diff --git a/CVE-2020-8625.patch b/CVE-2020-8625.patch
new file mode 100644
index 0000000000000000000000000000000000000000..454d17ef9d76564c09c2b0cf9d9a3a498c3feb74
--- /dev/null
+++ b/CVE-2020-8625.patch
@@ -0,0 +1,13 @@
+diff --git a/lib/dns/spnego.c b/lib/dns/spnego.c
+index dea108bad05..13cf15d7404 100644
+--- a/lib/dns/spnego.c
++++ b/lib/dns/spnego.c
+@@ -877,7 +877,7 @@ der_get_oid(const unsigned char *p, size_t len, oid *data, size_t *size) {
+ 		return (ASN1_OVERRUN);
+ 	}
+ 
+-	data->components = malloc(len * sizeof(*data->components));
++	data->components = malloc((len + 1) * sizeof(*data->components));
+ 	if (data->components == NULL) {
+ 		return (ENOMEM);
+ 	}
diff --git a/bind.spec b/bind.spec
index b16a1592e4d9d824830635f1868a776e611af8c5..8ac5f5b3e6af16533257607f82528a412d10bcf4 100644
--- a/bind.spec
+++ b/bind.spec
@@ -19,7 +19,7 @@ Name:           bind
 Summary:        Domain Name System (DNS) Server (named)
 License:        MPLv2.0
 Version:        9.11.21
-Release:        4
+Release:        5
 Epoch:          32
 Url:            http://www.isc.org/products/BIND/
 Source0:        https://ftp.isc.org/isc/bind9/9.11.21/bind-%{version}.tar.gz
@@ -160,6 +160,7 @@ Patch191: CVE-2020-8622.patch
 Patch192: CVE-2020-8623.patch
 Patch193: CVE-2020-8624.patch
 Patch194: Fix_the_difference_at_the_macro_definition_using_clock_gettime_instead_of_gettimeofda.patch
+Patch195: CVE-2020-8625.patch
 
 # SDB patches
 Patch11: bind-9.3.2b2-sdbsrc.patch
@@ -363,6 +364,7 @@ are used for building ISC DHCP.
 %patch192 -p1
 %patch193 -p1
 %patch194 -p1
+%patch195 -p1
 
 mkdir lib/dns/tests/testdata/dstrandom
 cp -a %{SOURCE29} lib/dns/tests/testdata/dstrandom/random.data
@@ -1148,6 +1150,12 @@ rm -rf ${RPM_BUILD_ROOT}
 
 
 %changelog
+* Thu Feb 18 2021 liulong <liulong20@huawei.com> - 9.11.21-5
+- Type:CVE
+- ID:NA
+- SUG:NA
+- DESC:fix CVE-2020-8625
+
 * Wed Jan 13 2021 gaihuiying <gaihuiying1@huawei.com> - 9.11.21-4
 - Type:requirement
 - ID:NA