diff --git a/SOURCES/subversion-1.7.14-CVE-2017-9800.patch b/SOURCES/subversion-1.7.14-CVE-2017-9800.patch
new file mode 100644
index 0000000..d8894cf
--- /dev/null
+++ b/SOURCES/subversion-1.7.14-CVE-2017-9800.patch
@@ -0,0 +1,104 @@
+Index: subversion/libsvn_ra_svn/client.c
+===================================================================
+--- subversion/libsvn_ra_svn/client.c	(revision 1803926)
++++ subversion/libsvn_ra_svn/client.c	(working copy)
+@@ -46,6 +46,7 @@
+ #include "svn_props.h"
+ #include "svn_mergeinfo.h"
+ #include "svn_version.h"
++#include "svn_ctype.h"
+ 
+ #include "svn_private_config.h"
+ 
+@@ -395,7 +396,7 @@
+        * versions have it too. If the user is using some other ssh
+        * implementation that doesn't accept it, they can override it
+        * in the [tunnels] section of the config. */
+-      val = "$SVN_SSH ssh -q";
++      val = "$SVN_SSH ssh -q --";
+     }
+ 
+   if (!val || !*val)
+@@ -435,7 +436,7 @@
+     ;
+   *argv = apr_palloc(pool, (n + 4) * sizeof(char *));
+   memcpy((void *) *argv, cmd_argv, n * sizeof(char *));
+-  (*argv)[n++] = svn_path_uri_decode(hostinfo, pool);
++  (*argv)[n++] = hostinfo;
+   (*argv)[n++] = "svnserve";
+   (*argv)[n++] = "-t";
+   (*argv)[n] = NULL;
+@@ -716,7 +717,33 @@
+ }
+ 
+ 
++/* A simple whitelist to ensure the following are valid:
++ *   user@server
++ *   [::1]:22
++ *   server-name
++ *   server_name
++ *   127.0.0.1
++ * with an extra restriction that a leading '-' is invalid.
++ */
++static svn_boolean_t
++is_valid_hostinfo(const char *hostinfo)
++{
++  const char *p = hostinfo;
+ 
++  if (p[0] == '-')
++    return FALSE;
++
++  while (*p)
++    {
++      if (!svn_ctype_isalnum(*p) && !strchr(":.-_[]@", *p))
++        return FALSE;
++
++      ++p;
++    }
++
++  return TRUE;
++}
++
+ static svn_error_t *ra_svn_open(svn_ra_session_t *session,
+                                 const char **corrected_url,
+                                 const char *url,
+@@ -740,8 +767,17 @@
+   parse_tunnel(url, &tunnel, pool);
+ 
+   if (tunnel)
+-    SVN_ERR(find_tunnel_agent(tunnel, uri.hostinfo, &tunnel_argv, config,
+-                              pool));
++    {
++      const char *decoded_hostinfo;
++
++      decoded_hostinfo = svn_path_uri_decode(uri.hostinfo, pool);
++      if (!is_valid_hostinfo(decoded_hostinfo))
++        return svn_error_createf(SVN_ERR_BAD_URL, NULL, _("Invalid host '%s'"),
++                                 uri.hostinfo);
++
++      SVN_ERR(find_tunnel_agent(tunnel, decoded_hostinfo, &tunnel_argv,
++                                config, pool));
++    }
+   else
+     tunnel_argv = NULL;
+ 
+Index: subversion/libsvn_subr/config_file.c
+===================================================================
+--- subversion/libsvn_subr/config_file.c	(revision 1803926)
++++ subversion/libsvn_subr/config_file.c	(working copy)
+@@ -1134,12 +1134,12 @@
+         "### passed to the tunnel agent as <user>@<hostname>.)  If the"      NL
+         "### built-in ssh scheme were not predefined, it could be defined"   NL
+         "### as:"                                                            NL
+-        "# ssh = $SVN_SSH ssh -q"                                            NL
++        "# ssh = $SVN_SSH ssh -q --"                                         NL
+         "### If you wanted to define a new 'rsh' scheme, to be used with"    NL
+         "### 'svn+rsh:' URLs, you could do so as follows:"                   NL
+-        "# rsh = rsh"                                                        NL
++        "# rsh = rsh --"                                                     NL
+         "### Or, if you wanted to specify a full path and arguments:"        NL
+-        "# rsh = /path/to/rsh -l myusername"                                 NL
++        "# rsh = /path/to/rsh -l myusername --"                              NL
+         "### On Windows, if you are specifying a full path to a command,"    NL
+         "### use a forward slash (/) or a paired backslash (\\\\) as the"    NL
+         "### path separator.  A single backslash will be treated as an"      NL
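Review bot: The `--` end-of-options marker is added only to the built-in default (`val = "$SVN_SSH ssh -q --";`), so is_valid_hostinfo() is the only check on hostinfo whenever the tunnel command is overridden in [tunnels], as the context comment just above that line allows, and presumably also when it comes from the SVN_SSH environment variable. The comment above is_valid_hostinfo should say so, for example by adding `This whitelist is the only guard when the tunnel command does not end in "--"; do not widen the accepted character set without re-checking that case.` Separately, the function returns TRUE for an empty string, so an empty decoded hostinfo would still be placed in the tunnel argv. If URL parsing outside this hunk does not already rule that out, `if (p[0] == '-' || p[0] == '\0')` would reject it. ra_svn_open's body starts and ends outside the hunk.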
diff --git a/SPECS/subversion.spec b/SPECS/subversion.spec
index 856d87f..3c72e08 100644
--- a/SPECS/subversion.spec
+++ b/SPECS/subversion.spec
@@ -22,7 +22,7 @@
 Summary: A Modern Concurrent Version Control System
 Name: subversion
 Version: 1.7.14
-Release: 10%{?dist}
+Release: 11%{?dist}
 License: ASL 2.0
 Group: Development/Tools
 URL: http://subversion.apache.org/
@@ -51,6 +51,7 @@ Patch16: subversion-1.7.14-CVE-2015-0248.patch
 Patch17: subversion-1.7.14-CVE-2015-0251.patch
 Patch18: subversion-1.7.14-CVE-2015-3184.patch
 Patch19: subversion-1.7.14-CVE-2015-3187.patch
+Patch20: subversion-1.7.14-CVE-2017-9800.patch
 BuildRequires: autoconf, libtool, python, python-devel, texinfo, which
 BuildRequires: libdb-devel, swig >= 1.3.24, gettext
 BuildRequires: apr-devel >= 1.3.0, apr-util-devel >= 1.3.0
@@ -200,6 +201,7 @@ This package includes supplementary tools for use with Subversion.
 %patch17 -p1 -b .cve0251
 %patch18 -p1 -b .cve3184
 %patch19 -p1 -b .cve3187
+%patch20 -p0 -b .cve9800
 
 %build
 # Regenerate the buildsystem, so that:
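Review bot: `%patch20 -p0` uses a different strip level from the neighbouring `%patch17`–`%patch19` lines, which all use `-p1`, and nothing in the spec explains why. The value looks right, because the new patch file has svn-style headers (`Index: subversion/libsvn_ra_svn/client.c`, with no `a/` or `b/` prefix). A one-line comment above it, such as `# CVE-2017-9800 patch is an svn diff (no a/ b/ prefix), hence -p0`, would stop a later cleanup from normalising it to `-p1` and breaking %prep.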
@@ -497,6 +499,9 @@ rm -rf ${RPM_BUILD_ROOT}
 %endif
 
 %changelog
+* Wed Aug  9 2017 Joe Orton <jorton@redhat.com> - 1.7.14-11
+- add security fix for CVE-2017-9800
+
 * Wed Aug 12 2015 Joe Orton <jorton@redhat.com> - 1.7.14-10
 - add security fixes for CVE-2015-0248, CVE-2015-0251, CVE-2015-3184,
   CVE-2015-3187