diff --git a/shadow-4.8.1-salt_c_use_dev_urandom.patch b/shadow-4.8.1-salt_c_use_dev_urandom.patch
new file mode 100644
index 0000000..ba37b77
--- /dev/null
+++ b/shadow-4.8.1-salt_c_use_dev_urandom.patch
@@ -0,0 +1,114 @@
+From bc8257cf73328e450511b13cbd35e1994feccb30 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Bj=C3=B6rn=20Esser?= <besser82@fedoraproject.org>
+Date: Wed, 23 Jun 2021 16:06:47 +0200
+Subject: [PATCH] libmisc/salt.c: Obtain random bytes from /dev/urandom.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Using the random() function to obtain pseudo-random bytes
+for generating salt strings is considered to be dangerous.
+See CWE-327.
+
+We really should use a more reliable source for obtaining
+pseudo-random bytes like /dev/urandom.
+
+Fixes #376.
+
+Signed-off-by: Björn Esser <besser82@fedoraproject.org>
+---
+ libmisc/salt.c | 45 ++++++++++++++++++++++++---------------------
+ 1 file changed, 24 insertions(+), 21 deletions(-)
+
+diff --git a/libmisc/salt.c b/libmisc/salt.c
+index e17093fc..af9f011f 100644
+--- a/libmisc/salt.c
++++ b/libmisc/salt.c
+@@ -11,11 +11,10 @@
+ 
+ #ident "$Id$"
+ 
+-#include <sys/time.h>
+-#include <string.h>
+-#include <stdlib.h>
+-#include <stdio.h>
+ #include <assert.h>
++#include <stdio.h>
++#include <stdlib.h>
++#include <string.h>
+ #include "prototypes.h"
+ #include "defines.h"
+ #include "getdef.h"
+@@ -74,7 +73,7 @@
+ #define GENSALT_SETTING_SIZE 100
+ 
+ /* local function prototypes */
+-static void seedRNG (void);
++static long read_random_bytes (void);
+ static /*@observer@*/const char *gensalt (size_t salt_size);
+ #if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT)
+ static long shadow_random (long min, long max);
+@@ -125,23 +124,27 @@ static /*@observer@*/char *l64a (long value)
+ }
+ #endif /* !HAVE_L64A */
+ 
+-static void seedRNG (void)
++/* Read sizeof (long) random bytes from /dev/urandom. */
++static long read_random_bytes (void)
+ {
+-	struct timeval tv;
+-	static int seeded = 0;
++	long randval = 0;
++	FILE *f = fopen ("/dev/urandom", "r");
+ 
+-	if (0 == seeded) {
+-		(void) gettimeofday (&tv, NULL);
+-		srandom (tv.tv_sec ^ tv.tv_usec ^ getpid ());
+-		seeded = 1;
++	if (fread (&randval, sizeof (randval), 1, f) != sizeof (randval))
++	{
++		fprintf (shadow_logfd,
++			 _("Unable to read from /dev/urandom.\n"));
++
++		fclose(f);
++		exit (1);
+ 	}
++
++	fclose(f);
++
++	return randval;
+ }
+ 
+ #if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT)
+-/* It is not clear what is the maximum value of random().
+- * We assume 2^31-1.*/
+-#define RANDOM_MAX 0x7FFFFFFF
+-
+ /*
+  * Return a random number between min and max (both included).
+  *
+@@ -151,8 +154,9 @@ static long shadow_random (long min, long max)
+ {
+ 	double drand;
+ 	long ret;
+-	seedRNG ();
+-	drand = (double) (max - min + 1) * random () / RANDOM_MAX;
++
++	drand = (double) (read_random_bytes () & RAND_MAX) / (double) RAND_MAX;
++	drand *= (double) (max - min + 1);
+ 	/* On systems were this is not random() range is lower, we favor
+ 	 * higher numbers of salt. */
+ 	ret = (long) (max + 1 - drand);
+@@ -354,10 +358,9 @@ static /*@observer@*/const char *gensalt (size_t salt_size)
+ 
+ 	assert (salt_size >= MIN_SALT_SIZE &&
+ 	        salt_size <= MAX_SALT_SIZE);
+-	seedRNG ();
+-	strcat (salt, l64a (random()));
++	strcat (salt, l64a (read_random_bytes ()));
+ 	do {
+-		strcat (salt, l64a (random()));
++		strcat (salt, l64a (read_random_bytes ()));
+ 	} while (strlen (salt) < salt_size);
+ 
+ 	salt[salt_size] = '\0';
diff --git a/shadow-utils.spec b/shadow-utils.spec
index 5145b38..a5badbb 100644
--- a/shadow-utils.spec
+++ b/shadow-utils.spec
@@ -112,6 +112,8 @@ Patch61: shadow-4.8.1-fix_bcrypt_prefix.patch
 Patch62: shadow-4.8.1-salt_c_sanitize_code.patch
 # https://github.com/shadow-maint/shadow/commit/dbf230e4cf823dd6b6a3bad6d29dfad4f0ffa8fc
 Patch63: shadow-4.8.1-salt_c_comments.patch
+# https://github.com/shadow-maint/shadow/commit/bc8257cf73328e450511b13cbd35e1994feccb30
+Patch64: shadow-4.8.1-salt_c_use_dev_urandom.patch
 
 License: BSD and GPLv2+
 BuildRequires: make
@@ -200,6 +202,7 @@ Development files for shadow-utils-subid.
 %patch61 -p1 -b .bcrypt_prefix
 %patch62 -p1 -b .sanitize_code
 %patch63 -p1 -b .comments
+%patch64 -p1 -b .use_dev_urandom
 
 iconv -f ISO88591 -t utf-8  doc/HOWTO > doc/HOWTO.utf8
 cp -f doc/HOWTO.utf8 doc/HOWTO
@@ -373,6 +376,7 @@ rm -f $RPM_BUILD_ROOT/%{_libdir}/libsubid.la
 - Add a patch to fix the used prefix for the bcrypt hash method
 - Add a patch to cleanup the code in libmisc/salt.c
 - Add a patch adding some clarifying comments in libmisc/salt.c
+- Add a patch to obtain random bytes from /dev/urandom
 
 * Mon Jun 28 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.8.1-13
 - Covscan fixes