diff --git a/bash.spec b/bash.spec
index 4a54f9c..a8dcc9d 100644
--- a/bash.spec
+++ b/bash.spec
@@ -1,5 +1,5 @@
 #% define beta_tag rc2
-%define patchleveltag .22
+%define patchleveltag .25
 %define baseversion 4.3
 %bcond_without tests
 %{!?_pkgdocdir: %global _pkgdocdir %{_docdir}/%{name}-%{version}}
@@ -7,7 +7,7 @@
 Version: %{baseversion}%{patchleveltag}
 Name: bash
 Summary: The GNU Bourne Again shell
-Release: 3%{?dist}
+Release: 1%{?dist}
 Group: System Environment/Shells
 License: GPLv3+
 Url: http://www.gnu.org/software/bash
@@ -43,6 +43,9 @@ Patch019: ftp://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-019
 Patch020: ftp://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-020
 Patch021: ftp://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-021
 Patch022: ftp://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-022
+Patch023: ftp://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-023
+Patch024: ftp://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-024
+Patch025: ftp://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-025
 
 # Other patches
 Patch101: bash-2.02-security.patch
@@ -94,15 +97,12 @@ Patch127: bash-4.2-trap.patch
 Patch128: bash-4.3-man-ulimit.patch
 
 # A series of patches emitted by upstream since 4.3-18
-Patch129: bash-4.3-array-element.patch
 Patch131: bash-4.3-parse-time-keyword.patch
 Patch134: bash-4.3-pathexp-globignore-delim.patch
 
 # 1102815 - fix double echoes in vi visual mode
 Patch135: bash-4.3-noecho.patch
 
-Patch136: bash-4.3-cve-2014-6271.patch
-
 BuildRequires: texinfo bison
 BuildRequires: ncurses-devel
 BuildRequires: autoconf, gettext
@@ -151,6 +151,9 @@ This package contains documentation files for %{name}.
 %patch020 -p0 -b .020
 %patch021 -p0 -b .021
 %patch022 -p0 -b .022
+%patch023 -p0 -b .023
+%patch024 -p0 -b .024
+%patch025 -p0 -b .025
 
 # Other patches
 %patch101 -p1 -b .security
@@ -178,11 +181,9 @@ This package contains documentation files for %{name}.
 %patch123 -p1
 %patch125 -p1 -b .size_type
 %patch128 -p1 -b .ulimit
-%patch129 -p1 -b .element
 %patch131 -p0 -b .keyword
 %patch134 -p0 -b .delim
 %patch135 -p1 -b .noecho
-%patch136 -p0 -b .6271
 
 echo %{version} > _distribution
 echo %{release} > _patchlevel
@@ -378,6 +379,9 @@ end
 %doc doc/*.ps doc/*.0 doc/*.html doc/article.txt
 
 %changelog
+* Thu Sep 25 2014 Ondrej Oprala <ooprala@redhat.com> - 4.3.25-1
+- Patchlevel 25
+
 * Wed Sep 24 2014 Ondrej Oprala <ooprala@redhat.com> - 4.3.22-3
 - Inhibit code injection - patch by Stephane Chazelas
 
