diff --git a/CVE-2019-3695-CVE-2019-3696.patch b/CVE-2019-3695-CVE-2019-3696.patch
new file mode 100644
index 0000000000000000000000000000000000000000..9b1070390e48b3d5f0d139665054b08341d10fc7
--- /dev/null
+++ b/CVE-2019-3695-CVE-2019-3696.patch
@@ -0,0 +1,200 @@
+From 34c83f7ee46224fe410572f33c57a739f7bd044f Mon Sep 17 00:00:00 2001
+From: Nathan Scott
+Date: Sun, 6 Oct 2019 14:10:40 +1100
+Subject: [PATCH] build: drop old config file transition code from rpm specs
+
+Its been many years since this transition was done, good time
+now with pcp-5.0.0 to full this old shell code. Also remove
+the Fedora crontab transition logic as thats completely moved
+over to systemd now.
+---
+ build/rpm/GNUmakefile | 1 +
+ build/rpm/fedora.spec | 57 +---------------------------------------
+ build/rpm/pcp.spec.in | 60 ++-----------------------------------------
+ 3 files changed, 4 insertions(+), 114 deletions(-)
+
+diff --git a/build/rpm/GNUmakefile b/build/rpm/GNUmakefile
+index cf6d21f..40a9efe 100644
+--- a/build/rpm/GNUmakefile
++++ b/build/rpm/GNUmakefile
+@@ -111,6 +111,7 @@ pcp.spec: pcp.spec.in
+ -e's|@pcp_sysconf_dir@|$(PCP_SYSCONF_DIR)|g' \
+ -e's|@pcp_share_dir@|$(PCP_SHARE_DIR)|g' \
+ -e's|@pcp_log_dir@|$(PCP_LOG_DIR)|g' \
++ -e's|@pcp_sa_dir@|$(PCP_LOG_DIR)|g' \
+ -e's|@pcp_var_dir@|$(PCP_VAR_DIR)|g' \
+ -e's|@pcp_etc_dir@|$(PCP_ETC_DIR)|g' \
+ -e's|@pcp_binadm_dir@|$(PCP_BINADM_DIR)|g' \
+diff --git a/build/rpm/fedora.spec b/build/rpm/fedora.spec
+index 0471dbd..1256926 100644
+--- a/build/rpm/fedora.spec
++++ b/build/rpm/fedora.spec
+@@ -2427,56 +2427,6 @@ exit 0
+ getent group pcp >/dev/null || groupadd -r pcp
+ getent passwd pcp >/dev/null || \
+ useradd -c "Performance Co-Pilot" -g pcp -d %{_localstatedir}/lib/pcp -M -r -s /sbin/nologin pcp
+-PCP_CONFIG_DIR=%{_localstatedir}/lib/pcp/config
+-PCP_SYSCONF_DIR=%{_confdir}
+-PCP_LOG_DIR=%{_logsdir}
+-PCP_ETC_DIR=%{_sysconfdir}
+-# rename crontab files to align with current Fedora packaging guidelines
+-for crontab in pmlogger pmie
+-do
+- test -f "$PCP_ETC_DIR/cron.d/$crontab" || continue
+- mv -f "$PCP_ETC_DIR/cron.d/$crontab" "$PCP_ETC_DIR/cron.d/pcp-$crontab"
+-done
+-# produce a script to run post-install to move configs to their new homes
+-save_configs_script()
+-{
+- _new="$1"
+- shift
+- for _dir
+- do
+- [ "$_dir" = "$_new" ] && continue
+- if [ -d "$_dir" ]
+- then
+- ( cd "$_dir" ; find . -maxdepth 1 -type f ) | sed -e 's/^\.\///' \
+- | while read _file
+- do
+- [ "$_file" = "control" ] && continue
+- _want=true
+- if [ -f "$_new/$_file" ]
+- then
+- # file exists in both directories, pick the more
+- # recently modified one
+- _try=`find "$_dir/$_file" -newer "$_new/$_file" -print`
+- [ -n "$_try" ] || _want=false
+- fi
+- $_want && echo cp -p "$_dir/$_file" "$_new/$_file"
+- done
+- fi
+- done
+-}
+-# migrate and clean configs if we have had a previous in-use installation
+-[ -d "$PCP_LOG_DIR" ] || exit 0 # no configuration file upgrades required
+-rm -f "$PCP_LOG_DIR/configs.sh"
+-for daemon in pmie pmlogger
+-do
+- save_configs_script >> "$PCP_LOG_DIR/configs.sh" "$PCP_CONFIG_DIR/$daemon" \
+- "$PCP_SYSCONF_DIR/$daemon"
+-done
+-for daemon in pmcd pmproxy
+-do
+- save_configs_script >> "$PCP_LOG_DIR/configs.sh" "$PCP_SYSCONF_DIR/$daemon"\
+- "$PCP_CONFIG_DIR/$daemon" /etc/$daemon
+-done
+ exit 0
+
+ %if !%{disable_microhttpd}
+@@ -2828,11 +2778,7 @@ pmieconf -c enable dmthin
+ %{pmda_notready "$1" "prometheus"}
+
+ %post
+-PCP_LOG_DIR=%{_logsdir}
+ PCP_PMNS_DIR=%{_pmnsdir}
+-# restore saved configs, if any
+-test -s "$PCP_LOG_DIR/configs.sh" && source "$PCP_LOG_DIR/configs.sh"
+-rm -f $PCP_LOG_DIR/configs.sh
+
+ chown -R pcp:pcp %{_logsdir}/pmcd 2>/dev/null
+ chown -R pcp:pcp %{_logsdir}/pmlogger 2>/dev/null
+@@ -2860,7 +2806,7 @@ chmod 644 "$PCP_PMNS_DIR/.NeedRebuild"
+ /sbin/service pmproxy condrestart
+ %endif
+
+-cd $PCP_PMNS_DIR && ./Rebuild -s && rm -f .NeedRebuild
++cd "$PCP_PMNS_DIR" && ./Rebuild -s && rm -f .NeedRebuild
+ cd
+
+ %post libs -p /sbin/ldconfig
+diff --git a/build/rpm/pcp.spec.in b/build/rpm/pcp.spec.in
+index dba589e..c37e934 100755
+--- a/build/rpm/pcp.spec.in
++++ b/build/rpm/pcp.spec.in
+@@ -2764,11 +2764,6 @@ chown -R pcpqa:pcpqa @pcp_var_dir@/testsuite 2>/dev/null
+ getent group pcp >/dev/null || groupadd -r pcp
+ getent passwd pcp >/dev/null || \
+ useradd -c "Performance Co-Pilot" -g pcp -d @pcp_var_dir@ -M -r -s /sbin/nologin pcp
+-# new directories; they should match /etc/pcp.conf settings after install
+-PCP_CONFIG_DIR=@pcp_var_dir@/config
+-PCP_SYSCONF_DIR=@pcp_sysconf_dir@
+-PCP_LOG_DIR=@pcp_log_dir@
+-PCP_ETC_DIR=@pcp_etc_dir@
+
+ # transition pmdadmcache over to pmdadm (device mapper)
+ PCP_PMCDCONF_PATH=@pcp_pmcdconf_path@
+@@ -2780,52 +2780,6 @@
+ touch "$PCP_PMDAS_DIR/dmcache/.NeedRemove"
+ fi
+
+-# rename crontab files to align with current Fedora packaging guidelines
+-for crontab in pmlogger pmie
+-do
+- test -f "$PCP_ETC_DIR/cron.d/$crontab" || continue
+- mv -f "$PCP_ETC_DIR/cron.d/$crontab" "$PCP_ETC_DIR/cron.d/pcp-$crontab"
+-done
+-# produce a script to run post-install to move configs to their new homes
+-save_configs_script()
+-{
+- _new="$1"
+- shift
+- for _dir
+- do
+- [ "$_dir" = "$_new" ] && continue
+- if [ -d "$_dir" ]
+- then
+- ( cd "$_dir" ; find . -maxdepth 1 -type f ) | sed -e 's/^\.\///' \
+- | while read _file
+- do
+- [ "$_file" = "control" ] && continue
+- _want=true
+- if [ -f "$_new/$_file" ]
+- then
+- # file exists in both directories, pick the more
+- # recently modified one
+- _try=`find "$_dir/$_file" -newer "$_new/$_file" -print`
+- [ -n "$_try" ] || _want=false
+- fi
+- $_want && echo cp -p "$_dir/$_file" "$_new/$_file"
+- done
+- fi
+- done
+-}
+-# migrate and clean configs if we have had a previous in-use installation
+-[ -d "$PCP_LOG_DIR" ] || exit 0 # no configuration file upgrades required
+-rm -f "$PCP_LOG_DIR/configs.sh"
+-for daemon in pmie pmlogger
+-do
+- save_configs_script >> "$PCP_LOG_DIR/configs.sh" "$PCP_CONFIG_DIR/$daemon" \
+- "$PCP_SYSCONF_DIR/$daemon"
+-done
+-for daemon in pmcd pmproxy
+-do
+- save_configs_script >> "$PCP_LOG_DIR/configs.sh" "$PCP_SYSCONF_DIR/$daemon"\
+- "$PCP_CONFIG_DIR/$daemon" /etc/$daemon
+-done
+ exit 0
+
+ %if "@enable_webapi@" == "true"
+@@ -3191,11 +3129,7 @@ fi
+ %post
+ PCP_PMNS_DIR=@pcp_var_dir@/pmns
+ PCP_LOG_DIR=@pcp_log_dir@
+-PCP_SYSCONFIG_DIR=@pcp_sysconfig_dir@
+-
+-# restore saved configs, if any
+-test -s "$PCP_LOG_DIR/configs.sh" && source "$PCP_LOG_DIR/configs.sh"
+-rm -f $PCP_LOG_DIR/configs.sh
++PCP_SA_DIR=@pcp_sa_dir@
+
+ chown -R pcp:pcp "$PCP_LOG_DIR/pmcd" 2>/dev/null
+ chown -R pcp:pcp "$PCP_LOG_DIR/pmlogger" 2>/dev/null
+@@ -3224,7 +3158,7 @@ chmod 644 "$PCP_PMNS_DIR/.NeedRebuild"
+ /sbin/service pmproxy condrestart
+ %endif
+
+-cd $PCP_PMNS_DIR && ./Rebuild -s && rm -f .NeedRebuild
++cd "$PCP_PMNS_DIR" && ./Rebuild -s && rm -f .NeedRebuild
+ cd
+
+ %post libs -p /sbin/ldconfig
diff --git a/pcp.spec b/pcp.spec
index 9028df2af18b4a737816268c4a24b0fd63c5f73c..58171991bb780a7b42b3c88b5513b3eeac7fd602 100644
--- a/pcp.spec
+++ b/pcp.spec
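Review bot: In the added CVE-2019-3695-CVE-2019-3696.patch, the `%post` hunk for `build/rpm/pcp.spec.in` drops `PCP_SYSCONFIG_DIR=@pcp_sysconfig_dir@` and introduces `PCP_SA_DIR=@pcp_sa_dir@`, which the GNUmakefile hunk substitutes with `$(PCP_LOG_DIR)`; the patch description explains neither, and both look like context carried over from a newer tree. The rest of `%post` lies outside the hunk, so confirm that nothing further down in the 4.1.3 scriptlet still reads `$PCP_SYSCONFIG_DIR`, which would now expand to an empty string in a scriptlet that runs as root; otherwise keep that assignment. It would also help to state in the patch header why a cleanup commit carries two CVE ids: the removed `%post` line `test -s "$PCP_LOG_DIR/configs.sh" && source "$PCP_LOG_DIR/configs.sh"` executed a file taken from the log directory at install time.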
@@ -9,7 +9,7 @@
 Name: pcp
 Version: 4.1.3
 Summary: System-level performance monitoring and performance management
-Release: 3
+Release: 4
 License: GPLv2+ and LGPLv2.1+ and CC-BY
 URL: https://pcp.io
 Source0: https://dl.bintray.com/pcp/source/pcp-4.1.3.tar.gz
@@ -17,6 +17,8 @@ Source1: https://github.com/performancecopilot/pcp-webapp-vector/archiv
 Source2: https://github.com/performancecopilot/pcp-webapp-grafana/archive/1.9.1-2/pcp-webapp-grafana-1.9.1-2.tar.gz
 Source3: https://github.com/performancecopilot/pcp-webapp-graphite/archive/0.9.10/pcp-webapp-graphite-0.9.10.tar.gz
 Source4: https://github.com/performancecopilot/pcp-webapp-blinkenlights/archive/1.0.1/pcp-webapp-blinkenlights-1.0.1.tar.gz
+Patch6000: CVE-2019-3695-CVE-2019-3696.patch
+
 BuildRequires: gcc gcc-c++ procps autoconf bison flex nss-devel rpm-devel avahi-devel xz-devel zlib-devel
 BuildRequires: python2-devel python3-devel ncurses-devel readline-devel cyrus-sasl-devel papi-devel libpfm-devel >= 4
 BuildRequires: libmicrohttpd-devel cairo-devel systemtap-sdt-devel boost-devel perl-generators perl-devel perl(strict)
@@ -857,6 +859,7 @@ This package installs selinux support files for PCP.
 %setup -q -T -D -a 3 -c -n graphite
 %setup -q -T -D -a 4 -c -n blinkenlights
 %setup -q
+%patch6000 -p1
 %build
@@ -2208,5 +2211,11 @@ fi
 %config(noreplace) /etc/pcp/pmrep/*
 %changelog
+* Wed May 13 2020 huanghaitao - 4.1.3-4
+- Type:cves
+- ID: CVE-2019-3695 CVE-2019-3696
+- SUG:restart
+- DESC: fix CVE-2019-3695 CVE-2019-3696
+
 * Fri Feb 21 2020 Senlin Xia - 4.1.3-3
 - package init
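Review bot: `%patch6000 -p1` only rewrites `build/rpm/GNUmakefile`, `build/rpm/fedora.spec` and `build/rpm/pcp.spec.in` inside the unpacked source tree, whereas the scriptlets shipped in this package come from `pcp.spec` itself. The hunks shown for `pcp.spec` touch only `Release`, the `Patch6000` declaration, `%prep` and `%changelog`. If this spec's own `%pre`/`%post` sections (not visible in the diff) still contain `save_configs_script` and `source "$PCP_LOG_DIR/configs.sh"`, the built package behaves as before. Check the result with `rpm -q --scripts` on the built package and, if that code is still present, remove it from `pcp.spec` in the same commit.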