diff --git a/fix-CVE-2020-11501-zeroed-random.patch b/fix-CVE-2020-11501-zeroed-random.patch
new file mode 100644
index 0000000000000000000000000000000000000000..822fcec430a8351168384459d6ab8bd1effcc403
--- /dev/null
+++ b/fix-CVE-2020-11501-zeroed-random.patch
@@ -0,0 +1,32 @@
+From c01011c2d8533dbbbe754e49e256c109cb848d0d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Stefan=20B=C3=BChler?= <stbuehler@web.de>
+Date: Fri, 27 Mar 2020 17:17:57 +0100
+Subject: [PATCH] dtls client hello: fix zeroed random (fixes #960)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This broke with bcf4de03 "handshake: treat reply to HRR as a reply to
+hello verify request", which failed to "De Morgan" properly.
+
+Signed-off-by: Stefan Bühler <stbuehler@web.de>
+---
+ lib/handshake.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/handshake.c b/lib/handshake.c
+index 1e6164c..5c8f33a 100644
+--- a/lib/handshake.c
++++ b/lib/handshake.c
+@@ -2164,7 +2164,7 @@ static int send_client_hello(gnutls_session_t session, int again)
+ 		/* Generate random data 
+ 		 */
+ 		if (!(session->internals.hsk_flags & HSK_HRR_RECEIVED) &&
+-		    !(IS_DTLS(session) && session->internals.dtls.hsk_hello_verify_requests == 0)) {
++		    !(IS_DTLS(session) && session->internals.dtls.hsk_hello_verify_requests != 0)) {
+ 			ret = _gnutls_gen_client_random(session);
+ 			if (ret < 0) {
+ 				gnutls_assert();
+-- 
+1.8.3.1
+
diff --git a/gnutls.spec b/gnutls.spec
index ce8b92c7ffee86dd68b59da0469b4472e87873db..44a36ba3e4577e6b8e5347491aa422e1b321e4be 100644
--- a/gnutls.spec
+++ b/gnutls.spec
@@ -1,13 +1,14 @@
 Name: gnutls
 Version: 3.6.9
-Release: 5
+Release: 5.h1
 Summary: The GNU Secure Communication Protocol Library
 
 License: LGPLv2.1+ and GPLv3+
 URL: https://www.gnutls.org/
 Source0: https://www.gnupg.org/ftp/gcrypt/%{name}/v3.6/%{name}-%{version}.tar.xz
 Source1: https://www.gnupg.org/ftp/gcrypt/%{name}/v3.6/%{name}-%{version}.tar.xz.sig
-Patch9000: fix-ipv6-handshake-failed.patch
+Patch0: fix-ipv6-handshake-failed.patch
+Patch1: fix-CVE-2020-11501-zeroed-random.patch
 
 %bcond_without dane
 %bcond_with guile
@@ -194,6 +195,9 @@ make check %{?_smp_mflags}
 %endif
 
 %changelog
+* Wed Apr 22 2020 Anakin Zhang <nbztx@126.com> - 3.6.9-5.h1
+- fix CVE-2020-11501
+
 * Fri Jan 10 2020 openEuler Buildteam <buildteam@openeuler.org> - 3.6.9-5
 - Type:bugfix
 - Id:NA