diff --git a/CVE-2021-3449.patch b/CVE-2021-3449.patch
new file mode 100644
index 0000000000000000000000000000000000000000..159e14320f3fd21b557c8e789c314158ff7dcbc6
--- /dev/null
+++ b/CVE-2021-3449.patch
@@ -0,0 +1,47 @@
+From fb9fa6b51defd48157eeb207f52181f735d96148 Mon Sep 17 00:00:00 2001
+From: Peter Kaestle <peter.kaestle@nokia.com>
+Date: Mon, 15 Mar 2021 13:19:56 +0100
+Subject: [PATCH] ssl sigalg extension: fix NULL pointer dereference
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+As the variable peer_sigalgslen is not cleared on ssl rehandshake, it's
+possible to crash an openssl tls secured server remotely by sending a
+manipulated hello message in a rehandshake.
+
+On such a manipulated rehandshake, tls1_set_shared_sigalgs() calls
+tls12_shared_sigalgs() with the peer_sigalgslen of the previous
+handshake, while the peer_sigalgs has been freed.
+As a result tls12_shared_sigalgs() walks over the available
+peer_sigalgs and tries to access data of a NULL pointer.
+
+This issue was introduced by c589c34e61 (Add support for the TLS 1.3
+signature_algorithms_cert extension, 2018-01-11).
+
+Signed-off-by: Peter Kästle <peter.kaestle@nokia.com>
+Signed-off-by: Samuel Sapalski <samuel.sapalski@nokia.com>
+
+CVE-2021-3449
+
+CLA: trivial
+
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+Reviewed-by: Paul Dale <pauli@openssl.org>
+Reviewed-by: Matt Caswell <matt@openssl.org>
+---
+ ssl/statem/extensions.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/ssl/statem/extensions.c b/ssl/statem/extensions.c
+index b055935d697b..4aed508d0f03 100644
+--- a/ssl/statem/extensions.c
++++ b/ssl/statem/extensions.c
+@@ -1139,6 +1139,7 @@ static int init_sig_algs(SSL *s, unsigned int context)
+     /* Clear any signature algorithms extension received */
+     OPENSSL_free(s->s3->tmp.peer_sigalgs);
+     s->s3->tmp.peer_sigalgs = NULL;
++    s->s3->tmp.peer_sigalgslen = 0;
+ 
+     return 1;
+ }
diff --git a/openssl.spec b/openssl.spec
index 59dd9300d95faec0cdb22890f486306f004e9f4b..e9c0fdee028a29c4d1898cf8cab0f03d0816e572 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -2,7 +2,7 @@
 Name:        openssl
 Epoch:       1
 Version:     1.1.1f
-Release:     4
+Release:     5
 Summary:     Cryptography and SSL/TLS Toolkit
 License:     OpenSSL and SSLeay
 URL:         https://www.openssl.org/
@@ -19,6 +19,7 @@ Patch8:      CVE-2020-1971-0005-Add-a-test-for-GENERAL_NAME_cmp.patch
 Patch9:      CVE-2020-1971-0006-Add-a-test-for-encoding-decoding-using-an-invalid-AS.patch
 Patch10:     CVE-2021-23841.patch
 Patch11:     CVE-2021-23840.patch
+Patch12:     CVE-2021-3449.patch
 
 BuildRequires: gcc make lksctp-tools-devel coreutils util-linux zlib-devel
 
@@ -195,6 +196,9 @@ make test || :
 %{_pkgdocdir}/html/
 
 %changelog
+* Wed Apr 7 2021 openEuler Buildteam <buildteam@openeuler.org> - 1:1.1.1f-5
+- fix CVE-2021-3449
+
 * Tue Mar 02 2021 Liufeng <liufeng111@huawei.com> - 1:1.1.1f-4
 - fix CVE-2021-23840 and CVE-2021-23841