diff --git a/SOURCES/xerces-j2-CVE-2013-4002.patch b/SOURCES/xerces-j2-CVE-2013-4002.patch
new file mode 100644
index 0000000..a2f5516
--- /dev/null
+++ b/SOURCES/xerces-j2-CVE-2013-4002.patch
@@ -0,0 +1,47 @@
+--- src/org/apache/xerces/impl/XMLScanner.java 2013/07/03 18:25:06 1499505
++++ src/org/apache/xerces/impl/XMLScanner.java 2013/07/03 18:29:43 1499506
+@@ -542,7 +542,7 @@
+ // document is until we scan the encoding declaration
+ // you cannot reliably read any characters outside
+ // of the ASCII range here. -- mrglavas
+- String name = fEntityScanner.scanName();
++ String name = scanPseudoAttributeName();
+ XMLEntityManager.print(fEntityManager.getCurrentEntity());
+ if (name == null) {
+ reportFatalError("PseudoAttrNameExpected", null);
+@@ -599,6 +599,35 @@
+ } // scanPseudoAttribute(XMLString):String
+ /**
++ * Scans the name of a pseudo attribute. The only legal names
++ * in XML 1.0/1.1 documents are 'version', 'encoding' and 'standalone'.
++ *
++ * @return the name of the pseudo attribute or <code>null</code>
++ * if a legal pseudo attribute name could not be scanned.
++ */
++ private String scanPseudoAttributeName() throws IOException, XNIException {
++ final int ch = fEntityScanner.peekChar();
++ switch (ch) {
++ case 'v':
++ if (fEntityScanner.skipString(fVersionSymbol)) {
++ return fVersionSymbol;
++ }
++ break;
++ case 'e':
++ if (fEntityScanner.skipString(fEncodingSymbol)) {
++ return fEncodingSymbol;
++ }
++ break;
++ case 's':
++ if (fEntityScanner.skipString(fStandaloneSymbol)) {
++ return fStandaloneSymbol;
++ }
++ break;
++ }
++ return null;
++ } // scanPseudoAttributeName()
++
++ /**
+ * Scans a processing instruction.
+ * <p>
+ * <pre>
diff --git a/SPECS/xerces-j2.spec b/SPECS/xerces-j2.spec
index d249f8a..1c23bc6 100644
--- a/SPECS/xerces-j2.spec
+++ b/SPECS/xerces-j2.spec
@@ -4,7 +4,7 @@
Name: xerces-j2
Version: 2.11.0
-Release: 16%{?dist}
+Release: 17%{?dist}
Summary: Java XML parser
Group: Development/Libraries
License: ASL 2.0
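Review bot: The replaced line `String name = scanPseudoAttributeName();` in scanPseudoAttribute carries no comment saying why the general `scanName()` was abandoned, so a later maintainer could "simplify" it back; the only rationale on the page is the comment above it about non-ASCII input and the spec's reference to CVE-2013-4002. Suggest adding directly above that line: `// Match only the three legal pseudo-attribute names instead of scanning an arbitrary Name; see CVE-2013-4002 (JAXP 8017298).` The Javadoc of the new scanPseudoAttributeName should also state that on the `null` path the scanner position is presumably left where it was, since `skipString` appears to consume input only on a full match — worth confirming against XMLEntityScanner before writing it as fact. Returning the interned `fVersionSymbol`/`fEncodingSymbol`/`fStandaloneSymbol` rather than a freshly scanned String looks deliberate (the caller presumably compares by identity), and a one-line comment on the first `return fVersionSymbol;` would make that explicit. scanPseudoAttribute itself starts before and continues after the hunk.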
@@ -31,6 +31,10 @@ Patch0: %{name}-build.patch
# Patch the manifest so that it includes OSGi stuff
Patch1: %{name}-manifest.patch
+# Fix XML parsing bug (JAXP, 8017298)
+# Backported from upstream commit http://svn.apache.org/viewvc?view=revision&revision=1499506
+Patch2: %{name}-CVE-2013-4002.patch
+
BuildArch: noarch
BuildRequires: java-devel >= 1:1.6.0
@@ -113,6 +117,7 @@ Requires: %{name} = %{version}-%{release}
%setup -q -n xerces-%{cvs_version}
%patch0 -p0 -b .orig
%patch1 -p0 -b .orig
+%patch2 -p0 -b .orig
# Copy the custom ant tasks into place
mkdir -p tools/org/apache/xerces/util
@@ -216,6 +221,10 @@ update-alternatives --install %{_javadir}/jaxp_parser_impl.jar \
%{_datadir}/%{name}
%changelog
+* Thu Sep 11 2014 Mikolaj Izdebski <mizdebsk@redhat.com> - 2.11.0-17
+- Fix XML parsing bug (JAXP, 8017298)
+- Resolves: CVE-2013-4002
+
* Fri Dec 27 2013 Daniel Mach <dmach@redhat.com> - 2.11.0-16
- Mass rebuild 2013-12-27