diff --git a/SOURCES/openscap-1.3.4-fix-no-more-recursion.patch b/SOURCES/openscap-1.3.4-fix-no-more-recursion.patch
new file mode 100644
index 0000000..ebc20ca
--- /dev/null
+++ b/SOURCES/openscap-1.3.4-fix-no-more-recursion.patch
@@ -0,0 +1,177 @@
+From c8fc880a672afbfdbd384dc6afa4b7fbdd666b73 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
+Date: Wed, 27 May 2020 10:38:56 +0200
+Subject: [PATCH 1/3] Add a regression test for RHBZ#1686370
+
+There is a non-optimal behavior of file probe. It happens when file path
+is specified using a variable with 2 values with `operation="equals"`
+and `var_check="all"`. The probe recurses into a file system tree even
+if it's obvious that it won't find any match. If one of values is a big
+tree (for example `/`) it eventually runs out of memory and crashes. The
+OVAL doesn't make sense because it's impossible that a single file would
+have 2 different paths. But despite that it's a valid OVAL document.
+The test is expected to fail because the bug hasn't been fixed.
+---
+ tests/probes/file/CMakeLists.txt              |  1 +
+ .../test_probes_file_multiple_file_paths.sh   | 39 +++++++++++++++++
+ .../test_probes_file_multiple_file_paths.xml  | 42 +++++++++++++++++++
+ 3 files changed, 82 insertions(+)
+ create mode 100755 tests/probes/file/test_probes_file_multiple_file_paths.sh
+ create mode 100644 tests/probes/file/test_probes_file_multiple_file_paths.xml
+
+diff --git a/tests/probes/file/CMakeLists.txt b/tests/probes/file/CMakeLists.txt
+index 12718603f..35b4c1169 100644
+--- a/tests/probes/file/CMakeLists.txt
++++ b/tests/probes/file/CMakeLists.txt
+@@ -1,3 +1,4 @@
+ if(ENABLE_PROBES_UNIX)
+ 	add_oscap_test("test_probes_file.sh")
++	add_oscap_test("test_probes_file_multiple_file_paths.sh")
+ endif()
+diff --git a/tests/probes/file/test_probes_file_multiple_file_paths.sh b/tests/probes/file/test_probes_file_multiple_file_paths.sh
+new file mode 100755
+index 000000000..1cececbb0
+--- /dev/null
++++ b/tests/probes/file/test_probes_file_multiple_file_paths.sh
+@@ -0,0 +1,39 @@
++#!/bin/bash
++
++set -e -o pipefail
++
++. $builddir/tests/test_common.sh
++
++probecheck "file" || exit 255
++which strace || exit 255
++
++function check_strace_output {
++	strace_log="$1"
++	grep -q "/tmp/numbers/1" $strace_log && return 1
++	grep -q "/tmp/numbers/1/2" $strace_log && return 1
++	grep -q "/tmp/numbers/1/2/3" $strace_log && return 1
++	grep -q "/tmp/numbers/1/2/3/4" $strace_log && return 1
++	grep -q "/tmp/numbers/1/2/3/4/5" $strace_log && return 1
++	grep -q "/tmp/numbers/1/2/3/4/5/6" $strace_log && return 1
++	grep -q "/tmp/letters/a" $strace_log && return 1
++	grep -q "/tmp/letters/a/b" $strace_log && return 1
++	grep -q "/tmp/letters/a/b/c" $strace_log && return 1
++	grep -q "/tmp/letters/a/b/c/d" $strace_log && return 1
++	grep -q "/tmp/letters/a/b/c/d/e" $strace_log && return 1
++	grep -q "/tmp/letters/a/b/c/d/e/f" $strace_log && return 1
++	return 0
++}
++
++rm -rf /tmp/numbers
++mkdir -p /tmp/numbers/1/2/3/4/5/6
++rm -rf /tmp/letters
++mkdir -p /tmp/letters/a/b/c/d/e/f
++strace_log=$(mktemp)
++strace -f -e openat -o $strace_log $OSCAP oval eval --results results.xml "$srcdir/test_probes_file_multiple_file_paths.xml"
++ret=0
++check_strace_output $strace_log || ret=$?
++rm -f $strace_log
++rm -f results.xml
++rm -rf /tmp/numbers
++rm -rf /tmp/letters
++exit $ret
+diff --git a/tests/probes/file/test_probes_file_multiple_file_paths.xml b/tests/probes/file/test_probes_file_multiple_file_paths.xml
+new file mode 100644
+index 000000000..893a3fe97
+--- /dev/null
++++ b/tests/probes/file/test_probes_file_multiple_file_paths.xml
+@@ -0,0 +1,42 @@
++<?xml version="1.0"?>
++<oval_definitions xmlns:oval-def="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5" xmlns:ind="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:ind-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" xmlns:unix-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" xmlns:lin-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5" xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix unix-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#independent independent-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#linux linux-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5 oval-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-common-5 oval-common-schema.xsd">
++  <generator>
++    <oval:schema_version>5.10</oval:schema_version>
++    <oval:timestamp>0001-01-01T00:00:00+00:00</oval:timestamp>
++  </generator>
++
++  <definitions>
++    <definition class="compliance" version="1" id="oval:x:def:1">
++      <metadata>
++        <title>Specify a file path using variable with two values</title>
