diff --git a/CVE-2022-30629.patch b/CVE-2022-30629.patch
new file mode 100644
index 0000000000000000000000000000000000000000..6cc910de5e3311f6ae6779f3edec4b20e795f857
--- /dev/null
+++ b/CVE-2022-30629.patch
@@ -0,0 +1,64 @@
+From 82b3697add4063e5c8b0d26d911e422e1348bb22 Mon Sep 17 00:00:00 2001
+From: cenhuilin <cenhuilin@kylinos.cn>
+Date: Fri, 15 Jul 2022 01:37:34 +0000
+Subject: [PATCH] crypto/tls randomly generate ticket_age_add
+As required by RFC 8446, section 4.6.1, ticket_age_add now holds a
+random 32-bit value. Before this change, this value was always set
+to 0.
+
+This change also documents the reasoning for always setting
+ticket_nonce to 0. The value ticket_nonce must be unique per
+connection, but we only ever send one ticket per connection.
+
+Updates #52814
+Fixes #52832
+Fixes CVE-2022-30629
+
+Change-Id: I6c2fc6ca0376b7b968abd59d6d3d3854c1ab68bb
+Reviewed-on: https://go-review.googlesource.com/c/go/+/405994
+Reviewed-by: Tatiana Bradley <tatiana@golang.org>
+Reviewed-by: Roland Shoemaker <roland@golang.org>
+Run-TryBot: Tatiana Bradley <tatiana@golang.org>
+TryBot-Result: Gopher Robot <gobot@golang.org>
+(cherry picked from commit fe4de36)
+Reviewed-on: https://go-review.googlesource.com/c/go/+/408574
+Run-TryBot: Roland Shoemaker <roland@golang.org>
+---
+ src/crypto/tls/handshake_server_tls13.go | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/src/crypto/tls/handshake_server_tls13.go b/src/crypto/tls/handshake_server_tls13.go
+index 08251b8..6aa5269 100644
+--- a/src/crypto/tls/handshake_server_tls13.go
++++ b/src/crypto/tls/handshake_server_tls13.go
+@@ -10,6 +10,7 @@ import (
+ 	"crypto"
+ 	"crypto/hmac"
+ 	"crypto/rsa"
++	"encoding/binary"
+ 	"errors"
+ 	"hash"
+ 	"io"
+@@ -741,6 +742,19 @@ func (hs *serverHandshakeStateTLS13) sendSessionTickets() error {
+ 	}
+ 	m.lifetime = uint32(maxSessionTicketLifetime / time.Second)
+ 
++	// ticket_age_add is a random 32-bit value. See RFC 8446, section 4.6.1
++	// The value is not stored anywhere; we never need to check the ticket age
++	// because 0-RTT is not supported.
++	ageAdd := make([]byte, 4)
++	_, err = hs.c.config.rand().Read(ageAdd)
++	if err != nil {
++		return err
++	}
++	m.ageAdd = binary.LittleEndian.Uint32(ageAdd)
++
++	// ticket_nonce, which must be unique per connection, is always left at
++	// zero because we only ever send one ticket per connection.
++
+ 	if _, err := c.writeRecord(recordTypeHandshake, m.marshal()); err != nil {
+ 		return err
+ 	}
+-- 
+2.33.0
+
diff --git a/golang.spec b/golang.spec
index 11cc5e2bfaf031a3fd58678fc80b622a265f1132..fe1074f1bbe9f0fa5ba1585e5ef8f27d2c4f5634 100644
--- a/golang.spec
+++ b/golang.spec
@@ -66,7 +66,7 @@
 
 Name:           golang
 Version:        1.17.3
-Release:        1
+Release:        2
 Summary:        The Go Programming Language
 License:        BSD and Public Domain
 URL:            https://golang.org/
@@ -155,7 +155,7 @@ Requires:       openEuler-rpm-config
 
 ExclusiveArch:  %{golang_arches}
 
-
+Patch6001: CVE-2022-30629.patch
 
 %description
 %{summary}.
@@ -388,6 +388,9 @@ fi
 %files devel -f go-tests.list -f go-misc.list -f go-src.list
 
 %changelog
+* Fri Jul 15 2022 cenhuilin <cenhuilin@kylinos.cn> - 1.17.3-2
+- fix CVE-2022-30629
+
 * Mon Nov 29 2021 chenjiankun <chenjiankun1@huawei.com> - 1.17.3-1
 - upgrade to 1.17.3