diff --git a/SOURCES/ntp-4.2.6p5-cve-2015-8138.patch b/SOURCES/ntp-4.2.6p5-cve-2015-8138.patch
new file mode 100644
index 0000000..e8d9b91
--- /dev/null
+++ b/SOURCES/ntp-4.2.6p5-cve-2015-8138.patch
@@ -0,0 +1,12 @@
+diff -up ntp-4.2.6p5/ntpd/ntp_proto.c.orig ntp-4.2.6p5/ntpd/ntp_proto.c
+--- ntp-4.2.6p5/ntpd/ntp_proto.c.orig	2015-11-06 10:48:42.672684827 +0100
++++ ntp-4.2.6p5/ntpd/ntp_proto.c	2015-11-06 13:03:14.284092484 +0100
+@@ -1069,7 +1069,7 @@ receive(
+ 	 * the packet is not bogus in symmetric interleaved mode.
+ 	 */
+ 	} else if (peer->flip == 0) {
+-		if (!L_ISEQU(&p_org, &peer->aorg)) {
++		if (L_ISZERO(&p_org) || !L_ISEQU(&p_org, &peer->aorg)) {
+ 			peer->bogusorg++;
+ 			peer->flash |= TEST2;	/* bogus */
+ 			if (!L_ISZERO(&peer->dst) && L_ISEQU(&p_org,
diff --git a/SPECS/ntp.spec b/SPECS/ntp.spec
index 04711a3..d188f6e 100644
--- a/SPECS/ntp.spec
+++ b/SPECS/ntp.spec
@@ -1,7 +1,7 @@
 Summary: The NTP daemon and utilities
 Name: ntp
 Version: 4.2.6p5
-Release: 22%{?dist}
+Release: 22%{?dist}.1
 # primary license (COPYRIGHT) : MIT
 # ElectricFence/ (not used) : GPLv2
 # kernel/sys/ppsclock.h (not used) : BSD with advertising
@@ -133,6 +133,8 @@ Patch42: ntp-4.2.6p5-dscp.patch
 Patch43: ntp-4.2.6p5-cve-2015-7704.patch
 # allow only one step larger than panic threshold with -g
 Patch44: ntp-4.2.6p5-cve-2015-5300.patch
+# ntpbz #2945
+Patch45: ntp-4.2.6p5-cve-2015-8138.patch
 
 # handle unknown clock types
 Patch50: ntpstat-0.2-clksrc.patch
@@ -214,7 +216,7 @@ This package contains NTP documentation in HTML format.
 # pool.ntp.org vendor zone which will be used in ntp.conf
 %if 0%{!?vendorzone:1}
 %{?fedora: %global vendorzone fedora.}
-%{?rhel: %global vendorzone centos.}
+%{?rhel: %global vendorzone rhel.}
 %endif
 
 %prep
@@ -265,6 +267,7 @@ This package contains NTP documentation in HTML format.
 %patch42 -p1 -b .dscp
 %patch43 -p1 -b .cve-2015-7704
 %patch44 -p1 -b .cve-2015-5300
+%patch45 -p1 -b .cve-2015-8138
 
 # ntpstat patches
 %patch50 -p1 -b .clksrc
@@ -482,8 +485,8 @@ popd
 %{ntpdocdir}/html
 
 %changelog
-* Thu Nov 19 2015 CentOS Sources <bugs@centos.org> - 4.2.6p5-22.el7.centos
-- rebrand vendorzone
+* Wed Jan 20 2016 Miroslav Lichvar <mlichvar@redhat.com> 4.2.6p5-22.el7_2.1
+- don't accept server/peer packets with zero origin timestamp (CVE-2015-8138)
 
 * Fri Oct 16 2015 Miroslav Lichvar <mlichvar@redhat.com> 4.2.6p5-22
 - check origin timestamp before accepting KoD RATE packet (CVE-2015-7704)