diff --git a/bash-4.4-heredoc-cloexec.patch b/bash-4.4-heredoc-cloexec.patch
new file mode 100644
index 0000000..47fcb5d
--- /dev/null
+++ b/bash-4.4-heredoc-cloexec.patch
@@ -0,0 +1,13 @@
+diff --git a/redir.c b/redir.c
+index 25488ea..1858b0b 100644
+--- a/redir.c
++++ b/redir.c
+@@ -469,6 +469,8 @@ here_document_to_fd (redirectee, ri)
+       return (fd);
+     }
+ 
++  SET_CLOSE_ON_EXEC (fd);
++
+   errno = r = 0;		/* XXX */
+   /* write_here_document returns 0 on success, errno on failure. */
+   if (redirectee->word)
diff --git a/bash.spec b/bash.spec
index 0bef0c8..39ac152 100644
--- a/bash.spec
+++ b/bash.spec
@@ -8,7 +8,7 @@
 Version: %{baseversion}%{patchleveltag}
 Name: bash
 Summary: The GNU Bourne Again shell
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: GPLv3+
 Url: http://www.gnu.org/software/bash
 Source0: ftp://ftp.gnu.org/gnu/bash/bash-%{baseversion}.tar.gz
@@ -78,6 +78,10 @@ Patch126: bash-4.3-memleak-lc_all.patch
 # this patch disables it
 Patch127: bash-4.4-no-loadable-builtins.patch
 
+# 1413676 - Bash leaks heredoc fd to child processes
+# This should be dropped while rebasing to bash-4.5
+Patch128: bash-4.4-heredoc-cloexec.patch
+
 BuildRequires: texinfo bison
 BuildRequires: ncurses-devel
 BuildRequires: autoconf, gettext
@@ -294,6 +298,10 @@ end
 %doc doc/*.ps doc/*.0 doc/*.html doc/article.txt
 
 %changelog
+* Wed Apr 26 2017 Siteshwar Vashisht <svashisht@redhat.com> - 4.4.12-3
+- Fix heredoc file descriptor leak
+  Resolves: #1413676
+
 * Tue Apr 18 2017 Siteshwar Vashisht <svashisht@redhat.com> - 4.4.12-2
 - Document 'bashbug' for reporting bugs
   Resolves: #1255886