++        <description>x</description>
++        <affected family="unix">
++          <platform>multi_platform_all</platform>
++        </affected>
++      </metadata>
++          <criteria operator="AND">
++            <criterion comment="Check multiple paths" test_ref="oval:x:tst:1"/>
++          </criteria>
++    </definition>
++  </definitions>
++
++  <tests>
++        <file_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" id="oval:x:tst:1" version="1" comment="Verify all paths exist" check_existence="all_exist" check="all">
++          <object object_ref="oval:x:obj:1"/>
++        </file_test>
++  </tests>
++
++  <objects>
++        <file_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" id="oval:x:obj:1" version="1" comment="uses var_check=all together with operation=equals">
++          <path datatype="string" var_ref="oval:x:var:1" var_check="all" operation="equals"/>
++          <filename xsi:nil="true" datatype="string"/>
++        </file_object>
++  </objects>
++
++  <variables>
++        <constant_variable datatype="string" comment="2 file paths" version="1" id="oval:x:var:1">
++            <value>/tmp/numbers</value>
++            <value>/tmp/letters</value>
++        </constant_variable>
++  </variables>
++</oval_definitions>
+
+From 569e0013ca83adef233ddecc78a052db9b3ccc5c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
+Date: Tue, 2 Jun 2020 15:11:37 +0200
+Subject: [PATCH 2/3] Add strace to the list of test dependencies
+
+---
+ docs/developer/developer.adoc | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/docs/developer/developer.adoc b/docs/developer/developer.adoc
+index 823a1504e..0f01ace74 100644
+--- a/docs/developer/developer.adoc
++++ b/docs/developer/developer.adoc
+@@ -152,7 +152,7 @@ After building the library you might want to run library self-checks. To do
+ that you need to have these additional packages installed:
+ 
+ ----
+-wget lua which procps-ng initscripts chkconfig sendmail bzip2 rpm-build
++wget lua which procps-ng initscripts chkconfig sendmail bzip2 rpm-build strace
+ ----
+ 
+ On Ubuntu 18.04, also install:
+
+From a47604bf30c6574e570abde4fd01488ba120f82d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
+Date: Wed, 17 Jun 2020 11:00:02 +0200
+Subject: [PATCH 3/3] Terminate matching to prevent recursion
+
+Fixes: RHBZ#1686370
+---
+ src/OVAL/probes/oval_fts.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/src/OVAL/probes/oval_fts.c b/src/OVAL/probes/oval_fts.c
+index 696997942..2b7314c38 100644
+--- a/src/OVAL/probes/oval_fts.c
++++ b/src/OVAL/probes/oval_fts.c
+@@ -1029,6 +1029,15 @@ static FTSENT *oval_fts_read_match_path(OVAL_FTS *ofts)
+ 
+ 		if (ores == OVAL_RESULT_TRUE)
+ 			break;
++		if (ofts->ofts_path_op == OVAL_OPERATION_EQUALS) {
++			/* At this point the comparison result isn't OVAL_RESULT_TRUE. Since
++			we passed the exact path (from filepath or path elements) to
++			fts_open() we surely know that we can't find other items that would
++			be equal. Therefore we can terminate the matching. This can happen
++			if the filepath or path element references a variable that has
++			multiple different values. */
++			return NULL;
++		}
+ 	} /* for (;;) */
+ 
+ 	/*
diff --git a/SPECS/openscap.spec b/SPECS/openscap.spec
index f397b89..7288d8c 100644
--- a/SPECS/openscap.spec
+++ b/SPECS/openscap.spec
@@ -1,12 +1,14 @@
 Name:           openscap
 Version:        1.3.3
-Release:        1%{?dist}
+Release:        2%{?dist}
 Summary:        Set of open source libraries enabling integration of the SCAP line of standards
 Group:          System Environment/Libraries
 License:        LGPLv2+
 URL:            http://www.open-scap.org/
 Source0:        https://github.com/OpenSCAP/%{name}/releases/download/%{version}/%{name}-%{version}.tar.gz
 Patch1:         openscap-1.3.4-fix-environmentvariable58-regression.patch
+Patch2:         openscap-1.3.4-fix-no-more-recursion.patch
+
 BuildRequires:  cmake >= 2.6
 BuildRequires:  swig libxml2-devel libxslt-devel perl-generators perl-XML-Parser
 BuildRequires:  rpm-devel
@@ -127,6 +129,7 @@ for developing applications that use %{name}-engine-sce.
 %prep
 %setup -q
 %patch1 -p1
+%patch2 -p1
 mkdir build
 
 %build
@@ -214,6 +217,9 @@ rm -rf $RPM_BUILD_ROOT
 %{_bindir}/oscap-run-sce-script
 
 %changelog
+* Thu Jun 25 2020 Matěj Týč <matyc@redhat.com> - 1.3.3-2
+- Prevent unwanted recursion that could crash the scanner (RHBZ#1686370)
+
 * Mon May 04 2020 Evgeny Kolesnikov <ekolesni@redhat.com> - 1.3.3-1
 - Upgrade to the latest upstream release (rhbz#1829761)
 - Added a Python script that can be used for CLI tailoring (autotailor)
@@ -722,4 +728,3 @@ rm -rf $RPM_BUILD_ROOT
 
 * Thu Jan 15 2009 Tomas Heinrich <theinric@redhat.com> 0.1.1-1
 - Initial rpm
-