diff --git a/CVE-2020-15078.patch b/CVE-2020-15078.patch
new file mode 100644
index 0000000000000000000000000000000000000000..0fa20077646490b21a123853937736e37958078a
--- /dev/null
+++ b/CVE-2020-15078.patch
@@ -0,0 +1,39 @@
+From 6b03967183591d8a7e619caaf529f7581619326b Mon Sep 17 00:00:00 2001
+From: Arne Schwabe <arne@rfc2549.org>
+Date: Tue, 6 Apr 2021 00:05:21 +0200
+Subject: [PATCH] Ensure key state is authenticated before sending push reply
+
+This ensures that the key state is authenticated when sendinga push reply.
+---
+ src/openvpn/push.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/src/openvpn/push.c b/src/openvpn/push.c
+index dd5bd41..fcdd76b 100644
+--- a/src/openvpn/push.c
++++ b/src/openvpn/push.c
+@@ -647,6 +647,7 @@ int
+ process_incoming_push_request(struct context *c)
+ {
+     int ret = PUSH_MSG_ERROR;
++    struct key_state *ks = &c->c2.tls_multi->session[TM_ACTIVE].key[KS_PRIMARY];
+ 
+ #ifdef ENABLE_ASYNC_PUSH
+     c->c2.push_request_received = true;
+@@ -657,7 +658,12 @@ process_incoming_push_request(struct context *c)
+         send_auth_failed(c, client_reason);
+         ret = PUSH_MSG_AUTH_FAILURE;
+     }
+-    else if (!c->c2.push_reply_deferred && c->c2.context_auth == CAS_SUCCEEDED)
++    else if (!c->c2.push_reply_deferred && c->c2.context_auth == CAS_SUCCEEDED
++             && ks->authenticated
++ #ifdef ENABLE_DEF_AUTH
++             && !ks->auth_deferred
++ #endif
++             )
+     {
+         time_t now;
+ 
+-- 
+2.23.0
+
diff --git a/openvpn.spec b/openvpn.spec
index 1734335361925fffecf399d8c6bdd6e5e87a0ff5..0dc0a8c6e0443aef5c4e03a89c486a91e6d67967 100644
--- a/openvpn.spec
+++ b/openvpn.spec
@@ -1,11 +1,12 @@
 Name:          openvpn
 Version:       2.4.8
-Release:       6
+Release:       7
 Summary:       A full-featured open source SSL VPN solution
 License:       GPLv2 and OpenSSL and SSLeay
 URL:           https://community.openvpn.net/openvpn
 Source0:       https://swupdate.openvpn.org/community/releases/openvpn-%{version}.tar.gz
 Patch0000:     CVE-2020-11810.patch
+Patch0001:     CVE-2020-15078.patch
 
 BuildRequires: openssl-devel lz4-devel systemd-devel lzo-devel
 BuildRequires: iproute pam-devel pkcs11-helper-devel >= 1.11
@@ -37,9 +38,7 @@ User guide and other related documents for %{name}.
 
 
 %prep
-%setup -q -n %{name}-%{version}
-%patch00000 -p1
-
+%autosetup -n %{name}-%{version} -p1
 
 %build
 %configure --enable-x509-alt-username --enable-iproute2 --with-crypto-library=openssl --enable-pkcs11 --enable-selinux --enable-systemd SYSTEMD_UNIT_DIR=%{_unitdir} TMPFILES_DIR=%{_tmpfilesdir} IPROUTE=/sbin/ip
@@ -126,6 +125,9 @@ fi
 %{_mandir}/man8/%{name}.8*
 
 %changelog
+* Tue May 25 2021 wangyue <wangyue92@huawei.com> - 2.4.8-7
+- fix CVE-2020-15078
+
 * Wed Feb 10 2021 wangyue <wangyue92@huawei.com> 2.4.8-6
 - Fix CVE-2020-11810