diff --git a/SOURCES/CVE-2020-25649.patch b/SOURCES/CVE-2020-25649.patch
new file mode 100644
index 0000000..c85e941
--- /dev/null
+++ b/SOURCES/CVE-2020-25649.patch
@@ -0,0 +1,21 @@
+https://github.com/FasterXML/jackson-databind/commit/612f971b78c60202e9cd75a299050c8f2d724a59
+
+diff --git a/src/main/java/com/fasterxml/jackson/databind/ext/DOMDeserializer.java b/src/main/java/com/fasterxml/jackson/databind/ext/DOMDeserializer.java
+index 78b1a00..121585e 100644
+--- a/src/main/java/com/fasterxml/jackson/databind/ext/DOMDeserializer.java
++++ b/src/main/java/com/fasterxml/jackson/databind/ext/DOMDeserializer.java
+@@ -36,6 +36,14 @@ public abstract class DOMDeserializer extends FromStringDeserializer
+ } catch(ParserConfigurationException pce) {
+ // not much point to do anything; could log but...
+ }
++
++ // [databind#2589] add two more settings just in case
++ try {
++ parserFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
++ } catch (Throwable t) { } // as per previous one, nothing much to do
++ try {
++ parserFactory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
++ } catch (Throwable t) { } // as per previous one, nothing much to do
+ DEFAULT_PARSER_FACTORY = parserFactory;
+ }
+
diff --git a/SPECS/jackson-databind.spec b/SPECS/jackson-databind.spec
index 7361992..c88b11e 100644
--- a/SPECS/jackson-databind.spec
+++ b/SPECS/jackson-databind.spec
@@ -3,7 +3,7 @@
 
 Name: %{?scl_prefix}jackson-databind
 Version: 2.7.6
-Release: 2.11%{?dist}
+Release: 2.12%{?dist}
 Summary: General data-binding package for Jackson (2.x)
 License: ASL 2.0 and LGPLv2+
 URL: http://wiki.fasterxml.com/JacksonHome
@@ -29,6 +29,7 @@ Patch17: CVE-2020_10969-11113-10968-11111-11112.patch
 Patch18: CVE-2020-11619.patch
 Patch19: CVE-2020-11620.patch
 Patch20: CVE-2020-24750.patch
+Patch21: CVE-2020-25649.patch
 
 BuildRequires: %{?scl_prefix}maven-local
 BuildRequires: %{?scl_prefix}mvn(com.fasterxml.jackson:jackson-parent:pom:)
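Review bot: Both added `setFeature` calls sit inside `catch (Throwable t) { }`, so if the DocumentBuilderFactory implementation on the target JDK does not recognise these Apache-namespaced feature URIs, the DOCTYPE prohibition is skipped silently and the factory keeps whatever DTD handling it had before. That is a deliberate upstream choice and should not be altered in the backport, but it means the patch applying cleanly does not prove the hardening is in effect on the packaged runtime. Since the spec visibly removes some test sources (`rm src/test/...`), it would be worth confirming after the build that a DOCTYPE-bearing input is now rejected, e.g. a small test feeding `<!DOCTYPE x []><x/>` through the deserializer and expecting a failure. The static initializer this hunk patches begins before the hunk.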
@@ -74,6 +75,7 @@ This package contains javadoc for %{pkg_name}.
 %patch18 -p1
 %patch19 -p1
 %patch20 -p1
+%patch21 -p1
 
 cp -p src/main/resources/META-INF/LICENSE .
 cp -p src/main/resources/META-INF/NOTICE .
@@ -112,6 +114,10 @@ rm src/test/java/com/fasterxml/jackson/databind/ser/TestJdkTypes.java \
 %license LICENSE NOTICE
 
 %changelog
+* Thu Oct 15 2020 Marian Koncek - 2.7.6-2.12
+- Fix security vulnerability
+- Resolves: CVE-2020-25649
+
 * Fri Sep 25 2020 Marian Koncek - 2.7.6-2.11
 - Fix security vulnerabilities
 - Resolves: CVE-2020-24750