diff --git a/CVE-2021-23017.patch b/CVE-2021-23017.patch
new file mode 100644
index 0000000000000000000000000000000000000000..b226f2d734363c40d625a16aee453b6e08aeb7b6
--- /dev/null
+++ b/CVE-2021-23017.patch
@@ -0,0 +1,34 @@
+From 7199ebc203f74fd9e44595474de6bdc41740c5cf Mon Sep 17 00:00:00 2001
+From: Maxim Dounin <mdounin@mdounin.ru>
+Date: Tue, 25 May 2021 15:17:36 +0300
+Subject: [PATCH] Resolver: fixed off-by-one write in ngx_resolver_copy().
+
+Reported by Luis Merino, Markus Vervier, Eric Sesterhenn, X41 D-Sec GmbH.
+---
+ src/core/ngx_resolver.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/src/core/ngx_resolver.c b/src/core/ngx_resolver.c
+index 7939070102..63b26193df 100644
+--- a/src/core/ngx_resolver.c
++++ b/src/core/ngx_resolver.c
+@@ -4008,15 +4008,15 @@ ngx_resolver_copy(ngx_resolver_t *r, ngx_str_t *name, u_char *buf, u_char *src,
+             n = *src++;
+ 
+         } else {
++            if (dst != name->data) {
++                *dst++ = '.';
++            }
++
+             ngx_strlow(dst, src, n);
+             dst += n;
+             src += n;
+ 
+             n = *src++;
+-
+-            if (n != 0) {
+-                *dst++ = '.';
+-            }
+         }
+ 
+         if (n == 0) {
diff --git a/nginx.spec b/nginx.spec
index 9f31d4fd5db9e1b274bf05592a6d63b7cd838bfb..22ef79550609e38ae09568049efe1d595d3c9c26 100644
--- a/nginx.spec
+++ b/nginx.spec
@@ -14,7 +14,7 @@
 Name:              nginx
 Epoch:             1
 Version:           1.16.1
-Release:           8
+Release:           9
 Summary:           A HTTP server, reverse proxy and mail proxy server
 License:           BSD
 URL:               http://nginx.org/
@@ -35,6 +35,7 @@ Patch0:            nginx-auto-cc-gcc.patch
 Patch2:            nginx-1.12.1-logs-perm.patch
 Patch3:		   CVE-2019-20372.patch
 Patch4:            nginx-fix-pidfile.patch
+Patch5:            CVE-2021-23017.patch
 
 BuildRequires:     gcc openssl-devel pcre-devel zlib-devel systemd gperftools-devel
 Requires:          nginx-filesystem = %{epoch}:%{version}-%{release} openssl pcre
@@ -346,6 +347,9 @@ fi
 %{_mandir}/man8/nginx.8*
 
 %changelog
+* Tue Jun 15 2021 yanglu <yanglu72@huawei.com> - 1:1.16.1-9
+- Fix CVE-2021-23017
+
 * Wed May 12 2021 gaihuiying <gaihuiying1@huawei.com> - 1:1.16.1-8
 - Fix NGINX pidfile handling