diff --git a/bash43-023 b/bash43-023
new file mode 100644
index 0000000..d1e4e9d
--- /dev/null
+++ b/bash43-023
@@ -0,0 +1,104 @@
+			     BASH PATCH REPORT
+			     =================
+
+Bash-Release:	4.3
+Patch-ID:	bash43-023
+
+Bug-Reported-by:	Tim Friske <me@timfriske.com>
+Bug-Reference-ID:	<CAM1RzOcOR9zzC2i+aeES6LtbHNHoOV+0pZEYPrqxv_QAii-RXA@mail.gmail.com>
+Bug-Reference-URL:	http://lists.gnu.org/archive/html/bug-bash/2014-06/msg00056.html
+
+Bug-Description:
+
+Bash does not correctly parse process substitution constructs that contain
+unbalanced parentheses as part of the contained command.
+
+Patch (apply with `patch -p0'):
+
+*** ../bash-4.3-patched/subst.h	2014-01-11 21:02:27.000000000 -0500
+--- subst.h	2014-07-20 17:25:01.000000000 -0400
+***************
+*** 83,87 ****
+     Start extracting at (SINDEX) as if we had just seen "<(".
+     Make (SINDEX) get the position just after the matching ")". */
+! extern char *extract_process_subst __P((char *, char *, int *));
+  #endif /* PROCESS_SUBSTITUTION */
+  
+--- 83,87 ----
+     Start extracting at (SINDEX) as if we had just seen "<(".
+     Make (SINDEX) get the position just after the matching ")". */
+! extern char *extract_process_subst __P((char *, char *, int *, int));
+  #endif /* PROCESS_SUBSTITUTION */
+  
+*** ../bash-4.3-patched/subst.c	2014-05-15 08:26:45.000000000 -0400
+--- subst.c	2014-07-20 17:26:44.000000000 -0400
+***************
+*** 1193,1202 ****
+     Make (SINDEX) get the position of the matching ")". */ /*))*/
+  char *
+! extract_process_subst (string, starter, sindex)
+       char *string;
+       char *starter;
+       int *sindex;
+  {
+    return (extract_delimited_string (string, sindex, starter, "(", ")", SX_COMMAND));
+  }
+  #endif /* PROCESS_SUBSTITUTION */
+--- 1193,1208 ----
+     Make (SINDEX) get the position of the matching ")". */ /*))*/
+  char *
+! extract_process_subst (string, starter, sindex, xflags)
+       char *string;
+       char *starter;
+       int *sindex;
++      int xflags;
+  {
++ #if 0
+    return (extract_delimited_string (string, sindex, starter, "(", ")", SX_COMMAND));
++ #else
++   xflags |= (no_longjmp_on_fatal_error ? SX_NOLONGJMP : 0);
++   return (xparse_dolparen (string, string+*sindex, sindex, xflags));
++ #endif
+  }
+  #endif /* PROCESS_SUBSTITUTION */
+***************
+*** 1786,1790 ****
+  	  if (string[si] == '\0')
+  	    CQ_RETURN(si);
+! 	  temp = extract_process_subst (string, (c == '<') ? "<(" : ">(", &si);
+  	  free (temp);		/* no SX_ALLOC here */
+  	  i = si;
+--- 1792,1796 ----
+  	  if (string[si] == '\0')
+  	    CQ_RETURN(si);
+! 	  temp = extract_process_subst (string, (c == '<') ? "<(" : ">(", &si, 0);
+  	  free (temp);		/* no SX_ALLOC here */
+  	  i = si;
+***************
+*** 8250,8254 ****
+  	      t_index = sindex + 1; /* skip past both '<' and LPAREN */
+  
+! 	    temp1 = extract_process_subst (string, (c == '<') ? "<(" : ">(", &t_index); /*))*/
+  	    sindex = t_index;
+  
+--- 8256,8260 ----
+  	      t_index = sindex + 1; /* skip past both '<' and LPAREN */
+  
+! 	    temp1 = extract_process_subst (string, (c == '<') ? "<(" : ">(", &t_index, 0); /*))*/
+  	    sindex = t_index;
+  
+*** ../bash-4.3/patchlevel.h	2012-12-29 10:47:57.000000000 -0500
+--- patchlevel.h	2014-03-20 20:01:28.000000000 -0400
+***************
+*** 26,30 ****
+     looks for to find the patch level (for the sccs version string). */
+  
+! #define PATCHLEVEL 22
+  
+  #endif /* _PATCHLEVEL_H_ */
+--- 26,30 ----
+     looks for to find the patch level (for the sccs version string). */
