diff --git a/cve_2016-1494.diff b/cve_2016-1494.diff
new file mode 100644
index 0000000..dce6a99
--- /dev/null
+++ b/cve_2016-1494.diff
@@ -0,0 +1,103 @@
+# HG changeset patch
+# User Filippo Valsorda <hi@filippo.io>
+# Date 1450226563 0
+# Node ID 0cbcc529926afd61c6df4f50cfc29971beafd2c2
+# Parent  2baab06c8b867b01ec82b02118d4872a931a0437
+Fix BB'06 attack in verify() by switching from parsing to comparison
+
+diff --git a/rsa/pkcs1.py b/rsa/pkcs1.py
+--- a/rsa/pkcs1.py
++++ b/rsa/pkcs1.py
+@@ -22,10 +22,10 @@
+ At least 8 bytes of random padding is used when encrypting a message. This makes
+ these methods much more secure than the ones in the ``rsa`` module.
+ 
+-WARNING: this module leaks information when decryption or verification fails.
+-The exceptions that are raised contain the Python traceback information, which
+-can be used to deduce where in the process the failure occurred. DO NOT PASS
+-SUCH INFORMATION to your users.
++WARNING: this module leaks information when decryption fails. The exceptions
++that are raised contain the Python traceback information, which can be used to
++deduce where in the process the failure occurred. DO NOT PASS SUCH INFORMATION
++to your users.
+ '''
+ 
+ import hashlib
+@@ -288,37 +288,23 @@
+     :param pub_key: the :py:class:`rsa.PublicKey` of the person signing the message.
+     :raise VerificationError: when the signature doesn't match the message.
+ 
+-    .. warning::
+-
+-        Never display the stack trace of a
+-        :py:class:`rsa.pkcs1.VerificationError` exception. It shows where in
+-        the code the exception occurred, and thus leaks information about the
+-        key. It's only a tiny bit of information, but every bit makes cracking
+-        the keys easier.
+-
+     '''
+     
+-    blocksize = common.byte_size(pub_key.n)
++    keylength = common.byte_size(pub_key.n)
+     encrypted = transform.bytes2int(signature)
+     decrypted = core.decrypt_int(encrypted, pub_key.e, pub_key.n)
+-    clearsig = transform.int2bytes(decrypted, blocksize)
+-
+-    # If we can't find the signature  marker, verification failed.
+-    if clearsig[0:2] != b('\x00\x01'):
+-        raise VerificationError('Verification failed')
++    clearsig = transform.int2bytes(decrypted, keylength)
+     
+-    # Find the 00 separator between the padding and the payload
+-    try:
+-        sep_idx = clearsig.index(b('\x00'), 2)
+-    except ValueError:
+-        raise VerificationError('Verification failed')
+-    
+-    # Get the hash and the hash method
+-    (method_name, signature_hash) = _find_method_hash(clearsig[sep_idx+1:])
++    # Get the hash method
++    method_name = _find_method_hash(clearsig)
+     message_hash = _hash(message, method_name)
+ 
+-    # Compare the real hash to the hash in the signature
+-    if message_hash != signature_hash:
++    # Reconstruct the expected padded hash
++    cleartext = HASH_ASN1[method_name] + message_hash
++    expected = _pad_for_signing(cleartext, keylength)
++
++    # Compare with the signed one
++    if expected != clearsig:
+         raise VerificationError('Verification failed')
+ 
+     return True
+@@ -351,24 +337,20 @@
+     return hasher.digest()
+ 
+ 
+-def _find_method_hash(method_hash):
+-    '''Finds the hash method and the hash itself.
++def _find_method_hash(clearsig):
++    '''Finds the hash method.
+     
+-    :param method_hash: ASN1 code for the hash method concatenated with the
+-        hash itself.
++    :param clearsig: full padded ASN1 and hash.
+     
+-    :return: tuple (method, hash) where ``method`` is the used hash method, and
+-        ``hash`` is the hash itself.
++    :return: the used hash method.
+     
+     :raise VerificationFailed: when the hash method cannot be found
+ 
+     '''
+ 
+     for (hashname, asn1code) in HASH_ASN1.items():
+-        if not method_hash.startswith(asn1code):
+-            continue
+-        
+-        return (hashname, method_hash[len(asn1code):])
++        if asn1code in clearsig:
++            return hashname
+     
+     raise VerificationError('Verification failed')
diff --git a/python-rsa.changes b/python-rsa.changes
index 2c570d7..6ddca16 100644
--- a/python-rsa.changes
+++ b/python-rsa.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Tue Jan  5 18:39:56 UTC 2016 - rjschwei@suse.com
+
+- Fix CVE 2016-1494 (bsc#960680)
+  - Add patch cve_2016-1494.diff
+
 -------------------------------------------------------------------
 Tue Dec  1 15:02:09 UTC 2015 - rjschwei@suse.com
 
diff --git a/python-rsa.spec b/python-rsa.spec
index adbc0bc..bec9614 100644
--- a/python-rsa.spec
+++ b/python-rsa.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package python-rsa
 #
-# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -24,6 +24,7 @@ Summary:        Pure-Python RSA Implementation
 License:        Apache-2.0
 Group:          Development/Languages/Python
 Source:         http://pypi.python.org/packages/source/r/rsa/rsa-%{version}.tar.gz
+Patch0:         cve_2016-1494.diff
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 BuildRequires:  python-devel
 BuildRequires:  python-pyasn1
@@ -55,6 +56,7 @@ sed -i "s/pyrsa-sign/pyrsa-sign-%{py_ver}/" setup.py
 sed -i "s/pyrsa-verify/pyrsa-verify-%{py_ver}/" setup.py
 sed -i "s/pyrsa-encrypt-bigfile =/pyrsa-encrypt-bigfile-%{py_ver} =/" setup.py
 sed -i "s/pyrsa-decrypt-bigfile =/pyrsa-decrypt-bigfile-%{py_ver} =/" setup.py
+%patch0 -p1
 
 %build
 python setup.py build