diff --git a/SOURCES/expat-2.5.0-CVE-2024-45490.patch b/SOURCES/expat-2.5.0-CVE-2024-45490.patch
new file mode 100644
index 0000000..044f6c5
--- /dev/null
+++ b/SOURCES/expat-2.5.0-CVE-2024-45490.patch
@@ -0,0 +1,129 @@
+commit 05d87eb116ddde35bfa4e4c1d2ec7bcbda38c09b
+Author: Tomas Korbar <tkorbar@redhat.com>
+Date:   Wed Sep 11 13:48:58 2024 +0200
+
+    Fix CVE-2024-45490
+    
+    https://github.com/libexpat/libexpat/pull/890
+
+diff --git a/expat/doc/reference.html b/expat/doc/reference.html
+index a10f3cb..d618bd8 100644
+--- a/expat/doc/reference.html
++++ b/expat/doc/reference.html
+@@ -1098,7 +1098,9 @@ containing part (or perhaps all) of the document. The number of bytes of s
+ that are part of the document is indicated by <code>len</code>. This means
+ that <code>s</code> doesn't have to be null terminated. It also means that
+ if <code>len</code> is larger than the number of bytes in the block of
+-memory that <code>s</code> points at, then a memory fault is likely. The
++memory that <code>s</code> points at, then a memory fault is likely.
++Negative values for <code>len</code> are rejected since Expat 2.2.1.
++The
+ <code>isFinal</code> parameter informs the parser that this is the last
+ piece of the document. Frequently, the last piece is empty (i.e.
+ <code>len</code> is zero.)
+@@ -1114,11 +1116,17 @@ XML_ParseBuffer(XML_Parser p,
+                 int isFinal);
+ </pre>
+ <div class="fcndef">
++<p>
+ This is just like <code><a href= "#XML_Parse" >XML_Parse</a></code>,
+ except in this case Expat provides the buffer.  By obtaining the
+ buffer from Expat with the <code><a href= "#XML_GetBuffer"
+ >XML_GetBuffer</a></code> function, the application can avoid double
+ copying of the input.
++</p>
++
++<p>
++Negative values for <code>len</code> are rejected since Expat 2.6.3.
++</p>
+ </div>
+ 
+ <h4 id="XML_GetBuffer">XML_GetBuffer</h4>
+diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c
+index 0896b16..f54e258 100644
+--- a/expat/lib/xmlparse.c
++++ b/expat/lib/xmlparse.c
+@@ -1998,6 +1998,12 @@ XML_ParseBuffer(XML_Parser parser, int len, int isFinal) {
+ 
+   if (parser == NULL)
+     return XML_STATUS_ERROR;
++
++  if (len < 0) {
++    parser->m_errorCode = XML_ERROR_INVALID_ARGUMENT;
++    return XML_STATUS_ERROR;
++  }
++
+   switch (parser->m_parsingStatus.parsing) {
+   case XML_SUSPENDED:
+     parser->m_errorCode = XML_ERROR_SUSPENDED;
+diff --git a/expat/tests/runtests.c b/expat/tests/runtests.c
+index 93adc45..ed88f9f 100644
+--- a/expat/tests/runtests.c
++++ b/expat/tests/runtests.c
+@@ -3856,6 +3856,57 @@ START_TEST(test_empty_parse) {
+ }
+ END_TEST
+ 
++/* Test XML_Parse for len < 0 */
++START_TEST(test_negative_len_parse) {
++  const char *const doc = "<root/>";
++  for (int isFinal = 0; isFinal < 2; isFinal++) {
++    XML_Parser parser = XML_ParserCreate(NULL);
++
