diff --git a/graphviz-2.40.1-CVE-2019-11023.patch b/graphviz-2.40.1-CVE-2019-11023.patch
index bb4aa16..abda75f 100644
--- a/graphviz-2.40.1-CVE-2019-11023.patch
+++ b/graphviz-2.40.1-CVE-2019-11023.patch
@@ -62,3 +62,16 @@ index 7b8214b..0910d99 100644
 }
 popString(&ud->elements);
 Current_class = TAG_GRAPH;
+diff --git a/lib/cgraph/obj.c b/lib/cgraph/obj.c
+index 7b1c8c1..709774e 100644
+--- a/lib/cgraph/obj.c
++++ b/lib/cgraph/obj.c
+@@ -168,6 +168,8 @@ void agdelcb(Agraph_t * g, void *obj, Agcbstack_t * cbstack)
+
+ Agraph_t *agroot(void* obj)
+ {
++ // fixes CVE-2019-11023 by moving the problem to the caller :-)
++ if (obj == 0) return NILgraph;
+ switch (AGTYPE(obj)) {
+ case AGINEDGE:
+ case AGOUTEDGE:
diff --git a/graphviz.spec b/graphviz.spec
index 279bfc7..5f6518d 100644
--- a/graphviz.spec
+++ b/graphviz.spec
@@ -61,7 +61,7 @@
 Name: graphviz
 Summary: Graph Visualization Tools
 Version: 2.40.1
-Release: 38%{?dist}
+Release: 39%{?dist}
 License: EPL
 URL: http://www.graphviz.org/
 # A bit hacking needed due to: https://gitlab.com/graphviz/graphviz/issues/1371
@@ -604,6 +604,10 @@ php --no-php-ini \
 %{_mandir}/man3/*.3tcl*
 
 %changelog
+* Wed Apr 24 2019 Jaroslav Škarvada - 2.40.1-39
+- Updated CVE-2019-11023 patch
+ Related: CVE-2019-11023
+
 * Wed Apr 24 2019 Jaroslav Škarvada - 2.40.1-38
 - Fixed null pointer dereference in function agroot()
 Resolves: CVE-2019-11023
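Review bot: The null guard added at the top of agroot() in lib/cgraph/obj.c returns NILgraph, so the NULL dereference is only deferred: any caller that uses the returned root without checking it will still fault, as the added comment itself concedes. The patch should also cover the call sites that can reach agroot() with an unset object (presumably from malformed graph input), or at least replace the joke comment with the contract, e.g. `/* obj may be NULL (CVE-2019-11023); returns NILgraph, which callers must check before use */`. As a style point, `obj == 0` reads better as `obj == NULL` for a pointer. The body of agroot() continues past the end of the hunk, so how the remaining switch arms treat other unexpected AGTYPE values cannot be judged from here.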