diff --git a/expat-2.4.8.tar.xz b/expat-2.4.8.tar.xz
deleted file mode 100644
index 084c54b..0000000
--- a/expat-2.4.8.tar.xz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:f79b8f904b749e3e0d20afeadecf8249c55b2e32d4ebb089ae378df479dcaf25
-size 454428
diff --git a/expat-2.4.8.tar.xz.asc b/expat-2.4.8.tar.xz.asc
deleted file mode 100644
index d682797..0000000
--- a/expat-2.4.8.tar.xz.asc
+++ /dev/null
@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCAAdFiEEy43nCpDPv2w79cxWliYqz/vTrsYFAmJCJoAACgkQliYqz/vT
-rsaachAApv1aIwl4PW6CCbTk+ePL5Ted6jJPvPCv9WiBTvHSA6KzEV7TVcVikBOe
-Ew6Ayjn336MxCfJeQN9CeMBUQ3ZTOIHYn5PYUXDNtYVaAHpe11nSl0tDu/QBYgJQ
-HrezUGlODYOH0o1yN33D2JIEav7Qek8pq7QZ/EznrhLkpnTcABkh8zMNJPKhV9tA
-do+wfVeNP7pwxRGRDRujVMoSRp8PAEPEz3mxwEd057KTn4iLjQIovJr/u28KSX06
-RsS5TqaqDJY/ag2qCE1TXwAegvWGl0LA+KxtCTWFpJ2y2DalqZlXJO3Nym17Btny
-SAYfWhl3EoqaaA/b659HF0Jtjivf/V2fvX61/KO3Np9yuQBognYMs/YgPcKTjgXc
-Ic0BgAmcLAehtKg3fb3GQXjV7096sECfXtUOE0NOsbcUJ1TRIFbe/3nANaUm87LY
-vG4/fRwJ/AEyFGbFlmd7VBwWxFDFIoBkIHseR2mI4uNw5SfJD9+x8Z7brrAG5jk9
-kEeTQWBs+YoN5ftBgDYkza16PoiIs7DK0yxl8BWo1/7WCwYd6NE2lfBp9YdKaLwO
-CmtVRsAxA+lElJ6jFQ0rJekMlvqUzU9hRvbZHv6tGYa+JYekEXZEpEB8bsZSlIQH
-++5DEkB8txjy/FxeOBdv7p2aZR91f0ecypLwiezUuQUMGVaBN5c=
-=2Oww
------END PGP SIGNATURE-----
diff --git a/expat-2.4.9.tar.xz b/expat-2.4.9.tar.xz
new file mode 100644
index 0000000..f899838
--- /dev/null
+++ b/expat-2.4.9.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:6e8c0728fe5c7cd3f93a6acce43046c5e4736c7b4b68e032e9350daa0efc0354
+size 459284
diff --git a/expat-2.4.9.tar.xz.asc b/expat-2.4.9.tar.xz.asc
new file mode 100644
index 0000000..104376f
--- /dev/null
+++ b/expat-2.4.9.tar.xz.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCAAdFiEEy43nCpDPv2w79cxWliYqz/vTrsYFAmMp1wEACgkQliYqz/vT
+rsaXDxAAqRARLP+yOmmhEyTA88yGemIPQnZ+7dYiOLBCxIlTOTwxGAIRHZqiJnG/
+yZte1IE80b7RVGsoEo+bumRBio8RB1B+kLmfWU/KmKsGKoarTGXj9KjCwybDLwo5
+VFEbYLfsVc6BdrXeTs3gwYM11e95p+y5HQiIBOYr6dXkgzg+NRyfj0o7hjg8gbhN
+fDES6MgWhtZQyIvBLGCoU9juFYefvrshmvSh4q2wzzfpw9COH6zOcmh0rqtHsvRT
+GR1YwQGl0v+vlFcRBpLIadw3/0mjjrl1gBcmdqL7wIsFVajMcV50sk6C5kSlKYe4
+37tKo2Kc8Ci687m9wfS5fdBN/oj11LG24xwBeJILrZbUxwE6lX071uy81qqv9NiJ
+RrbupIfXJXas/h16/2HdwkI4yWt+AoVmiZAYApF1xXyfiLHiOEyzQ2wSwYTb3GH0
+OaWLsUk6RWPDK1a/MNHIgX5PFDC5LH5/MlNS59MscvOQHkdrvOIjNw7pg93Zh2jY
+wLWdxDqiZUMGj3Q8f0iRksl4lAkg+xRT7mCBqRMXxZs6/iq7cgRaMBRqwyLHZOUB
+/9w97mLHM+hHLzCDMCGj4kcanPhWaNtdiPNyhxGT+pMAc7czNVxIALCuzX6ntwfn
+9Fr1aJJ5B5tUMGXohqL4ltHt75gSL+LgxRojwJSSLIN24WSXJJk=
+=7F5I
+-----END PGP SIGNATURE-----
diff --git a/expat.changes b/expat.changes
index 9f8ee72..ff3b826 100644
--- a/expat.changes
+++ b/expat.changes
@@ -1,3 +1,55 @@
+-------------------------------------------------------------------
+Tue Sep 20 15:54:12 UTC 2022 - David Anes <david.anes@suse.com>
+
+- update to 2.4.9: (bsc#1203438)
+  * Security fixes:
+    - CVE-2022-40674 -- Heap use-after-free vulnerability in
+      function doContent. Expected impact is denial of service
+      or potentially arbitrary code execution.
