diff --git a/SOURCES/groovy-CVE-2015-3253-and-CVE-2016-6814.patch b/SOURCES/groovy-CVE-2015-3253-and-CVE-2016-6814.patch
new file mode 100644
index 0000000..5fa7673
--- /dev/null
+++ b/SOURCES/groovy-CVE-2015-3253-and-CVE-2016-6814.patch
@@ -0,0 +1,43 @@
+--- groovy-1.8.9/src/main/org/codehaus/groovy/runtime/MethodClosure.java~	2017-08-23 11:14:43.972873435 +0200
++++ groovy-1.8.9/src/main/org/codehaus/groovy/runtime/MethodClosure.java	2017-08-23 11:21:34.318169659 +0200
+@@ -18,6 +18,7 @@
+ import groovy.lang.Closure;
+ import groovy.lang.MetaMethod;
+ 
++import java.io.IOException;
+ import java.util.List;
+ 
+ 
+@@ -30,8 +31,10 @@
+  */
+ public class MethodClosure extends Closure {
+ 
++    public static boolean ALLOW_RESOLVE = false;
++
+     private String method;
+-    
++
+     public MethodClosure(Object owner, String method) {
+         super(owner);
+         this.method = method;
+@@ -59,6 +62,20 @@
+     protected Object doCall(Object arguments) {
+         return InvokerHelper.invokeMethod(getOwner(), method, arguments);
+     }
++
++    private Object readResolve() {
++        if (ALLOW_RESOLVE) {
++            return this;
++        }
++        throw new UnsupportedOperationException();
++    }
++
++    private void readObject(java.io.ObjectInputStream stream) throws IOException, ClassNotFoundException {
++        if (ALLOW_RESOLVE) {
++            stream.defaultReadObject();
++        }
++        throw new UnsupportedOperationException();
++    }
+     
+     public Object getProperty(String property) {
+         if ("method".equals(property)) {
diff --git a/SPECS/groovy.spec b/SPECS/groovy.spec
index 8adfc86..06db746 100644
--- a/SPECS/groovy.spec
+++ b/SPECS/groovy.spec
@@ -8,7 +8,7 @@
 
 Name:           %{?scl_prefix}%{pkg_name}
 Version:        1.8.9
-Release:        7.18%{?dist}
+Release:        7.19%{?dist}
 Summary:        Dynamic language for the Java Platform
 
 # Some of the files are licensed under BSD and CPL terms, but the CPL has been superceded
@@ -25,6 +25,9 @@ Source5:        epl-v10.txt
 Source6:        http://www.apache.org/licenses/LICENSE-2.0.txt
 # http://jira.codehaus.org/browse/GROOVY-6085
 Patch0:         groovy-inner-interface-annotations.patch
+# https://github.com/apache/groovy/commit/09e9778e8a33052d8c27105aee5310649637233d
+# https://github.com/apache/groovy/commit/716d3e67e744c7edeed7cbc3f874090d39355764
+Patch1:         groovy-CVE-2015-3253-and-CVE-2016-6814.patch
 BuildArch:      noarch
 
 BuildRequires:  %{?scl_prefix_java_common}ant
@@ -86,6 +89,7 @@ cp %{SOURCE4} %{SOURCE5} %{SOURCE6} .
 find \( -name *.jar -o -name *.class \) -delete
 
 %patch0 -p1
+%patch1 -p1
 %{?scl:EOF}
 
 %build
@@ -161,6 +165,10 @@ install -p -m644 pom.xml $RPM_BUILD_ROOT/%{_mavenpomdir}/JPP-%{pkg_name}.pom
 %doc LICENSE.txt LICENSE-2.0.txt NOTICE.txt cpl-v10.txt epl-v10.txt
 
 %changelog
+* Wed Aug 23 2017 Mikolaj Izdebski <mizdebsk@redhat.com> - 1.8.9-7.19
+- Fix remote code execution vulnerability
+- Resolves: CVE-2015-3253, CVE-2016-6814
+
 * Mon Feb 08 2016 Michal Srb <msrb@redhat.com> - 1.8.9-7.18
 - Fix BR on maven-local & co.