++    if (XML_GetErrorCode(parser) != XML_ERROR_NONE)
++      fail("There was not supposed to be any initial parse error.");
++
++    const enum XML_Status status = XML_Parse(parser, doc, -1, isFinal);
++
++    if (status != XML_STATUS_ERROR)
++      fail("Negative len was expected to fail the parse but did not.");
++
++    if (XML_GetErrorCode(parser) != XML_ERROR_INVALID_ARGUMENT)
++      fail("Parse error does not match XML_ERROR_INVALID_ARGUMENT.");
++
++    XML_ParserFree(parser);
++  }
++}
++END_TEST
++
++/* Test XML_ParseBuffer for len < 0 */
++START_TEST(test_negative_len_parse_buffer) {
++  const char *const doc = "<root/>";
++  for (int isFinal = 0; isFinal < 2; isFinal++) {
++    XML_Parser parser = XML_ParserCreate(NULL);
++
++    if (XML_GetErrorCode(parser) != XML_ERROR_NONE)
++      fail("There was not supposed to be any initial parse error.");
++
++    void *const buffer = XML_GetBuffer(parser, (int)strlen(doc));
++
++    if (buffer == NULL)
++      fail("XML_GetBuffer failed.");
++
++    memcpy(buffer, doc, strlen(doc));
++
++    const enum XML_Status status = XML_ParseBuffer(parser, -1, isFinal);
++
++    if (status != XML_STATUS_ERROR)
++      fail("Negative len was expected to fail the parse but did not.");
++
++    if (XML_GetErrorCode(parser) != XML_ERROR_INVALID_ARGUMENT)
++      fail("Parse error does not match XML_ERROR_INVALID_ARGUMENT.");
++
++    XML_ParserFree(parser);
++  }
++}
++END_TEST
++
+ /* Test odd corners of the XML_GetBuffer interface */
+ static enum XML_Status
+ get_feature(enum XML_FeatureEnum feature_id, long *presult) {
+@@ -12937,6 +12988,8 @@ make_suite(void) {
+   tcase_add_test__ifdef_xml_dtd(tc_basic, test_user_parameters);
+   tcase_add_test__ifdef_xml_dtd(tc_basic, test_ext_entity_ref_parameter);
+   tcase_add_test(tc_basic, test_empty_parse);
++  tcase_add_test(tc_basic, test_negative_len_parse);
++  tcase_add_test(tc_basic, test_negative_len_parse_buffer);
+   tcase_add_test(tc_basic, test_get_buffer_1);
+   tcase_add_test(tc_basic, test_get_buffer_2);
+ #if defined(XML_CONTEXT_BYTES)
diff --git a/SOURCES/expat-2.5.0-CVE-2024-45491.patch b/SOURCES/expat-2.5.0-CVE-2024-45491.patch
new file mode 100644
index 0000000..0f69dd7
--- /dev/null
+++ b/SOURCES/expat-2.5.0-CVE-2024-45491.patch
@@ -0,0 +1,31 @@
+From 8e439a9947e9dc80a395c0c7456545d8d9d9e421 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Mon, 19 Aug 2024 22:34:13 +0200
+Subject: [PATCH] lib: Detect integer overflow in dtdCopy
+
+Reported by TaiYou
+---
+ expat/lib/xmlparse.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c
+index 91682c188..e2327bdcf 100644
+--- a/expat/lib/xmlparse.c
++++ b/expat/lib/xmlparse.c
+@@ -7016,6 +7016,16 @@ dtdCopy(XML_Parser oldParser, DTD *newDtd, const DTD *oldDtd,
+     if (! newE)
+       return 0;
+     if (oldE->nDefaultAtts) {
++      /* Detect and prevent integer overflow.
