diff --git a/dhcp-4.1.1-P1-CVE-2012-3955.patch b/dhcp-4.1.1-P1-CVE-2012-3955.patch
new file mode 100644
index 0000000..49fe5ee
--- /dev/null
+++ b/dhcp-4.1.1-P1-CVE-2012-3955.patch
@@ -0,0 +1,121 @@
+diff -rup dhcp-4.1-ESV-R6/server/dhcpv6.c dhcp-4.1-ESV-R7/server/dhcpv6.c
+--- dhcp-4.1-ESV-R6/server/dhcpv6.c 2012-07-13 08:11:52.000000000 +0200
++++ dhcp-4.1-ESV-R7/server/dhcpv6.c 2012-08-23 20:23:54.000000000 +0200
+@@ -1830,9 +1830,6 @@ reply_process_ia_na(struct reply_state *
+ ia_reference(&tmp->ia, reply->ia, MDL);
+
+ /* Commit 'hard' bindings. */
+- tmp->hard_lifetime_end_time =
+- tmp->soft_lifetime_end_time;
+- tmp->soft_lifetime_end_time = 0;
+ renew_lease6(tmp->ipv6_pool, tmp);
+ schedule_lease_timeout(tmp->ipv6_pool);
+
+@@ -2489,9 +2486,6 @@ reply_process_ia_ta(struct reply_state *
+ ia_reference(&tmp->ia, reply->ia, MDL);
+
+ /* Commit 'hard' bindings. */
+- tmp->hard_lifetime_end_time =
+- tmp->soft_lifetime_end_time;
+- tmp->soft_lifetime_end_time = 0;
+ renew_lease6(tmp->ipv6_pool, tmp);
+ schedule_lease_timeout(tmp->ipv6_pool);
+
+@@ -3359,9 +3353,6 @@ reply_process_ia_pd(struct reply_state *
+ ia_reference(&tmp->ia, reply->ia, MDL);
+
+ /* Commit 'hard' bindings. */
+- tmp->hard_lifetime_end_time =
+- tmp->soft_lifetime_end_time;
+- tmp->soft_lifetime_end_time = 0;
+ renew_lease6(tmp->ipv6_pool, tmp);
+ schedule_lease_timeout(tmp->ipv6_pool);
+ }
+diff -rup dhcp-4.1-ESV-R6/server/mdb6.c dhcp-4.1-ESV-R7/server/mdb6.c
+--- dhcp-4.1-ESV-R6/server/mdb6.c 2012-07-13 08:11:52.000000000 +0200
++++ dhcp-4.1-ESV-R7/server/mdb6.c 2012-08-23 20:23:54.000000000 +0200
+@@ -375,6 +378,8 @@ void
+ ia_remove_iasubopt(struct ia_xx *ia, struct iasubopt *iasubopt,
+ const char *file, int line) {
+ int i, j;
++ if (ia == NULL || iasubopt == NULL)
++ return;
+
+ for (i=0; inum_iasubopt; i++) {
+ if (ia->iasubopt[i] == iasubopt) {
+@@ -1234,29 +1239,49 @@ move_lease_to_active(struct ipv6_pool *p
+ return insert_result;
+ }
+
+-/*
+- * Renew an lease in the pool.
++/*!
++ * \brief Renew a lease in the pool.
++ *
++ * The hard_lifetime_end_time of the lease should be set to
++ * the current expiration time.
++ * The soft_lifetime_end_time of the lease should be set to
++ * the desired expiration time.
++ *
++ * This routine will compare the two and call the correct
++ * heap routine to move the lease. If the lease is active
++ * and the new expiration time is greater (the normal case)
++ * then we call isc_heap_decreased() as a larger time is a
++ * lower priority. If the new expiration time is less then
++ * we call isc_heap_increased().
++ *
++ * If the lease is abandoned then it will be on the active list
++ * and we will always call isc_heap_increased() as the previous
++ * expiration would have been all 1s (as close as we can get
++ * to infinite).
++ *
++ * If the lease is moving to active we call that routine
++ * which will move it from the inactive list to the active list.
+ *
+- * To do this, first set the new hard_lifetime_end_time for the resource,
+- * and then invoke renew_lease6() on it.
++ * \param pool a pool the lease belongs to
++ * \param lease the lease to be renewed
+ *
+- * WARNING: lease times must only be extended, never reduced!!!
++ * \return result of the renew operation (ISC_R_SUCCESS if successful,
++ ISC_R_NOMEMORY when run out of memory)
+ */
+ isc_result_t
+ renew_lease6(struct ipv6_pool *pool, struct iasubopt *lease) {
+- /*
+- * If we're already active, then we can just move our expiration
+- * time down the heap.
+- *
+- * If we're abandoned then we are already on the active list
+- * but we need to retag the lease and move our expiration
+- * from infinite to the current value
+- *
+- * Otherwise, we have to move from the inactive heap to the
+- * active heap.
+- */
++ time_t old_end_time = lease->hard_lifetime_end_time;
++ lease->hard_lifetime_end_time = lease->soft_lifetime_end_time;
++ lease->soft_lifetime_end_time = 0;
++
+ if (lease->state == FTS_ACTIVE) {
+- isc_heap_decreased(pool->active_timeouts, lease->heap_index);
++ if (old_end_time <= lease->hard_lifetime_end_time) {
++ isc_heap_decreased(pool->active_timeouts,
++ lease->heap_index);
++ } else {
++ isc_heap_increased(pool->active_timeouts,
++ lease->heap_index);
++ }
+ return ISC_R_SUCCESS;
+ } else if (lease->state == FTS_ABANDONED) {
+ char tmp_addr[INET6_ADDRSTRLEN];
+@@ -1382,7 +1407,7 @@ release_lease6(struct ipv6_pool *pool, s
+ * Create a prefix by hashing the input, and using that for
+ * the part subject to allocation.
+ */
+-static void
++void
+ build_prefix6(struct in6_addr *pref,
+ const struct in6_addr *net_start_pref,
+ int pool_bits, int pref_bits,
diff --git a/dhcp.spec b/dhcp.spec
index 69288a1..5b8cb63 100644
--- a/dhcp.spec
+++ b/dhcp.spec
@@ -5,7 +5,7 @@ Summary: The ISC DHCP (Dynamic Host Configuration Protocol) server/relay agent/c
 Name: dhcp
 Epoch: 3
 Version: 4.2.1
-Release: %mkrel 0.%{pver}.2
+Release: %mkrel 0.%{pver}.3
 License: Distributable
 Group: System/Servers
 URL: https://www.isc.org/software/dhcp
@@ -31,6 +31,7 @@ Patch7: dhcp-4.1.1-prevent_wireless_deassociation.patch
 # redhat bug #587070
 Patch9: dhcp-4.1.1-useless-wait.patch
 Patch10: dhcp-4.2.1-P1-CVE-2011-2748,2749.diff
+Patch11: dhcp-4.1.1-P1-CVE-2012-3955.patch
 BuildRequires: perl groff-for-man
 BuildRequires: openldap-devel
 Provides: dhcpd
@@ -339,6 +340,9 @@ rm -rf %{buildroot} %changelog +* Wed Sep 19 2012 Kuzma Kazygashev +- Security fix for CVE-2012-3955 + * Thu Aug 18 2011 Oden Eriksson 3:4.2.1-0.P1.2mdv2011.0 + Revision: 695144 - actually use the correct friggin patch...
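Review bot: The rewritten `renew_lease6()` in the embedded mdb6.c patch now overwrites `hard_lifetime_end_time` with `soft_lifetime_end_time` and zeroes the latter itself, so a caller that still commits the hard time before calling it (the pattern the three dhcpv6.c hunks remove) would end up with an end time of 0. The embedded patch is a 4.1-ESV-R6 to R7 diff while dhcp.spec builds 4.2.1, so any `renew_lease6()` call sites that exist only in the 4.2.1 tree are not covered here and should be checked before this ships. I would also state the contract in the doc comment, e.g. `* \note Callers must not commit hard_lifetime_end_time themselves; it is overwritten here.` Separately, the last embedded hunk drops `static` from `build_prefix6()` without adding a prototype anywhere in this patch, which looks unrelated to the CVE fix.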
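Review bot: `Patch11:` is declared in the `@@ -31,6 +31,7 @@` hunk, but none of the three dhcp.spec hunks touches `%prep`, so nothing in this diff shows the CVE-2012-3955 patch actually being applied to the build. If the spec applies patches one by one, a line such as `%patch11 -p1` is needed next to the existing ones; if it relies on an apply-all macro, that is worth confirming from a build log. The patch file is named for 4.1.1-P1 and was generated from 4.1-ESV-R6/R7 while `Version:` is 4.2.1, so it should also be checked that every hunk applies to the 4.2.1 sources without fuzz or rejects.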