diff --git a/0001-CVE-2023-33201-added-filter-encode-to-search.patch b/0001-CVE-2023-33201-added-filter-encode-to-search.patch
new file mode 100644
index 0000000000000000000000000000000000000000..b110f520ef079d037385c95593bc17a2f01e9636
--- /dev/null
+++ b/0001-CVE-2023-33201-added-filter-encode-to-search.patch
@@ -0,0 +1,161 @@
+From e8c409a8389c815ea3fda5e8b94c92fdfe583bcc Mon Sep 17 00:00:00 2001
+From: royb <roy.basmacier@primekey.com>
+Date: Tue, 25 Apr 2023 23:11:52 -0400
+Subject: [PATCH] added filter encode to search
+
+---
+ .../jce/provider/X509LDAPCertStoreSpi.java    | 89 +++++++++++++++----
+ 1 file changed, 73 insertions(+), 16 deletions(-)
+
+diff --git a/prov/src/main/java/org/bouncycastle/jce/provider/X509LDAPCertStoreSpi.java b/prov/src/main/java/org/bouncycastle/jce/provider/X509LDAPCertStoreSpi.java
+index f526994..d9a2090 100644
+--- a/prov/src/main/java/org/bouncycastle/jce/provider/X509LDAPCertStoreSpi.java
++++ b/prov/src/main/java/org/bouncycastle/jce/provider/X509LDAPCertStoreSpi.java
+@@ -50,21 +50,22 @@
+ public class X509LDAPCertStoreSpi
+     extends CertStoreSpi
+ {
+-    private X509LDAPCertStoreParameters params;
+-
+-    public X509LDAPCertStoreSpi(CertStoreParameters params)
+-        throws InvalidAlgorithmParameterException
++    private static String[] FILTER_ESCAPE_TABLE = new String['\\' + 1];
++    static        
+     {
+-        super(params);
+-
+-        if (!(params instanceof X509LDAPCertStoreParameters))
++        // Filter encoding table -------------------------------------
++        // fill with char itself
++        for (char c = 0; c < FILTER_ESCAPE_TABLE.length; c++)
+         {
+-            throw new InvalidAlgorithmParameterException(
+-                X509LDAPCertStoreSpi.class.getName() + ": parameter must be a " + X509LDAPCertStoreParameters.class.getName() + " object\n"
+-                    + params.toString());
++            FILTER_ESCAPE_TABLE[c] = String.valueOf(c);
+         }
+ 
+-        this.params = (X509LDAPCertStoreParameters)params;
++        // escapes (RFC2254)
++        FILTER_ESCAPE_TABLE['*'] = "\\2a";
++        FILTER_ESCAPE_TABLE['('] = "\\28";
++        FILTER_ESCAPE_TABLE[')'] = "\\29";
++        FILTER_ESCAPE_TABLE['\\'] = "\\5c";
++        FILTER_ESCAPE_TABLE[0] = "\\00";
+     }
+ 
+     /**
+@@ -86,8 +87,26 @@ public X509LDAPCertStoreSpi(CertStoreParameters params)
+      * Package Prefix for loading URL context factories.
+      */
+     private static final String URL_CONTEXT_PREFIX = "com.sun.jndi.url";
++    private X509LDAPCertStoreParameters params;
++
++    public X509LDAPCertStoreSpi(CertStoreParameters params)
++        throws InvalidAlgorithmParameterException
++    {
++        super(params);
++
++        if (!(params instanceof X509LDAPCertStoreParameters))
++        {
++            throw new InvalidAlgorithmParameterException(
++                X509LDAPCertStoreSpi.class.getName() + ": parameter must be a " + X509LDAPCertStoreParameters.class.getName() + " object\n"
++                    + params.toString());
++        }
+ 
+-    private DirContext connectLDAP() throws NamingException
++        this.params = (X509LDAPCertStoreParameters)params;
++    }
++
++
++    private DirContext connectLDAP() 
++        throws NamingException
+     {
+         Properties props = new Properties();
+         props.setProperty(Context.INITIAL_CONTEXT_FACTORY, LDAP_PROVIDER);
+@@ -137,7 +156,7 @@ private String parseDN(String subject, String subjectAttributeName)
+         {
+             temp = temp.substring(0, temp.length() - 1);
+         }
+-        return temp;
++        return filterEncode(temp);
+     }
+ 
+     public Collection engineGetCertificates(CertSelector selector)
+@@ -195,7 +214,7 @@ public Collection engineGetCertificates(CertSelector selector)
+                 {
+ 
+                 }
+-                for (Iterator it2 = bytesList.iterator(); it2.hasNext();)
++                for (Iterator it2 = bytesList.iterator(); it2.hasNext(); )
+                 {
+                     ByteArrayInputStream bIn = new ByteArrayInputStream(
+                         (byte[])it2.next());
+@@ -346,7 +365,7 @@ public Collection engineGetCRLs(CRLSelector selector)
+         if (xselector.getIssuerNames() != null)
+         {
+             for (Iterator it = xselector.getIssuerNames().iterator(); it
+-                .hasNext();)
++                .hasNext(); )
+             {
+                 Object o = it.next();
+                 String attrValue = null;
+@@ -396,6 +415,42 @@ public Collection engineGetCRLs(CRLSelector selector)
+         return crlSet;
+     }
+ 
++     /**
++     * Escape a value for use in a filter.
