diff --git a/mantis-1.2.17-fix_LDAP_poisoning.patch b/mantis-1.2.17-fix_LDAP_poisoning.patch
new file mode 100644
index 0000000..d67c100
--- /dev/null
+++ b/mantis-1.2.17-fix_LDAP_poisoning.patch
@@ -0,0 +1,37 @@
+commit 215968fa8ff33e327f0600765a5caa24de392cbc
+Author: Paul Richards
+Date: Sat Oct 12 22:58:43 2013 +0100
+
+ Strip null bytes out of GPC input strings
+
+ Backporting commit fc02c46eea9d9e7cc472a7fc1801ea65d467db76 from master
+ branch to fix issue #17640
+
+ Signed-off-by: Damien Regad
+
+diff --git a/core/gpc_api.php b/core/gpc_api.php
+index 2daad98..58e0827 100644
+--- a/core/gpc_api.php
++++ b/core/gpc_api.php
+@@ -110,7 +110,7 @@ function gpc_get_string( $p_var_name, $p_default = null ) {
+ trigger_error( ERROR_GPC_ARRAY_UNEXPECTED, ERROR );
+ }
+
+- return $t_result;
++ return str_replace( "\0","",$t_result );
+ }
+
+ /**
+@@ -255,7 +255,11 @@ function gpc_get_string_array( $p_var_name, $p_default = null ) {
+ trigger_error( ERROR_GPC_ARRAY_EXPECTED, ERROR );
+ }
+
+- return $t_result;
++ $t_array = array();
++ foreach( $t_result as $key => $val ) {
++ $t_array[$key] = str_replace( "\0", "", $val );
++ }
++ return $t_array;
+ }
+
+ /**
diff --git a/mantis.spec b/mantis.spec
index 774db60..df38ece 100644
--- a/mantis.spec
+++ b/mantis.spec
@@ -6,7 +6,7 @@ Summary: Web-based issue tracking system
 Name: mantis
 Version: 1.2.17
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: GPLv2+
 Group: Applications/Internet
 URL: http://www.mantisbt.org/
@@ -22,7 +22,7 @@ Patch2: mantis-1.2.4-do_not_warn_on_admin_directory.patch
 Patch3: mantis-1.2.12-use_systems_phpmailer.patch
 # set environment variable to find config_inc.php in /etc/mantis
 Patch4: mantis-1.2.14-set_env_on_scripts.patch
-
+Patch5: mantis-1.2.17-fix_LDAP_poisoning.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
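Review bot: In the embedded `core/gpc_api.php` patch, the new loop in `gpc_get_string_array` hands each `$val` to `str_replace` without checking that it is a string, so a request array nested more than one level deep would keep its NUL bytes, and the array keys are copied through unchanged. If nested arrays are not expected here, guard the element first, e.g. `if( is_array( $val ) ) { trigger_error( ERROR_GPC_ARRAY_UNEXPECTED, ERROR ); }` ahead of the replace; otherwise walk the value recursively. Both embedded hunks also rewrite the input silently rather than rejecting it, so a value consisting only of NUL bytes comes back as an empty string, and any caller that needs a non-empty value (the LDAP code this package patch is named after is not visible here) still has to check for emptiness itself. The enclosing functions begin outside the hunks and the other `gpc_get_*` accessors are not shown, so whether they need the same stripping cannot be judged from this page.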
@@ -69,6 +69,7 @@ This package contains configuration-files for Apache httpd 2.
 %patch2 -p1
 %patch3 -p1
 %patch4 -p1
+%patch5 -p1
 cp %{SOURCE1} ./doc/README.Fedora
 rm -rf packages docbook tests
@@ -153,6 +154,9 @@ rm -rf "${RPM_BUILD_ROOT}"
 %changelog
+* Fri Oct 03 2014 Gianluca Sforna - 1.2.17-3
+- fix CVE-2014-6387 (#1141310)
+
 * Sat Jun 07 2014 Fedora Release Engineering - 1.2.17-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild