diff --git a/SOURCES/rubygem-rexml-3.3.9-Fix-ReDoS-CVE-2024-49761.patch b/SOURCES/rubygem-rexml-3.3.9-Fix-ReDoS-CVE-2024-49761.patch
new file mode 100644
index 0000000..d87b68a
--- /dev/null
+++ b/SOURCES/rubygem-rexml-3.3.9-Fix-ReDoS-CVE-2024-49761.patch
@@ -0,0 +1,31 @@
+From ce59f2eb1aeb371fe1643414f06618dbe031979f Mon Sep 17 00:00:00 2001
+From: Sutou Kouhei
+Date: Thu, 24 Oct 2024 14:45:31 +0900
+Subject: [PATCH] parser: fix a bug that �x...; is accepted as a character
+ reference
+
+---
+ lib/rexml/parsers/baseparser.rb | 10 +++++++---
+ test/parse/test_character_reference.rb | 6 ++++++
+ 2 files changed, 13 insertions(+), 3 deletions(-)
+
+diff --git a/lib/rexml/parsers/baseparser.rb b/lib/rexml/parsers/baseparser.rb
+index 7bd8adf..b4547ba 100644
+--- a/lib/rexml/parsers/baseparser.rb
++++ b/lib/rexml/parsers/baseparser.rb
+@@ -492,8 +492,12 @@ def unnormalize( string, entities=nil, filter=nil )
+ return rv if matches.size == 0
+- rv.gsub!( /�*((?:\d+)|(?:x[a-fA-F0-9]+));/ ) {
++ rv.gsub!( /&#((?:\d+)|(?:x[a-fA-F0-9]+));/ ) {
+ m=$1
+- m = "0#{m}" if m[0] == ?x
+- [Integer(m)].pack('U*')
++ if m.start_with?("x")
++ code_point = Integer(m[1..-1], 16)
++ else
++ code_point = Integer(m, 10)
++ end
++ [code_point].pack('U*')
+ }
+ matches.collect!{|x|x[0]}.compact!
+ if matches.size > 0
diff --git a/SPECS/ruby.spec b/SPECS/ruby.spec
index 2a8e970..9f7dff0 100644
--- a/SPECS/ruby.spec
+++ b/SPECS/ruby.spec
@@ -21,7 +21,7 @@ %endif
-%global release 112
+%global release 113
 %{!?release_string:%global release_string %{?development_release:0.}%{release}%{?development_release:.%{development_release}}%{?dist}}
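Review bot: The header of the new SOURCES/rubygem-rexml-3.3.9-Fix-ReDoS-CVE-2024-49761.patch still lists `test/parse/test_character_reference.rb | 6 ++++++` and `2 files changed, 13 insertions(+), 3 deletions(-)`, but only the `lib/rexml/parsers/baseparser.rb` hunk is carried. The header therefore no longer describes what is applied, and the CVE-2024-49761 fix lands with no regression test in this package. Anyone comparing this backport with upstream commit ce59f2eb will find an unexplained difference, so I would record it in the patch itself below the `---` line, for example `Backport note: test/parse/test_character_reference.rb hunk dropped, file not present in this Ruby release.` Separately, the body of `unnormalize` starts and ends outside the inner hunk and nothing visible bounds `code_point` before `[code_point].pack('U*')`, so an oversized numeric reference presumably still raises a `RangeError` rather than a parse error; that appears to match upstream and is not introduced by this change.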
@@ -266,6 +266,10 @@ Patch48: rubygem-strscan-1.0.2-Accept-String-as-a-pattern.patch
 # https://github.com/ruby/rexml/commit/4325835f92f3f142ebd91a3fdba4e1f1ab7f1cfb
 # https://github.com/ruby/rexml/commit/f1df7d13b3e57a5e059273d2f0870163c08d7420
 Patch49: rubygem-rexml-3.2.9-Fix-CVE-2024-35176-DoS-in-REXML.patch
+# Tests not included, this Ruby release does not include the specific
+# test file to patch.
+# https://github.com/ruby/rexml/commit/ce59f2eb1aeb371fe1643414f06618dbe031979f
+Patch50: rubygem-rexml-3.3.9-Fix-ReDoS-CVE-2024-49761.patch
 Requires: %{name}-libs%{?_isa} = %{version}-%{release}
@@ -686,6 +690,7 @@ sed -i 's/"evaluation\/incorrect_words.yaml"\.freeze, //' \
 %patch47 -p1
 %patch48 -p1
 %patch49 -p1
+%patch50 -p1
 # Provide an example of usage of the tapset:
 cp -a %{SOURCE3} .
@@ -1250,6 +1255,10 @@ OPENSSL_SYSTEM_CIPHERS_OVERRIDE=xyz_nonexistent_file OPENSSL_CONF='' \
 %{gem_dir}/specifications/xmlrpc-%{xmlrpc_version}.gemspec
 %changelog
+* Tue Nov 26 2024 Jarek Prokop - 2.5.9-113
+- Fix REXML ReDoS vulnerability. (CVE-2024-49761)
+ Resolves: RHEL-68515
+
 * Tue May 21 2024 Jarek Prokop - 2.5.9-112
 - Fix ReDoS vulnerability - upstream's incomplete fix for CVE-2023-28755. (CVE-2023-36617)