diff --git a/CVE-2021-3445.patch b/CVE-2021-3445.patch
new file mode 100644
index 0000000000000000000000000000000000000000..78701d274d5b9755a97a408e6fec1d3963d78999
--- /dev/null
+++ b/CVE-2021-3445.patch
@@ -0,0 +1,117 @@
+From 930f2582f91077b3f338b84cf9567559d52713de Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ale=C5=A1=20Mat=C4=9Bj?=
+Date: Mon, 29 Mar 2021 09:22:09 +0200
+Subject: [PATCH] Hardening: add signature check with rpmcliVerifySignatures
+
+This api is not ideal but works for now. We don't have to set
+installroot for the used transaction because we set keyring which is
+used to retrieve the keys.
+
+= changelog =
+msg: Hardening: add signature check with rpmcliVerifySignatures
+type: security
+resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1932079
+
+CVE-2021-3445
+RhBug:1932079
+RhBug:1932089
+RhBug:1932090
+
+Related: CVE-2021-3421, CVE-2021-20271
+---
+ libdnf/dnf-keyring.cpp | 52 ++++++++++++++++++++++++++++++++++++++++--
+ 1 file changed, 50 insertions(+), 2 deletions(-)
+
+diff --git a/libdnf/dnf-keyring.cpp b/libdnf/dnf-keyring.cpp
+index eec58c69ea..62a6248cb8 100644
+--- a/libdnf/dnf-keyring.cpp
++++ b/libdnf/dnf-keyring.cpp
+@@ -34,6 +34,8 @@
+ #include
+ #include
+ #include
++#include
++#include
+
+ #include "catch-error.hpp"
+ #include "dnf-types.h"
+@@ -216,6 +218,26 @@ dnf_keyring_add_public_keys(rpmKeyring keyring, GError **error) try
+ return TRUE;
+ } CATCH_TO_GERROR(FALSE)
+
++static int
++rpmcliverifysignatures_log_handler_cb(rpmlogRec rec, rpmlogCallbackData data)
++{
++ GString **string =(GString **) data;
++
++ /* create string if required */
++ if (*string == NULL)
++ *string = g_string_new("");
++
++ /* if text already exists, join them */
++ if ((*string)->len > 0)
++ g_string_append(*string, ": ");
++ g_string_append(*string, rpmlogRecMessage(rec));
++
++ /* remove the trailing /n which rpm does */
++ if ((*string)->len > 0)
++ g_string_truncate(*string,(*string)->len - 1);
++ return 0;
++}
++
+ /**
+ * dnf_keyring_check_untrusted_file:
+ */
+@@ -232,6 +254,10 @@ dnf_keyring_check_untrusted_file(rpmKeyring keyring,
+ rpmtd td = NULL;
+ rpmts ts = NULL;
+
++ char *path = g_strdup(filename);
++ char *path_array[2] = {path, NULL};
++ g_autoptr(GString) rpm_error = NULL;
++
+ /* open the file for reading */
+ fd = Fopen(filename, "r.fdio");
+ if (fd == NULL) {
+@@ -252,9 +278,27 @@ dnf_keyring_check_untrusted_file(rpmKeyring keyring,
+ goto out;
+ }
+
+- /* we don't want to abort on missing keys */
+ ts = rpmtsCreate();
+- rpmtsSetVSFlags(ts, _RPMVSF_NOSIGNATURES);
++
++ if (rpmtsSetKeyring(ts, keyring) < 0) {
++ g_set_error_literal(error, DNF_ERROR, DNF_ERROR_INTERNAL_ERROR, "failed to set keyring");
++ goto out;
++ }
++ rpmtsSetVfyLevel(ts, RPMSIG_SIGNATURE_TYPE);
++ rpmlogSetCallback(rpmcliverifysignatures_log_handler_cb, &rpm_error);
++
++ // rpm doesn't provide any better API call than rpmcliVerifySignatures (which is for CLI):
++ // - use path_array as input argument
++ // - gather logs via callback because we don't want to print anything if check is successful
++ if (rpmcliVerifySignatures(ts, (char * const*) path_array)) {
++ g_set_error(error,
++ DNF_ERROR,
++ DNF_ERROR_GPG_SIGNATURE_INVALID,
++ "%s could not be verified.\n%s",
++ filename,
++ (rpm_error ? rpm_error->str : "UNKNOWN ERROR"));
++ goto out;
++ }
+
+ /* read in the file */
+ rc = rpmReadPackageFile(ts, fd, filename, &hdr);
+@@ -318,6 +362,10 @@ dnf_keyring_check_untrusted_file(rpmKeyring keyring,
+ g_debug("%s has been verified as trusted", filename);
+ ret = TRUE;
+ out:
++ rpmlogSetCallback(NULL, NULL);
++
++ if (path != NULL)
++ g_free(path);
+ if (dig != NULL)
+ pgpFreeDig(dig);
+ if (td != NULL) {
+
diff --git a/libdnf.spec b/libdnf.spec
index 2c6975b34321b43c5c674747d01bd2468379a59a..2be311e2e9cbb8afb1dad12ca0cde6f30b4a4147 100644
--- a/libdnf.spec
+++ b/libdnf.spec
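Review bot: The `rpmlogSetCallback(NULL, NULL)` added under `out:` runs on every exit path, including the `goto out` taken when `rpmtsSetKeyring` fails (and presumably the earlier error exits) before the callback was ever installed, so a log callback a caller had installed in this process is dropped even when this function never replaced it; rpm's log callback is process-wide state and `rpmlogSetCallback` returns only the previous callback, not its data pointer, so the prior state cannot be fully restored either. Moving the reset to directly after the `rpmcliVerifySignatures` call, on both the success path and the failing branch before its `goto out`, narrows the window to the verification itself, and the function's doc comment should say that it temporarily takes over the process-wide rpm log callback. In `rpmcliverifysignatures_log_handler_cb` the final truncation assumes every record ends in a newline and otherwise chops a real character off the collected message; guard it with `if ((*string)->len > 0 && (*string)->str[(*string)->len - 1] == '\n')`. The `if (path != NULL)` before `g_free(path)` is redundant since `g_free(NULL)` is a no-op. `dnf_keyring_check_untrusted_file` begins and ends outside this hunk.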
@@ -20,13 +20,14 @@ Name: libdnf Version: 0.48.0 -Release: 1 +Release: 2 Summary: Library providing simplified C and Python API to libsolv License: LGPLv2+ URL: https://github.com/rpm-software-management/libdnf Source0: %{url}/archive/%{version}/%{name}-%{version}.tar.gz -Patch0000: fix-python2-no-format-arguments-error.patch +Patch0: fix-python2-no-format-arguments-error.patch +Patch1: CVE-2021-3445.patch BuildRequires: cmake gcc gcc-c++ libsolv-devel >= %{libsolv_version} gettext BuildRequires: pkgconfig(librepo) >= %{librepo_version} pkgconfig(check) @@ -143,12 +144,6 @@ popd %endif %check -%if %{with python2} -pushd build-py2 - make ARGS="-V" test -popd -%endif - %if %{with python3} %if %{without python2} pushd build-py3 @@ -213,6 +208,12 @@ popd %endif %changelog +* Tue Jun 8 2021 gaihuiying - 0.48.0-2 +- Type:CVE +- ID:NA +- SUG:NA +- DESC:fix CVE-2021-3445 and remove python2 test + * Sat Aug 29 2020 openEuler Buildteam - 0.48.0-1 - Type:requirement - ID:NA