diff --git a/bugfix-for-cve-2024-39894.patch b/bugfix-for-cve-2024-39894.patch
new file mode 100644
index 0000000000000000000000000000000000000000..1f0203eea8dd9f5fb3a4b1fa70abd32d4ecfe55f
--- /dev/null
+++ b/bugfix-for-cve-2024-39894.patch
@@ -0,0 +1,32 @@
+From 146c420d29d055cc75c8606327a1cf8439fe3a08 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org"
+Date: Mon, 1 Jul 2024 04:31:17 +0000
+Subject: upstream: when sending ObscureKeystrokeTiming chaff packets, we
+
+can't rely on channel_did_enqueue to tell that there is data to send. This
+flag indicates that the channels code enqueued a packet on _this_ ppoll()
+iteration, not that data was enqueued in _any_ ppoll() iteration in the
+timeslice. ok markus@
+
+OpenBSD-Commit-ID: 009b74fd2769b36b5284a0188ade182f00564136
+---
+ clientloop.c | 5 ++++---
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/clientloop.c b/clientloop.c
+index 0b6f3c9b..8ed8b1c3 100644
+--- a/clientloop.c
++++ b/clientloop.c
+@@ -607,8 +607,9 @@ obfuscate_keystroke_timing(struct ssh *ssh, struct timespec *timeout,
+ if (timespeccmp(&now, &chaff_until, >=)) {
+ /* Stop if there have been no keystrokes for a while */
+ stop_reason = "chaff time expired";
+- } else if (timespeccmp(&now, &next_interval, >=)) {
+- /* Otherwise if we were due to send, then send chaff */
++ } else if (timespeccmp(&now, &next_interval, >=) &&
++ !ssh_packet_have_data_to_write(ssh)) {
++ /* If due to send but have no data, then send chaff */
+ if (send_chaff(ssh))
+ nchaff++;
+ }
+
diff --git a/openssh.spec b/openssh.spec
index aaf6f0772e66963777d3a382d014391ff477a8d9..a0997c547c6fb9ba2c17306c53affaaf80bf45e7 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -1,4 +1,4 @@
-%define anolis_release 2
+%define anolis_release 3
 %global WITH_SELINUX 1
@@ -231,6 +231,10 @@ Patch1019: bugfix-for-cve-2025-26465.patch
 # https://www.qualys.com/2024/07/01/cve-2024-6387/regresshion.txt
 Patch1020: bugfix-for-cve-2024-6387.patch
+# CVE-2024-39894
+# https://github.com/linux-pam/linux-pam/commit/23393bef92c1e768eda329813d7af55481c6ca9f
+Patch1021: bugfix-for-cve-2024-39894.patch
+
 # https://github.com/openssh/openssh-portable/commit/81c1099d22b81ebfd20a334ce986c4f753b0db29
 License: BSD-3-Clause AND BSD-2-Clause AND ISC AND SSH-OpenSSH AND ssh-keyscan AND sprintf AND LicenseRef-Fedora-Public-Domain AND X11-distribute-modifications-variant
 Requires: /sbin/nologin
@@ -449,6 +453,7 @@ popd
 %patch -P 1018 -p1
 %patch -P 1019 -p1
 %patch -P 1020 -p1
+%patch -P 1021 -p1
 autoreconf
 pushd pam_ssh_agent_auth-pam_ssh_agent_auth-%{pam_ssh_agent_ver}
@@ -757,6 +762,9 @@ test -f %{sysconfig_anaconda} && \
 %endif
 %changelog
+* Thu Aug 28 2025 zjl02254423 - 9.6p1-3
+- add patch to fix CVE-2024-39894
+
 * Tue Aug 19 2025 zjl02254423 - 9.6p1-2
 - add patch to fix CVE-2024-6387
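Review bot: The reference comment added above `Patch1021` in the openssh.spec hunk at line 231 points to a linux-pam repository commit (`23393bef92c1e768eda329813d7af55481c6ca9f`), while the patch file added by this same commit changes OpenSSH's `clientloop.c` and carries the hash `146c420d29d055cc75c8606327a1cf8439fe3a08` from djm@openbsd.org in its `From` line. Someone following the comment cannot confirm that the shipped patch matches the upstream fix for CVE-2024-39894, which weakens the provenance trail for a security patch. Assuming the hash in the patch header is the openssh-portable commit, the comment should read `# https://github.com/openssh/openssh-portable/commit/146c420d29d055cc75c8606327a1cf8439fe3a08`; confirm the URL resolves to the same change before merging.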