diff --git a/python-tornado-removed-custom-match_hostname.patch b/python-tornado-removed-custom-match_hostname.patch
new file mode 100644
index 0000000..aff87c5
--- /dev/null
+++ b/python-tornado-removed-custom-match_hostname.patch
@@ -0,0 +1,91 @@
+From 57adfad39e65a9aeea559de79207cd18db4a21b8 Mon Sep 17 00:00:00 2001
+From: "Endi S. Dewata"
+Date: Wed, 9 Oct 2013 11:50:42 -0400
+Subject: [PATCH] Removed custom match_hostname().
+
+The custom match_hostname() has been removed and replaced with
+backports.ssl_match_hostname().
+---
+ tornado/simple_httpclient.py | 59 +-------------------------------------------
+ 1 file changed, 1 insertion(+), 58 deletions(-)
+
+diff --git a/tornado/simple_httpclient.py b/tornado/simple_httpclient.py
+index 457fabc..38284b6 100644
+--- a/tornado/simple_httpclient.py
++++ b/tornado/simple_httpclient.py
+@@ -6,6 +6,7 @@ from tornado.httputil import HTTPHeaders
+ from tornado.iostream import IOStream, SSLIOStream
+ from tornado import stack_context
+ from tornado.util import b
++from backports.ssl_match_hostname import match_hostname
+
+ import base64
+ import collections
+@@ -445,64 +446,6 @@ class _HTTPConnection(object):
+ self.stream.read_until(b("\r\n"), self._on_chunk_length)
+
+
+-# match_hostname was added to the standard library ssl module in python 3.2.
+-# The following code was backported for older releases and copied from
+-# https://bitbucket.org/brandon/backports.ssl_match_hostname
+-class CertificateError(ValueError):
+- pass
+-
+-def _dnsname_to_pat(dn):
+- pats = []
+- for frag in dn.split(r'.'):
+- if frag == '*':
+- # When '*' is a fragment by itself, it matches a non-empty dotless
+- # fragment.
+- pats.append('[^.]+')
+- else:
+- # Otherwise, '*' matches any dotless fragment.
+- frag = re.escape(frag)
+- pats.append(frag.replace(r'\*', '[^.]*'))
+- return re.compile(r'\A' + r'\.'.join(pats) + r'\Z', re.IGNORECASE)
+-
+-def match_hostname(cert, hostname):
+- """Verify that *cert* (in decoded format as returned by
+- SSLSocket.getpeercert()) matches the *hostname*. RFC 2818 rules
+- are mostly followed, but IP addresses are not accepted for *hostname*.
+-
+- CertificateError is raised on failure. On success, the function
+- returns nothing.
+- """
+- if not cert:
+- raise ValueError("empty or no certificate")
+- dnsnames = []
+- san = cert.get('subjectAltName', ())
+- for key, value in san:
+- if key == 'DNS':
+- if _dnsname_to_pat(value).match(hostname):
+- return
+- dnsnames.append(value)
+- if not san:
+- # The subject is only checked when subjectAltName is empty
+- for sub in cert.get('subject', ()):
+- for key, value in sub:
+- # XXX according to RFC 2818, the most specific Common Name
+- # must be used.
+- if key == 'commonName':
+- if _dnsname_to_pat(value).match(hostname):
+- return
+- dnsnames.append(value)
+- if len(dnsnames) > 1:
+- raise CertificateError("hostname %r "
+- "doesn't match either of %s"
+- % (hostname, ', '.join(map(repr, dnsnames))))
+- elif len(dnsnames) == 1:
+- raise CertificateError("hostname %r "
+- "doesn't match %r"
+- % (hostname, dnsnames[0]))
+- else:
+- raise CertificateError("no appropriate commonName or "
+- "subjectAltName fields were found")
+-
+ if __name__ == "__main__":
+ AsyncHTTPClient.configure(SimpleAsyncHTTPClient)
+ main()
+--
+1.8.3.1
+
diff --git a/python-tornado.spec b/python-tornado.spec
index 62facf1..9f9828b 100644
--- a/python-tornado.spec
+++ b/python-tornado.spec
@@ -1,4 +1,4 @@
-%if 0%{?fedora} > 12 || 0%{?rhel} > 6
+%if 0%{?fedora} > 12
 %global with_python3 1
 %else
 %{!?python_sitelib: %global python_sitelib %(%{__python} -c "from distutils.sysconfig import get_python_lib; print (get_python_lib())")}
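Review bot: The import added to tornado/simple_httpclient.py inside the new python-tornado-removed-custom-match_hostname.patch is unconditional, so the module fails at import time on any interpreter that does not have backports.ssl_match_hostname installed. The spec also builds a python3-tornado subpackage, presumably from the same patched tree, and no Python 3 dependency on the backport is visible in this diff. Guarding the import as below keeps Python 3.2+ on the standard-library ssl.match_hostname, which then relies on the packaged interpreter carrying the fixes for the same CVEs. The removed block also defined CertificateError in this module; if anything outside these hunks refers to that name through simple_httpclient, it should be imported alongside match_hostname.

```python
from tornado.util import b
try:
    from ssl import match_hostname  # standard library on Python 3.2+
except ImportError:
    from backports.ssl_match_hostname import match_hostname
```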
@@ -8,19 +8,22 @@ Name: python-%{pkgname} Version: 2.2.1 -Release: 1%{?dist} +Release: 7%{?dist} Summary: Scalable, non-blocking web server and tools Group: Development/Libraries License: ASL 2.0 URL: http://www.tornadoweb.org Source0: http://github.com/downloads/facebook/%{pkgname}/%{pkgname}-%{version}.tar.gz -BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) +# Fix for CVE-2013-2098 CVE-2013-2099 +# https://bugzilla.redhat.com/show_bug.cgi?id=966270 +Patch0: python-tornado-removed-custom-match_hostname.patch BuildArch: noarch BuildRequires: python-devel +BuildRequires: python-backports-ssl_match_hostname +Requires: python-backports-ssl_match_hostname Requires: python-pycurl -Requires: python-simplejson %if 0%{?with_python3} BuildRequires: python-tools BuildRequires: python3-setuptools @@ -72,6 +75,7 @@ server and and tools. This package contains some example applications. %prep %setup -q -n %{pkgname}-%{version} +%patch0 -p1 # remove shebang from files %{__sed} -i.orig -e '/^#!\//, 1d' *py tornado/*.py tornado/*/*.py @@ -94,8 +98,6 @@ python setup.py build %install -rm -rf %{buildroot} - %if 0%{?with_python3} pushd %{py3dir} PATH=$PATH:%{buildroot}%{python3_sitelib}/%{pkgname} @@ -107,9 +109,6 @@ PATH=$PATH:%{buildroot}%{python_sitelib}/%{pkgname} python setup.py install --root=%{buildroot} -%clean -rm -rf %{buildroot} - %check %if "%{dist}" != ".el6" %if 0%{?with_python3} 
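Review bot: The new `Requires: python-backports-ssl_match_hostname` and the matching BuildRequires in the -8,19 hunk carry no minimum version, yet the fix for CVE-2013-2098 and CVE-2013-2099 now lives entirely in that package, so a backport build that predates its own fix would still satisfy the dependency. Pin both lines to the first fixed build, for example `Requires: python-backports-ssl_match_hostname >= <first-fixed-version>`. Add the equivalent requirement to the python3-tornado subpackage if it ships the patched simple_httpclient.py; its %package section is outside these hunks. The comment above Patch0 cites bug 966270 while the changelog entry later in this diff says #96627, so one of the two should be corrected.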
@@ -121,31 +120,47 @@ rm -rf %{buildroot} %endif %files -%defattr(-,root,root,-) %doc README PKG-INFO %{python_sitelib}/%{pkgname}/ %{python_sitelib}/%{pkgname}-%{version}-*.egg-info %files doc -%defattr(-,root,root,-) %doc demos %if 0%{?with_python3} %files -n python3-tornado -%defattr(-,root,root,-) %doc README PKG-INFO %{python3_sitelib}/%{pkgname}/ %{python3_sitelib}/%{pkgname}-%{version}-*.egg-info %files -n python3-tornado-doc -%defattr(-,root,root,-) %doc demos %endif %changelog +* Fri Dec 5 2014 Orion Poplawski - 2.2.1-7 +- Add patch to fix CVE-2013-2098 CVE-2013-2099 (bug #96627) +- Drop requires python-simplejson, not needed for modern python + +* Sun Aug 04 2013 Fedora Release Engineering - 2.2.1-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild + +* Fri Jun 14 2013 Thomas Spura - 2.2.1-5 +- remove rhel conditional for with_python3: + https://fedorahosted.org/fpc/ticket/200 + +* Thu Feb 14 2013 Fedora Release Engineering - 2.2.1-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild + +* Sat Aug 04 2012 David Malcolm - 2.2.1-3 +- rebuild for https://fedoraproject.org/wiki/Features/Python_3.3 + +* Sat Jul 21 2012 Fedora Release Engineering - 2.2.1-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild + * Sun May 20 2012 Thomas Spura - 2.2.1-1 - update to upstream release 2.2.1 (fixes CVE-2012-2374) - fix typo for epel6 macro bug #822972 (Florian La Roche)