diff --git a/backport-CVE-2023-51385-upstream-ban-user-hostnames-with-most-shell-metachar.patch b/backport-CVE-2023-51385-upstream-ban-user-hostnames-with-most-shell-metachar.patch
new file mode 100644
index 0000000000000000000000000000000000000000..a537c7b9b439b00fbacff5af2fa297105928e955
--- /dev/null
+++ b/backport-CVE-2023-51385-upstream-ban-user-hostnames-with-most-shell-metachar.patch
@@ -0,0 +1,100 @@
+From 7ef3787c84b6b524501211b11a26c742f829af1a Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Mon, 18 Dec 2023 14:47:44 +0000
+Subject: [PATCH] upstream: ban user/hostnames with most shell metacharacters
+
+This makes ssh(1) refuse user or host names provided on the
+commandline that contain most shell metacharacters.
+
+Some programs that invoke ssh(1) using untrusted data do not filter
+metacharacters in arguments they supply. This could create
+interactions with user-specified ProxyCommand and other directives
+that allow shell injection attacks to occur.
+
+It's a mistake to invoke ssh(1) with arbitrary untrusted arguments,
+but getting this stuff right can be tricky, so this should prevent
+most obvious ways of creating risky situations. It however is not
+and cannot be perfect: ssh(1) has no practical way of interpreting
+what shell quoting rules are in use and how they interact with the
+user's specified ProxyCommand.
+
+To allow configurations that use strange user or hostnames to
+continue to work, this strictness is applied only to names coming
+from the commandline. Names specified using User or Hostname
+directives in ssh_config(5) are not affected.
+
+feedback/ok millert@ markus@ dtucker@ deraadt@
+
+OpenBSD-Commit-ID: 3b487348b5964f3e77b6b4d3da4c3b439e94b2d9
+
+Reference:https://anongit.mindrot.org/openssh.git/commit?id=7ef3787c84b6b524501211b11a26c742f829af1a
+---
+ ssh.c | 41 ++++++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 40 insertions(+), 1 deletion(-)
+
+diff --git a/ssh.c b/ssh.c
+index 35c48e62d..48d93ddf2 100644
+--- a/ssh.c
++++ b/ssh.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: ssh.c,v 1.519 2020/02/07 03:54:44 dtucker Exp $ */
++/* $OpenBSD: ssh.c,v 1.599 2023/12/18 14:47:44 djm Exp $ */
+ /*
+  * Author: Tatu Ylonen <ylo@cs.hut.fi>
+  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+@@ -570,6 +570,41 @@ set_addrinfo_port(struct addrinfo *addrs, int port)
+ 	}
+ }
+ 
++static int
++valid_hostname(const char *s)
++{
++	size_t i;
++
++	if (*s == '-')
++		return 0;
++	for (i = 0; s[i] != 0; i++) {
++		if (strchr("'`\"$\\;&<>|(){}", s[i]) != NULL ||
++		    isspace((u_char)s[i]) || iscntrl((u_char)s[i]))
++			return 0;
++	}
++	return 1;
++}
++
++static int
++valid_ruser(const char *s)
++{
++	size_t i;
++
++	if (*s == '-')
++		return 0;
++	for (i = 0; s[i] != 0; i++) {
++		if (strchr("'`\";&<>|(){}", s[i]) != NULL)
++			return 0;
++		/* Disallow '-' after whitespace */
++		if (isspace((u_char)s[i]) && s[i + 1] == '-')
++			return 0;
++		/* Disallow \ in last position */
++		if (s[i] == '\\' && s[i + 1] == '\0')
++			return 0;
++	}
++	return 1;
++}
++
+ /*
+  * Main program for the ssh client.
+  */
+@@ -1118,6 +1153,10 @@ main(int ac, char **av)
+ 	if (!host)
+ 		usage();
+ 
++	if (!valid_hostname(host))
++		fatal("hostname contains invalid characters");
++	if (options.user != NULL && !valid_ruser(options.user))
++		fatal("remote username contains invalid characters");
+ 	host_arg = xstrdup(host);
+ 
+ 	/* Initialize the command to execute on remote host. */
+-- 
+2.23.0
+
diff --git a/openssh.spec b/openssh.spec
index 4b0d0dc89ebea4693b3212c3974d43fe67a94945..8048bb39856624f30e27526f764e0261fceb0783 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -6,7 +6,7 @@
 %{?no_gtk2:%global gtk2 0}
 
 %global sshd_uid    74
-%global openssh_release 21
+%global openssh_release 22
 
 Name:           openssh
 Version:        8.2p1
@@ -100,6 +100,7 @@ Patch67:        backport-change-types-in-convtime-unit-test-to-int-to-match.patc
 Patch68:        backport-fix-possible-NULL-deref-when-built-without-FIDO.patch
 Patch69:        set-ssh-config.patch
 Patch70:        backport-fix-CVE-2023-38408-upstream-terminate-process.patch
+Patch71:        backport-CVE-2023-51385-upstream-ban-user-hostnames-with-most-shell-metachar.patch
 
 Requires:       /sbin/nologin
 Requires:       libselinux >= 2.3-5 audit-libs >= 1.0.8
@@ -272,6 +273,7 @@ popd
 %patch68 -p1
 %patch69 -p1
 %patch70 -p1
+%patch71 -p1
 
 autoreconf
 pushd pam_ssh_agent_auth-0.10.3
@@ -478,6 +480,12 @@ getent passwd sshd >/dev/null || \
 %attr(0644,root,root) %{_mandir}/man8/sftp-server.8*
 
 %changelog
+* Mon Dec 25 2023 renmingshuai<renmingshuai@huawei.cn> - 8.2p1-22
+- Type:CVE
+- CVE:CVE-2023-51385
+- SUG:NA
+- DESC:fix CVE-2023-51385
+
 * Wed Aug 02 2023 wangqia <wangqia@uniontech.com> - 8.2p1-21
 - CVE:CVE-2023-38408