diff --git a/SOURCES/squid-3.5.20-tunnel-sigsegv.patch b/SOURCES/squid-3.5.20-tunnel-sigsegv.patch
new file mode 100644
index 0000000..198ec77
--- /dev/null
+++ b/SOURCES/squid-3.5.20-tunnel-sigsegv.patch
@@ -0,0 +1,14 @@
+diff -up ./src/tunnel.cc.orig ./src/tunnel.cc
+--- ./src/tunnel.cc.orig	2016-07-01 13:37:50.000000000 +0200
++++ ./src/tunnel.cc	2016-07-15 16:25:07.132823875 +0200
+@@ -475,7 +475,9 @@ TunnelStateData::handleConnectResponse(c
+     *status_ptr = rep.sline.status();
+ 
+     // we need to relay the 401/407 responses when login=PASS(THRU)
+-    const char *pwd = server.conn->getPeer()->login;
++    CachePeer *peer = server.conn->getPeer();
++    const char *pwd = (peer) ? peer->login : NULL;
++
+     const bool relay = pwd && (strcmp(pwd, "PASS") != 0 || strcmp(pwd, "PASSTHRU") != 0) &&
+                        (*status_ptr == Http::scProxyAuthenticationRequired ||
+                         *status_ptr == Http::scUnauthorized);
diff --git a/SPECS/squid.spec b/SPECS/squid.spec
index 45576a9..83d7ae2 100644
--- a/SPECS/squid.spec
+++ b/SPECS/squid.spec
@@ -4,7 +4,7 @@
 
 Name:     squid
 Version:  3.5.20
-Release:  2%{?dist}.2
+Release:  2%{?dist}.3
 Summary:  The Squid proxy caching server
 Epoch:    7
 # See CREDITS for breakdown of non GPLv2+ code
@@ -41,6 +41,8 @@ Patch208: squid-3.5.10-ssl-helper.patch
 Patch209: squid-3.5.20-conf-casecmp.patch
 # http://www.squid-cache.org/Versions/v3/3.5/changesets/SQUID-2016_11.patch
 Patch210: squid-CVE-2016-10002.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1404817
+Patch211: squid-3.5.20-tunnel-sigsegv.patch
 
 Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 Requires: bash >= 2.0
@@ -118,6 +120,7 @@ migration and script which prepares squid for downgrade operation.
 %patch208 -p1 -b .ssl-helper
 %patch209 -p1 -b .conf-casecmp
 %patch210 -p0 -b .CVE-2016-10002
+%patch211 -p1 -b .tunnel-sigsegv
 
 %build
 %ifarch sparcv9 sparc64 s390 s390x
@@ -343,6 +346,10 @@ fi
     chgrp squid /var/cache/samba/winbindd_privileged >/dev/null 2>&1 || :
 
 %changelog
+* Thu Mar 02 2017 Luboš Uhliarik <luhliari@redhat.com> - 7:3.5.20-2.3
+- Resolves: #1428378 - SIGSEV in TunnelStateData::handleConnectResponse()
+  during squid reconfigure and restart
+
 * Fri Jan 13 2017 Luboš Uhliarik <luhliari@redhat.com> - 7:3.5.20-2.2
 - Resolves: #1412735 - CVE-2016-10002 squid: Information disclosure in HTTP
   request processing