diff --git a/ruby.spec b/ruby.spec
index c37580b51fb3507c0f9501efa007f7dee72f4fcb..8096d49b53fa376d5815b5712338a532f62b7c7d 100644
--- a/ruby.spec
+++ b/ruby.spec
@@ -22,7 +22,7 @@
 %endif
-%global release 112
+%global release 113
 %{!?release_string:%global release_string %{?development_release:0.}%{release}%{?development_release:.%{development_release}}%{anolis_release}%{?dist}}
@@ -267,6 +267,10 @@ Patch48: rubygem-strscan-1.0.2-Accept-String-as-a-pattern.patch
 # https://github.com/ruby/rexml/commit/4325835f92f3f142ebd91a3fdba4e1f1ab7f1cfb
 # https://github.com/ruby/rexml/commit/f1df7d13b3e57a5e059273d2f0870163c08d7420
 Patch49: rubygem-rexml-3.2.9-Fix-CVE-2024-35176-DoS-in-REXML.patch
+# Tests not included, this Ruby release does not include the specific
+# test file to patch.
+# https://github.com/ruby/rexml/commit/ce59f2eb1aeb371fe1643414f06618dbe031979f
+Patch50: rubygem-rexml-3.3.9-Fix-ReDoS-CVE-2024-49761.patch
 # Begin: Anolis OS customized
@@ -700,6 +704,7 @@ sed -i 's/"evaluation\/incorrect_words.yaml"\.freeze, //' \
 %patch47 -p1
 %patch48 -p1
 %patch49 -p1
+%patch50 -p1
 %patch1000 -p1
 %patch1001 -p1
 %patch1002 -p1
@@ -1267,13 +1272,17 @@ OPENSSL_SYSTEM_CIPHERS_OVERRIDE=xyz_nonexistent_file OPENSSL_CONF='' \
 %{gem_dir}/specifications/xmlrpc-%{xmlrpc_version}.gemspec
 %changelog
-* Mon Jul 15 2024 Weitao Zhou - 2.5.9-112.0.1
+* Fri Dec 06 2024 Weitao Zhou - 2.5.9-113.0.1
 - Fix FTBFS due to glibc 2.31.9000 implementing lchmod(2), compatible with glibc2.28 also
 * Patch: ruby-2.8.0-Brace-the-fact-that-lchmod-can-EOPNOTSUPP.patch
 * Patch: ruby-2.8.0-Moved-not-implemented-method-tests.patch
 - Avoid possible timeout errors in TestBugReporter#test_bug_reporter_add.
 * Patch: ruby-2.7.1-Timeout-the-test_bug_reporter_add-witout-raising-err.patch
+* Tue Nov 26 2024 Jarek Prokop - 2.5.9-113
+- Fix REXML ReDoS vulnerability. (CVE-2024-49761)
+ Resolves: RHEL-68515
+
 * Tue May 21 2024 Jarek Prokop - 2.5.9-112
 - Fix ReDoS vulnerability - upstream's incomplete fix for CVE-2023-28755.
 (CVE-2023-36617)
diff --git a/rubygem-rexml-3.3.9-Fix-ReDoS-CVE-2024-49761.patch b/rubygem-rexml-3.3.9-Fix-ReDoS-CVE-2024-49761.patch
new file mode 100644
index 0000000000000000000000000000000000000000..d87b68a185fbcff904675f5f36dd72ced46714c8
--- /dev/null
+++ b/rubygem-rexml-3.3.9-Fix-ReDoS-CVE-2024-49761.patch
@@ -0,0 +1,31 @@
+From ce59f2eb1aeb371fe1643414f06618dbe031979f Mon Sep 17 00:00:00 2001
+From: Sutou Kouhei
+Date: Thu, 24 Oct 2024 14:45:31 +0900
+Subject: [PATCH] parser: fix a bug that �x...; is accepted as a character
+ reference
+
+---
+ lib/rexml/parsers/baseparser.rb | 10 +++++++---
+ test/parse/test_character_reference.rb | 6 ++++++
+ 2 files changed, 13 insertions(+), 3 deletions(-)
+
+diff --git a/lib/rexml/parsers/baseparser.rb b/lib/rexml/parsers/baseparser.rb
+index 7bd8adf..b4547ba 100644
+--- a/lib/rexml/parsers/baseparser.rb
++++ b/lib/rexml/parsers/baseparser.rb
+@@ -492,8 +492,12 @@ def unnormalize( string, entities=nil, filter=nil )
+ return rv if matches.size == 0
+- rv.gsub!( /�*((?:\d+)|(?:x[a-fA-F0-9]+));/ ) {
++ rv.gsub!( /&#((?:\d+)|(?:x[a-fA-F0-9]+));/ ) {
+ m=$1
+- m = "0#{m}" if m[0] == ?x
+- [Integer(m)].pack('U*')
++ if m.start_with?("x")
++ code_point = Integer(m[1..-1], 16)
++ else
++ code_point = Integer(m, 10)
++ end
++ [code_point].pack('U*')
+ }
+ matches.collect!{|x|x[0]}.compact!
+ if matches.size > 0
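Review bot: The embedded patch header still carries upstream's diffstat, `test/parse/test_character_reference.rb | 6 ++++++` and `2 files changed, 13 insertions(+), 3 deletions(-)`, while the body contains only the `baseparser.rb` hunk, so the backport ships this parser fix with no regression test. I would trim the header to `1 file changed, 7 insertions(+), 3 deletions(-)` so it matches what is applied. If this package's %check can run REXML tests, I would also add a small assertion there that `&#0065;` and `&#x41;` both still unnormalize to `A`, since the decimal branch now depends on the explicit base in `Integer(m, 10)` once `\d+` captures leading zeros. The body of `unnormalize` starts and ends outside the hunk. On this page the removed pattern and the subject line show a replacement character where the original text was not preserved, so compare against the upstream commit cited in the spec rather than this rendering.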