diff --git a/0001-Disallow-EventData-deserialization-by-default.patch b/0001-Disallow-EventData-deserialization-by-default.patch
new file mode 100644
index 0000000..f77a14e
--- /dev/null
+++ b/0001-Disallow-EventData-deserialization-by-default.patch
@@ -0,0 +1,44 @@
+From b1c0ca75ca38a7a8b50bfdfdf2c324169a6ddf02 Mon Sep 17 00:00:00 2001
+From: Michael Simacek <msimacek@redhat.com>
+Date: Mon, 19 Mar 2018 16:01:57 +0100
+Subject: [PATCH] Disallow EventData deserialization by default
+
+---
+ .../src/main/java/org/slf4j/ext/EventData.java      | 21 +++++++++++++++------
+ 1 file changed, 15 insertions(+), 6 deletions(-)
+
+diff --git a/slf4j-ext/src/main/java/org/slf4j/ext/EventData.java b/slf4j-ext/src/main/java/org/slf4j/ext/EventData.java
+index dc5b502..fa5c125 100644
+--- a/slf4j-ext/src/main/java/org/slf4j/ext/EventData.java
++++ b/slf4j-ext/src/main/java/org/slf4j/ext/EventData.java
+@@ -76,12 +76,21 @@ public class EventData implements Serializable {
+      */
+     @SuppressWarnings("unchecked")
+     public EventData(String xml) {
+-        ByteArrayInputStream bais = new ByteArrayInputStream(xml.getBytes());
+-        try {
+-            XMLDecoder decoder = new XMLDecoder(bais);
+-            this.eventData = (Map<String, Object>) decoder.readObject();
+-        } catch (Exception e) {
+-            throw new EventException("Error decoding " + xml, e);
++        if ("1".equals(System.getProperty("org.slf4j.ext.allowInsecureDeserialization"))) {
++            ByteArrayInputStream bais = new ByteArrayInputStream(xml.getBytes());
++            try {
++                XMLDecoder decoder = new XMLDecoder(bais);
++                this.eventData = (Map<String, Object>) decoder.readObject();
++            } catch (Exception e) {
++                throw new EventException("Error decoding " + xml, e);
++            }
++        } else {
++            throw new UnsupportedOperationException(
++                    "Constructing EventData from XML is vulnerable to remote " +
++                    "excution and is not allowed by default. If you're " +
++                    "completely sure the source data is trusted, you can enable " +
++                    "it by setting org.slf4j.ext.allowInsecureDeserialization " +
++                    "JVM property to 1");
+         }
+     }
+ 
+-- 
+2.14.3
+
diff --git a/slf4j.spec b/slf4j.spec
index fb07ce2..c16bcea 100644
--- a/slf4j.spec
+++ b/slf4j.spec
@@ -30,7 +30,7 @@
 
 Name:           slf4j
 Version:        1.7.25
-Release:        3%{?dist}
+Release:        4%{?dist}
 Epoch:          0
 Summary:        Simple Logging Facade for Java
 # the log4j-over-slf4j and jcl-over-slf4j submodules are ASL 2.0, rest is MIT
@@ -38,6 +38,7 @@ License:        MIT and ASL 2.0
 URL:            http://www.slf4j.org/
 Source0:        http://www.slf4j.org/dist/%{name}-%{version}.tar.gz
 Source1:        http://www.apache.org/licenses/LICENSE-2.0.txt
+Patch0:         0001-Disallow-EventData-deserialization-by-default.patch
 BuildArch:      noarch
 
 BuildRequires:  maven-local
@@ -124,6 +125,7 @@ SLF4J Source JARs.
 
 %prep
 %setup -q
+%patch0 -p1
 find . -name "*.jar" | xargs rm
 cp -p %{SOURCE1} APACHE-LICENSE
 
@@ -212,6 +214,10 @@ cp -pr target/site/* $RPM_BUILD_ROOT%{_defaultdocdir}/%{name}-manual
 %{_defaultdocdir}/%{name}-manual
 
 %changelog
+* Mon Mar 19 2018 Michael Simacek <msimacek@redhat.com> - 0:1.7.25-4
+- Disallow EventData deserialization by default (CVE-2018-8088)
+- Resolves rhbz#1549928
+
 * Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0:1.7.25-3
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild