diff --git a/bash-4.3-cve-2016-0634.patch b/bash-4.3-cve-2016-0634.patch
new file mode 100644
index 0000000..e71931a
--- /dev/null
+++ b/bash-4.3-cve-2016-0634.patch
@@ -0,0 +1,105 @@
+From f9dc7ff03a5b63d20ce473c1172e29b736dbea28 Mon Sep 17 00:00:00 2001
+From: "David Kaspar [Dee'Kej]" <dkaspar@redhat.com>
+Date: Wed, 21 Sep 2016 16:51:08 +0200
+Subject: [PATCH] CVE-2016-0634: upstream patch imported
+
+---
+ parse.y | 20 ++++++++++++++++----
+ y.tab.c | 20 ++++++++++++++++----
+ 2 files changed, 32 insertions(+), 8 deletions(-)
+
+diff --git a/parse.y b/parse.y
+index 0a7fcaa..5676ad7 100644
+--- a/parse.y
++++ b/parse.y
+@@ -5252,7 +5252,7 @@ decode_prompt_string (string)
+ #if defined (PROMPT_STRING_DECODE)
+   int result_size, result_index;
+   int c, n, i;
+-  char *temp, octal_string[4];
++  char *temp, *t_host, octal_string[4];
+   struct tm *tm;  
+   time_t the_time;
+   char timebuf[128];
+@@ -5400,7 +5400,11 @@ decode_prompt_string (string)
+ 
+ 	    case 's':
+ 	      temp = base_pathname (shell_name);
+-	      temp = savestring (temp);
++	      /* Try to quote anything the user can set in the file system */
++	      if (promptvars || posixly_correct)
++		temp = sh_backslash_quote_for_double_quotes (temp);
++	      else
++		temp = savestring (temp);
+ 	      goto add_string;
+ 
+ 	    case 'v':
+@@ -5490,9 +5494,17 @@ decode_prompt_string (string)
+ 
+ 	    case 'h':
+ 	    case 'H':
+-	      temp = savestring (current_host_name);
+-	      if (c == 'h' && (t = (char *)strchr (temp, '.')))
++	      t_host = savestring (current_host_name);
++	      if (c == 'h' && (t = (char *)strchr (t_host, '.')))
+ 		*t = '\0';
++	      if (promptvars || posixly_correct)
++		/* Make sure that expand_prompt_string is called with a
++		   second argument of Q_DOUBLE_QUOTES if we use this
++		   function here. */
++		temp = sh_backslash_quote_for_double_quotes (t_host);
++	      else
++		temp = savestring (t_host);
++	      free (t_host);
+ 	      goto add_string;
+ 
+ 	    case '#':
+diff --git a/y.tab.c b/y.tab.c
+index 793daf6..726d0de 100644
+--- a/y.tab.c
++++ b/y.tab.c
+@@ -7540,7 +7540,7 @@ decode_prompt_string (string)
+ #if defined (PROMPT_STRING_DECODE)
+   int result_size, result_index;
+   int c, n, i;
+-  char *temp, octal_string[4];
++  char *temp, *t_host, octal_string[4];
+   struct tm *tm;  
+   time_t the_time;
+   char timebuf[128];
+@@ -7688,7 +7688,11 @@ decode_prompt_string (string)
+ 
+ 	    case 's':
+ 	      temp = base_pathname (shell_name);
+-	      temp = savestring (temp);
++	      /* Try to quote anything the user can set in the file system */
++	      if (promptvars || posixly_correct)
++		temp = sh_backslash_quote_for_double_quotes (temp);
++	      else
++		temp = savestring (temp);
+ 	      goto add_string;
+ 
+ 	    case 'v':
+@@ -7778,9 +7782,17 @@ decode_prompt_string (string)
+ 
+ 	    case 'h':
+ 	    case 'H':
+-	      temp = savestring (current_host_name);
+-	      if (c == 'h' && (t = (char *)strchr (temp, '.')))
++	      t_host = savestring (current_host_name);
++	      if (c == 'h' && (t = (char *)strchr (t_host, '.')))
+ 		*t = '\0';
++	      if (promptvars || posixly_correct)
++		/* Make sure that expand_prompt_string is called with a
++		   second argument of Q_DOUBLE_QUOTES if we use this
++		   function here. */
++		temp = sh_backslash_quote_for_double_quotes (t_host);
++	      else
++		temp = savestring (t_host);
++	      free (t_host);
+ 	      goto add_string;
+ 
+ 	    case '#':
+-- 
+2.7.4
+
diff --git a/bash.spec b/bash.spec
index e481378..594f412 100644
--- a/bash.spec
+++ b/bash.spec
@@ -8,7 +8,7 @@
 Version: %{baseversion}%{patchleveltag}
 Name: bash
 Summary: The GNU Bourne Again shell
-Release: 5%{?dist}
+Release: 6%{?dist}
 Group: System Environment/Shells
 License: GPLv3+
 Url: http://www.gnu.org/software/bash
@@ -143,6 +143,10 @@ Patch139: bash-4.3-old-memleak.patch
 #1336800 - Fixes a race condition while expanding tilda
 Patch140: bash-tilda-race-condition.patch
 
+#1377614 - security fix for CVE-2016-0634 (arbitrary code execution via malicious hostname)
+# NOTE: This fix is already included in bash-4.4.
+Patch141: bash-4.3-cve-2016-0634.patch
+
 BuildRequires: texinfo bison
 BuildRequires: ncurses-devel
 BuildRequires: autoconf, gettext
@@ -245,6 +249,7 @@ This package contains documentation files for %{name}.
 %patch138 -p1 -b .lc_all
 %patch139 -p1 -b .oldleak
 %patch140 -p1 -b .tilda_expansion
+%patch141 -p1 -b .cve-2016-0634
 
 echo %{version} > _distribution
 echo %{release} > _patchlevel
@@ -446,6 +451,10 @@ end
 %doc doc/*.ps doc/*.0 doc/*.html doc/article.txt
 
 %changelog
+* Wed Sep 21 2016 David Kaspar [Dee'Kej] <dkaspar@redhat.com> - 4.3.42-6
+- CVE-2016-0634 - Fix for arbitrary code execution via malicious hostname
+  Resolves: #1377614
+
 * Tue May 17 2016 Siteshwar Vashisht <svashisht@redhat.com> - 4.3.42-5
 - Do not set terminate_immediately and interrupt_immediately while expanding tilda
   Resolves: #1336800