diff --git a/SOURCES/properly-handle-default-ports-in-auth-stripping.patch b/SOURCES/properly-handle-default-ports-in-auth-stripping.patch
new file mode 100644
index 0000000..f99d3ca
--- /dev/null
+++ b/SOURCES/properly-handle-default-ports-in-auth-stripping.patch
@@ -0,0 +1,67 @@
+diff --git a/requests/sessions.py b/requests/sessions.py
+index a448bd8..d73d700 100644
+--- a/requests/sessions.py
++++ b/requests/sessions.py
+@@ -19,7 +19,7 @@ from .cookies import (
+ from .models import Request, PreparedRequest, DEFAULT_REDIRECT_LIMIT
+ from .hooks import default_hooks, dispatch_hook
+ from ._internal_utils import to_native_string
+-from .utils import to_key_val_list, default_headers
++from .utils import to_key_val_list, default_headers, DEFAULT_PORTS
+ from .exceptions import (
+ TooManyRedirects, InvalidSchema, ChunkedEncodingError, ContentDecodingError)
+
+@@ -128,8 +128,17 @@ class SessionRedirectMixin(object):
+ if (old_parsed.scheme == 'http' and old_parsed.port in (80, None)
+ and new_parsed.scheme == 'https' and new_parsed.port in (443, None)):
+ return False
++
++ # Handle default port usage corresponding to scheme.
++ changed_port = old_parsed.port != new_parsed.port
++ changed_scheme = old_parsed.scheme != new_parsed.scheme
++ default_port = (DEFAULT_PORTS.get(old_parsed.scheme, None), None)
++ if (not changed_scheme and old_parsed.port in default_port
++ and new_parsed.port in default_port):
++ return False
++
+ # Standard case: root URI must match
+- return old_parsed.port != new_parsed.port or old_parsed.scheme != new_parsed.scheme
++ return changed_port or changed_scheme
+
+ def resolve_redirects(self, resp, req, stream=False, timeout=None,
+ verify=True, cert=None, proxies=None, yield_requests=False, **adapter_kwargs):
+diff --git a/requests/utils.py b/requests/utils.py
+index 0ce7fe1..04145c8 100644
+--- a/requests/utils.py
++++ b/requests/utils.py
+@@ -38,6 +38,8 @@ NETRC_FILES = ('.netrc', '_netrc')
+
+ DEFAULT_CA_BUNDLE_PATH = certs.where()
+
++DEFAULT_PORTS = {'http': 80, 'https': 443}
++
+
+ if sys.platform == 'win32':
+ # provide a proxy_bypass version on Windows without DNS lookups
+diff --git a/tests/test_requests.py b/tests/test_requests.py
+index f46561e..f99fdaf 100644
+--- a/tests/test_requests.py
++++ b/tests/test_requests.py +@@ -1611,6 +1611,17 @@ class TestRequests: + s = requests.Session() + assert s.should_strip_auth('http://example.com:1234/foo', 'https://example.com:4321/bar') + ++ @pytest.mark.parametrize( ++ 'old_uri, new_uri', ( ++ ('https://example.com:443/foo', 'https://example.com/bar'), ++ ('http://example.com:80/foo', 'http://example.com/bar'), ++ ('https://example.com/foo', 'https://example.com:443/bar'), ++ ('http://example.com/foo', 'http://example.com:80/bar') ++ )) ++ def test_should_strip_auth_default_port(self, old_uri, new_uri): ++ s = requests.Session() ++ assert not s.should_strip_auth(old_uri, new_uri) ++ + def test_manual_redirect_with_partial_body_read(self, httpbin): + s = requests.Session() + r1 = s.get(httpbin('redirect/2'), allow_redirects=False, stream=True) diff --git a/SPECS/python-requests.spec b/SPECS/python-requests.spec index 7dfe5ed..dfad8a0 100644 --- a/SPECS/python-requests.spec +++ b/SPECS/python-requests.spec @@ -3,7 +3,7 @@ Name: python-requests Version: 2.20.0 -Release: 2%{?dist} +Release: 3%{?dist} Summary: HTTP library, written in Python, for human beings License: ASL 2.0 @@ -31,6 +31,12 @@ Patch4: Don-t-inject-pyopenssl-into-urllib3.patch # build-time package tests Patch5: Skip-all-tests-needing-httpbin.patch +# Properly handle default ports when stripping the authorization header. +# This fixes a regression introduced with fixing CVE-2018-18074. +# Fixed upstream: https://github.com/psf/requests/pull/4851 +# Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1762422 +Patch6: properly-handle-default-ports-in-auth-stripping.patch + BuildArch: noarch %description 
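Review bot: The new default-port shortcut in `should_strip_auth` is covered only by positive cases — `test_should_strip_auth_default_port` asserts `not should_strip_auth` for four same-scheme pairs, but nothing in the hunk pins the case the `not changed_scheme` guard exists for, where an explicit default port on both sides must not suppress stripping across a scheme downgrade. Add the inverse assertion next to the parametrized test, e.g. `assert s.should_strip_auth('https://example.com:443/foo', 'http://example.com:80/bar')`, so that a later edit dropping `not changed_scheme` from the condition fails CI rather than silently re-leaking credentials to plain HTTP. The comment `# Handle default port usage corresponding to scheme.` should also state why the check is gated on an unchanged scheme, e.g. `# An explicit default port is equivalent to no port, but only within the same scheme: https->http must still strip credentials even when both ports are defaults.` `should_strip_auth` begins above the hunk (the hostname comparison is not visible here), so this assumes the host check still runs before the port logic.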
@@ -142,6 +148,10 @@ PYTHONPATH=%{buildroot}%{python3_sitelib} %{__python3} -m pytest -v %changelog +* Fri Nov 1 2019 Charalampos Stratakis - 2.20.0-3 +- Properly handle default ports when stripping the authorization header +Resolves: rhbz#1762422 + * Thu Apr 25 2019 Tomas Orsava - 2.20.0-2 - Bumping due to problems with modular RPM upgrade path - Resolves: rhbz#1695587