diff --git a/0001-Remove-dhcp_extra_opt-value-after-first-newline-char-stable-wallaby.patch b/0001-Remove-dhcp_extra_opt-value-after-first-newline-char-stable-wallaby.patch
new file mode 100644
index 0000000000000000000000000000000000000000..d8029cfac49edd5c70115266fc1f33d078a64a5c
--- /dev/null
+++ b/0001-Remove-dhcp_extra_opt-value-after-first-newline-char-stable-wallaby.patch
@@ -0,0 +1,79 @@ +From 4259fde22f61ce4a6b66d8aabb825483be3c7f84 Mon Sep 17 00:00:00 2001 +From: Slawek Kaplonski +Date: Mon, 23 Aug 2021 13:01:37 +0200 +Subject: [PATCH] Remove dhcp_extra_opt value after first newline character + +Passing newline to the dnsmasq may cause security issues, especially +that in case of Neutron that dhcp options' values are controlled by +cloud users. +This patch removes everything what is after first newline character +in the dhcp_extra_opt's values before passing them to dnsmasq. + +Closes-Bug: #1939733 +Change-Id: Ifeaf258f0b5ea86f25620ac4116d618980a7272e +--- + neutron/agent/linux/dhcp.py | 7 ++++--- + neutron/tests/unit/agent/linux/test_dhcp.py | 7 ++++++- + ...wline-chars-in-dhcp-extra-options-bf86d30371556d63.yaml | 6 ++++++ + 3 files changed, 16 insertions(+), 4 deletions(-) + create mode 100644 releasenotes/notes/fix-newline-chars-in-dhcp-extra-options-bf86d30371556d63.yaml + +diff --git a/neutron/agent/linux/dhcp.py b/neutron/agent/linux/dhcp.py +index dd8f317525..8e247adb24 100644 +--- a/neutron/agent/linux/dhcp.py ++++ b/neutron/agent/linux/dhcp.py +@@ -1322,10 +1322,11 @@ class Dnsmasq(DhcpLocalProcess): + elif not option.isdigit(): + option = 'option:%s' % option + if extra_tag: +- tags = ('tag:' + tag, extra_tag[:-1], '%s' % option) ++ tags = ['tag:' + tag, extra_tag[:-1], '%s' % option] + else: +- tags = ('tag:' + tag, '%s' % option) +- return ','.join(tags + args) ++ tags = ['tag:' + tag, '%s' % option] ++ ++ return ','.join(tags + [v.split("\n", 1)[0] for v in args]) + + @staticmethod + def _convert_to_literal_addrs(ip_version, ips): +diff --git a/neutron/tests/unit/agent/linux/test_dhcp.py b/neutron/tests/unit/agent/linux/test_dhcp.py +index f90aaff1a6..cc02eb22cf 100644 +--- a/neutron/tests/unit/agent/linux/test_dhcp.py ++++ b/neutron/tests/unit/agent/linux/test_dhcp.py +@@ -230,6 +230,9 @@ class FakeV6PortExtraOpt(object): + self.extra_dhcp_opts = [ + DhcpOpt(opt_name='dns-server', + 
opt_value='ffea:3ba5:a17a:4ba3::100', ++ ip_version=constants.IP_VERSION_6), ++ DhcpOpt(opt_name='malicious-option', ++ opt_value='aaa\nbbb.ccc\n', + ip_version=constants.IP_VERSION_6)] + + +@@ -2909,7 +2912,9 @@ class TestDnsmasq(TestBase): + exp_opt_data = ('tag:subnet-eeeeeeee-eeee-eeee-eeee-eeeeeeeeeeee,' + 'option6:domain-search,openstacklocal\n' + 'tag:port-hhhhhhhh-hhhh-hhhh-hhhh-hhhhhhhhhhhh,' +- 'option6:dns-server,ffea:3ba5:a17a:4ba3::100').lstrip() ++ 'option6:dns-server,ffea:3ba5:a17a:4ba3::100\n' ++ 'tag:port-hhhhhhhh-hhhh-hhhh-hhhh-hhhhhhhhhhhh,' ++ 'option6:malicious-option,aaa').lstrip() + dm = self._get_dnsmasq(FakeV6NetworkStatelessDHCP()) + dm._output_hosts_file() + dm._output_opts_file() +diff --git a/releasenotes/notes/fix-newline-chars-in-dhcp-extra-options-bf86d30371556d63.yaml b/releasenotes/notes/fix-newline-chars-in-dhcp-extra-options-bf86d30371556d63.yaml +new file mode 100644 +index 0000000000..d2a8c2f68b +--- /dev/null ++++ b/releasenotes/notes/fix-newline-chars-in-dhcp-extra-options-bf86d30371556d63.yaml +@@ -0,0 +1,6 @@ ++--- ++security: ++ - | ++ Fix `bug 1939733 `_ by ++ dropping from the dhcp extra option values everything what is after first ++ newline (``\n``) character before passing them to the dnsmasq. +-- +2.33.0 + diff --git a/openstack-neutron.spec b/openstack-neutron.spec index 8acb5743f12c6270c8b8c96120c4c7c68ba01b47..f0ff86372cc63453bbe6c5e3f586579e2137fc01 100644 --- a/openstack-neutron.spec +++ b/openstack-neutron.spec @@ -18,7 +18,7 @@ capabilities (e.g., QoS, ACLs, network monitoring, etc.) Name: openstack-%{service} Version: 18.1.0 -Release: 1 +Release: 2 Summary: OpenStack Networking Service License: ASL 2.0 
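Review bot: The new `return ','.join(tags + [v.split("\n", 1)[0] for v in args])` in the nested `dhcp.py` hunk truncates silently, so nothing records that a tenant-supplied `extra_dhcp_opts` value had to be cut before reaching dnsmasq; since the commit message itself states these values are user-controlled, a warning-level log when `"\n" in v` (naming the port tag and option, not echoing the raw value, which would itself be a log-injection vector) would give operators a detectable signal for this event. The stripping handles only `\n`, and the added unit case covers only `'aaa\nbbb.ccc\n'`, so whether a lone `\r` needs the same treatment is worth confirming against the dnsmasq configuration parser before treating this as the complete mitigation. The method containing this `return` begins before the hunk (its `def` is outside the `@@ -1322` hunk), and that is where `tags` and `args` originate.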
@@ -52,6 +52,8 @@ Source34: neutron-l2-agent-sysctl.conf Source35: neutron-l2-agent.modules Source36: neutron-destroy-patch-ports.service Source37: neutron-ovn-metadata-agent.service + +Patch1: 0001-Remove-dhcp_extra_opt-value-after-first-newline-char-stable-wallaby.patch # Required for tarball sources verification BuildArch: noarch @@ -383,7 +385,7 @@ OpenStack to OVN based backend. %prep -%autosetup -n %{service}-%{upstream_version} -S git +%autosetup -n %{service}-%{upstream_version} -S git sed -i 's/\/usr\/bin\/python/\/usr\/bin\/python3/' %{SOURCE36} find %{service} -name \*.py -exec sed -i '/\/usr\/bin\/env python/{d;q}' {} + @@ -848,7 +850,10 @@ fi %{_datadir}/ansible/neutron-ovn-migration/ %changelog -* Fri Jul 23 2021 liksh 1:18.1.0-1 +* Wed Sep 01 2021 huangtianhua - 18.1.0-2 +- Fix CVE_2021_40085 + +* Fri Jul 23 2021 liksh 18.1.0-1 - Update to 18.1.0 * Fri Jan 15 2021 joec88 1:17.0.0-1
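Review bot: In the `@@ -383,7 +385,7 @@` hunk the removed and added `%autosetup -n %{service}-%{upstream_version} -S git` lines read identically here, so the change is presumably trailing whitespace only and should be dropped from a security backport, where every hunk is read as part of the fix. `%autosetup` applies numbered `PatchN` sources on its own, so the `Patch1:` line added in the `@@ -52,6 +52,8 @@` hunk is already sufficient for the new patch to be applied during `%prep`.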
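Review bot: The new `%changelog` entry in the `@@ -848,7 +850,10 @@` hunk writes the identifier as `CVE_2021_40085`, which is not the canonical form; the line should read `- Fix CVE-2021-40085` so the hyphenated id can be matched by tooling and by readers cross-referencing the nested patch's `Closes-Bug: #1939733`. The same hunk rewrites the earlier `liksh` entry from `1:18.1.0-1` to `18.1.0-1` while leaving `joec88 1:17.0.0-1` as is; historical entries are normally left untouched, and if the epoch prefix was wrong it deserves a sentence in the new entry rather than a silent edit. Author email addresses appear to have been stripped in this rendering, so the `name - version` shape of the entries is not judged here.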