1 -b .modern-rpm-api
@@ -444,6 +446,9 @@ LD_LIBRARY_PATH=%{buildroot}/%{_libdir} make test
%{_libdir}/libnetsnmptrapd*.so.%{soname}*
%changelog
+* Mon Jun 15 2020 Josef Ridky <jridky@redhat.com> -1:5.8-14.1
+- add missing part of memory leak patch (#1839736)
+
* Mon Mar 16 2020 Josef Ridky <jridky@redhat.com> - 1:5.8-14
- fix double free or corruption error when freeing security context (#1809077)
- remove deprecated CFLAG