diff --git a/.gitignore b/.gitignore
index e8e5b0d..7453b23 100644
--- a/.gitignore
+++ b/.gitignore
@@ -5,3 +5,4 @@ xstream-distribution-1.3.1-src.zip
 /xstream-distribution-1.4.6-src.zip
 /xstream-distribution-1.4.7-src.zip
 /xstream-distribution-1.4.8-src.zip
+/xstream-distribution-1.4.9-src.zip
diff --git a/sources b/sources
index 12325ac..60eac12 100644
--- a/sources
+++ b/sources
@@ -1 +1,2 @@
 94b452e5b45812b9994d304b532e2dc9  xstream-distribution-1.4.8-src.zip
+834424a0bbe68791ec5b71489011081e  xstream-distribution-1.4.9-src.zip
diff --git a/xstream.spec b/xstream.spec
index c9d4807..7024833 100644
--- a/xstream.spec
+++ b/xstream.spec
@@ -31,12 +31,12 @@
 #
 
 Name:           xstream
-Version:        1.4.8
-Release:        4%{?dist}
+Version:        1.4.9
+Release:        1%{?dist}
 Summary:        Java XML serialization library
 License:        BSD
 URL:            http://xstream.codehaus.org/
-Source0:        https://nexus.codehaus.org/content/repositories/releases/com/thoughtworks/xstream/xstream-distribution/%{version}/xstream-distribution-%{version}-src.zip
+Source0:        http://repo1.maven.org/maven2/com/thoughtworks/%{name}/%{name}-distribution/%{version}/%{name}-distribution-%{version}-src.zip
 BuildRequires: java-devel
 
 BuildRequires:  maven-local
@@ -129,6 +129,12 @@ find . -name "*.jar" -print -delete
 %pom_xpath_remove "pom:project/pom:build/pom:extensions"
 # Require org.codehaus.xsite:xsite-maven-plugin
 %pom_disable_module xstream-distribution
+
+# missing artifacts:
+#  org.openjdk.jmh:jmh-core:jar:1.11.1
+#  org.openjdk.jmh:jmh-generator-annprocess:jar:1.11.1
+%pom_disable_module xstream-jmh
+
 %pom_remove_plugin :xsite-maven-plugin
 %pom_remove_plugin :jxr-maven-plugin
 # Unwanted
@@ -146,6 +152,9 @@ find . -name "*.jar" -print -delete
 
 %pom_remove_plugin :maven-javadoc-plugin xstream
 
+# provided by JDK
+%pom_remove_dep javax.activation:activation xstream
+
 %pom_xpath_set "pom:project/pom:dependencies/pom:dependency[pom:groupId = 'cglib' ]/pom:artifactId" cglib xstream-hibernate
 %pom_xpath_inject "pom:project/pom:dependencies/pom:dependency[pom:groupId = 'junit' ]" "<scope>test</scope>" xstream-hibernate
 %pom_remove_plugin :maven-dependency-plugin xstream-hibernate
@@ -177,6 +186,10 @@ find . -name "*.jar" -print -delete
 %doc LICENSE.txt
 
 %changelog
+* Wed Mar 30 2016 Michal Srb <msrb@redhat.com> - 1.4.9-1
+- Update to 1.4.9
+- Resolves: CVE-2016-3674
+
 * Fri Feb 05 2016 Fedora Release Engineering <releng@fedoraproject.org> - 1.4.8-4
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild