diff --git a/fix-CVE-2024-0397.patch b/fix-CVE-2024-0397.patch
new file mode 100644
index 0000000000000000000000000000000000000000..bba875448fe5dacec300d398dcb2881cb85ade7d
--- /dev/null
+++ b/fix-CVE-2024-0397.patch
@@ -0,0 +1,153 @@
+From 01c37f1d0714f5822d34063ca7180b595abf589d Mon Sep 17 00:00:00 2001
+From: "Miss Islington (bot)"
+ <31488909+miss-islington@users.noreply.github.com>
+Date: Tue, 20 Feb 2024 17:34:44 +0100
+Subject: [PATCH] [3.11] gh-114572: Fix locking in cert_store_stats and
+ get_ca_certs (GH-114573) (#115549)
+
+gh-114572: Fix locking in cert_store_stats and get_ca_certs (GH-114573)
+
+* gh-114572: Fix locking in cert_store_stats and get_ca_certs
+
+cert_store_stats and get_ca_certs query the SSLContext's X509_STORE with
+X509_STORE_get0_objects, but reading the result requires a lock. See
+https://github.com/openssl/openssl/pull/23224 for details.
+
+Instead, use X509_STORE_get1_objects, newly added in that PR.
+X509_STORE_get1_objects does not exist in current OpenSSLs, but we can
+polyfill it with X509_STORE_lock and X509_STORE_unlock.
+
+* Work around const-correctness problem
+
+* Add missing X509_STORE_get1_objects failure check
+
+* Add blurb
+(cherry picked from commit bce693111bff906ccf9281c22371331aaff766ab)
+
+Co-authored-by: David Benjamin <davidben@google.com>
+---
+ ...-01-26-22-14-09.gh-issue-114572.t1QMQD.rst |  4 ++
+ Modules/_ssl.c                                | 65 +++++++++++++++++--
+ 2 files changed, 64 insertions(+), 5 deletions(-)
+ create mode 100644 Misc/NEWS.d/next/Security/2024-01-26-22-14-09.gh-issue-114572.t1QMQD.rst
+
+diff --git a/Misc/NEWS.d/next/Security/2024-01-26-22-14-09.gh-issue-114572.t1QMQD.rst b/Misc/NEWS.d/next/Security/2024-01-26-22-14-09.gh-issue-114572.t1QMQD.rst
+new file mode 100644
+index 00000000000000..b4f9fe64db0615
+--- /dev/null
++++ b/Misc/NEWS.d/next/Security/2024-01-26-22-14-09.gh-issue-114572.t1QMQD.rst
+@@ -0,0 +1,4 @@
++:meth:`ssl.SSLContext.cert_store_stats` and
++:meth:`ssl.SSLContext.get_ca_certs` now correctly lock access to the
++certificate store, when the :class:`ssl.SSLContext` is shared across
++multiple threads.
+diff --git a/Modules/_ssl.c b/Modules/_ssl.c
+index 67ce6e97af9016..81d36a6f11ed40 100644
+--- a/Modules/_ssl.c
++++ b/Modules/_ssl.c
+@@ -4529,6 +4529,50 @@ set_sni_callback(PySSLContext *self, PyObject *arg, void *c)
+     return 0;
+ }
+ 
++#if OPENSSL_VERSION_NUMBER < 0x30300000L
++static X509_OBJECT *x509_object_dup(const X509_OBJECT *obj)
++{
++    int ok;
++    X509_OBJECT *ret = X509_OBJECT_new();
++    if (ret == NULL) {
++        return NULL;
++    }
++    switch (X509_OBJECT_get_type(obj)) {
++        case X509_LU_X509:
++            ok = X509_OBJECT_set1_X509(ret, X509_OBJECT_get0_X509(obj));
++            break;
++        case X509_LU_CRL:
++            /* X509_OBJECT_get0_X509_CRL was not const-correct prior to 3.0.*/
++            ok = X509_OBJECT_set1_X509_CRL(
++                ret, X509_OBJECT_get0_X509_CRL((X509_OBJECT *)obj));
++            break;
++        default:
++            /* We cannot duplicate unrecognized types in a polyfill, but it is
++             * safe to leave an empty object. The caller will ignore it. */
++            ok = 1;
++            break;
++    }
++    if (!ok) {
++        X509_OBJECT_free(ret);
++        return NULL;
++    }
++    return ret;
++}
++
++static STACK_OF(X509_OBJECT) *
++X509_STORE_get1_objects(X509_STORE *store)
++{
++    STACK_OF(X509_OBJECT) *ret;
++    if (!X509_STORE_lock(store)) {
++        return NULL;
++    }
++    ret = sk_X509_OBJECT_deep_copy(X509_STORE_get0_objects(store),
++                                   x509_object_dup, X509_OBJECT_free);
++    X509_STORE_unlock(store);
++    return ret;
++}
++#endif
++
+ PyDoc_STRVAR(PySSLContext_sni_callback_doc,
+ "Set a callback that will be called when a server name is provided by the SSL/TLS client in the SNI extension.\n\
+ \n\
+@@ -4558,7 +4602,12 @@ _ssl__SSLContext_cert_store_stats_impl(PySSLContext *self)
+     int x509 = 0, crl = 0, ca = 0, i;
+ 
+     store = SSL_CTX_get_cert_store(self->ctx);
+-    objs = X509_STORE_get0_objects(store);
++    objs = X509_STORE_get1_objects(store);
++    if (objs == NULL) {
++        PyErr_SetString(PyExc_MemoryError, "failed to query cert store");
++        return NULL;
++    }
++
+     for (i = 0; i < sk_X509_OBJECT_num(objs); i++) {
+         obj = sk_X509_OBJECT_value(objs, i);
+         switch (X509_OBJECT_get_type(obj)) {
+@@ -4572,12 +4621,11 @@ _ssl__SSLContext_cert_store_stats_impl(PySSLContext *self)
+                 crl++;
+                 break;
+             default:
+-                /* Ignore X509_LU_FAIL, X509_LU_RETRY, X509_LU_PKEY.
+-                 * As far as I can tell they are internal states and never
+-                 * stored in a cert store */
++                /* Ignore unrecognized types. */
+                 break;
+         }
+     }
++    sk_X509_OBJECT_pop_free(objs, X509_OBJECT_free);
+     return Py_BuildValue("{sisisi}", "x509", x509, "crl", crl,
+         "x509_ca", ca);
+ }
+@@ -4609,7 +4657,12 @@ _ssl__SSLContext_get_ca_certs_impl(PySSLContext *self, int binary_form)
+     }
+ 
+     store = SSL_CTX_get_cert_store(self->ctx);
+-    objs = X509_STORE_get0_objects(store);
++    objs = X509_STORE_get1_objects(store);
++    if (objs == NULL) {
++        PyErr_SetString(PyExc_MemoryError, "failed to query cert store");
++        goto error;
++    }
++
+     for (i = 0; i < sk_X509_OBJECT_num(objs); i++) {
+         X509_OBJECT *obj;
+         X509 *cert;
+@@ -4637,9 +4690,11 @@ _ssl__SSLContext_get_ca_certs_impl(PySSLContext *self, int binary_form)
+         }
+         Py_CLEAR(ci);
+     }
++    sk_X509_OBJECT_pop_free(objs, X509_OBJECT_free);
+     return rlist;
+ 
+   error:
++    sk_X509_OBJECT_pop_free(objs, X509_OBJECT_free);
+     Py_XDECREF(ci);
+     Py_XDECREF(rlist);
+     return NULL;
diff --git a/python3.spec b/python3.spec
index 05f5fa418e005a1284add661653f5fb337847d27..b46e15c002cba40fdef97d97c6802b345ebe9c0b 100644
--- a/python3.spec
+++ b/python3.spec
@@ -1,4 +1,4 @@
-%define anolis_release 4
+%define anolis_release 5
 %global pybasever 3.11
 
 # pybasever without the dot:
@@ -243,6 +243,8 @@ Patch1003: 0001-add-loongarch64-support-for-python-3.10.12.patch
 Patch1004: fix-cve-2023-6597.patch
 Patch1005: fix-cve-2025-0938.patch
 Patch1006: 0001-add-sw_64-support.patch
+# https://github.com/python/cpython/commit/01c37f1d0714f5822d34063ca7180b595abf589d    
+Patch1007: fix-CVE-2024-0397.patch
 
 # ==========================================
 # Descriptions, and metadata for subpackages
@@ -1515,6 +1517,9 @@ CheckPython optimized
 # ======================================================
 
 %changelog
+* Tue Jun 10 2025 wenxin <wx02272781@alibaba-inc.com> - 3.11.6-5
+- Fix CVE-2024-0397
+
 * Thu Apr 17 2025 Dong Chuanjian <chuanjian@nfschina.com> - 3.11.6-4
 - Add sw_64 support