+  * Bug fixes:
+    - MinGW: Fix mis-compilation for -D__USE_MINGW_ANSI_STDIO=0
+    - docs: Fix documentation on effect of switch XML_DTD on
+      symbol visibility in doc/reference.html
+  * Other changes:
+    - MinGW: Make fix-xmltest-log.sh drop more Wine bug output
+    - Autotools: Sync CMake templates with CMake 3.22
+    - CMake: Migrate from use of CMAKE_*_POSTFIX to
+      dedicated variables EXPAT_*_POSTFIX to stop affecting
+      other projects
+    - Windows|CMake: Add missing -DXML_STATIC to test runners
+      and fuzzers
+    - Windows|CMake: Render .def file from a template to fix
+      linking with -DEXPAT_DTD=OFF and/or -DEXPAT_ATTR_INFO=ON
+    - MinGW|CMake: Apply MSVC .def file when linking
+    - MinGW|CMake: Sync library name with GNU Autotools,
+      i.e. produce libexpat-1.dll rather than libexpat.dll
+      by default.  Filename libexpat.dll.a is unaffected.
+    - MinGW|CMake: Set missing variable CMAKE_RC_COMPILER in
+      toolchain file "cmake/mingw-toolchain.cmake" to avoid
+      error "windres: Command not found" on e.g. Ubuntu 20.04
+    - CMake: Unify inconsistent use of set() and option() in
+      context of public build time options to take need for
+      set(.. FORCE) in projects using Expat by means of
+      add_subdirectory(..) off Expat's users' shoulders
+    - Stop exporting API symbols when building a static library
+    - Resolve use of deprecated "fgrep" by "grep -F"
+    - CMake: Make documentation on variables a bit more consistent
+    - CMake: Drop leading whitespace from a #cmakedefine line in
+      file expat_config.h.cmake
+    - xmlwf: Fix harmless variable mix-up in function nsattcmp
+    - Address Cppcheck warnings
+    - Address Clang 15 compiler warnings
+    - Version info bumped from 9:8:8 to 9:9:8;
+      see https://verbump.de/ for what these numbers do
+  * Infrastructure:
+    - CI: Windows: Start covering MSVC 2022
+    - CI: macOS: Migrate off deprecated macOS 10.15
+    - CI: Linux: Make migration off deprecated Ubuntu 18.04 work
+    - CI: Upgrade Clang from 14 to 15
+    - apply-clang-format.sh: Add support for BSD find
+    - coverage.sh: Exclude MinGW headers
+    - coverage.sh: Fix name collision for -funsigned-char   
+
 -------------------------------------------------------------------
 Tue Mar 29 05:26:59 UTC 2022 - David Anes <david.anes@suse.com>
 
diff --git a/expat.spec b/expat.spec
index 57564d0..62b716d 100644
--- a/expat.spec
+++ b/expat.spec
@@ -16,9 +16,9 @@
 #
 
 
-%global unversion 2_4_8
+%global unversion 2_4_9
 Name:           expat
-Version:        2.4.8
+Version:        2.4.9
 Release:        0
 Summary:        XML Parser Toolkit
 License:        MIT