diff --git a/babel.spec b/babel.spec
index 32e7b23bc70fbaa96b568f46046b93a9c34100f5..b0110f2bad505b64c50e325b0d5b79532bd9c4de 100644
--- a/babel.spec
+++ b/babel.spec
@@ -1,15 +1,17 @@
 Name: babel
 Version: 2.8.0
-Release: 2
+Release: 3
 Summary: Tools for internationalizing and localizing Python applications
 License: BSD
 URL: http://babel.pocoo.org/
 Source0: https://files.pythonhosted.org/packages/source/B/Babel/Babel-%{version}.tar.gz
-Patch0000: babel-2.3.4-remove-pytz-version.patch
-Patch0001: Replace-usage-of-parser.suite-with-ast.parse.patch
-Patch0002: Introduce-invariant-that-_invalid_pofile-takes-unico.patch
-Patch0003: catalog.rst-Add-__iter__-to-Catalog-documentation.patch
-Patch0004: stop-using-deprecated-ElementTree-methods-getchildre.patch
+Patch1: babel-2.3.4-remove-pytz-version.patch
+Patch2: Replace-usage-of-parser.suite-with-ast.parse.patch
+Patch3: Introduce-invariant-that-_invalid_pofile-takes-unico.patch
+Patch4: catalog.rst-Add-__iter__-to-Catalog-documentation.patch
+Patch5: stop-using-deprecated-ElementTree-methods-getchildre.patch
+Patch6: backport-0001-CVE-2021-20095-Run-locale-identifiers-through-os.path.basename.patch
+Patch7: backport-0002-CVE-2021-20095-Disallow-special-filenames-on-Windows.patch
 BuildArch: noarch
@@ -103,6 +105,9 @@ export TZ=Asia/Shanghai
 %doc built-docs/html/*
 %changelog
+* Tue May 11 2021 yangzhuangzhuang - 2.8.0-3
+- Fix CVE-2021-20095
+
 * Sun Jun 28 2020 linwei - 2.8.0-2
 - sync some patches from community
diff --git a/backport-0001-CVE-2021-20095-Run-locale-identifiers-through-os.path.basename.patch b/backport-0001-CVE-2021-20095-Run-locale-identifiers-through-os.path.basename.patch
new file mode 100644
index 0000000000000000000000000000000000000000..6988b71ef1f7f736cd4cf233d2a58fc7f6639eb3
--- /dev/null
+++ b/backport-0001-CVE-2021-20095-Run-locale-identifiers-through-os.path.basename.patch
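Review bot: The Patch tags are renumbered from Patch0000..Patch0004 to Patch1..Patch5, so the %prep section, which is outside this hunk, must not still apply them by the old numbers (`%patch0000 -p1` and friends); if it uses `%autosetup -p1` or `%autopatch` the rename is harmless, but that cannot be confirmed from here. The two new backports are order-dependent: backport-0002 is cut against blob 11085490, which is the post-image of backport-0001 (`index f4771d1f..11085490`), so Patch6 has to be applied before Patch7, and the numbering preserves that. A one-line comment above Patch6 would make the dependency explicit for the next rebase, e.g. `# CVE-2021-20095: Patch7 applies on top of Patch6 (locale lookups confined to the locale-data dir)`.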
@@ -0,0 +1,79 @@
+From 3a700b5b8b53606fd98ef8294a56f9510f7290f8 Mon Sep 17 00:00:00 2001
+From: Aarni Koskela
+Date: Wed, 28 Apr 2021 10:33:40 +0300
+Subject: [PATCH] Run locale identifiers through `os.path.basename()`
+
+---
+ babel/localedata.py | 2 ++
+ tests/test_localedata.py | 30 +++++++++++++++++++++++++++++-
+ 2 files changed, 31 insertions(+), 1 deletion(-)
+
+diff --git a/babel/localedata.py b/babel/localedata.py
+index f4771d1f..11085490 100644
+--- a/babel/localedata.py
++++ b/babel/localedata.py
+@@ -47,6 +47,7 @@ def exists(name):
+ """
+ if not name or not isinstance(name, string_types):
+ return False
++ name = os.path.basename(name)
+ if name in _cache:
+ return True
+ file_found = os.path.exists(os.path.join(_dirname, '%s.dat' % name))
+@@ -102,6 +103,7 @@ def load(name, merge_inherited=True):
+ :raise `IOError`: if no locale data file is found for the given locale
+ identifer, or one of the locales it inherits from
+ """
++ name = os.path.basename(name)
+ _cache_lock.acquire()
+ try:
+ data = _cache.get(name)
+diff --git a/tests/test_localedata.py b/tests/test_localedata.py
+index 83cd6699..9cb4282e 100644
+--- a/tests/test_localedata.py
++++ b/tests/test_localedata.py
+@@ -11,11 +11,17 @@
+ # individuals. For the exact contribution history, see the revision
+ # history and logs, available at http://babel.edgewall.org/log/.
+
++import os
++import pickle
++import sys
++import tempfile
+ import unittest
+ import random
+ from operator import methodcaller
+
+-from babel import localedata
++import pytest
++
++from babel import localedata, Locale, UnknownLocaleError
+
+
+ class MergeResolveTestCase(unittest.TestCase):
+@@ -131,3 +137,25 @@ def listdir_spy(*args):
+ localedata.locale_identifiers.cache = None
+ assert localedata.locale_identifiers()
+ assert len(listdir_calls) == 2
++
++
++def test_locale_name_cleanup():
++ """
++ Test that locale identifiers are cleaned up to avoid directory traversal.
++ """
++ no_exist_name = os.path.join(tempfile.gettempdir(), "babel%d.dat" % random.randint(1, 99999))
++ with open(no_exist_name, "wb") as f:
++ pickle.dump({}, f)
++
++ try:
++ name = os.path.splitext(os.path.relpath(no_exist_name, localedata._dirname))[0]
++ except ValueError:
++ if sys.platform == "win32":
++ pytest.skip("unable to form relpath")
++ raise
++
++ assert not localedata.exists(name)
++ with pytest.raises(IOError):
++ localedata.load(name)
++ with pytest.raises(UnknownLocaleError):
++ Locale(name)
diff --git a/backport-0002-CVE-2021-20095-Disallow-special-filenames-on-Windows.patch b/backport-0002-CVE-2021-20095-Disallow-special-filenames-on-Windows.patch
new file mode 100644
index 0000000000000000000000000000000000000000..fc9d84a5174c6a92d5ac43ee4ee29a99fe20575b
--- /dev/null
+++ b/backport-0002-CVE-2021-20095-Disallow-special-filenames-on-Windows.patch
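Review bot: test_locale_name_cleanup writes `no_exist_name` into the temp directory with `pickle.dump({}, f)` and never removes it, so every run leaves a stray `babel<N>.dat` in the temp dir; the relpath/assert part of the test should sit in a `try:` with `finally: os.remove(no_exist_name)`. The fix itself is deliberately narrow: `os.path.basename()` drops any directory components using the running platform's separators, which is what keeps `os.path.join(_dirname, '%s.dat' % name)` inside the locale-data directory. One asymmetry worth a glance: `exists()` applies basename after its `isinstance(name, string_types)` guard, while `load()` applies it before `_cache_lock.acquire()` with no type guard, so a non-string name presumably fails earlier than before in `load()`; a short comment on both added lines, `# Strip directory components so the lookup stays inside _dirname (CVE-2021-20095).`, would record why the line exists.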
@@ -0,0 +1,92 @@
+From 5caf717ceca4bd235552362b4fbff88983c75d8c Mon Sep 17 00:00:00 2001
+From: Aarni Koskela
+Date: Wed, 28 Apr 2021 11:47:42 +0300
+Subject: [PATCH] Disallow special filenames on Windows
+
+---
+ babel/localedata.py | 24 +++++++++++++++++++++---
+ tests/test_localedata.py | 9 +++++++++
+ 2 files changed, 30 insertions(+), 3 deletions(-)
+
+diff --git a/babel/localedata.py b/babel/localedata.py
+index 11085490..782b7afa 100644
+--- a/babel/localedata.py
++++ b/babel/localedata.py
+@@ -13,6 +13,8 @@
+ """
+
+ import os
++import re
++import sys
+ import threading
+ from itertools import chain
+
+@@ -22,6 +24,7 @@
+ _cache = {}
+ _cache_lock = threading.RLock()
+ _dirname = os.path.join(os.path.dirname(__file__), 'locale-data')
++_windows_reserved_name_re = re.compile("^(con|prn|aux|nul|com[0-9]|lpt[0-9])$", re.I)
+
+
+ def normalize_locale(name):
+@@ -38,6 +41,22 @@ def normalize_locale(name):
+ return locale_id
+
+
++def resolve_locale_filename(name):
++ """
++ Resolve a locale identifier to a `.dat` path on disk.
++ """
++
++ # Clean up any possible relative paths.
++ name = os.path.basename(name)
++
++ # Ensure we're not left with one of the Windows reserved names.
++ if sys.platform == "win32" and _windows_reserved_name_re.match(os.path.splitext(name)[0]):
++ raise ValueError("Name %s is invalid on Windows" % name)
++
++ # Build the path.
++ return os.path.join(_dirname, '%s.dat' % name)
++
++
+ def exists(name):
+ """Check whether locale data is available for the given locale.
+
+@@ -47,10 +66,9 @@ def exists(name):
+ """
+ if not name or not isinstance(name, string_types):
+ return False
+- name = os.path.basename(name)
+ if name in _cache:
+ return True
+- file_found = os.path.exists(os.path.join(_dirname, '%s.dat' % name))
++ file_found = os.path.exists(resolve_locale_filename(name))
+ return True if file_found else bool(normalize_locale(name))
+
+
+@@ -121,7 +139,7 @@ def load(name, merge_inherited=True):
+ else:
+ parent = '_'.join(parts[:-1])
+ data = load(parent).copy()
+- filename = os.path.join(_dirname, '%s.dat' % name)
++ filename = resolve_locale_filename(name)
+ with open(filename, 'rb') as fileobj:
+ if name != 'root' and merge_inherited:
+ merge(data, pickle.load(fileobj))
+diff --git a/tests/test_localedata.py b/tests/test_localedata.py
+index 9cb4282e..c852c1b6 100644
+--- a/tests/test_localedata.py
++++ b/tests/test_localedata.py
+@@ -159,3 +159,12 @@ def test_locale_name_cleanup():
+ localedata.load(name)
+ with pytest.raises(UnknownLocaleError):
+ Locale(name)
++
++
++@pytest.mark.skipif(sys.platform != "win32", reason="windows-only test")
++def test_reserved_locale_names():
++ for name in ("con", "aux", "nul", "prn", "com8", "lpt5"):
++ with pytest.raises(ValueError):
++ localedata.load(name)
++ with pytest.raises(ValueError):
++ Locale(name)
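Review bot: `resolve_locale_filename()` raises ValueError for a Windows reserved device name and `exists()` now calls it unguarded, so on Windows `localedata.exists("con")` raises where the function is documented as a boolean availability check and previously returned False; the new test_reserved_locale_names covers `load()` and `Locale()` only. The `os.path.exists(...)` call in `exists()` should catch ValueError and return False, as sketched below; whether `load()` callers tolerate the new ValueError cannot be judged here since `load()` starts outside the hunk, though `Locale()` evidently propagates it because the test expects that. A one-line comment on `_windows_reserved_name_re` would also help, e.g. `# Device names Windows resolves regardless of directory or extension; checked on the stem, hence splitext() in resolve_locale_filename().`.
```python
def exists(name):
    # … unchanged: docstring, string_types guard and _cache lookup …
    try:
        file_found = os.path.exists(resolve_locale_filename(name))
    except ValueError:
        # A Windows reserved device name can never be locale data.
        return False
    return True if file_found else bool(normalize_locale(name))
```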