++     *
++     * @param value the value to escape.
++     * @return a properly escaped representation of the supplied value.
++     */
++    private String filterEncode(String value)
++    {
++        if (value == null)
++        {
++            return null;
++        }
++
++        // make buffer roomy
++        StringBuilder encodedValue = new StringBuilder(value.length() * 2);
++
++        int length = value.length();
++
++        for (int i = 0; i < length; i++)
++        {
++            char c = value.charAt(i);
++
++            if (c < FILTER_ESCAPE_TABLE.length)
++            {
++                encodedValue.append(FILTER_ESCAPE_TABLE[c]);
++            }
++            else
++            {
++                // default: add the char
++                encodedValue.append(c);
++            }
++        }
++
++        return encodedValue.toString();
++    }
++
+     /**
+      * Returns a Set of byte arrays with the certificate or CRL encodings.
+      *
+@@ -406,9 +461,11 @@ public Collection engineGetCRLs(CRLSelector selector)
+      * @return Set of byte arrays with the certificate encodings.
+      */
+     private Set search(String attributeName, String attributeValue,
+-                       String[] attrs) throws CertStoreException
++                       String[] attrs) 
++        throws CertStoreException
+     {
+         String filter = attributeName + "=" + attributeValue;
++//      System.out.println(filter);
+         if (attributeName == null)
+         {
+             filter = null;
+-- 
+2.39.2
+
diff --git a/bouncycastle.spec b/bouncycastle.spec
index 7c789c83bae1120688431a277900af3e6cc51995..41d4a2097937814f41fa78ef93b9a71815c99c86 100644
--- a/bouncycastle.spec
+++ b/bouncycastle.spec
@@ -6,7 +6,7 @@
 
 Name:             bouncycastle
 Version:          1.67
-Release:          1
+Release:          2
 Summary:          A Java implementation of cryptographic algorithms
 License:          MIT
 URL:              http://www.bouncycastle.org
@@ -16,6 +16,7 @@ Source2:          https://repo1.maven.org/maven2/org/bouncycastle/bcpg-jdk15on/%
 Source3:          https://repo1.maven.org/maven2/org/bouncycastle/bcpkix-jdk15on/%{version}/bcpkix-jdk15on-%{version}.pom
 Source4:          https://repo1.maven.org/maven2/org/bouncycastle/bcprov-jdk15on/%{version}/bcprov-jdk15on-%{version}.pom
 Source5:          https://repo1.maven.org/maven2/org/bouncycastle/bctls-jdk15on/%{version}/bctls-jdk15on-%{version}.pom
+Patch001:	  0001-CVE-2023-33201-added-filter-encode-to-search.patch
 BuildRequires:    ant ant-junit aqute-bnd javamail javapackages-local
 BuildRequires:    jakarta-activation
 Requires(post):   javapackages-tools
@@ -146,6 +147,9 @@ fi
 %{java_sec_dir}/2000-%{class_name}
 
 %changelog
+* Sun Jun 25 2023 licihua <licihua@huawei.com> - 1.67-2
+- fix cve CVE-2023-33201
+
 * Fri Nov 25 2022 wangkai <wangkai385@h-partners.com> - 1.67-1
 - Update to 1.67