diff --git a/0002-CVE-2020-8020.patch b/0002-CVE-2020-8020.patch
new file mode 100644
index 0000000000000000000000000000000000000000..60aed7c1f5ba308d9ecf16d4d25417dbf39f81b0
--- /dev/null
+++ b/0002-CVE-2020-8020.patch
@@ -0,0 +1,28 @@
+From 4d3a644b8a68e625d34a0a1490b539d3bb648001 Mon Sep 17 00:00:00 2001
+From: Victor Pereira
+Date: Wed, 13 May 2020 08:02:52 +0200
+Subject: [PATCH] Use Redcarpet Safe render to base OBS markdown render
+
+Conflict:delete src/api/spec/helpers/webui/markdown_helper_spec.rb change
+Reference:https://github.com/openSUSE/open-build-service/commit/7cc32c8e2ff7290698e101d9a80a9dc29a5500fb
+
+Signed-off-by: Victor Pereira
+---
+ src/api/lib/obsapi/markdown_renderer.rb | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/api/lib/obsapi/markdown_renderer.rb b/src/api/lib/obsapi/markdown_renderer.rb
+index bc75e7b..cff936f 100644
+--- a/src/api/lib/obsapi/markdown_renderer.rb
++++ b/src/api/lib/obsapi/markdown_renderer.rb
+@@ -1,7 +1,7 @@
+ require 'uri'
+ 
+ module OBSApi
+- class MarkdownRenderer < Redcarpet::Render::HTML
++ class MarkdownRenderer < Redcarpet::Render::Safe
+ include Rails.application.routes.url_helpers
+ 
+ def self.default_url_options
+--
+2.23.0
\ No newline at end of file
diff --git a/0003-CVE-2020-8021.patch b/0003-CVE-2020-8021.patch
new file mode 100644
index 0000000000000000000000000000000000000000..3a023095cc4de291c6a4634bc7f45546a517b49c
--- /dev/null
+++ b/0003-CVE-2020-8021.patch
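Review bot: Switching the base class to `Redcarpet::Render::Safe` only protects the render hooks that OBSApi::MarkdownRenderer does not override; the hunk shows just the class line, and the rest of the class (any `link`, `autolink`, `block_code` or similar overrides) is outside the hunk, so any such override still emits whatever it builds itself without the escaping the new base class adds (escape_html / safe_links_only, as I recall) — worth confirming against the full file. The backport note records that the upstream change to markdown_helper_spec.rb was dropped, so nothing in the package exercises the fix; carrying a single-example spec asserting that an HTML-bearing markdown fixture renders escaped would keep it from silently regressing. `Render::Safe` also exists only in newer redcarpet releases, so the version locked by Source1 (Gemfile.lock) must provide it or the constant fails to resolve at load time.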
@@ -0,0 +1,31 @@
+From 7323c904f86ba9e04065c23422d06c03647589fb Mon Sep 17 00:00:00 2001
+From: Marcus Huewe
+Date: Wed, 13 May 2020 22:08:16 +0200
+Subject: [PATCH] bs_srcserver: Forbid the creation of a _link in
+ mergeservicerun
+
+A _link file is not allowed because it can result in a potential
+privilege escalation.
+
+Conflict:NA
+Reference:https://github.com/openSUSE/open-build-service/commit/7323c904f86ba9e04065c23422d06c03647589fb
+
+Signed-off-by:Marcus Huewe
+---
+ src/backend/bs_srcserver | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/backend/bs_srcserver b/src/backend/bs_srcserver
+index da3f3c3..07e411e 100755
+--- a/src/backend/bs_srcserver
++++ b/src/backend/bs_srcserver
+@@ -391,6 +391,7 @@ sub mergeservicerun {
+ delete $files->{'_service'};
+ for (sort keys %$files) {
+ next unless /^_service:.*:(.*?)$/s;
++ die("cannot create a link from a service") if $1 eq '_link';
+ $files->{$1} = $files->{$_};
+ delete $files->{$_};
+ BSSrcrep::copyonefile($projid, $packid, $1, $projid, $packid, $_, $files->{$1});
+--
+2.23.0
\ No newline at end of file
diff --git a/obs-server.spec b/obs-server.spec
index aaa2322d5d3233c9515be6c1d8bada38eb255f38..fcc9a88fe202c826dab16448b97d90cf5ce12cbb 100644
--- a/obs-server.spec
+++ b/obs-server.spec
@@ -6,7 +6,7 @@ Name: obs-server
 Version: 2.10.7
-Release: 5
+Release: 6
 Summary: The Open Build Service -- Server Component
 License: GPL-2.0-only OR GPL-3.0-only
 URL: http://www.openbuildservice.org
@@ -14,6 +14,8 @@ BuildRoot: %{_tmppath}/%{name}-%{version}-build
 Source0: https://github.com/openSUSE/open-build-service/archive/2.10.7.tar.gz
 Source1: Gemfile.lock
 Patch1: 0001-obs_server-fix-usage-info.patch
+Patch2: 0002-CVE-2020-8020.patch
+Patch3: 0003-CVE-2020-8021.patch
 BuildArch: noarch
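Review bot: The added `die` fires inside `for (sort keys %$files)`, after earlier iterations have already renamed entries and copied them via BSSrcrep::copyonefile, so rejecting a `_link` result can leave the merge half applied; whether that is harmless depends on how callers of mergeservicerun treat the die, which is outside the hunk (the sub starts before line 391 and continues past the last hunk line). A pre-scan before the loop, `die("cannot create a link from a service") if grep { /^_service:.*:_link$/s } keys %$files;`, would reject the whole run before any file is touched. Including the offending filename (`$_`) in the message would also make the failure easier to diagnose from the service log.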
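Review bot: Patch2 and Patch3 are declared in this hunk, but nothing in the diff applies them — no `%patch2 -p1` / `%patch3 -p1` lines in %prep are touched. If %prep applies patches with explicit `%patchN` lines rather than `%autosetup -p1` or `%autopatch`, the two CVE fixes never reach the built package while the changelog entry states they do; %prep is outside this diff, so please confirm which form it uses. A cheap post-build check is to verify that the installed src/api/lib/obsapi/markdown_renderer.rb inherits from `Redcarpet::Render::Safe` and that bs_srcserver contains the new `die` line.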
@@ -482,6 +484,9 @@ usermod -a -G docker obsservicerun
 %{_sbindir}/rcobsstoragesetup
 %changelog
+* Tue Mar 16 2021 yanglongkang - 2.10.7-6
+- fix CVE-2020-8020 CVE-2020-8021
+
 * Mon Dec 28 2020 xinghe - 2.10.7-5
 - fix obs_admin can't locate BSConfig.pm