diff --git a/pkgs/servers/ldap/389/default.nix b/pkgs/servers/ldap/389/default.nix
index 8d719bec4f5e..6ba60ff17726 100644
--- a/pkgs/servers/ldap/389/default.nix
+++ b/pkgs/servers/ldap/389/default.nix
@@ -1,5 +1,5 @@
-{ stdenv, fetchurl, pkgconfig, perl, pam, nspr, nss, openldap, db, cyrus_sasl
-, svrcore, icu, net_snmp, kerberos, pcre, perlPackages
+{ stdenv, fetchurl, fetchpatch, pkgconfig, perl, pam, nspr, nss, openldap
+, db, cyrus_sasl, svrcore, icu, net_snmp, kerberos, pcre, perlPackages
 }:
 let
   version = "1.3.5.4";
@@ -19,7 +19,15 @@ stdenv.mkDerivation rec {
 
   # TODO: Fix bin/ds-logpipe.py, bin/logconv, bin/cl-dump
 
-  patches = [ ./perl-path.patch ];
+  patches = [ ./perl-path.patch
+    # https://fedorahosted.org/389/ticket/48354
+    (fetchpatch {
+      name = "389-ds-base-CVE-2016-5416.patch";
+      url = "https://fedorahosted.org/389/changeset/3c2cd48b7d2cb0579f7de6d460bcd0c9bb1157bd/?format=diff&new=3c2cd48b7d2cb0579f7de6d460bcd0c9bb1157bd";
+      addPrefixes = true;
+      sha256 = "1kv3a3di1cihkaf8xdbb5mzvhm4c3frx8rc5mji8xgjyj9ni6xja";
+    })
+  ];
 
   preConfigure = ''
     # Create perl paths for library imports in perl scripts