diff --git a/ntp-4.2.6p5-cve-2017-6464.patch b/ntp-4.2.6p5-cve-2017-6464.patch
new file mode 100644
index 0000000..6725c83
--- /dev/null
+++ b/ntp-4.2.6p5-cve-2017-6464.patch
@@ -0,0 +1,86 @@
+2017-02-12 09:49:29+01:00, perlinger@ntp.org
+ [Sec 3389] NTP-01-016: Denial of Service via Malformed Config
+
+diff -up ntp-4.2.6p5/ntpd/ntp_config.c.cve-2017-6464 ntp-4.2.6p5/ntpd/ntp_config.c
+--- ntp-4.2.6p5/ntpd/ntp_config.c.cve-2017-6464 2017-03-22 12:54:11.257454635 +0100
++++ ntp-4.2.6p5/ntpd/ntp_config.c 2017-03-22 12:57:06.919024166 +0100
+@@ -311,6 +311,9 @@ void ntpd_set_tod_using(const char *);
+ static u_int32 get_pfxmatch(const char **, struct masks *);
+ static u_int32 get_match(const char *, struct masks *);
+ static u_int32 get_logmask(const char *);
++static int/*BOOL*/ is_refclk_addr(const struct address_node * addr);
++
++
+ static int getnetnum(const char *num,sockaddr_u *addr, int complain,
+ enum gnn_type a_type);
+ static int get_multiple_netnums(const char *num, sockaddr_u *addr,
+@@ -1342,7 +1344,10 @@ create_peer_node(
+ break;
+
+ case T_Ttl:
+- if (my_node->ttl >= MAX_TTL) {
++ if (is_refclk_addr(addr)) {
++ msyslog(LOG_ERR, "'ttl' does not apply for refclocks");
++ errflag = 1;
++ } else if (option->value.i < 0 || option->value.i >= MAX_TTL) {
+ msyslog(LOG_ERR, "ttl: invalid argument");
+ errflag = 1;
+ }
+@@ -1351,7 +1355,12 @@ create_peer_node(
+ break;
+
+ case T_Mode:
+- my_node->ttl = option->value.i;
++ if (is_refclk_addr(addr)) {
++ my_node->ttl = option->value.i;
++ } else {
++ msyslog(LOG_ERR, "'mode' does not apply for network peers");
++ errflag = 1;
++ }
+ break;
+
+ case T_Key:
+@@ -2674,6 +2685,16 @@ apply_enable_disable(
+ }
+ }
+
++/* Hack to disambiguate 'server' statements for refclocks and network peers.
++ * Please note the qualification 'hack'. It's just that.
++ */
++static int/*BOOL*/
++is_refclk_addr(
++ const struct address_node * addr
++ )
++{
++ return addr && addr->address && !strncmp(addr->address, "127.127.", 8);
++}
+
+ static void
+ config_system_opts(
+diff -up ntp-4.2.6p5/ntpd/ntp_proto.c.cve-2017-6464 ntp-4.2.6p5/ntpd/ntp_proto.c
+--- ntp-4.2.6p5/ntpd/ntp_proto.c.cve-2017-6464 2017-03-22 12:54:11.270454677 +0100
++++ ntp-4.2.6p5/ntpd/ntp_proto.c 2017-03-22 12:54:11.279454706 +0100
+@@ -3017,8 +3017,9 @@ peer_xmit(
+ }
+ }
+ peer->t21_bytes = sendlen;
+- sendpkt(&peer->srcadr, peer->dstadr, sys_ttl[peer->ttl],
+- &xpkt, sendlen);
++ sendpkt(&peer->srcadr, peer->dstadr,
++ sys_ttl[(peer->ttl >= sys_ttlmax) ? sys_ttlmax : peer->ttl],
++ &xpkt, sendlen);
+ peer->sent++;
+ peer->throttle += (1 << peer->minpoll) - 2;
+
+@@ -3330,8 +3331,9 @@ peer_xmit(
+ exit (-1);
+ }
+ peer->t21_bytes = sendlen;
+- sendpkt(&peer->srcadr, peer->dstadr, sys_ttl[peer->ttl], &xpkt,
+- sendlen);
++ sendpkt(&peer->srcadr, peer->dstadr,
++ sys_ttl[(peer->ttl >= sys_ttlmax) ? sys_ttlmax : peer->ttl],
++ &xpkt, sendlen);
+ peer->sent++;
+ peer->throttle += (1 << peer->minpoll) - 2;
+
diff --git a/ntp.spec b/ntp.spec
index 5561199..495e850 100644
--- a/ntp.spec
+++ b/ntp.spec
@@ -209,6 +209,8 @@ Patch79: ntp-4.2.6p5-cve-2017-6458.patch Patch80: ntp-4.2.6p5-cve-2017-6462.patch # ntpbz #3387 Patch81: ntp-4.2.6p5-cve-2017-6463.patch +# ntpbz #3389 +Patch82: ntp-4.2.6p5-cve-2017-6464.patch # handle unknown clock types Patch100: ntpstat-0.2-clksrc.patch
@@ -389,6 +391,7 @@ This package contains NTP documentation in HTML format. %patch79 -p1 -b .cve-2017-6458 %patch80 -p1 -b .cve-2017-6462 %patch81 -p1 -b .cve-2017-6463 +%patch82 -p1 -b .cve-2017-6464 # ntpstat patches %patch100 -p1 -b .clksrc
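Review bot: The clamp added in both `peer_xmit` hunks (`@@ -3017` and `@@ -3330`) stays in bounds only if `sys_ttlmax` is the highest valid index into `sys_ttl[]` rather than its element count, and neither hunk shows where that is established, so the invariant deserves a comment at the use site, e.g. `/* sys_ttlmax is the last valid index of sys_ttl[], never its length */`. The same index expression is now duplicated at the two call sites; a small static helper returning `sys_ttl[(peer->ttl >= sys_ttlmax) ? sys_ttlmax : peer->ttl]` would keep them from drifting apart. In `create_peer_node`, the `T_Mode` branch still stores `option->value.i` into `my_node->ttl` with no range check, unlike the `T_Ttl` branch beside it; if that field (or `peer->ttl` downstream) is narrower than `int`, an out-of-range mode is silently truncated rather than rejected with `msyslog`/`errflag`. `is_refclk_addr()` is a textual prefix match on the configured address string rather than a test of the resolved address, which is presumably what the rest of ntpd uses to identify refclocks, so the comment that already calls it a hack would be stronger if it also said that the resolved-address check downstream remains authoritative. `peer_xmit` and `create_peer_node` both start and end outside the hunks shown.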