diff --git a/python-requests-dont-ascribe-cookies.patch b/python-requests-dont-ascribe-cookies.patch
new file mode 100644
index 0000000..dcabc25
--- /dev/null
+++ b/python-requests-dont-ascribe-cookies.patch
@@ -0,0 +1,22 @@
+From 3bd8afbff29e50b38f889b2f688785a669b9aafc Mon Sep 17 00:00:00 2001
+From: Cory Benfield
+Date: Sat, 14 Mar 2015 08:49:55 +0000
+Subject: [PATCH] Don't ascribe cookies to the target domain.
+
+---
+ requests/sessions.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/requests/sessions.py b/requests/sessions.py
+index 4f30696..9d5498c 100644
+--- a/requests/sessions.py
++++ b/requests/sessions.py
+@@ -171,7 +171,7 @@ def resolve_redirects(self, resp, req, stream=False, timeout=None,
+ except KeyError:
+ pass
+
+- extract_cookies_to_jar(prepared_request._cookies, prepared_request, resp.raw)
++ extract_cookies_to_jar(prepared_request._cookies, req, resp.raw)
+ prepared_request._cookies.update(self.cookies)
+ prepared_request.prepare_cookies(prepared_request._cookies)
+
diff --git a/python-requests.spec b/python-requests.spec
index 6748af7..b5c2d9d 100644
--- a/python-requests.spec
+++ b/python-requests.spec
@@ -6,7 +6,7 @@
 Name: python-requests
 Version: 2.5.3
-Release: 1%{?dist}
+Release: 2%{?dist}
 Summary: HTTP library, written in Python, for human beings
 License: ASL 2.0
@@ -19,6 +19,10 @@ Patch0: python-requests-system-cert-bundle.patch
 # Remove an unnecessary reference to a bundled compat lib in urllib3
 Patch1: python-requests-remove-nested-bundling-dep.patch
+# Backport fix for CVE-2015-2296
+# https://github.com/kennethreitz/requests/commit/3bd8afbff29e50b38f889b2f688785a669b9aafc
+Patch2: python-requests-dont-ascribe-cookies.patch
+
 BuildArch: noarch
 BuildRequires: python2-devel
 BuildRequires: python-chardet
@@ -61,6 +65,8 @@ designed to make HTTP requests easy for developers.
 %patch0 -p1
 %patch1 -p1
+%patch2 -p1
+
 # Unbundle the certificate bundle from mozilla.
 rm -rf requests/cacert.pem
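Review bot: In the added python-requests-dont-ascribe-cookies.patch, the corrected call `extract_cookies_to_jar(prepared_request._cookies, req, resp.raw)` carries no comment saying why `req` rather than `prepared_request` is the right argument, so the one-word distinction that closes CVE-2015-2296 is easy to undo in a later refactor. Going by the patch subject, cookies set by `resp` must be filed under the host that sent it and not under the redirect target, which is presumably what `prepared_request` already describes at this line. I would add `# Set-Cookie from resp belongs to the request that produced it (req), not the redirect target.` above the call, ideally upstream so the backport stays verbatim. The fix also relies on `req` describing the hop that produced `resp` on every redirect, and that depends on code in resolve_redirects outside this hunk, so it is worth confirming against the 2.5.3 sources.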
@@ -141,6 +147,9 @@ popd
 %endif
 %changelog
+* Mon Mar 16 2015 Ralph Bean - 2.5.3-2
+- Backport fix for CVE-2015-2296.
+
 * Thu Feb 26 2015 Ralph Bean - 2.5.3-1
 - new version