diff --git a/0010-curl-7.47.1-CVE-2016-5420.patch b/0010-curl-7.47.1-CVE-2016-5420.patch
index 320d71b..c3d3795 100644
--- a/0010-curl-7.47.1-CVE-2016-5420.patch
+++ b/0010-curl-7.47.1-CVE-2016-5420.patch
@@ -1,7 +1,7 @@
 From 871472d6249864f8e91031045833349032caca74 Mon Sep 17 00:00:00 2001
 From: Daniel Stenberg <daniel@haxx.se>
 Date: Sun, 31 Jul 2016 00:51:48 +0200
-Subject: [PATCH] TLS: only reuse connections with the same client cert
+Subject: [PATCH 1/2] TLS: only reuse connections with the same client cert
 
 CVE-2016-5420
 Bug: https://curl.haxx.se/docs/adv_20160803B.html
@@ -27,3 +27,49 @@ index 879918b..08e2405 100644
 -- 
 2.5.5
 
+
+From 2430e5ed89222f09e6042c9da89472a4e54b0af7 Mon Sep 17 00:00:00 2001
+From: Kamil Dudka <kdudka@redhat.com>
+Date: Mon, 22 Aug 2016 10:24:35 +0200
+Subject: [PATCH 2/2] nss: refuse previously loaded certificate from file
+
+... when we are not asked to use a certificate from file
+
+Upstream-commit: 7700fcba64bf5806de28f6c1c7da3b4f0b38567d
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/vtls/nss.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c
+index 722ea88..35fa50d 100644
+--- a/lib/vtls/nss.c
++++ b/lib/vtls/nss.c
+@@ -1005,10 +1005,10 @@ static SECStatus SelectClientCert(void *arg, PRFileDesc *sock,
+   struct ssl_connect_data *connssl = (struct ssl_connect_data *)arg;
+   struct SessionHandle *data = connssl->data;
+   const char *nickname = connssl->client_nickname;
++  static const char pem_slotname[] = "PEM Token #1";
+ 
+   if(connssl->obj_clicert) {
+     /* use the cert/key provided by PEM reader */
+-    static const char pem_slotname[] = "PEM Token #1";
+     SECItem cert_der = { 0, NULL, 0 };
+     void *proto_win = SSL_RevealPinArg(sock);
+     struct CERTCertificateStr *cert;
+@@ -1070,6 +1070,12 @@ static SECStatus SelectClientCert(void *arg, PRFileDesc *sock,
+   if(NULL == nickname)
+     nickname = "[unknown]";
+ 
++  if(!strncmp(nickname, pem_slotname, sizeof(pem_slotname) - 1U)) {
++    failf(data, "NSS: refusing previously loaded certificate from file: %s",
++          nickname);
++    return SECFailure;
++  }
++
+   if(NULL == *pRetKey) {
+     failf(data, "NSS: private key not found for certificate: %s", nickname);
+     return SECFailure;
+-- 
+2.7.4
+
diff --git a/curl.spec b/curl.spec
index e4f728d..b6765c9 100644
--- a/curl.spec
+++ b/curl.spec
@@ -1,7 +1,7 @@
 Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
 Name: curl
 Version: 7.43.0
-Release: 8%{?dist}
+Release: 9%{?dist}
 License: MIT
 Group: Applications/Internet
 Source: http://curl.haxx.se/download/%{name}-%{version}.tar.lzma
@@ -276,6 +276,10 @@ rm -rf $RPM_BUILD_ROOT
 %{_datadir}/aclocal/libcurl.m4
 
 %changelog
+* Fri Aug 26 2016 Kamil Dudka <kdudka@redhat.com> 7.43.0-9
+- fix incorrect use of a previously loaded certificate from file
+  (related to CVE-2016-5420)
+
 * Wed Aug 03 2016 Kamil Dudka <kdudka@redhat.com> 7.43.0-8
 - fix re-using connections with wrong client cert (CVE-2016-5420)
 - fix TLS session resumption client cert bypass (CVE-2016-5419)