diff --git a/scponly-4.6-CVE-2007-6415.patch b/scponly-4.6-CVE-2007-6415.patch
new file mode 100644
index 0000000..b4075d4
--- /dev/null
+++ b/scponly-4.6-CVE-2007-6415.patch
@@ -0,0 +1,29 @@
+diff -pruN scponly-4.6.orig/helper.c scponly-4.6/helper.c
+--- scponly-4.6.orig/helper.c	2006-01-31 23:04:16.000000000 +0100
++++ scponly-4.6/helper.c	2008-02-13 20:11:58.000000000 +0100
+@@ -181,10 +181,10 @@ int check_dangerous_args(char **av)
+ 				 */
+ 				opterr=cmdarg->strict;
+ 				while ((ch = getopt(ac, av, cmdarg->opts)) != -1)
+-					if (ch == cmdarg->badarg[0])
++					if (strchr(cmdarg->badarg, ch) || (cmdarg->strict && ch == '?'))
+ 					{
+-						syslog(LOG_ERR, "option %s is not permitted for use with %s (arg was %s)(%s))", 
+-							cmdarg->badarg, cmdarg->name, optarg, logstamp());
++						syslog(LOG_ERR, "option -%c is not permitted for use with %s (arg was %s)(%s))", 
++							ch, cmdarg->name, optarg, logstamp());
+ 						return 1;
+ 					}
+ #elif
+diff -pruN scponly-4.6.orig/scponly.c scponly-4.6/scponly.c
+--- scponly-4.6.orig/scponly.c	2006-01-31 00:09:40.000000000 +0100
++++ scponly-4.6/scponly.c	2008-02-13 20:11:58.000000000 +0100
+@@ -92,7 +92,7 @@ cmd_arg_t dangerous_args[] =
+ 	 * program name		use getopt?		strict optlist?	optname			optlist
+ 	 */
+ #ifdef ENABLE_SCP2
+-	{ PROG_SCP, 		1, 				1,				"S",			"dfl:prtvBCc:i:P:q1246S:o:F:" },
++	{ PROG_SCP, 		1, 				1,				"SoF",			"dfl:prtvBCc:i:P:q1246S:o:F:" },
+ #endif
+ #ifdef RSYNC_COMPAT
+ 	{ PROG_RSYNC, 		1, 				0,				"e",			"e:" },
diff --git a/scponly.spec b/scponly.spec
index bac505b..19ad9d8 100644
--- a/scponly.spec
+++ b/scponly.spec
@@ -1,12 +1,13 @@
 Summary: Restricted shell for ssh based file services
 Name: scponly
 Version: 4.6
-Release: 6%{?dist}
+Release: 10%{?dist}
 License: BSD
 Group: Applications/Internet
 URL: http://sublimation.org/scponly/
 Source: http://sublimation.org/scponly/scponly-%{version}.tgz
 Patch0: scponly-install.patch
+Patch1: scponly-4.6-CVE-2007-6415.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) 
 
 # Checks only for location of binaries
@@ -24,10 +25,12 @@ as a wrapper to the "tried and true" ssh suite of applications.
 %prep
 %setup -q
 %patch0 -p1
+%patch1 -p1 -b .CVE-2007-6415
 
 %build
-%configure --enable-scp-compat --enable-rsync-compat --enable-winscp-compat \
-	--enable-chrooted-binary
+%configure --enable-scp-compat --enable-winscp-compat --enable-chrooted-binary
+#--enable-rsync-compat
+
 %{__make} %{?_smp_mflags} \
 	OPTS="%{optflags}"
 
@@ -55,6 +58,19 @@ make install DESTDIR=%{buildroot}
 %config(noreplace) %{_sysconfdir}/scponly/*
 
 %changelog
+* Wed Feb 13 2008 Tomas Hoger <thoger@redhat.com> - 4.6-10
+- Add patch to prevent restriction bypass using OpenSSH's scp options -F
+  and -o (CVE-2007-6415, #426072)
+
+* Mon Feb 11 2008 Warren Togami <wtogami@redhat.com> - 4.6-9
+- rebuild with gcc-4.3
+
+* Tue Dec 11 2007 Toshio Kuratomi <a.badger@gmail.com> - 4.6-8
+- Disable rsync support due to security concerns: RH BZ#418201
+
+* Tue Aug 21 2007 Warren Togami <wtogami@redhat.com> - 4.6-7
+- rebuild
+
 * Fri Sep 15 2006 Warren Togami <wtogami@redhat.com> - 4.6-6
 - rebuild for FC6