diff --git a/SOURCES/ruby-2.0.0-p594-CVE-2014-8080-REXML-billion-laughs-attack.patch b/SOURCES/ruby-2.0.0-p594-CVE-2014-8080-REXML-billion-laughs-attack.patch
new file mode 100644
index 0000000..8d375b4
--- /dev/null
+++ b/SOURCES/ruby-2.0.0-p594-CVE-2014-8080-REXML-billion-laughs-attack.patch
@@ -0,0 +1,114 @@
+Index: ChangeLog
+===================================================================
+--- ChangeLog (revision 48161)
++++ ChangeLog (revision 48162)
+@@ -1,3 +1,9 @@
++Mon Oct 27 20:21:05 2014 NAKAMURA Usaku
++
++ * lib/rexml/entity.rb: keep the entity size within the limitation.
++ reported by Willis Vandevanter and
++ patched by nahi.
++
+ Sun Jul 13 22:52:43 2014 Nobuyoshi Nakada
+
+ * pack.c (encodes): fix buffer overrun by tail_lf. Thanks to
+Index: lib/rexml/entity.rb
+===================================================================
+--- lib/rexml/entity.rb (revision 48161)
++++ lib/rexml/entity.rb (revision 48162)
+@@ -138,8 +138,14 @@
+ matches = @value.scan(PEREFERENCE_RE)
+ rv = @value.clone
+ if @parent
++ sum = 0
+ matches.each do |entity_reference|
+ entity_value = @parent.entity( entity_reference[0] )
++ if sum + entity_value.bytesize > Document.entity_expansion_text_limit
++ raise "entity expansion has grown too large"
++ else
++ sum += entity_value.bytesize
++ end
+ rv.gsub!( /%#{entity_reference.join};/um, entity_value )
+ end
+ end
+Index: test/rexml/test_document.rb
+===================================================================
+--- test/rexml/test_document.rb (revision 48161)
++++ test/rexml/test_document.rb (revision 48162)
+@@ -47,6 +47,20 @@
+
+ EOF
+
++ XML_WITH_NESTED_PARAMETER_ENTITY = <
++
++
++
++
++
++
++
++]>
++
++EOF
++
+ XML_WITH_4_ENTITY_EXPANSION = < + ..." + message = "こんにちは、世界!" # Hello world! in Japanese
+Index: test/rexml/test_entity.rb
+===================================================================
+--- test/rexml/test_entity.rb (revision 0)
++++ test/rexml/test_entity.rb (revision 48162)
+@@ -122,6 +122,22 @@
+ end
+ end
+
++ def test_entity_string_limit_for_parameter_entity
++ template = ' ]>'
++ len = 5120 # 5k per entity
++ template.sub!(/\^/, "B" * len)
++
++ # 10k is OK
++ entities = '%a;' * 2 # 5k entity * 2 = 10k
++ REXML::Document.new(template.sub(/\$/, entities))
++
++ # above 10k explodes
++ entities = '%a;' * 3 # 5k entity * 2 = 15k
++ assert_raises(REXML::ParseException) do
++ REXML::Document.new(template.sub(/\$/, entities))
++ end
++ end
++
+ def test_raw
+ source = '
+Index: .
+===================================================================
+--- . (revision 48161)
++++ . (revision 48162)
+
+Property changes on: .
+___________________________________________________________________
+Modified: svn:mergeinfo
+ Merged /trunk:r48161
diff --git a/SOURCES/ruby-2.0.0-p598-CVE-2014-8090-REXML-incomplete-fix-for-CVE-2014-8080.patch b/SOURCES/ruby-2.0.0-p598-CVE-2014-8090-REXML-incomplete-fix-for-CVE-2014-8080.patch
new file mode 100644
index 0000000..9687888
--- /dev/null
+++ b/SOURCES/ruby-2.0.0-p598-CVE-2014-8090-REXML-incomplete-fix-for-CVE-2014-8080.patch
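Review bot: In the lib/rexml/entity.rb hunk the new limit check reads `entity_value.bytesize` before anything establishes that `@parent.entity( entity_reference[0] )` returned a value, so if that lookup can return nil for an undeclared parameter entity the failure surfaces as a NoMethodError rather than a parse error; the pre-patch `gsub!` would also have failed on nil, so this is not a regression, but `raise "undefined parameter entity: #{entity_reference[0]}" unless entity_value` (message constructed here) ahead of the check would make the failure mode explicit. The bare `raise` produces a RuntimeError while the new test asserts `REXML::ParseException`, which presumably relies on the parser wrapping exceptions raised during DTD processing; a one-line comment at the raise, `# wrapped into ParseException by the parser when raised during DTD processing`, would record that dependency. The comment on the third case in test_entity.rb, `# 5k entity * 2 = 15k`, should read `# 5k entity * 3 = 15k` to match the `'%a;' * 3` it annotates. The enclosing method in entity.rb starts and ends outside the hunk.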
@@ -0,0 +1,131 @@
+Index: ChangeLog
+===================================================================
+--- ChangeLog (revision 48402)
++++ ChangeLog (revision 48403)
+@@ -1,3 +1,8 @@
++Thu Nov 13 22:31:50 2014 CHIKANAGA Tomoyuki
++
++ * lib/rexml/document.rb: add REXML::Document#document.
++ reported by Tomas Hoger and patched by nahi.
++
+ Mon Oct 27 20:21:05 2014 NAKAMURA Usaku
+
+ * lib/rexml/entity.rb: keep the entity size within the limitation.
+Index: lib/rexml/document.rb
+===================================================================
+--- lib/rexml/document.rb (revision 48402)
++++ lib/rexml/document.rb (revision 48403)
+@@ -278,6 +278,10 @@
+ end
+ end
+
++ def document
++ self
++ end
++
+ private
+ def build( source )
+ Parsers::TreeParser.new( source, self ).parse
+Index: lib/rexml/entity.rb
+===================================================================
+--- lib/rexml/entity.rb (revision 48402)
++++ lib/rexml/entity.rb (revision 48403)
+@@ -157,6 +157,7 @@
+
+ # This is a set of entity constants -- the ones defined in the XML
+ # specification. These are +gt+, +lt+, +amp+, +quot+ and +apos+.
++ # CAUTION: these entities does not have parent and document
+ module EntityConst
+ # +>+
+ GT = Entity.new( 'gt', '>' )
+Index: test/rexml/test_document.rb
+===================================================================
+--- test/rexml/test_document.rb (revision 48402)
++++ test/rexml/test_document.rb (revision 48403)
+@@ -47,6 +47,22 @@
+
+ EOF
+
++ XML_WITH_NESTED_EMPTY_ENTITY = <
++
++
++
++
++
++
++
++]>
++
++&a;
++
++EOF
++
+ XML_WITH_NESTED_PARAMETER_ENTITY = <
+@@ -60,6 +76,19 @@
+ ]>
+
+ EOF
++ XML_WITH_NESTED_EMPTY_PARAMETER_ENTITY = <
++
++
++
++
++
++
++
++]>
++
++EOF
+
+ XML_WITH_4_ENTITY_EXPANSION = <
+@@ -87,6 +116,18 @@
+ end
+ assert_equal(101, doc.entity_expansion_count)
+
++ doc = REXML::Document.new(XML_WITH_NESTED_EMPTY_ENTITY)
++ assert_raise(RuntimeError) do
++ doc.root.children.first.value
++ end
++ REXML::Document.entity_expansion_limit = 100
++ assert_equal(100, REXML::Document.entity_expansion_limit)
++ doc = REXML::Document.new(XML_WITH_NESTED_EMPTY_ENTITY)
++ assert_raise(RuntimeError) do
++ doc.root.children.first.value
++ end
++ assert_equal(101, doc.entity_expansion_count)
++
+ REXML::Document.entity_expansion_limit = 4
+ doc = REXML::Document.new(XML_WITH_4_ENTITY_EXPANSION)
+ assert_equal("\na\na a\n<\n", doc.root.children.first.value)
+@@ -95,6 +136,15 @@
+ assert_raise(RuntimeError) do
+ doc.root.children.first.value
+ end
++
++ assert_raise(REXML::ParseException) do
++ REXML::Document.new(XML_WITH_NESTED_EMPTY_PARAMETER_ENTITY)
++ end
++ REXML::Document.entity_expansion_limit = 100
++ assert_equal(100, REXML::Document.entity_expansion_limit)
++ assert_raise(REXML::ParseException) do
++ REXML::Document.new(XML_WITH_NESTED_EMPTY_PARAMETER_ENTITY)
++ end
+ ensure
+ REXML::Document.entity_expansion_limit = 10000
+ end
+Index: .
+===================================================================
+--- . (revision 48402)
++++ . (revision 48403)
+
+Property changes on: .
+___________________________________________________________________
+Modified: svn:mergeinfo
+ Merged /trunk:r48402
diff --git a/SOURCES/ruby-2.1.0-CVE-2014-4975-fix-buffer-overru-by-tail_lf.patch b/SOURCES/ruby-2.1.0-CVE-2014-4975-fix-buffer-overru-by-tail_lf.patch
new file mode 100644
index 0000000..03b8e39
--- /dev/null
+++ b/SOURCES/ruby-2.1.0-CVE-2014-4975-fix-buffer-overru-by-tail_lf.patch
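Review bot: The new `Document#document` in the lib/rexml/document.rb hunk carries no comment, and nothing in the hunk says why a Document must answer `document` with itself; the ChangeLog entry ties it to the CVE-2014-8080 follow-up, presumably because nodes below the doctype resolve their owning document through this method and previously got nil, so the expansion limits were not consulted for them. A comment such as `# A Document is its own document; returning self lets entities and other child nodes resolve the document that tracks entity expansion.` would stop a later reader from deleting it as a no-op. The added EntityConst caution in the entity.rb hunk also has a grammar slip; `# CAUTION: these entities have no parent and no document` reads correctly. The test hunk covers both the general entity path (`XML_WITH_NESTED_EMPTY_ENTITY`, RuntimeError) and the parameter entity path (ParseException), which is the right pair to pin.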
@@ -0,0 +1,81 @@
+Index: ChangeLog
+===================================================================
+--- ChangeLog (revision 46805)
++++ ChangeLog (revision 46806)
+@@ -1,3 +1,8 @@
++Sun Jul 13 22:52:43 2014 Nobuyoshi Nakada
++
++ * pack.c (encodes): fix buffer overrun by tail_lf. Thanks to
++ Mamoru Tasaka and Tomas Hoger. [ruby-core:63604] [Bug #10019]
++
+ Fri Jan 3 10:43:57 2014 Aman Gupta
+
+ * test/net/imap/cacert.pem: generate new CA cert, since the last one
+Index: pack.c
+===================================================================
+--- pack.c (revision 46805)
++++ pack.c (revision 46806)
+@@ -1063,7 +1063,8 @@
+ static void
+ encodes(VALUE str, const char *s, long len, int type, int tail_lf)
+ {
+- char buff[4096];
++ enum {buff_size = 4096, encoded_unit = 4};
++ char buff[buff_size + 1]; /* +1 for tail_lf */
+ long i = 0;
+ const char *trans = type == 'u' ? uu_table : b64_table;
+ char padding;
+@@ -1076,7 +1077,7 @@
+ padding = '=';
+ }
+ while (len >= 3) {
+- while (len >= 3 && sizeof(buff)-i >= 4) {
++ while (len >= 3 && buff_size-i >= encoded_unit) {
+ buff[i++] = trans[077 & (*s >> 2)];
+ buff[i++] = trans[077 & (((*s << 4) & 060) | ((s[1] >> 4) & 017))];
+ buff[i++] = trans[077 & (((s[1] << 2) & 074) | ((s[2] >> 6) & 03))];
+@@ -1084,7 +1085,7 @@
+ s += 3;
+ len -= 3;
+ }
+- if (sizeof(buff)-i < 4) {
++ if (buff_size-i < encoded_unit) {
+ rb_str_buf_cat(str, buff, i);
+ i = 0;
+ }
+@@ -1104,6 +1105,7 @@
+ }
+ if (tail_lf) buff[i++] = '\n';
+ rb_str_buf_cat(str, buff, i);
++ if ((size_t)i > sizeof(buff)) rb_bug("encodes() buffer overrun");
+ }
+
+ static const char hex_table[] = "0123456789ABCDEF";
+Index: test/ruby/test_pack.rb
+===================================================================
+--- test/ruby/test_pack.rb (revision 46805)
++++ test/ruby/test_pack.rb (revision 46806)
+@@ -536,6 +536,14 @@
+ assert_equal(["\377"], "/w==\n".unpack("m"))
+ assert_equal(["\377\377"], "//8=\n".unpack("m"))
+ assert_equal(["\377\377\377"], "////\n".unpack("m"))
++
++ bug10019 = '[ruby-core:63604] [Bug #10019]'
++ size = ((4096-4)/4*3+1)
++ assert_separately(%W[- #{size} #{bug10019}], <<-'end;')
++ size = ARGV.shift.to_i
++ bug = ARGV.shift
++ assert_equal(size, ["a"*size].pack("m#{size+2}").unpack("m")[0].size, bug)
++ end;
+ end
+
+ def test_pack_unpack_m0
+Index: .
+===================================================================
+--- . (revision 46805)
++++ . (revision 46806)
+
+Property changes on: .
+___________________________________________________________________
+Modified: svn:mergeinfo
+ Merged /trunk:r46778
diff --git a/SPECS/ruby.spec b/SPECS/ruby.spec
index 7cf3acd..2a4ed6a 100644
--- a/SPECS/ruby.spec
+++ b/SPECS/ruby.spec
@@ -30,7 +30,7 @@
 %global ruby_archive %{ruby_archive}-p%{patch_level}
 %endif
-%global release 23
+%global release 24
 %{!?release_string:%global release_string %{?development_release:0.}%{release}%{?development_release:.%{development_release}}%{?dist}}
@@ -177,6 +177,15 @@ Patch26: rubygems-2.1.0-Use-File.join-instead-of-manual-path-creation.patch
 # Fix test_class_build_unconventional(TestGemExtExtConfBuilder) test error.
 # https://github.com/rubygems/rubygems/commit/40ce9bfd4917f8d8aa023c92073ec5e9da898f71
 Patch27: rubygems-2.1.0-Fix-test-failure-when-ruby-is-not-yet-installed.patch
+# CVE-2014-4975: Fix off-by-one stack-based buffer overflow in the encodes() function
+# https://bugs.ruby-lang.org/issues/10019
+Patch28: ruby-2.1.0-CVE-2014-4975-fix-buffer-overru-by-tail_lf.patch
+# CVE-2014-8080: Fix REXML billion laughs attack via parameter entity expansion.
+# https://bugzilla.redhat.com/show_bug.cgi?id=1157709
+Patch29: ruby-2.0.0-p594-CVE-2014-8080-REXML-billion-laughs-attack.patch
+# CVE-2014-8090: REXML incomplete fix for CVE-2014-8080.
+# https://bugzilla.redhat.com/show_bug.cgi?id=1159927
+Patch30: ruby-2.0.0-p598-CVE-2014-8090-REXML-incomplete-fix-for-CVE-2014-8080.patch
 # make sure we always use scl gdbm
 %if 0%{?scl_gdbm}
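Review bot: The new `rb_bug` guard in the pack.c hunk is placed after `rb_str_buf_cat(str, buff, i)`, so it can only report an overrun once that call has already read past the end of `buff`; moving the line `if ((size_t)i > sizeof(buff)) rb_bug("encodes() buffer overrun");` to just before the `rb_str_buf_cat` keeps it as cheap as now but lets it fire before the out-of-bounds read. The `/* +1 for tail_lf */` note explains the extra byte, but the invariant it relies on — that `i` is at most `buff_size` when the trailing newline is written — is only implied by the `buff_size-i >= encoded_unit` loop condition and the flush below it; a comment on the enum such as `/* buff_size bytes of encoded output plus one for the optional trailing newline; the loop flushes whenever fewer than encoded_unit bytes remain */` would make it explicit. The padding branch between the -1084 and -1104 hunks is not shown, so the claim that it adds at most `encoded_unit` bytes after the last flush is inferred from the loop condition rather than visible here.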
@@ -463,6 +472,9 @@ Tcl/Tk interface for the object-oriented scripting language Ruby.
 %patch25 -p1
 %patch26 -p1
 %patch27 -p1
+%patch28
+%patch29
+%patch30
 # Provide an example of usage of the tapset:
 cp -a %{SOURCE3} .
@@ -963,6 +975,16 @@ make test-all TESTS="%{SOURCE8}"
 %{ruby_libdir}/tkextlib
 %changelog
+* Fri Nov 14 2014 Vít Ondruch - 2.0.0.353-24
+- Fix off-by-one stack-based buffer overflow in the encodes() function
+ (CVE-2014-4975).
+ Related: rhbz#1164005
+- Fix REXML billion laughs attack via parameter entity expansion
+ (CVE-2014-8080).
+ Related: rhbz#1164005
+- REXML incomplete fix for CVE-2014-8080 (CVE-2014-8090).
+ Related: rhbz#1164005
+
 * Fri Feb 28 2014 Vít Ondruch - 2.0.0.353-23
 - Explicitly depend on libyaml, to workaround issues with scl prefixed libyam.
 Resolves: rhbz#1071347
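Review bot: The three new `%patch28`, `%patch29` and `%patch30` lines omit the strip level while every neighbouring `%patch` line passes `-p1`; the added patches carry svn-style `Index:` headers with unprefixed paths, so relying on the default level is presumably intentional, but `%patch28 -p0` (and the same for 29 and 30) states that choice instead of leaving a reader to wonder whether `-p1` was forgotten. If the flag is deliberately left off, a short comment above them, e.g. `# svn-style patches: paths are relative to the source root`, would serve the same purpose.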