diff --git a/python-kdcproxy.spec b/python-kdcproxy.spec
index 7b50a1900409f64cb067d89519fbe937030418b1..13c2328a1f36b970c4eb8a569cff7332e1f1512f 100644
--- a/python-kdcproxy.spec
+++ b/python-kdcproxy.spec
@@ -1,4 +1,4 @@
-%define anolis_release 3
+%define anolis_release 4
 %global realname kdcproxy
 
 Name:           python-%{realname}
@@ -56,6 +56,13 @@ minimal configuration.
 %{python3_sitelib}/%{realname}-%{version}-*.egg-info
 
 %changelog
+* Mon Apr 05 2025 RPM Team - 1.0.0-4
+- Sync upstream changes from commit 1773f28eeea72ec6efcd433d3b66595c44d1253f
+- Mitigate SSRF vulnerability (CVE-2025-59088) by restricting DNS discovery to declared realms only
+- Add support for wildcard realm sections (e.g., [*EXAMPLE.COM]) for hierarchical domain proxying
+- Introduce dns_realm_discovery option to control unsafe DNS lookup behavior
+- Log warning on non-standard KDC ports discovered via DNS; add silence_port_warn to suppress
+
 * Tue Mar 26 2024 Zhao Hang <wb-zh951434@alibaba-inc.com> - 1.0.0-3
 - Rebuild with python3.11