diff --git a/backport-upstream-Fix-logic-error-in-DisableForwarding-option.patch b/backport-upstream-Fix-logic-error-in-DisableForwarding-option.patch
new file mode 100644
index 0000000000000000000000000000000000000000..0272aeca027cc0e755d7258c47507abc1b060542
--- /dev/null
+++ b/backport-upstream-Fix-logic-error-in-DisableForwarding-option.patch
@@ -0,0 +1,40 @@
+From fc86875e6acb36401dfc1dfb6b628a9d1460f367 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Wed, 9 Apr 2025 07:00:03 +0000
+Subject: [PATCH] upstream: Fix logic error in DisableForwarding option. This
+ option
+
+was documented as disabling X11 and agent forwarding but it failed to do so.
+Spotted by Tim Rice.
+
+OpenBSD-Commit-ID: fffc89195968f7eedd2fc57f0b1f1ef3193f5ed1
+---
+ session.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/session.c b/session.c
+index 1b67393..e968c22 100644
+--- a/session.c
++++ b/session.c
+@@ -2345,7 +2345,8 @@ session_auth_agent_req(struct ssh *ssh, Session *s)
+ 	if ((r = sshpkt_get_end(ssh)) != 0)
+ 		sshpkt_fatal(ssh, r, "%s: parse packet", __func__);
+ 	if (!auth_opts->permit_agent_forwarding_flag ||
+-	    !options.allow_agent_forwarding) {
++	    !options.allow_agent_forwarding ||
++	    options.disable_forwarding) {
+ 		debug_f("agent forwarding disabled");
+ 		return 0;
+ 	}
+@@ -2761,7 +2762,7 @@ session_setup_x11fwd(struct ssh *ssh, Session *s)
+ 		ssh_packet_send_debug(ssh, "X11 forwarding disabled by key options.");
+ 		return 0;
+ 	}
+-	if (!options.x11_forwarding) {
++	if (!options.x11_forwarding || options.disable_forwarding) {
+ 		debug("X11 forwarding disabled in server configuration file.");
+ 		return 0;
+ 	}
+-- 
+2.33.0
+
diff --git a/openssh.spec b/openssh.spec
index a80e176a37896c8994cea44753000bcf49034ccd..b21a70cbae997543d79f68ce337348c5170265ea 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -6,7 +6,7 @@
 %{?no_gtk2:%global gtk2 0}
 
 %global sshd_uid    74
-%global openssh_release 7
+%global openssh_release 8
 
 Name:           openssh
 Version:        9.3p2
@@ -114,6 +114,7 @@ Patch91:        backport-openssh-6.6p1-keyperm.patch
 Patch92:        backport-upstream-make-parsing-user-host-consistently-look-for-the-last-in.patch
 Patch93:        backport-upstream-Do-not-apply-authorized_keys-options-when-signature.patch
 Patch94:        backport-upstream-some-extra-paranoia.patch
+Patch95:        backport-upstream-Fix-logic-error-in-DisableForwarding-option.patch
 
 Requires:       /sbin/nologin
 Requires:       libselinux >= 2.3-5 audit-libs >= 1.0.8
@@ -277,6 +278,7 @@ popd
 %patch92 -p1
 %patch93 -p1
 %patch94 -p1
+%patch95 -p1
 
 autoreconf
 pushd pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4
@@ -493,6 +495,12 @@ getent passwd sshd >/dev/null || \
 %attr(0644,root,root) %{_mandir}/man8/sftp-server.8*
 
 %changelog
+* Fri Apr 11 2025 liningjie <liningjie@xfusion.com> - 9.3p2-8
+- Type:CVE
+- CVE:CVE-2025-32728
+- SUG:NA
+- DESC:Fix CVE-2025-32728
+
 * Tue Jan 14 2025 bitianyuan <bitianyuan@huawei.com> - 9.3p2-7
 - Type:bugfix
 - ID:NA