diff --git a/python/.md5sum b/python/.md5sum
index 827b1afbb..2522becf5 100644
--- a/python/.md5sum
+++ b/python/.md5sum
@@ -1,2 +1,3 @@
+ff653e9e002ca0e3d4a828988e52edd3  CVE-2018-1000030.patch
 1f6db41ad91d9eb0a6f0c769b8613c5b  Python-2.7.14.tar.xz
 387d5f6d00d2be01ecb87216cac0f88c  pyconfig.h
diff --git a/python/.signature b/python/.signature
index 79f65e271..660b6eece 100644
--- a/python/.signature
+++ b/python/.signature
@@ -1,6 +1,7 @@
 untrusted comment: verify with /etc/ports/opt.pub
-RWSE3ohX2g5d/epCMlUlFvQyaIBzosMEyP+lGSzf7nv8h9yrdisRjDKb2xLBIKFHVun/04RwTZIvn0CBZvxCeIfrt5e8O4HPwQQ=
-SHA256 (Pkgfile) = 1fb4bf0238ad36a48a801d2d37d04e2c9650697dff1939f2781dc74f72058491
+RWSE3ohX2g5d/boQipBgLcfxZlqFZR09X30s/Z5MGSa539QoTYA6+7gBtc/kPgMKpF6e8opocX6wAQjcf9trsFzX4XMdoJaRFwY=
+SHA256 (Pkgfile) = 68fdadc03201267d440d69f8cd2e02a028887cf0b274d02ca17c52095aa8c663
 SHA256 (.footprint) = cad0b763c2deaad518b7c81ea32fbbe025df03c1548002336ef818ca9f4cf7ce
 SHA256 (Python-2.7.14.tar.xz) = 71ffb26e09e78650e424929b2b457b9c912ac216576e6bd9e7d204ed03296a66
+SHA256 (CVE-2018-1000030.patch) = f7ff89ad24d529532b4dfa6bd601d8f7368c3ae3950dae539ecc11e5e09b3ecb
 SHA256 (pyconfig.h) = 081426cb9524c2e156a71bb035c25a67e44d389afc6f7e091bcf86a7f4e2002f
diff --git a/python/Pkgfile b/python/Pkgfile
index 3645f5e98..3120ef84a 100644
--- a/python/Pkgfile
+++ b/python/Pkgfile
@@ -5,12 +5,17 @@
 
 name=python
 version=2.7.14
-release=1
+release=2
 source=(http://www.python.org/ftp/$name/$version/Python-$version.tar.xz \
+        CVE-2018-1000030.patch
         pyconfig.h)
 
 build () {
     cd Python-$version
+   
+    # fix for CVE-2018-1000030
+    # see https://bugs.python.org/issue31530
+    patch -p1 -i $SRC/CVE-2018-1000030.patch
 
     # set OPT to the python default without -O3
     # our CFLAGS are used as well