diff --git a/resolved-actually-check-authenticated-flag-of-SOA-tr.patch b/resolved-actually-check-authenticated-flag-of-SOA-tr.patch
new file mode 100644
index 0000000000000000000000000000000000000000..659a874c3f4e1e1bdde1c0c88043e287e54c5291
--- /dev/null
+++ b/resolved-actually-check-authenticated-flag-of-SOA-tr.patch
@@ -0,0 +1,22 @@
+diff --git a/src/resolve/resolved-dns-transaction.c b/src/resolve/resolved-dns-transaction.c
+index 0212569fb0..0306af84a2 100644
+--- a/src/resolve/resolved-dns-transaction.c
++++ b/src/resolve/resolved-dns-transaction.c
+@@ -2800,7 +2800,7 @@ static int dns_transaction_requires_rrsig(DnsTransaction *t, DnsResourceRecord *
+                         if (r == 0)
+                                 continue;
+ 
+-                        return FLAGS_SET(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED);
++                        return FLAGS_SET(dt->answer_query_flags, SD_RESOLVED_AUTHENTICATED);
+                 }
+ 
+                 return true;
+@@ -2827,7 +2827,7 @@ static int dns_transaction_requires_rrsig(DnsTransaction *t, DnsResourceRecord *
+                         /* We found the transaction that was supposed to find the SOA RR for us. It was
+                          * successful, but found no RR for us. This means we are not at a zone cut. In this
+                          * case, we require authentication if the SOA lookup was authenticated too. */
+-                        return FLAGS_SET(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED);
++                        return FLAGS_SET(dt->answer_query_flags, SD_RESOLVED_AUTHENTICATED);
+                 }
+ 
+                 return true;
diff --git a/systemd.spec b/systemd.spec
index c72e8baef2ae0cb721881b00eb38e9cd5bf30033..0067fae1f90a68b8b03396b4acf21391d183fa28 100644
--- a/systemd.spec
+++ b/systemd.spec
@@ -1,4 +1,4 @@
-%define anolis_release 2
+%define anolis_release 3
 
 %global __requires_exclude pkg-config
 %global pkgdir %{_prefix}/lib/systemd
@@ -59,6 +59,7 @@ Source31: systemd-tests-file-list
 Source32: systemd-devel-file-list
 
 Patch0490: use-bfq-scheduler.patch
+Patch0491: resolved-actually-check-authenticated-flag-of-SOA-tr.patch
 
  
 BuildRequires: gcc gcc-c++ clang coreutils
@@ -2166,6 +2167,9 @@ fi
 %doc docs/DISTRO_PORTING.md docs/HACKING.md
 
 %changelog
+* Wed May 15 2024 Zhenyu Wang <wang.zhenyu5@zte.com.cn> - 255-3
+- fix CVE-2023-7008 
+
 * Mon Apr  8 2024 Wenlong Zhang <zhangwenlong@loongson.cn> - 255-2
 - fix build error for loongarch64