diff --git a/CVE-2022-0547.patch b/CVE-2022-0547.patch
deleted file mode 100644
index 3916525b7f9797f1404f6076f035ac6d487b977c..0000000000000000000000000000000000000000
--- a/CVE-2022-0547.patch
+++ /dev/null
@@ -1,98 +0,0 @@
-From af3e382649d96ae77cc5e42be8270f355e5cfec5 Mon Sep 17 00:00:00 2001
-From: David Sommerseth
-Date: Sun, 13 Mar 2022 20:31:53 +0100
-Subject: [PATCH] plug-ins: Disallow multiple deferred authentication plug-ins
-
-The plug-in API in OpenVPN 2.x is not designed for running multiple
-deferred authentication processes in parallel. The authentication
-results of such configurations are not to be trusted. For now we bail
-out when this is discovered with an error in the log.
-
-CVE: 2022-0547
-Signed-off-by: David Sommerseth
-
-Acked-by: Antonio Quartulli
-Message-Id: <20220313193154.9350-3-openvpn@sf.lists.topphemmelig.net>
-URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23931.html
-Signed-off-by: Gert Doering
-(cherry picked from commit 282ddbac54f8d4923844f69983b38dd2b813a00a)
---
- doc/man-sections/plugin-options.rst | 9 ++++++++
- src/openvpn/plugin.c | 33 ++++++++++++++++++++++++++---
- 2 files changed, 39 insertions(+), 3 deletions(-)
-
-diff --git a/doc/man-sections/plugin-options.rst b/doc/man-sections/plugin-options.rst
-index 51c574fe6..9266429ea 100644
---- a/doc/man-sections/plugin-options.rst
-+++ b/doc/man-sections/plugin-options.rst
-@@ -55,3 +55,12 @@ plug-ins must be prebuilt and adhere to the OpenVPN Plug-In API.
- (such as tls-verify, auth-user-pass-verify, or client-connect), then
- every module and script must return success (:code:`0`) in order for the
- connection to be authenticated.
-+
-+ **WARNING**:
-+ Plug-ins may do deferred execution, meaning the plug-in will
-+ return the control back to the main OpenVPN process and provide
-+ the plug-in result later on via a different thread or process.
-+ OpenVPN does **NOT** support multiple authentication plug-ins
-+ **where more than one plugin** tries to do deferred authentication.
-+ If this behaviour is detected, OpenVPN will shut down upon first
-+ authentication.
-diff --git a/src/openvpn/plugin.c b/src/openvpn/plugin.c
-index e8f8830d0..ed5d7c067 100644
---- a/src/openvpn/plugin.c
-+++ b/src/openvpn/plugin.c
-@@ -806,7 +806,7 @@ plugin_call_ssl(const struct plugin_list *pl,
- const int n = plugin_n(pl);
- bool success = false;
- bool error = false;
-- bool deferred = false;
-+ bool deferred_auth_done = false;
-
- setenv_del(es, "script_type");
- envp = make_env_array(es, false, &gc);
-@@ -829,7 +829,34 @@ plugin_call_ssl(const struct plugin_list *pl,
- break;
-
- case OPENVPN_PLUGIN_FUNC_DEFERRED:
-- deferred = true;
-+ if ((type == OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY)
-+ && deferred_auth_done)
-+ {
-+ /*
-+ * Do not allow deferred auth if a deferred auth has
-+ * already been started. This should allow a single
-+ * deferred auth call to happen, with one or more
-+ * auth calls with an instant authentication result.
-+ *
-+ * The plug-in API is not designed for multiple
-+ * deferred authentications to happen, as the
-+ * auth_control_file file will be shared across all
-+ * the plug-ins.
-+ *
-+ * Since this is considered a critical configuration
-+ * error, we bail out and exit the OpenVPN process.
-+ */
-+ error = true;
-+ msg(M_FATAL,
-+ "Exiting due to multiple authentication plug-ins "
-+ "performing deferred authentication. Only one "
-+ "authentication plug-in doing deferred auth is "
-+ "allowed. Ignoring the result and stopping now, "
-+ "the current authentication result is not to be "
-+ "trusted.");
-+ break;
-+ }
-+ deferred_auth_done = true;
- break;
-
- default:
-@@ -853,7 +880,7 @@ plugin_call_ssl(const struct plugin_list *pl,
- {
- return OPENVPN_PLUGIN_FUNC_ERROR;
- }
-- else if (deferred)
-+ else if (deferred_auth_done)
- {
- return OPENVPN_PLUGIN_FUNC_DEFERRED;
- }
diff --git a/openvpn-2.4-change-tmpfiles-permissions.patch b/openvpn-2.4-change-tmpfiles-permissions.patch
new file mode 100644
index 0000000000000000000000000000000000000000..8adb700652064aa96538aa4703ccd9eb645e62ad
--- /dev/null
+++ b/openvpn-2.4-change-tmpfiles-permissions.patch
@@ -0,0 +1,9 @@
+diff --git a/distro/systemd/tmpfiles-openvpn.conf b/distro/systemd/tmpfiles-openvpn.conf
+index bb79671e..9258f5c6 100644
+--- a/distro/systemd/tmpfiles-openvpn.conf
++++ b/distro/systemd/tmpfiles-openvpn.conf
+@@ -1,2 +1,2 @@
+-d /run/openvpn-client 0710 root root -
+-d /run/openvpn-server 0710 root root -
++d /run/openvpn-client 0750 root openvpn -
++d /run/openvpn-server 0750 root openvpn -
diff --git a/openvpn-2.5.5.tar.gz b/openvpn-2.5.5.tar.gz
deleted file mode 100644
index 6bbb30802a9d5533866ddb43b23ff8579027eb2b..0000000000000000000000000000000000000000
Binary files a/openvpn-2.5.5.tar.gz and /dev/null differ
diff --git a/openvpn-2.5.8.tar.xz b/openvpn-2.5.8.tar.xz
new file mode 100644
index 0000000000000000000000000000000000000000..a7123bb045ef3f55354576b7370ef502b78e4064
Binary files /dev/null and b/openvpn-2.5.8.tar.xz differ
diff --git a/openvpn.spec b/openvpn.spec
index a73d7a3a7dcfde77812dcddddf7d84cc9c4a20d4..65bbacc57a2a599f4ff60863e812dd691ec8f57a 100644
--- a/openvpn.spec
+++ b/openvpn.spec
@@ -1,14 +1,14 @@
 Name: openvpn
-Version: 2.5.5
-Release: 2
+Version: 2.5.8
+Release: 1
 Summary: A full-featured open source SSL VPN solution
 License: GPL-2.0-or-later and OpenSSL and SSLeay
 URL: https://community.openvpn.net/openvpn
-Source0: https://swupdate.openvpn.org/community/releases/openvpn-%{version}.tar.gz
-# https://github.com/OpenVPN/openvpn/commit/af3e382
-Patch0: CVE-2022-0547.patch
+Source0: https://build.openvpn.net/downloads/releases/%{name}-%{version}.tar.xz
+Patch0: openvpn-2.4-change-tmpfiles-permissions.patch
 BuildRequires: openssl-devel lz4-devel systemd-devel lzo-devel gcc
 BuildRequires: iproute pam-devel pkcs11-helper-devel >= 1.11
+BuildRequires: libselinux-devel
 Requires: iproute
 Requires(pre): /usr/sbin/useradd
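Review bot: The new patch file carries no header explaining why `/run/openvpn-client` and `/run/openvpn-server` go from `0710 root root` to `0750 root openvpn`, so a later packager cannot tell whether the group read bit (listing the directory, which the old mode withheld from everyone but root) is something the unit files need or just an inherited downstream change; a short header line at the top of the patch, e.g. `# Let the openvpn group enter and list /run/openvpn-{client,server}: needed because <reason placeholder>`, would ground it. The new mode also depends on the `openvpn` group existing by the time systemd-tmpfiles processes the file; `Requires(pre): /usr/sbin/useradd` in openvpn.spec suggests a %pre scriptlet creates it, but that scriptlet is outside this diff, so it is worth confirming. The `openvpn-2.4-` prefix on a patch applied to a 2.5.8 build is misleading as well; naming it after the version it was rebased against would avoid the confusion.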
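Review bot: Dropping `Patch0: CVE-2022-0547.patch` is only correct if the 2.5.8 tarball already contains upstream commit af3e382 (the fix shipped in an earlier 2.5.x release as far as I recall, but that should be checked against the 2.5.8 ChangeLog), and nothing in this hunk or in the new changelog entry records that reasoning; a line such as `# CVE-2022-0547 fixed upstream, downstream patch dropped` next to the new Source0 would keep the audit trail that the removed `# https://github.com/OpenVPN/openvpn/commit/af3e382` comment provided. The added `BuildRequires: libselinux-devel` is likewise unexplained: whether it actually turns on SELinux support depends on the configure flags in %build, which are outside this diff, so either document the intent with a comment and a changelog line or drop it if %build does not pass `--enable-selinux`. The new `Patch0:` line also lacks the provenance comment the old one had.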
@@ -123,6 +123,9 @@ fi
 %{_mandir}/man5/openvpn-examples.5.gz
 %changelog
+* Thu Feb 02 2023 yaoxin - 2.5.8-1
+- Update to 2.5.8
+
 * Wed Mar 30 2022 wangkai - 2.5.5-2
 - Fix CVE-2022-0547
@@ -138,7 +141,7 @@ fi
 * Thu Feb 04 2021 wangyue 2.4.8-4
 - fix CVE-2020-11810
-* Tue Mar 16 2020 daiqianwen 2.4.8-3
+* Mon Mar 16 2020 daiqianwen 2.4.8-3
 - modify systemd post preun postun
 * Mon Nov 11 2019 guanyalong 2.4.8-2