diff --git a/SOURCES/0001-Disallow-EventData-deserialization-by-default.patch b/SOURCES/0001-Disallow-EventData-deserialization-by-default.patch
new file mode 100644
index 0000000..8022457
--- /dev/null
+++ b/SOURCES/0001-Disallow-EventData-deserialization-by-default.patch
@@ -0,0 +1,46 @@
+From 9d4e3462f17d135b5c928e2419a17bd444c3f2b4 Mon Sep 17 00:00:00 2001
+From: Michael Simacek <msimacek@redhat.com>
+Date: Mon, 19 Mar 2018 16:01:57 +0100
+Subject: [PATCH] Disallow EventData deserialization by default
+
+---
+ .../src/main/java/org/slf4j/ext/EventData.java     | 23 +++++++++++++++-------
+ 1 file changed, 16 insertions(+), 7 deletions(-)
+
+diff --git a/slf4j-ext/src/main/java/org/slf4j/ext/EventData.java b/slf4j-ext/src/main/java/org/slf4j/ext/EventData.java
+index 4478e52..535c5c0 100644
+--- a/slf4j-ext/src/main/java/org/slf4j/ext/EventData.java
++++ b/slf4j-ext/src/main/java/org/slf4j/ext/EventData.java
+@@ -76,13 +76,22 @@ public class EventData implements Serializable {
+    */
+   @SuppressWarnings("unchecked")
+   public EventData(String xml) {
+-    ByteArrayInputStream bais = new ByteArrayInputStream(xml.getBytes());
+-    try {
+-      XMLDecoder decoder = new XMLDecoder(bais);
+-      this.eventData = (Map<String, Object>) decoder.readObject();
+-    } catch (Exception e) {
+-      throw new EventException("Error decoding " + xml, e);
+-    }
++      if ("1".equals(System.getProperty("org.slf4j.ext.allowInsecureDeserialization"))) {
++          ByteArrayInputStream bais = new ByteArrayInputStream(xml.getBytes());
++          try {
++              XMLDecoder decoder = new XMLDecoder(bais);
++              this.eventData = (Map<String, Object>) decoder.readObject();
++          } catch (Exception e) {
++              throw new EventException("Error decoding " + xml, e);
++          }
++      } else {
++          throw new UnsupportedOperationException(
++                  "Constructing EventData from XML is vulnerable to remote " +
++                  "excution and is not allowed by default. If you're " +
++                  "completely sure the source data is trusted, you can enable " +
++                  "it by setting org.slf4j.ext.allowInsecureDeserialization " +
++                  "JVM property to 1");
++      }
+   }
+ 
+   /**
+-- 
+2.14.3
+
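Review bot: The `org.slf4j.ext.allowInsecureDeserialization` gate in `EventData(String xml)` reads a JVM-wide system property, so enabling it for one trusted producer re-enables the unmodified `XMLDecoder.readObject()` path for every caller in the process, and nothing on the visible lines documents that. The constructor's Javadoc begins above the hunk; I would add `@throws UnsupportedOperationException unless the JVM property org.slf4j.ext.allowInsecureDeserialization is set to "1"`, plus a sentence saying the property applies to the whole JVM and that the XML must come from a trusted source. The exception text has a typo that will surface in logs and searches: `"excution and is not allowed by default. If you're " +` should read `"execution and is not allowed by default. If you're " +`. The retained `"Error decoding " + xml` also copies the full input into the exception message, which can carry untrusted text into logs; consider reporting only its length.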
diff --git a/SPECS/slf4j.spec b/SPECS/slf4j.spec
index 384338b..8ea7fb3 100644
--- a/SPECS/slf4j.spec
+++ b/SPECS/slf4j.spec
@@ -30,7 +30,7 @@
 
 Name:           slf4j
 Version:        1.7.4
-Release:        3%{?dist}
+Release:        4%{?dist}
 Epoch:          0
 Summary:        Simple Logging Facade for Java
 Group:          Development/Libraries
@@ -39,6 +39,7 @@ License:        MIT and ASL 2.0
 URL:            http://www.slf4j.org/
 Source0:        http://www.slf4j.org/dist/%{name}-%{version}.tar.gz
 Source1:        http://www.apache.org/licenses/LICENSE-2.0.txt
+Patch0:         0001-Disallow-EventData-deserialization-by-default.patch
 BuildArch:      noarch
 
 BuildRequires:  jpackage-utils >= 0:1.7.5
@@ -92,6 +93,7 @@ This package provides documentation for %{name}.
 
 %prep
 %setup -q
+%patch0 -p1
 find . -name "*.jar" | xargs rm
 cp -p %{SOURCE1} APACHE-LICENSE
 
@@ -149,6 +151,9 @@ cp -pr target/site/* $RPM_BUILD_ROOT%{_defaultdocdir}/%{name}-manual-%{version}
 %doc LICENSE.txt APACHE-LICENSE
 
 %changelog
+* Tue Mar 20 2018 Michael Simacek <msimacek@redhat.com> - 0:1.7.4-4
+- Disallow EventData deserialization by default (CVE-2018-8088)
+
 * Fri Dec 27 2013 Daniel Mach <dmach@redhat.com> - 01.7.4-3
 - Mass rebuild 2013-12-27