diff --git a/bind.spec b/bind.spec index 7eff806..aca8cf6 100644 --- a/bind.spec +++ b/bind.spec @@ -3,6 +3,7 @@ # %define PATCHVER P1 +%define _default_patch_fuzz 2 %{?!SDB: %define SDB 1} %{?!LIBBIND: %define LIBBIND 1} @@ -20,7 +21,7 @@ Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv Name: bind License: ISC Version: 9.5.0 -Release: 28.%{PATCHVER}%{?dist} +Release: 28.1.%{PATCHVER}%{?dist} Epoch: 32 Url: http://www.isc.org/products/BIND/ Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) @@ -62,6 +63,7 @@ Patch72: bind-9.5-dlz-64bit.patch Patch80: bind-9.5-edns.patch Patch88: bind-9.5-recv-race.patch Patch89: bind95-rh450995.patch +Patch90: bind95-rh457175.patch # SDB patches Patch11: bind-9.3.2b2-sdbsrc.patch @@ -187,7 +189,7 @@ Based on the code from Jan "Yenya" Kasprzak %setup -q -n %{name}-%{version}-%{PATCHVER} # Common patches -%patch -p1 -b .varrun +%patch0 -p1 -b .varrun %patch1 -p1 -b .key %patch5 -p1 -b .nonexec %patch6 -p1 -b .nsl @@ -251,6 +253,7 @@ cp -fp contrib/dbus/{dbus_mgr.h,dbus_service.h} bin/named/include/named %patch85 -p1 -b .libidn3 %patch88 -p1 -b .recv-race %patch89 -p1 -b .rh450995 +%patch90 -p1 -b .rh457175 :; @@ -280,6 +283,7 @@ export LDFLAGS=-lefence --enable-threads \ --enable-ipv6 \ --with-pic \ + --disable-static \ %if %{LIBBIND} --enable-libbind \ %endif 
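Review bot: In the first bind.spec hunk, `%define _default_patch_fuzz 2` relaxes context matching for every `%patch` in the spec, not only for the one that stopped applying cleanly. With fuzz allowed, a patch whose context has drifted can land at a nearby but different location without failing the build, which is a weak guarantee for a package whose patch set carries security fixes. I would rebase the affected patches against 9.5.0-P1 and drop the define, or at least record the reason beside it, e.g. `# temporary: <patches needing fuzz> no longer apply cleanly; rebase and remove`.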
@@ -407,7 +411,7 @@ for f in my.internal.zone.db slaves/my.slave.internal.zone.db slaves/my.ddns.int echo '@ in soa localhost. root 1 3H 15M 1W 1D ns localhost.' > sample/var/named/$f; done -/usr/bin/tail -n '+'`/bin/egrep -n '\\$Id: bind.spec,v 1.248 2008/07/08 22:14:21 atkac Exp $/+1/' | bc` bin/rndc/rndc.conf | sed '/Sample rndc configuration file./{p;i\ +/usr/bin/tail -n '+'`/bin/egrep -n '\\$Id: bind.spec,v 1.249 2008/07/31 14:40:05 atkac Exp $/+1/' | bc` bin/rndc/rndc.conf | sed '/Sample rndc configuration file./{p;i\ *\ * NOTE: you only need to create this file if it is to\ * differ from the following default contents: @@ -666,6 +670,9 @@ rm -rf ${RPM_BUILD_ROOT} %{_sbindir}/bind-chroot-admin %changelog +* Thu Jul 31 2008 Adam Tkac 32:9.5.0-28.1.P1 +- IP acls weren't merged correctly (#457175) + * Tue Jul 08 2008 Adam Tkac 32:9.5.0-28.P1 - 9.5.0-P1 release (CVE-2008-1447) diff --git a/bind95-rh457175.patch b/bind95-rh457175.patch new file mode 100644 index 0000000..2ecd01e --- /dev/null +++ b/bind95-rh457175.patch @@ -0,0 +1,25 @@ +diff -up bind-9.5.0-P1/lib/dns/iptable.c.rh457175 bind-9.5.0-P1/lib/dns/iptable.c +--- bind-9.5.0-P1/lib/dns/iptable.c.rh457175 2008-01-21 22:02:24.000000000 +0100 ++++ bind-9.5.0-P1/lib/dns/iptable.c 2008-07-31 16:10:46.000000000 +0200 +@@ -117,16 +117,17 @@ dns_iptable_merge(dns_iptable_t *tab, dn + if (node->data[0] && + *(isc_boolean_t *) node->data[0] == ISC_TRUE) + new_node->data[0] = &dns_iptable_neg; +- else +- new_node->data[0] = node->data[0]; + + if (node->data[1] && + *(isc_boolean_t *) node->data[1] == ISC_TRUE) + new_node->data[1] = &dns_iptable_neg; +- else +- new_node->data[1] = node->data[0]; + } + ++ if (new_node->data[0] == NULL) ++ new_node->data[0] = node->data[0]; ++ if (new_node->data[1] == NULL) ++ new_node->data[1] = node->data[1]; ++ + if (node->node_num[0] > max_node) + max_node = node->node_num[0]; + if (node->node_num[1] > max_node)
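Review bot: In the `@@ -407,7 +411,7 @@` hunk, the `$Id: bind.spec,v 1.249 ... Exp $` text inside the egrep pattern looks like a CVS keyword expansion that has overwritten part of the command. As written, egrep receives no file argument and its output goes straight to `bc`, so the offset handed to `tail -n` is probably not the intended one, and the line will be rewritten again on every commit. Writing the pattern so the keyword is not recognised, for example `'\\$[I]d: '`, and restoring the file argument would keep the sample rndc.conf generation stable. The original command is not visible here, so this should be checked against an older revision.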
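Review bot: In the bind95-rh457175.patch section, the new `if (new_node->data[0] == NULL)` and `data[1]` guards copy the source entry only when the destination has none, while the assignments to `&dns_iptable_neg` in the block above still overwrite unconditionally. The two paths therefore resolve a prefix present in both tables differently. The changelog ties this code to IP ACL merging, so the intended precedence deserves a comment, e.g. `/* Keep an entry already set for this prefix; otherwise inherit the source's value. */`, and a regression case for merging nested and negated ACLs would pin the behaviour. The condition opening the block and the rest of dns_iptable_merge lie outside the hunk, so whether `new_node` can already carry data at this point is inferred, not confirmed.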