diff --git a/SOURCES/sudo-1.8.6p7-closefrom-override-fix.patch b/SOURCES/sudo-1.8.6p7-closefrom-override-fix.patch
new file mode 100644
index 0000000..73fc84c
--- /dev/null
+++ b/SOURCES/sudo-1.8.6p7-closefrom-override-fix.patch
@@ -0,0 +1,38 @@
+diff -up sudo-1.8.6p7/plugins/sudoers/sudoers.c.closefrom-override-fix sudo-1.8.6p7/plugins/sudoers/sudoers.c
+--- sudo-1.8.6p7/plugins/sudoers/sudoers.c.closefrom-override-fix	2016-02-15 10:31:11.694164366 +0100
++++ sudo-1.8.6p7/plugins/sudoers/sudoers.c	2016-02-15 10:33:47.711362062 +0100
+@@ -336,15 +336,6 @@ sudoers_policy_main(int argc, char * con
+         goto bad;
+     }    
+ 
+-    /* Check for -C overriding def_closefrom. */
+-    if (user_closefrom >= 0 && user_closefrom != def_closefrom) {
+-	if (!def_closefrom_override) {
+-	    warningx(_("you are not permitted to use the -C option"));
+-	    goto bad;
+-	}
+-	def_closefrom = user_closefrom;
+-    }
+-
+     set_perms(PERM_INITIAL);
+ 
+     /* Environment variables specified on the command line. */
+@@ -374,8 +365,17 @@ sudoers_policy_main(int argc, char * con
+     if (ISSET(sudo_mode, MODE_PRESERVE_GROUPS))
+ 	def_preserve_groups = true;
+ 
+-    /* Find command in path */
++    /* Find command in path and apply per-command Defaults. */
+     cmnd_status = set_cmnd();
++ 
++    /* Check for -C overriding def_closefrom. */
++    if (user_closefrom >= 0 && user_closefrom != def_closefrom) {
++	if (!def_closefrom_override) {
++	    warningx(_("you are not permitted to use the -C option"));
++	    goto bad;
++	}
++	def_closefrom = user_closefrom;
++    } 
+ 
+ #ifdef HAVE_SETLOCALE
+     if (!setlocale(LC_ALL, def_sudoers_locale)) {
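Review bot: The relocated `-C` check in the second inner hunk is only correct while it runs after `set_cmnd()`, yet its comment still reads just `/* Check for -C overriding def_closefrom. */`. Nothing warns a later maintainer that moving it back above `set_cmnd()` would again test `def_closefrom_override` before per-command Defaults are applied, which the updated comment on `set_cmnd()` says happens there. I would extend it to `/* Check for -C overriding def_closefrom; must follow set_cmnd() so per-command Defaults for closefrom_override are in effect. */`. The `goto bad` is also now reached after `set_perms(PERM_INITIAL)` rather than before it, and the `bad:` label lies outside the hunk, so it is worth confirming that this exit path unwinds the permission state. The added lines `+ ` and `+    } ` carry trailing whitespace.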
diff --git a/SPECS/sudo.spec b/SPECS/sudo.spec
index e651d1c..9efa9d9 100644
--- a/SPECS/sudo.spec
+++ b/SPECS/sudo.spec
@@ -1,7 +1,7 @@
 Summary: Allows restricted root access for specified users
 Name: sudo
 Version: 1.8.6p7
-Release: 16%{?dist}
+Release: 17%{?dist}
 License: ISC
 Group: Applications/System
 URL: http://www.courtesan.com/sudo/
@@ -116,6 +116,8 @@ Patch41: sudo-1.8.6p7-legacy-group-processing.patch
 Patch42: sudo-1.8.6p7-newbase64decoder.patch
 # 1183818 - [RFE] store checksum alongside the command being permitted
 Patch43: sudo-1.8.6p7-digestmessagesfix.patch
+# 1308495 - closefrom_override sudo option not working
+Patch44: sudo-1.8.6p7-closefrom-override-fix.patch
 
 %description
 Sudo (superuser do) allows a system administrator to give certain
@@ -183,6 +185,7 @@ plugins that use %{name}.
 %patch41 -p1 -b .legacy-group-processing
 %patch42 -p1 -b .newbase64decoder
 %patch43 -p1 -b .digestmessagesfix
+%patch44 -p1 -b .closefrom-override-fix
 
 %build
 autoreconf -I m4 -fv --install
@@ -304,6 +307,10 @@ rm -rf $RPM_BUILD_ROOT
 %{_mandir}/man8/sudo_plugin.8*
 
 %changelog
+* Wed Feb 17 2016 Daniel Kopecek <dkopecek@redhat.com> - 1.8.6p7-17
+- fixed bug in closefrom_override defaults option
+  Resolves: rhbz#1308495
+
 * Tue Sep  1 2015 Daniel Kopecek <dkopecek@redhat.com> - 1.8.6p7-16
 - RHEL 7.2 erratum
   - show the digest type in warning messages