diff --git a/.gitignore b/.gitignore
index e8e5b0d..7453b23 100644
--- a/.gitignore
+++ b/.gitignore
@@ -5,3 +5,4 @@ xstream-distribution-1.3.1-src.zip
/xstream-distribution-1.4.6-src.zip
/xstream-distribution-1.4.7-src.zip
/xstream-distribution-1.4.8-src.zip
+/xstream-distribution-1.4.9-src.zip
diff --git a/sources b/sources
index 12325ac..60eac12 100644
--- a/sources
+++ b/sources
@@ -1 +1,2 @@
94b452e5b45812b9994d304b532e2dc9 xstream-distribution-1.4.8-src.zip
+834424a0bbe68791ec5b71489011081e xstream-distribution-1.4.9-src.zip
diff --git a/xstream.spec b/xstream.spec
index c9d4807..7024833 100644
--- a/xstream.spec
+++ b/xstream.spec
@@ -31,12 +31,12 @@
#
Name: xstream
-Version: 1.4.8
-Release: 4%{?dist}
+Version: 1.4.9
+Release: 1%{?dist}
Summary: Java XML serialization library
License: BSD
URL: http://xstream.codehaus.org/
-Source0: https://nexus.codehaus.org/content/repositories/releases/com/thoughtworks/xstream/xstream-distribution/%{version}/xstream-distribution-%{version}-src.zip
+Source0: http://repo1.maven.org/maven2/com/thoughtworks/%{name}/%{name}-distribution/%{version}/%{name}-distribution-%{version}-src.zip
BuildRequires: java-devel
BuildRequires: maven-local
@@ -129,6 +129,12 @@ find . -name "*.jar" -print -delete
%pom_xpath_remove "pom:project/pom:build/pom:extensions"
# Require org.codehaus.xsite:xsite-maven-plugin
%pom_disable_module xstream-distribution
+
+# missing artifacts:
+# org.openjdk.jmh:jmh-core:jar:1.11.1
+# org.openjdk.jmh:jmh-generator-annprocess:jar:1.11.1
+%pom_disable_module xstream-jmh
+
%pom_remove_plugin :xsite-maven-plugin
%pom_remove_plugin :jxr-maven-plugin
# Unwanted
@@ -146,6 +152,9 @@ find . -name "*.jar" -print -delete
%pom_remove_plugin :maven-javadoc-plugin xstream
+# provided by JDK
+%pom_remove_dep javax.activation:activation xstream
+
%pom_xpath_set "pom:project/pom:dependencies/pom:dependency[pom:groupId = 'cglib' ]/pom:artifactId" cglib xstream-hibernate
%pom_xpath_inject "pom:project/pom:dependencies/pom:dependency[pom:groupId = 'junit' ]" "test" xstream-hibernate
%pom_remove_plugin :maven-dependency-plugin xstream-hibernate
@@ -177,6 +186,10 @@ find . -name "*.jar" -print -delete
%doc LICENSE.txt
%changelog
+* Wed Mar 30 2016 Michal Srb - 1.4.9-1
+- Update to 1.4.9
+- Resolves: CVE-2016-3674
+
* Fri Feb 05 2016 Fedora Release Engineering - 1.4.8-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild