diff --git a/openssh.spec b/openssh.spec
index 2fe5ab63ea4113e7c2bd377cf8d0aac01088dece..f68b45533479b336fe1263d1192ce0f08769172b 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -6,7 +6,7 @@
 %{?no_gtk2:%global gtk2 0}
 %global sshd_uid 74
-%global openssh_release 7
+%global openssh_release 8
 Name: openssh
 Version: 9.6p1
@@ -191,6 +191,46 @@ instance. The module is most useful for su and sudo service stacks.
 find %{_sourcedir} -type f -exec dos2unix -q {} \;
 find %{_builddir}/%{name}-%{openssh_version} -type f -exec dos2unix -q {} \;
+%global spec_file_name %{name}.spec
+validate_cve_references() {
+ local SPECFILE="%{_sourcedir}/%{spec_file_name}"
+ local PATCH_DEFS=$(grep -E '^Patch[0-9]+:' "$SPECFILE")
+
+ local PATCH_CVES=$(
+ echo "$PATCH_DEFS" | grep -i 'cve' | \
+ grep -iEo 'CVE-[0-9]{4}-[0-9]+' | \
+ tr '[:lower:]' '[:upper:]' | sort -u
+ )
+
+ [ -z "$PATCH_CVES" ] && return 0
+ local CHANGELOG_CVES=$(
+ awk '/^[*]/ {flag=1; next} /^[*]/ {flag=0} flag' "$SPECFILE" | \
+ grep -iEo 'CVE-[0-9]{4}-[0-9]+' | \
+ tr '[:lower:]' '[:upper:]' | sort -u
+ )
+
+ local TEMP_PATCH_CVES=$(mktemp)
+ local TEMP_CHANGELOG_CVES=$(mktemp)
+ echo "$PATCH_CVES" > "$TEMP_PATCH_CVES"
+ echo "$CHANGELOG_CVES" > "$TEMP_CHANGELOG_CVES"
+
+ local MISSING_CVES=$(comm -23 "$TEMP_PATCH_CVES" "$TEMP_CHANGELOG_CVES")
+ rm "$TEMP_PATCH_CVES" "$TEMP_CHANGELOG_CVES"
+
+ if [ -n "$MISSING_CVES" ]; then
+ echo "ERROR: The following CVEs are referenced in patch filenames but missing in changelog:" >&2
+ echo "==================================================================================" >&2
+ echo "$MISSING_CVES" | sed 's/^/ - /' >&2
+ echo "==================================================================================">&2
+ echo "Please add entries to %changelog like:"
+ echo "- Fix CVE-XXXX-XXXX (Description)"
+ exit 1
+ fi
+
+ echo "All CVE patches are properly documented in changelog."
+}
+validate_cve_references
+
 pushd pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4
 %patch -P 4 -p2 -b .psaa-build
 %patch -P 5 -p2 -b .psaa-seteuid
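Review bot: `validate_cve_references` fails open when the spec file cannot be read: `local PATCH_DEFS=$(grep ...)` discards grep's exit status, so a missing or unreadable `%{_sourcedir}/%{spec_file_name}` leaves `PATCH_CVES` empty and `[ -z "$PATCH_CVES" ] && return 0` reports success. Whether the spec is always present under `%{_sourcedir}` depends on the build environment, so a gate meant to enforce CVE documentation should stop the build instead; add `[ -r "$SPECFILE" ] || { echo "ERROR: cannot read $SPECFILE" >&2; exit 1; }` right after the `SPECFILE` assignment. As shown on this page, the second awk rule `/^[*]/ {flag=0}` can never run because the identical first rule ends in `next`, so either drop it or give it the pattern that was intended to end the changelog section. The two hint lines starting at `echo "Please add entries to %changelog like:"` go to stdout while the rest of the error goes to stderr, so append `>&2` to both. The suggested entry `- Fix CVE-XXXX-XXXX (Description)` also differs from the `- CVE:` field style used in this spec's own changelog.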
@@ -505,6 +545,12 @@ fi
 %attr(0644,root,root) %{_mandir}/man8/sftp-server.8*
 %changelog
+* Mon Sep 15 2025 zhangbinqin - 9.6p1-8
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC:Check whether the changelog contains all CVE repair records
+
 * Tue Jul 29 2025 zhangbinqin - 9.6p1-7
 - Type:bugfix
 - CVE:NA