diff --git a/SOURCES/006-CVE-2020-13379.patch b/SOURCES/006-CVE-2020-13379.patch
new file mode 100644
index 0000000..f0b152c
--- /dev/null
+++ b/SOURCES/006-CVE-2020-13379.patch
@@ -0,0 +1,39 @@
+diff --git a/pkg/api/avatar/avatar.go b/pkg/api/avatar/avatar.go
+--- a/pkg/api/avatar/avatar.go
++++ b/pkg/api/avatar/avatar.go
+@@ -17,14 +17,15 @@ import (
+ "net/http"
+ "net/url"
+ "path/filepath"
++ "regexp"
+ "strconv"
+ "strings"
+ "sync"
+ "time"
+ 
+ "github.com/grafana/grafana/pkg/infra/log"
++ "github.com/grafana/grafana/pkg/models"
+ "github.com/grafana/grafana/pkg/setting"
+- "gopkg.in/macaron.v1"
+ 
+ gocache "github.com/patrickmn/go-cache"
+ )
+@@ -97,9 +98,15 @@ type CacheServer struct {
+ cache *gocache.Cache
+ }
+ 
+-func (this *CacheServer) Handler(ctx *macaron.Context) {
+- urlPath := ctx.Req.URL.Path
+- hash := urlPath[strings.LastIndex(urlPath, "/")+1:]
++var validMD5 = regexp.MustCompile("^[a-fA-F0-9]{32}$")
++
++func (this *CacheServer) Handler(ctx *models.ReqContext) {
++ hash := ctx.Params("hash")
++
++ if len(hash) != 32 || !validMD5.MatchString(hash) {
++ ctx.JsonApiErr(404, "Avatar not found", nil)
++ return
++ }
+ 
+ var avatar *Avatar
+ 
diff --git a/SPECS/grafana.spec b/SPECS/grafana.spec
index fb9200c..7ab86fc 100644
--- a/SPECS/grafana.spec
+++ b/SPECS/grafana.spec
@@ -22,7 +22,7 @@ end}
 
 Name: grafana
 Version: 6.3.6
-Release: 1%{?dist}
+Release: 2%{?dist}
 Summary: Metrics dashboard and graph editor
 License: ASL 2.0
 URL: https://grafana.org
@@ -43,6 +43,9 @@ Patch3: 003-new-files.patch
 Patch4: 004-xerrors.patch
 Patch5: 005-mute-shellcheck-grafana-cli.patch
 
+# Patch for CVE-2020-13379
+Patch6: 006-CVE-2020-13379.patch
+
 # Intersection of go_arches and nodejs_arches
 ExclusiveArch: %{grafana_arches}
 
@@ -409,6 +412,7 @@ The Grafana stackdriver datasource.
 %patch3 -p1
 %patch4 -p1
 %patch5 -p1
+%patch6 -p1
 
 # Set up build subdirs and links
 mkdir -p %{_builddir}/src/github.com/grafana
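Review bot: The guard `len(hash) != 32 || !validMD5.MatchString(hash)` says the same thing twice — the anchored `^[a-fA-F0-9]{32}$` already pins the length at 32 (Go's `$` matches only at end of text), so `if !validMD5.MatchString(hash) {` is sufficient and reads cleaner. The hunk also removes the only visible use of the `strings` package (`strings.LastIndex`) while keeping the import; unless `strings` is still referenced elsewhere in avatar.go, Go will refuse to compile with "imported and not used", so confirm that before building the backport. `ctx.Params("hash")` presumes the route in pkg/api/api.go is registered as `/avatar/:hash`; that file is not touched by this patch, so verify the 6.3.6 registration matches, otherwise every request lands on the 404 branch. A one-line comment over the regexp would keep the intent from being eroded by later edits: `// validMD5 accepts only a 32-character hex digest; anything else is rejected before the value is used further down in Handler (CVE-2020-13379).` Handler's body continues past the end of the hunk.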
@@ -440,13 +444,13 @@ cd %{_builddir}/src/github.com/grafana/grafana
 echo _builddir=%{_builddir} archbindir=%{archbindir}
 [ ! -d %{archbindir} ] && mkdir -p %{archbindir}
 export GOPATH=%{_builddir}:%{gopath}
-# export GO111MODULE=off
 %if 0%{?fedora} >= 31
 # native fedora golang build but without modules (no grafana support yet)
 go build -mod=vendor -o %{archbindir}/grafana-cli ./pkg/cmd/grafana-cli
 go build -mod=vendor -o %{archbindir}/grafana-server ./pkg/cmd/grafana-server
 %else
 # use the grafana build.go script.
+export GO111MODULE=off
 go run build.go build
 %endif
 
@@ -633,6 +637,9 @@ go test ./pkg/...
 
 
 %changelog
+* Wed Jun 17 2020 Andreas Gerstmayr 6.3.6-2
+- fix CVE-2020-13379
+
 * Wed Nov 20 2019 Mark Goodwin 6.3.6-1
 - add weak depenency on grafana-pcp
 - add patch to mute shellcheck SC1090 for grafana-cli