+  
+! #define PATCHLEVEL 23
+  
+  #endif /* _PATCHLEVEL_H_ */
diff --git a/bash43-024 b/bash43-024
new file mode 100644
index 0000000..a24b8fb
--- /dev/null
+++ b/bash43-024
@@ -0,0 +1,54 @@
+			     BASH PATCH REPORT
+			     =================
+
+Bash-Release:	4.3
+Patch-ID:	bash43-024
+
+Bug-Reported-by:	Corentin Peuvrel <cpeuvrel@pom-monitoring.com>
+Bug-Reference-ID:	<53CE9E5D.6050203@pom-monitoring.com>
+Bug-Reference-URL:	http://lists.gnu.org/archive/html/bug-bash/2014-07/msg00021.html
+
+Bug-Description:
+
+Indirect variable references do not work correctly if the reference
+variable expands to an array reference using a subscript other than 0
+(e.g., foo='bar[1]' ; echo ${!foo}).
+
+Patch (apply with `patch -p0'):
+
+*** ../bash-4.3-patched/subst.c	2014-06-03 09:32:44.000000000 -0400
+--- subst.c	2014-07-23 09:58:19.000000000 -0400
+***************
+*** 7375,7379 ****
+  
+    if (want_indir)
+!     tdesc = parameter_brace_expand_indir (name + 1, var_is_special, quoted, quoted_dollar_atp, contains_dollar_at);
+    else
+      tdesc = parameter_brace_expand_word (name, var_is_special, quoted, PF_IGNUNBOUND|(pflags&(PF_NOSPLIT2|PF_ASSIGNRHS)), &ind);
+--- 7445,7455 ----
+  
+    if (want_indir)
+!     {
+!       tdesc = parameter_brace_expand_indir (name + 1, var_is_special, quoted, quoted_dollar_atp, contains_dollar_at);
+!       /* Turn off the W_ARRAYIND flag because there is no way for this function
+! 	 to return the index we're supposed to be using. */
+!       if (tdesc && tdesc->flags)
+! 	tdesc->flags &= ~W_ARRAYIND;
+!     }
+    else
+      tdesc = parameter_brace_expand_word (name, var_is_special, quoted, PF_IGNUNBOUND|(pflags&(PF_NOSPLIT2|PF_ASSIGNRHS)), &ind);
+*** ../bash-4.3/patchlevel.h	2012-12-29 10:47:57.000000000 -0500
+--- patchlevel.h	2014-03-20 20:01:28.000000000 -0400
+***************
+*** 26,30 ****
+     looks for to find the patch level (for the sccs version string). */
+  
+! #define PATCHLEVEL 23
+  
+  #endif /* _PATCHLEVEL_H_ */
+--- 26,30 ----
+     looks for to find the patch level (for the sccs version string). */
+  
+! #define PATCHLEVEL 24
+  
+  #endif /* _PATCHLEVEL_H_ */
diff --git a/bash-4.3-cve-2014-6271.patch b/bash43-025
similarity index 79%
rename from bash-4.3-cve-2014-6271.patch
rename to bash43-025
index 7859d40..721aca0 100644
--- a/bash-4.3-cve-2014-6271.patch
+++ b/bash43-025
@@ -1,3 +1,20 @@
+			     BASH PATCH REPORT
+			     =================
+
+Bash-Release:	4.3
+Patch-ID:	bash43-025
+
+Bug-Reported-by:	Stephane Chazelas <stephane.chazelas@gmail.com>
+Bug-Reference-ID:
+Bug-Reference-URL:
+
+Bug-Description:
+
+Under certain circumstances, bash will execute user code while processing the
+environment for exported function definitions.
+
+Patch (apply with `patch -p0'):
+
 *** ../bash-4.3-patched/builtins/common.h	2013-07-08 16:54:47.000000000 -0400
 --- builtins/common.h	2014-09-12 14:25:47.000000000 -0400
 ***************
@@ -89,3 +106,18 @@
 !       else if ((var = find_variable_last_nameref (temp1)) && var_isset (var) && invisible_p (var) == 0)
   	{
   	  temp = nameref_cell (var);
+*** ../bash-4.3/patchlevel.h	2012-12-29 10:47:57.000000000 -0500
+--- patchlevel.h	2014-03-20 20:01:28.000000000 -0400
+***************
+*** 26,30 ****
+     looks for to find the patch level (for the sccs version string). */
+  
+! #define PATCHLEVEL 24
+  
+  #endif /* _PATCHLEVEL_H_ */
+--- 26,30 ----
+     looks for to find the patch level (for the sccs version string). */
+  
+! #define PATCHLEVEL 25
+  
+  #endif /* _PATCHLEVEL_H_ */