diff --git a/0053-CVE-2023-39325-net-http-regenerate-h2_bundle.go.patch b/0053-CVE-2023-39325-net-http-regenerate-h2_bundle.go.patch
new file mode 100644
index 0000000000000000000000000000000000000000..1af377edf9f0fef3ca9d498484c22406c4305bb4
--- /dev/null
+++ b/0053-CVE-2023-39325-net-http-regenerate-h2_bundle.go.patch
@@ -0,0 +1,147 @@
+From 6dc693737f84785a30238ca7640ad8ba605c0eac Mon Sep 17 00:00:00 2001
+From: Damien Neil <dneil@google.com>
+Date: Sat, 7 Oct 2023 05:16:27 +0800
+Subject: [PATCH] [Backport] net/http: regenerate h2_bundle.go
+
+Offering: Cloud Core Network
+CVE: CVE-2023-39325
+Reference: https://go-review.googlesource.com/c/go/+/534255
+
+Pull in a security fix from x/net/http2:
+http2: limit maximum handler goroutines to MaxConcurrentStreamso
+
+Note: The upstream does not submit this change to go1.17 according to the rules of MinorReleases.
+Corego3.x are based on go1.17.8. Therefore, it need to submit the change to corego3.x.
+
+Edited-by: machangwang m00509938
+
+For #63417
+Fixes #63426
+Fixes CVE-2023-39325
+
+Change-Id: I6e32397323cd9b4114c990fcc9d19557a7f5f619
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2047401
+Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
+TryBot-Result: Security TryBots <security-trybots@go-security-trybots.iam.gserviceaccount.com>
+Run-TryBot: Damien Neil <dneil@google.com>
+Reviewed-by: Ian Cottrell <iancottrell@google.com>
+Reviewed-on: https://go-review.googlesource.com/c/go/+/534255
+Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
+Reviewed-by: Damien Neil <dneil@google.com>
+TryBot-Bypass: Dmitri Shuralyov <dmitshur@google.com>
+Reviewed-by: Michael Pratt <mpratt@google.com>
+Auto-Submit: Dmitri Shuralyov <dmitshur@google.com>
+Signed-off-by: Ma Chang Wang machangwang@huawei.com
+---
+ src/net/http/h2_bundle.go | 62 +++++++++++++++++++++++++++++++++++++--
+ 1 file changed, 60 insertions(+), 2 deletions(-)
+
+diff --git a/src/net/http/h2_bundle.go b/src/net/http/h2_bundle.go
+index 5433ebdc51..b87d14b6ea 100644
+--- a/src/net/http/h2_bundle.go
++++ b/src/net/http/h2_bundle.go
+@@ -4181,9 +4181,11 @@ type http2serverConn struct {
+ 	advMaxStreams               uint32 // our SETTINGS_MAX_CONCURRENT_STREAMS advertised the client
+ 	curClientStreams            uint32 // number of open streams initiated by the client
+ 	curPushedStreams            uint32 // number of open streams initiated by server push
++	curHandlers                 uint32 // number of running handler goroutines
+ 	maxClientStreamID           uint32 // max ever seen from client (odd), or 0 if there have been no client requests
+ 	maxPushPromiseID            uint32 // ID of the last push promise (even), or 0 if there have been no pushes
+ 	streams                     map[uint32]*http2stream
++	unstartedHandlers           []http2unstartedHandler
+ 	initialStreamSendWindowSize int32
+ 	maxFrameSize                int32
+ 	headerTableSize             uint32
+@@ -4577,6 +4579,8 @@ func (sc *http2serverConn) serve() {
+ 					return
+ 				case http2gracefulShutdownMsg:
+ 					sc.startGracefulShutdownInternal()
++				case http2handlerDoneMsg:
++					sc.handlerDone()
+ 				default:
+ 					panic("unknown timer")
+ 				}
+@@ -4622,6 +4626,7 @@ var (
+ 	http2idleTimerMsg        = new(http2serverMessage)
+ 	http2shutdownTimerMsg    = new(http2serverMessage)
+ 	http2gracefulShutdownMsg = new(http2serverMessage)
++	http2handlerDoneMsg      = new(http2serverMessage)
+ )
+ 
+ func (sc *http2serverConn) onSettingsTimer() { sc.sendServeMsg(http2settingsTimerMsg) }
+@@ -5584,8 +5589,7 @@ func (sc *http2serverConn) processHeaders(f *http2MetaHeadersFrame) error {
+ 		sc.conn.SetReadDeadline(time.Time{})
+ 	}
+ 
+-	go sc.runHandler(rw, req, handler)
+-	return nil
++	return sc.scheduleHandler(id, rw, req, handler)
+ }
+ 
+ func (st *http2stream) processTrailerHeaders(f *http2MetaHeadersFrame) error {
+@@ -5832,8 +5836,62 @@ func (sc *http2serverConn) newWriterAndRequestNoBody(st *http2stream, rp http2re
+ 	return rw, req, nil
+ }
+ 
++type http2unstartedHandler struct {
++	streamID uint32
++	rw       *http2responseWriter
++	req      *Request
++	handler  func(ResponseWriter, *Request)
++}
++
++// scheduleHandler starts a handler goroutine,
++// or schedules one to start as soon as an existing handler finishes.
++func (sc *http2serverConn) scheduleHandler(streamID uint32, rw *http2responseWriter, req *Request, handler func(ResponseWriter, *Request)) error {
++	sc.serveG.check()
++	maxHandlers := sc.advMaxStreams
++	if sc.curHandlers < maxHandlers {
++		sc.curHandlers++
++		go sc.runHandler(rw, req, handler)
++		return nil
++	}
++	if len(sc.unstartedHandlers) > int(4*sc.advMaxStreams) {
++		return http2ConnectionError(http2ErrCodeEnhanceYourCalm)
++	}
++	sc.unstartedHandlers = append(sc.unstartedHandlers, http2unstartedHandler{
++		streamID: streamID,
++		rw:       rw,
++		req:      req,
++		handler:  handler,
++	})
++	return nil
++}
++
++func (sc *http2serverConn) handlerDone() {
++	sc.serveG.check()
++	sc.curHandlers--
++	i := 0
++	maxHandlers := sc.advMaxStreams
++	for ; i < len(sc.unstartedHandlers); i++ {
++		u := sc.unstartedHandlers[i]
++		if sc.streams[u.streamID] == nil {
++			// This stream was reset before its goroutine had a chance to start.
++			continue
++		}
++		if sc.curHandlers >= maxHandlers {
++			break
++		}
++		sc.curHandlers++
++		go sc.runHandler(u.rw, u.req, u.handler)
++		sc.unstartedHandlers[i] = http2unstartedHandler{} // don't retain references
++	}
++	sc.unstartedHandlers = sc.unstartedHandlers[i:]
++	if len(sc.unstartedHandlers) == 0 {
++		sc.unstartedHandlers = nil
++	}
++}
++
+ // Run on its own goroutine.
+ func (sc *http2serverConn) runHandler(rw *http2responseWriter, req *Request, handler func(ResponseWriter, *Request)) {
++	defer sc.sendServeMsg(http2handlerDoneMsg)
+ 	didPanic := true
+ 	defer func() {
+ 		rw.rws.stream.cancelCtx()
+-- 
+2.33.0
+
diff --git a/golang.spec b/golang.spec
index cac07ad73104e4b83244fde52eeaf51b410e50aa..4788d731224d25100dd19ef1a8783b22eecaf90f 100644
--- a/golang.spec
+++ b/golang.spec
@@ -66,7 +66,7 @@
 
 Name:           golang
 Version:        1.17.3
-Release:        24
+Release:        25
 Summary:        The Go Programming Language
 License:        BSD and Public Domain
 URL:            https://golang.org/
@@ -210,6 +210,7 @@ Patch6049:	0049-Backport-net-http-permit-requests-with-invalid-Host-headers.patc
 Patch6050:	0050-Backport-html-template-support-HTML-like-comments-in.patch
 Patch6051:	0051-Backport-html-template-properly-handle-special-tags-.patch
 Patch6052:	0052-Backport-cmd-compile-use-absolute-file-name-in-isCgo.patch
+Patch6053:	0053-CVE-2023-39325-net-http-regenerate-h2_bundle.go.patch
 
 ExclusiveArch:  %{golang_arches}
 
@@ -455,6 +456,12 @@ fi
 %files devel -f go-tests.list -f go-misc.list -f go-src.list
 
 %changelog
+* Mon Oct 23 2023 hanchao <hanchao63@huawei.com> - 1.17.3-25
+- Type:CVE
+- CVE:CVE-2023-39325
+- SUG:NA
+- DESC:fix CVE-2023-39325
+
 * Fri Oct 13 2023 luoyujie <luoyujie5@huawei.com> - 1.17.3-24
 - Type:CVE
 - CVE:CVE-2023-39323