diff --git a/CVE-2023-27371.patch b/CVE-2023-27371.patch new file mode 100644 index 0000000000000000000000000000000000000000..b4c409d8a7e253b036786e85c81f30a1393ba77f --- /dev/null +++ b/CVE-2023-27371.patch 
@@ -0,0 +1,81 @@ +From 6d6846e20bfdf4b3eb1b592c97520a532f724238 Mon Sep 17 00:00:00 2001 +From: Christian Grothoff +Date: Sun, 26 Feb 2023 17:51:24 +0100 +Subject: [PATCH] fix parser bug that could be used to crash servers using the + MHD_PostProcessor + +--- + ChangeLog | 14 +++++++++----- + src/microhttpd/postprocessor.c | 2 +- + 2 files changed, 10 insertions(+), 6 deletions(-) + +diff --git a/ChangeLog b/ChangeLog +index 2292219c1..5d50c60c7 100644 +--- a/ChangeLog ++++ b/ChangeLog +@@ -1,3 +1,7 @@ ++Sun Feb 26 05:49:30 PM CET 2023 ++ Fix potential DoS vector in MHD_PostProcessor discovered ++ by Gynvael Coldwind and Dejan Alvadzijevic. -CG ++ + Sun 26 Dec 2021 20:30:00 MSK + Releasing GNU libmicrohttpd 0.9.75 -EG + +@@ -23,7 +27,7 @@ December 2021 + Some code improvements for new test test_client_put_stop. + Added special log message if thread creation failed due to system limits. + Fully restructured new_connection_process_() to correctly handle errors, +- fixed missing decrement of number of daemon connections if any error ++ fixed missing decrement of number of daemon connections if any error + encountered, fixed app notification of connection termination when app has + not been notified about connection start, fixed (highly unlikely) reset of + the list of connections if reached daemon's connections limit. +@@ -67,7 +71,7 @@ November 2021 + for testing of MHD. + Renamed 'early_response' connection flag to 'discard_request' and reworked + handling of connection's flags. +- Clarified request termination reasons doxy, fixed reporting of ++ Clarified request termination reasons doxy, fixed reporting of + MHD_REQUEST_TERMINATED_READ_ERROR (previously this code was not really used + in reporting). + Enforce all libcurl tests exit code to be zero or one. 
+@@ -76,7 +80,7 @@ November 2021 + of the last LF in termination chunk, handle correctly chunk sizes with more + than 16 digits (leading zeros are valid according to HTTP RFC), fixed + handling of CRCR, LFCR, LFLF, and bare CR as single line delimiters, report +- error when invalid chunk format is received without waiting to receive ++ error when invalid chunk format is received without waiting to receive + (possibly missing) end of the line, reply to the client with special error + if chunk size is too large to be handled by MHD (>16 EiB). + Added error reply if client used too large request payload (>16 EiB). +@@ -92,7 +96,7 @@ October 2021 + Added test family test_toolarge to check correct handling of the buffers + when the size of data is larger than free space. + Fixed missing updated of read and write buffers sizes. +- Added detection and use of supported "noreturn" keyword for function ++ Added detection and use of supported "noreturn" keyword for function + declaration. It should help compiler and static analyser. + Added support for leak sanitizer. + Fixed analyser errors on W32. +@@ -290,7 +294,7 @@ June 2021 + used for the next request data. + Fixed completely broken calculation of request header size. + Chunked response: do not ask app callback for more data then +- it is possible to process (more than 16 MBytes). ++ it is possible to process (more than 16 MBytes). + Check and report if app used wrong response code (>999 or <100) + Refuse to add second "Transfer-Encoding" header. + HTTPS tests: check whether all libcurl function succeeded. 
+diff --git a/src/microhttpd/postprocessor.c b/src/microhttpd/postprocessor.c +index 990742150..c00605c77 100644 +--- a/src/microhttpd/postprocessor.c ++++ b/src/microhttpd/postprocessor.c +@@ -83,7 +83,7 @@ MHD_create_post_processor (struct MHD_Connection *connection, + return NULL; /* failed to determine boundary */ + boundary += MHD_STATICSTR_LEN_ ("boundary="); + blen = strlen (boundary); +- if ( (blen == 0) || ++ if ( (blen < 2) || + (blen * 2 + 2 > buffer_size) ) + return NULL; /* (will be) out of memory or invalid boundary */ + if ( (boundary[0] == '"') && diff --git a/libmicrohttpd.spec b/libmicrohttpd.spec index 17f88459c3f9919e819ff1d528e8f40926e9e990..d0764e8223c57edcc1e935b131bb0349840b4648 100644 --- a/libmicrohttpd.spec +++ b/libmicrohttpd.spec @@ -1,6 +1,6 @@ Name: libmicrohttpd Version: 0.9.75 -Release: 2 +Release: 3 Epoch: 1 Summary: Lightweight library for embedding a webserver in applications License: LGPLv2+ @@ -9,6 +9,7 @@ Source0: https://ftp.gnu.org/gnu/libmicrohttpd/%{name}-%{version}.tar.gz Patch0001: 0001-gnutls-utilize-system-crypto-policy.patch Patch0002: fix-libmicrohttpd-tutorial-info.patch Patch0003: fixed-missing-websocket.inc-in-dist-files.patch +Patch0004: CVE-2023-27371.patch BuildRequires: autoconf automake libtool gettext-devel texinfo gnutls-devel doxygen graphviz Requires(post): info @@ -89,6 +90,9 @@ fi %{_infodir}/libmicrohttpd_performance_data.png.gz %changelog +* Mon Mar 13 2023 yaoxin - 1:0.9.75-3 +- Fix CVE-2023-27371 + * Fri Aug 5 2022 liyanan - 1:0.9.75-2 - Fixed missing websocket.inc in dist files
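Review bot: In the src/microhttpd/postprocessor.c hunk, the new `(blen < 2)` test runs before the quoted-boundary branch that begins at `if ( (boundary[0] == '"') &&`, so a two-character value such as `""` still passes it. If that branch strips the enclosing quotes and shortens `blen`, the minimum length should be checked again after it, or the check moved below it; the hunk shows neither. The constant 2 is also unexplained, since the trailing comment still reads only "(will be) out of memory or invalid boundary"; a short comment stating why a boundary shorter than two characters is rejected would help later readers. The diffstat lists only ChangeLog and postprocessor.c, so no regression test for a one-character boundary accompanies the fix.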
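Review bot: The ChangeLog hunks at -23,7, -67,7, -76,7, -92,7 and -290,7 each swap a line for one with the same visible text, which points to whitespace-only cleanup unrelated to the security fix. In a distribution patch these hunks add rebase conflict risk without changing behaviour; suggest keeping only the new entry at the top of ChangeLog, or dropping the ChangeLog part entirely, so that CVE-2023-27371.patch carries just the one-line change in postprocessor.c.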
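Review bot: In the libmicrohttpd.spec %changelog hunk, the new entry says only "Fix CVE-2023-27371". Naming the affected component (the MHD_PostProcessor parser, per the patch subject) and the upstream commit 6d6846e20bfdf4b3eb1b592c97520a532f724238 from the patch header would let an auditor trace the fix from the changelog alone, without opening Patch0004.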