diff --git a/batik-CVE-2015-0250.patch b/batik-CVE-2015-0250.patch
new file mode 100644
index 0000000..b198890
--- /dev/null
+++ b/batik-CVE-2015-0250.patch
@@ -0,0 +1,54 @@
+--- xmlgraphics/batik/trunk/sources/org/apache/batik/dom/util/SAXDocumentFactory.java 2015/03/05 12:42:03 1664334
++++ xmlgraphics/batik/trunk/sources/org/apache/batik/dom/util/SAXDocumentFactory.java 2015/03/05 12:53:44 1664335
+@@ -30,26 +30,26 @@
+ import javax.xml.parsers.SAXParser;
+ import javax.xml.parsers.SAXParserFactory;
+ 
+-import org.apache.batik.util.HaltingThread;
+-import org.apache.batik.util.XMLConstants;
+-
++import org.w3c.dom.DOMImplementation;
++import org.w3c.dom.Document;
++import org.w3c.dom.DocumentType;
++import org.w3c.dom.Element;
++import org.w3c.dom.Node;
+ import org.xml.sax.Attributes;
+ import org.xml.sax.ErrorHandler;
+ import org.xml.sax.InputSource;
+ import org.xml.sax.Locator;
+ import org.xml.sax.SAXException;
+ import org.xml.sax.SAXNotRecognizedException;
++import org.xml.sax.SAXNotSupportedException;
+ import org.xml.sax.SAXParseException;
+ import org.xml.sax.XMLReader;
+ import org.xml.sax.ext.LexicalHandler;
+ import org.xml.sax.helpers.DefaultHandler;
+ import org.xml.sax.helpers.XMLReaderFactory;
+ 
+-import org.w3c.dom.DOMImplementation;
+-import org.w3c.dom.Document;
+-import org.w3c.dom.DocumentType;
+-import org.w3c.dom.Element;
+-import org.w3c.dom.Node;
++import org.apache.batik.util.HaltingThread;
++import org.apache.batik.util.XMLConstants;
+ 
+ /**
+ * This class contains methods for creating Document instances
+@@ -399,6 +399,16 @@
+ static SAXParserFactory saxFactory;
+ static {
+ saxFactory = SAXParserFactory.newInstance();
++ try {
++ saxFactory.setFeature("http://xml.org/sax/features/external-general-entities", false);
++ saxFactory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
++ } catch (SAXNotRecognizedException e) {
++ e.printStackTrace();
++ } catch (SAXNotSupportedException e) {
++ e.printStackTrace();
++ } catch (ParserConfigurationException e) {
++ e.printStackTrace();
++ }
+ }
+ 
+ /**
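Review bot: The hardening in the second inner hunk fails open: if the parser rejects either feature, each catch block only calls `e.printStackTrace()` and `saxFactory` is left in its default configuration, so external entities remain enabled and no caller can tell. Since disabling them is the entire point of the patch, the catch blocks should abort class initialization (`throw new ExceptionInInitializerError(e);`) or at least log at error level instead of printing to stderr. Turning off external entities does not bound internal entity expansion; setting `javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING` on the factory is worth considering, keeping in mind that `XMLConstants` in this file resolves to Batik's own `org.apache.batik.util.XMLConstants`. The hunk also imports `org.xml.sax.helpers.XMLReaderFactory`; if some code path in this class obtains an `XMLReader` through it rather than from `saxFactory`, that reader would not inherit these features, which cannot be confirmed here because the rest of SAXDocumentFactory lies outside the hunk.
```java
static {
    saxFactory = SAXParserFactory.newInstance();
    try {
        saxFactory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        saxFactory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        // also bound entity expansion; fully qualified because Batik's XMLConstants is imported here
        saxFactory.setFeature(javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING, true);
    } catch (SAXNotRecognizedException e) {
        // refusing to initialize is safer than silently parsing with external entities enabled
        throw new ExceptionInInitializerError(e);
    } catch (SAXNotSupportedException e) {
        throw new ExceptionInInitializerError(e);
    } catch (ParserConfigurationException e) {
        throw new ExceptionInInitializerError(e);
    }
}
```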
diff --git a/batik.spec b/batik.spec
index 6e28fca..7bd3e71 100644
--- a/batik.spec
+++ b/batik.spec
@@ -1,6 +1,6 @@
 Name: batik
 Version: 1.8
-Release: 0.17.svn1230816%{?dist}
+Release: 0.18.svn1230816%{?dist}
 Summary: Scalable Vector Graphics for Java
 License: ASL 2.0 and W3C
 URL: http://xml.apache.org/batik/
@@ -36,6 +36,7 @@ Patch2: %{name}-script-remove-js.patch
 # also make maxmem a bit higher. we seem to need more...
 # https://issues.apache.org/jira/browse/BATIK-1065
 Patch3: %{name}-javadoc-task-failonerror-and-oom.patch
+Patch4: %{name}-CVE-2015-0250.patch
 BuildArch: noarch
@@ -168,6 +169,7 @@ done
 %patch2
 %patch3
+%patch4 -p3
 %build
 export CLASSPATH=$(build-classpath xml-commons-apis xml-commons-apis-ext js rhino xalan-j2 xalan-j2-serializer xerces-j2)
@@ -324,6 +326,10 @@ chmod +x $RPM_BUILD_ROOT%{_datadir}/%{name}/contrib/charts/convert.sh
 %changelog
+* Thu May 21 2015 Michal Srb - 1.8-0.18.svn1230816
+- Disable external xml entities
+- Resolves: CVE-2015-0250
+
 * Mon Jan 12 2015 Alexander Kurtakov 1.8-0.17.svn1230816
 - Add obsoletes in batik-css to ease updates.