diff --git a/CVE-2022-0547.patch b/CVE-2022-0547.patch
new file mode 100644
index 0000000000000000000000000000000000000000..3916525b7f9797f1404f6076f035ac6d487b977c
--- /dev/null
+++ b/CVE-2022-0547.patch
@@ -0,0 +1,98 @@
+From af3e382649d96ae77cc5e42be8270f355e5cfec5 Mon Sep 17 00:00:00 2001
+From: David Sommerseth
+Date: Sun, 13 Mar 2022 20:31:53 +0100
+Subject: [PATCH] plug-ins: Disallow multiple deferred authentication plug-ins
+
+The plug-in API in OpenVPN 2.x is not designed for running multiple
+deferred authentication processes in parallel. The authentication
+results of such configurations are not to be trusted. For now we bail
+out when this is discovered with an error in the log.
+
+CVE: 2022-0547
+Signed-off-by: David Sommerseth
+
+Acked-by: Antonio Quartulli
+Message-Id: <20220313193154.9350-3-openvpn@sf.lists.topphemmelig.net>
+URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23931.html
+Signed-off-by: Gert Doering
+(cherry picked from commit 282ddbac54f8d4923844f69983b38dd2b813a00a)
+---
+ doc/man-sections/plugin-options.rst | 9 ++++++++
+ src/openvpn/plugin.c | 33 ++++++++++++++++++++++++++---
+ 2 files changed, 39 insertions(+), 3 deletions(-)
+
+diff --git a/doc/man-sections/plugin-options.rst b/doc/man-sections/plugin-options.rst
+index 51c574fe6..9266429ea 100644
+--- a/doc/man-sections/plugin-options.rst
++++ b/doc/man-sections/plugin-options.rst
+@@ -55,3 +55,12 @@ plug-ins must be prebuilt and adhere to the OpenVPN Plug-In API.
+ (such as tls-verify, auth-user-pass-verify, or client-connect), then
+ every module and script must return success (:code:`0`) in order for the
+ connection to be authenticated.
++
++ **WARNING**:
++ Plug-ins may do deferred execution, meaning the plug-in will
++ return the control back to the main OpenVPN process and provide
++ the plug-in result later on via a different thread or process.
++ OpenVPN does **NOT** support multiple authentication plug-ins
++ **where more than one plugin** tries to do deferred authentication.
++ If this behaviour is detected, OpenVPN will shut down upon first
++ authentication.
+diff --git a/src/openvpn/plugin.c b/src/openvpn/plugin.c
+index e8f8830d0..ed5d7c067 100644
+--- a/src/openvpn/plugin.c
++++ b/src/openvpn/plugin.c
+@@ -806,7 +806,7 @@ plugin_call_ssl(const struct plugin_list *pl,
+ const int n = plugin_n(pl);
+ bool success = false;
+ bool error = false;
+- bool deferred = false;
++ bool deferred_auth_done = false;
+
+ setenv_del(es, "script_type");
+ envp = make_env_array(es, false, &gc);
+@@ -829,7 +829,34 @@ plugin_call_ssl(const struct plugin_list *pl,
+ break;
+
+ case OPENVPN_PLUGIN_FUNC_DEFERRED:
+- deferred = true;
++ if ((type == OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY)
++ && deferred_auth_done)
++ {
++ /*
++ * Do not allow deferred auth if a deferred auth has
++ * already been started. This should allow a single
++ * deferred auth call to happen, with one or more
++ * auth calls with an instant authentication result.
++ *
++ * The plug-in API is not designed for multiple
++ * deferred authentications to happen, as the
++ * auth_control_file file will be shared across all
++ * the plug-ins.
++ *
++ * Since this is considered a critical configuration
++ * error, we bail out and exit the OpenVPN process.
++ */
++ error = true;
++ msg(M_FATAL,
++ "Exiting due to multiple authentication plug-ins "
++ "performing deferred authentication. Only one "
++ "authentication plug-in doing deferred auth is "
++ "allowed. Ignoring the result and stopping now, "
++ "the current authentication result is not to be "
++ "trusted.");
++ break;
++ }
++ deferred_auth_done = true;
+ break;
+
+ default:
+@@ -853,7 +880,7 @@ plugin_call_ssl(const struct plugin_list *pl,
+ {
+ return OPENVPN_PLUGIN_FUNC_ERROR;
+ }
+- else if (deferred)
++ else if (deferred_auth_done)
+ {
+ return OPENVPN_PLUGIN_FUNC_DEFERRED;
+ }
diff --git a/openvpn.spec b/openvpn.spec
index 95e3bf33de1aaa28748ccd6023f9ba65eae0b80a..a73d7a3a7dcfde77812dcddddf7d84cc9c4a20d4 100644
--- a/openvpn.spec
+++ b/openvpn.spec
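Review bot: The guard added in the OPENVPN_PLUGIN_FUNC_DEFERRED case only fires when `type == OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY`, so two plug-ins that both defer some other hook type still take the old path, set `deferred_auth_done = true` and return OPENVPN_PLUGIN_FUNC_DEFERRED from the tail of plugin_call_ssl. If that is intentional because only the auth hook shares auth_control_file, as the block comment implies, a one-line comment on the condition such as `/* only auth deferral shares auth_control_file; other hook types are left as before */` would stop the next reader from widening or narrowing it by accident. Since the comment states the M_FATAL path exits the process, the `error = true;` and `break;` after `msg(M_FATAL, ...)` appear to be unreachable and serve only as a fallback should that log level ever stop exiting; that is worth saying in the comment so nobody removes them as dead code. plugin_call_ssl begins and ends outside the hunk.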
@@ -1,10 +1,12 @@
 Name: openvpn
 Version: 2.5.5
-Release: 1
+Release: 2
 Summary: A full-featured open source SSL VPN solution
 License: GPL-2.0-or-later and OpenSSL and SSLeay
 URL: https://community.openvpn.net/openvpn
 Source0: https://swupdate.openvpn.org/community/releases/openvpn-%{version}.tar.gz
+# https://github.com/OpenVPN/openvpn/commit/af3e382
+Patch0: CVE-2022-0547.patch
 
 BuildRequires: openssl-devel lz4-devel systemd-devel lzo-devel gcc
 BuildRequires: iproute pam-devel pkcs11-helper-devel >= 1.11
@@ -121,6 +123,9 @@ fi
 %{_mandir}/man5/openvpn-examples.5.gz
 
 %changelog
+* Wed Mar 30 2022 wangkai - 2.5.5-2
+- Fix CVE-2022-0547
+
 * Wed Dec 29 2021 zhangjiapeng - 2.5.5-1
 - Update to 2.5.5
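Review bot: `Patch0: CVE-2022-0547.patch` is declared in the first hunk, but nothing in either hunk applies it; unless %prep (outside this diff) uses `%autosetup` or is given a matching `%patch0 -p1`, the package rebuilds as 2.5.5-2 with a changelog claiming the fix while the patch is never applied. The patch's paths are of the `a/src/openvpn/plugin.c` form, so `-p1` is the strip level it needs. The `# https://github.com/OpenVPN/openvpn/commit/af3e382` comment is a useful provenance pointer; consider carrying the full hash there so it can be matched directly against the `From af3e382649d96ae77cc5e42be8270f355e5cfec5` line in the patch header.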