++       * The preprocessor guard addresses the "always false" warning
++       * from -Wtype-limits on platforms where
++       * sizeof(int) < sizeof(size_t), e.g. on x86_64. */
++#if UINT_MAX >= SIZE_MAX
++      if ((size_t)oldE->nDefaultAtts
++          > ((size_t)(-1) / sizeof(DEFAULT_ATTRIBUTE))) {
++        return 0;
++      }
++#endif
+       newE->defaultAtts
+           = ms->malloc_fcn(oldE->nDefaultAtts * sizeof(DEFAULT_ATTRIBUTE));
+       if (! newE->defaultAtts) {
diff --git a/SOURCES/expat-2.5.0-CVE-2024-45492.patch b/SOURCES/expat-2.5.0-CVE-2024-45492.patch
new file mode 100644
index 0000000..8950cdf
--- /dev/null
+++ b/SOURCES/expat-2.5.0-CVE-2024-45492.patch
@@ -0,0 +1,30 @@
+From 9bf0f2c16ee86f644dd1432507edff94c08dc232 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Mon, 19 Aug 2024 22:37:16 +0200
+Subject: [PATCH] lib: Detect integer overflow in function nextScaffoldPart
+
+Reported by TaiYou
+---
+ expat/lib/xmlparse.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c
+index 91682c188..f737575ea 100644
+--- a/expat/lib/xmlparse.c
++++ b/expat/lib/xmlparse.c
+@@ -7558,6 +7558,15 @@ nextScaffoldPart(XML_Parser parser) {
+   int next;
+ 
+   if (! dtd->scaffIndex) {
++    /* Detect and prevent integer overflow.
++     * The preprocessor guard addresses the "always false" warning
++     * from -Wtype-limits on platforms where
++     * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
++#if UINT_MAX >= SIZE_MAX
++    if (parser->m_groupSize > ((size_t)(-1) / sizeof(int))) {
++      return -1;
++    }
++#endif
+     dtd->scaffIndex = (int *)MALLOC(parser, parser->m_groupSize * sizeof(int));
+     if (! dtd->scaffIndex)
+       return -1;
diff --git a/SPECS/expat.spec b/SPECS/expat.spec
index beb71b8..468dcb0 100644
--- a/SPECS/expat.spec
+++ b/SPECS/expat.spec
@@ -3,7 +3,7 @@
 Summary: An XML parser library
 Name: expat
 Version: %(echo %{unversion} | sed 's/_/./g')
-Release: 2%{?dist}
+Release: 2%{?dist}.1
 Source: https://github.com/libexpat/libexpat/archive/R_%{unversion}.tar.gz#/expat-%{version}.tar.gz
 URL: https://libexpat.github.io/
 License: MIT
@@ -13,6 +13,12 @@ BuildRequires: make
 Patch0: expat-2.5.0-CVE-2023-52425.patch
 # https://issues.redhat.com/browse/RHEL-28700
 Patch1: expat-2.5.0-CVE-2024-28757.patch
+# https://issues.redhat.com/browse/RHEL-56763
+Patch2: expat-2.5.0-CVE-2024-45490.patch
+# https://issues.redhat.com/browse/RHEL-57497
+Patch3: expat-2.5.0-CVE-2024-45491.patch
+# https://issues.redhat.com/browse/RHEL-57510
+Patch4: expat-2.5.0-CVE-2024-45492.patch
 
 %description
 This is expat, the C library for parsing XML, written by James Clark. Expat
@@ -43,6 +49,9 @@ Install it if you need to link statically with expat.
 pushd ..
 %patch0 -p1 -b .CVE-2023-52425
 %patch1 -p1 -b .CVE-2024-28757
+%patch2 -p1 -b .CVE-2024-45490
+%patch3 -p1 -b .CVE-2024-45491
+%patch4 -p1 -b .CVE-2024-45492
 popd
 
 sed -i 's/install-data-hook/do-nothing-please/' lib/Makefile.am
@@ -91,6 +100,15 @@ make check
 %{_libdir}/lib*.a
 
 %changelog
+* Wed Sep 11 2024 Tomas Korbar <tkorbar@redhat.com> - 2.5.0-2.1
+- Fix multiple CVEs
+- Fix CVE-2024-45492 integer overflow
+- Fix CVE-2024-45491 Integer Overflow or Wraparound
+- Fix CVE-2024-45490 Negative Length Parsing Vulnerability
+- Resolves: RHEL-57510
+- Resolves: RHEL-57497
+- Resolves: RHEL-56763
+
 * Tue Feb 13 2024 Tomas Korbar <tkorbar@redhat.com> - 2.5.0-2
 - Fix parsing of large tokens
 - Reject direct parameter entity recursion