diff --git a/ppp.spec b/ppp.spec
index bb8172c9d508094224cc4b6258127f6e6eba8e82..9be160d21a0e7774bdb98fdbdda2f8104e945d49 100644
--- a/ppp.spec
+++ b/ppp.spec
@@ -1,6 +1,6 @@
 Name:           ppp
 Version:        2.5.0
-Release:        1
+Release:        2
 Summary:        The Point-to-Point Protocol
 
 License:        BSD and LGPLv2+ and GPLv2+ and Public Domain
@@ -34,6 +34,8 @@ Patch0006:      backport-ppp-2.4.8-pppd-we-don-t-want-to-accidentally-leak-fds.p
 Patch0007:      backport-ppp-2.4.9-everywhere-O_CLOEXEC-harder.patch
 Patch0008:      backport-0014-everywhere-use-SOCK_CLOEXEC-when-creating-socket.patch
 
+Patch0009:      refuse-pap-by-default-for-security.patch
+
 %description
 The Point-to-Point Protocol (PPP) provides a standard way to establish
 a network connection over a serial link.  At present, this package
@@ -133,6 +135,12 @@ mkdir -p %{buildroot}%{_rundir}/ppp
 %{_mandir}/man8/*.8.gz
 
 %changelog
+* Fri May 10 2024 gaihuiying <eaglegai@163.com> - 2.5.0-2
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC:refuse pap by default for security
+
 * Mon Jul 24 2023 gaihuiying <eaglegai@163.com> - 2.5.0-1
 - Type:requirement
 - ID:NA
diff --git a/refuse-pap-by-default-for-security.patch b/refuse-pap-by-default-for-security.patch
new file mode 100644
index 0000000000000000000000000000000000000000..5fa567ea34e5da1fbf5b3bf26fd4bc6a5e221d2f
--- /dev/null
+++ b/refuse-pap-by-default-for-security.patch
@@ -0,0 +1,19 @@
+From 6483148222e054d5fa34b05634f79c7a56acc2b4 Mon Sep 17 00:00:00 2001
+From: Zhen Chen <chenzhen126@huawei.com>
+Date: Thu, 20 Oct 2022 15:49:58 +0800
+Subject: [PATCH] refuse pap by default for security
+
+---
+ etc.ppp/options | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/etc.ppp/options b/etc.ppp/options
+index 4b67b6a0d6b6..7112a65bd6b6 100644
+--- a/etc.ppp/options
++++ b/etc.ppp/options
+@@ -1 +1,2 @@
+ lock
++refuse-pap
+-- 
+2.33.0
+