diff --git a/bind-9.9.4-CVE-2014-0591.patch b/bind-9.9.4-CVE-2014-0591.patch
new file mode 100644
index 0000000..ba225b1
--- /dev/null
+++ b/bind-9.9.4-CVE-2014-0591.patch
@@ -0,0 +1,53 @@
+diff -pruN bind-9.9.4-P1/bin/named/query.c bind-9.9.4-P2/bin/named/query.c
+--- bind-9.9.4-P1/bin/named/query.c 2013-10-16 01:04:32.000000000 +0200
++++ bind-9.9.4-P2/bin/named/query.c 2013-12-20 01:28:28.000000000 +0100
+@@ -5260,8 +5260,7 @@ query_findclosestnsec3(dns_name_t *qname
+ dns_fixedname_t fixed;
+ dns_hash_t hash;
+ dns_name_t name;
+- int order;
+- unsigned int count;
++ unsigned int skip = 0, labels;
+ dns_rdata_nsec3_t nsec3;
+ dns_rdata_t rdata = DNS_RDATA_INIT;
+ isc_boolean_t optout;
+@@ -5276,6 +5275,7 @@ query_findclosestnsec3(dns_name_t *qname
+
+ dns_name_init(&name, NULL);
+ dns_name_clone(qname, &name);
++ labels = dns_name_countlabels(&name);
+ dns_clientinfomethods_init(&cm, ns_client_sourceip);
+ dns_clientinfo_init(&ci, client);
+
+@@ -5309,13 +5309,14 @@ query_findclosestnsec3(dns_name_t *qname
+ dns_rdata_reset(&rdata);
+ optout = ISC_TF((nsec3.flags & DNS_NSEC3FLAG_OPTOUT) != 0);
+ if (found != NULL && optout &&
+- dns_name_fullcompare(&name, dns_db_origin(db), &order,
+- &count) == dns_namereln_subdomain) {
++ dns_name_issubdomain(&name, dns_db_origin(db)))
++ {
+ dns_rdataset_disassociate(rdataset);
+ if (dns_rdataset_isassociated(sigrdataset))
+ dns_rdataset_disassociate(sigrdataset);
+- count = dns_name_countlabels(&name) - 1;
+- dns_name_getlabelsequence(&name, 1, count, &name);
++ skip++;
++ dns_name_getlabelsequence(qname, skip, labels - skip,
++ &name);
+ ns_client_log(client, DNS_LOGCATEGORY_DNSSEC,
+ NS_LOGMODULE_QUERY, ISC_LOG_DEBUG(3),
+ "looking for closest provable encloser");
+@@ -5333,7 +5334,11 @@ query_findclosestnsec3(dns_name_t *qname
+ ns_client_log(client, DNS_LOGCATEGORY_DNSSEC,
+ NS_LOGMODULE_QUERY, ISC_LOG_WARNING,
+ "expected covering NSEC3, got an exact match");
+- if (found != NULL)
++ if (found == qname) {
++ if (skip != 0U)
++ dns_name_getlabelsequence(qname, skip, labels - skip,
++ found);
++ } else if (found != NULL)
+ dns_name_copy(&name, found, NULL);
+ return;
+ }
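Review bot: In the last inner hunk the `found == qname` branch calls `dns_name_getlabelsequence(qname, skip, labels - skip, found)` with the same `dns_name_t` as both source and target, which is the aliasing shape the earlier hunk removes when it stops slicing `&name` into `&name`. Whether that call is safe depends on how dns_name_getlabelsequence() copies its label offsets, and that code is not touched by this patch; if it is not overlap-safe in the packaged tree, this branch presumably keeps the problem for callers that pass `found == qname`. Please confirm against the packaged source and record the assumption at the call, e.g. `/* found aliases qname here: relies on dns_name_getlabelsequence() tolerating source == target */`. The body of query_findclosestnsec3 starts and ends outside the hunks shown, so the callers that pass `found == qname` cannot be checked from this page.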
diff --git a/bind.spec b/bind.spec index de951c4..1c230bf 100644 --- a/bind.spec +++ b/bind.spec @@ -26,7 +26,7 @@ Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv Name: bind License: ISC Version: 9.9.3 -Release: 13.%{?PATCHVER}%{?dist} +Release: 14.%{?PATCHVER}%{?dist} Epoch: 32 Url: http://www.isc.org/products/BIND/ Buildroot:%{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) @@ -88,6 +88,7 @@ Patch139:bind99-ISC-Bugs-34738.patch Patch140:bind99-ISC-Bugs-34870-v3.patch # upstream applied patch for [ISC-Bugs #35073] Patch141:bind99-ISC-Bugs-35073.patch +Patch142:bind-9.9.4-CVE-2014-0591.patch # SDB patches Patch11: bind-9.3.2b2-sdbsrc.patch @@ -290,6 +291,7 @@ popd %patch139 -p1 -b .journal %patch140 -p1 -b .send_buffer %patch141 -p1 -b .leak_35073 +%patch142 -p1 -b .CVE-2014-0591 %if %{SDB} %patch101 -p1 -b .old-api @@ -799,6 +801,9 @@ rm -rf ${RPM_BUILD_ROOT} %endif %changelog +* Tue Jan 14 2014 Tomas Hozza 32:9.9.3-14.P2 +- Fix CVE-2014-0591 + * Thu Nov 28 2013 Tomas Hozza 32:9.9.3-13.P2 - Fixed memory leak in nsupdate if 'realm' was used multiple times (#984687)