diff --git a/ruby-1.8.6-rexml-CVE-2008-3790.patch b/ruby-1.8.6-rexml-CVE-2008-3790.patch
new file mode 100644
index 0000000..2ce6e1f
--- /dev/null
+++ b/ruby-1.8.6-rexml-CVE-2008-3790.patch
@@ -0,0 +1,96 @@
+diff -pruN ruby-1.8.6-p287.orig/lib/rexml/document.rb ruby-1.8.6-p287/lib/rexml/document.rb
+--- ruby-1.8.6-p287.orig/lib/rexml/document.rb	2007-11-04 13:50:15.000000000 +0900
++++ ruby-1.8.6-p287/lib/rexml/document.rb	2008-10-08 22:25:14.000000000 +0900
+@@ -32,6 +32,7 @@ module REXML
+ 	  # @param context if supplied, contains the context of the document;
+ 	  # this should be a Hash.
+ 		def initialize( source = nil, context = {} )
++      @entity_expansion_count = 0
+ 			super()
+ 			@context = context
+ 			return if source.nil?
+@@ -200,6 +201,27 @@ module REXML
+ 			Parsers::StreamParser.new( source, listener ).parse
+ 		end
+ 
++    @@entity_expansion_limit = 10_000
++
++    # Set the entity expansion limit. By defualt the limit is set to 10000.
++    def Document::entity_expansion_limit=( val )
++      @@entity_expansion_limit = val
++    end
++
++    # Get the entity expansion limit. By defualt the limit is set to 10000.
++    def Document::entity_expansion_limit
++      return @@entity_expansion_limit
++    end
++
++    attr_reader :entity_expansion_count
++    
++    def record_entity_expansion
++      @entity_expansion_count += 1
++      if @entity_expansion_count > @@entity_expansion_limit
++        raise "number of entity expansions exceeded, processing aborted."
++      end
++    end
++
+ 		private
+ 		def build( source )
+       Parsers::TreeParser.new( source, self ).parse
+diff -pruN ruby-1.8.6-p287.orig/lib/rexml/entity.rb ruby-1.8.6-p287/lib/rexml/entity.rb
+--- ruby-1.8.6-p287.orig/lib/rexml/entity.rb	2007-07-28 11:46:08.000000000 +0900
++++ ruby-1.8.6-p287/lib/rexml/entity.rb	2008-10-08 22:25:14.000000000 +0900
+@@ -73,6 +73,7 @@ module REXML
+ 		# all entities -- both %ent; and &ent; entities.  This differs from
+ 		# +value()+ in that +value+ only replaces %ent; entities.
+ 		def unnormalized
++      document.record_entity_expansion
+ 			v = value()
+ 			return nil if v.nil?
+ 			@unnormalized = Text::unnormalize(v, parent)
+diff -pruN ruby-1.8.6-p287.orig/test/rexml/test_document.rb ruby-1.8.6-p287/test/rexml/test_document.rb
+--- ruby-1.8.6-p287.orig/test/rexml/test_document.rb	1970-01-01 09:00:00.000000000 +0900
++++ ruby-1.8.6-p287/test/rexml/test_document.rb	2008-10-08 22:25:14.000000000 +0900
+@@ -0,0 +1,42 @@
++require "rexml/document"
++require "test/unit"
++
++class REXML::TestDocument < Test::Unit::TestCase
++  def test_new
++    doc = REXML::Document.new(<<EOF)
++<?xml version="1.0" encoding="UTF-8"?>
++<message>Hello world!</message>
++EOF
++    assert_equal("Hello world!", doc.root.children.first.value)
++  end
++
++  XML_WITH_NESTED_ENTITY = <<EOF
++<?xml version="1.0" encoding="UTF-8"?>
++<!DOCTYPE member [
++  <!ENTITY a "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">
++  <!ENTITY b "&c;&c;&c;&c;&c;&c;&c;&c;&c;&c;">
++  <!ENTITY c "&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;">
++  <!ENTITY d "&e;&e;&e;&e;&e;&e;&e;&e;&e;&e;">
++  <!ENTITY e "&f;&f;&f;&f;&f;&f;&f;&f;&f;&f;">
++  <!ENTITY f "&g;&g;&g;&g;&g;&g;&g;&g;&g;&g;">
++  <!ENTITY g "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx">
++]>
++<member>
++&a;
++</member>
++EOF
++
++  def test_entity_expansion_limit
++    doc = REXML::Document.new(XML_WITH_NESTED_ENTITY)
++    assert_raise(RuntimeError) do
++      doc.root.children.first.value
++    end
++    REXML::Document.entity_expansion_limit = 100
++    assert_equal(100, REXML::Document.entity_expansion_limit)
++    doc = REXML::Document.new(XML_WITH_NESTED_ENTITY)
++    assert_raise(RuntimeError) do
++      doc.root.children.first.value
++    end
++    assert_equal(101, doc.entity_expansion_count)
++  end
++end
diff --git a/ruby.spec b/ruby.spec
index 4de644d..2206c3b 100644
--- a/ruby.spec
+++ b/ruby.spec
@@ -12,7 +12,7 @@
 
 Name:		ruby
 Version:	%{rubyver}%{?dotpatchlevel}
-Release:	1%{?dist}
+Release:	2%{?dist}
 License:	Ruby or GPLv2
 URL:		http://www.ruby-lang.org/
 BuildRoot:	%{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -34,6 +34,7 @@ Patch21:	ruby-deprecated-sitelib-search-path.patch
 Patch22:	ruby-deprecated-search-path.patch
 Patch23:	ruby-multilib.patch
 Patch25:	ruby-1.8.6.111-gcc43.patch
+Patch26:	ruby-1.8.6-rexml-CVE-2008-3790.patch
 
 Summary:	An interpreter of object-oriented scripting language
 Group:		Development/Languages
@@ -152,6 +153,7 @@ pushd %{name}-%{arcver}
 %patch23 -p1
 %endif
 %patch25 -p1
+%patch26 -p1
 popd
 
 %build
@@ -502,6 +504,9 @@ rm -rf tmp-ruby-docs
 %{_datadir}/emacs/site-lisp/site-start.d/ruby-mode-init.el
 
 %changelog
+* Wed Oct  8 2008 Akira TAGOH <tagoh@redhat.com> - 1.8.6.287-2
+- CVE-2008-3790: DoS vulnerability in the REXML module.
+
 * Sat Aug 23 2008 Akira TAGOH <tagoh@redhat.com> - 1.8.6.287-1
 - New upstream release.
 - Security fixes.