diff --git a/0002-fix-CVE-2023-3978.patch b/0002-fix-CVE-2023-3978.patch
new file mode 100644
index 0000000000000000000000000000000000000000..799866f53040cbc3431270021edde0f7f855c936
--- /dev/null
+++ b/0002-fix-CVE-2023-3978.patch
@@ -0,0 +1,85 @@
+From 68b7c3ea0659978cf70ed592a73b2b5c2e0632e1 Mon Sep 17 00:00:00 2001
+From: bwzhang
+Date: Sun, 28 Apr 2024 10:46:26 +0800
+Subject: [PATCH] fix CVE-2023-3978
+
+html: only render content literally in the HTML namespace
+
+Per the WHATWG HTML specification, section 13.3, only append the literal
+content of a text node if we are in the HTML namespace.
+
+Thanks to Mohammad Thoriq Aziz for reporting this issue.
+
+Fixes golang/go#61615
+Fixes CVE-2023-3978
+
+Change-Id: I332152904d4e7646bd2441602bcbe591fc655fa4
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1942896
+Reviewed-by: Tatiana Bradley
+Run-TryBot: Roland Shoemaker
+Reviewed-by: Damien Neil
+TryBot-Result: Security TryBots
+Reviewed-on: https://go-review.googlesource.com/c/net/+/514896
+Reviewed-by: Roland Shoemaker
+TryBot-Result: Gopher Robot
+Run-TryBot: Damien Neil
+---
+ .../vendor/golang.org/x/net/html/render.go | 28 ++++++++++++++++---
+ 1 file changed, 24 insertions(+), 4 deletions(-)
+
+diff --git a/dnsname-18822f9a4fb35d1349eb256f4cd2bfd372474d84/vendor/golang.org/x/net/html/render.go b/dnsname-18822f9a4fb35d1349eb256f4cd2bfd372474d84/vendor/golang.org/x/net/html/render.go
+index d34564f..5914410 100644
+--- a/dnsname-18822f9a4fb35d1349eb256f4cd2bfd372474d84/vendor/golang.org/x/net/html/render.go
++++ b/dnsname-18822f9a4fb35d1349eb256f4cd2bfd372474d84/vendor/golang.org/x/net/html/render.go
+@@ -191,9 +191,8 @@ func render1(w writer, n *Node) error {
+ }
+ }
+
+- // Render any child nodes.
+- switch n.Data {
+- case "iframe", "noembed", "noframes", "noscript", "plaintext", "script", "style", "xmp":
++ // Render any child nodes
++ if childTextNodesAreLiteral(n) {
+ for c := n.FirstChild; c != nil; c = c.NextSibling {
+ if c.Type == TextNode {
+ if _, err := w.WriteString(c.Data); err != nil {
+@@ -210,7 +209,7 @@ func render1(w writer, n *Node) error {
+ // last element in the file, with no closing tag.
+ return plaintextAbort
+ }
+- default:
++ } else {
+ for c := n.FirstChild; c != nil; c = c.NextSibling {
+ if err := render1(w, c); err != nil {
+ return err
+@@ -228,6 +227,27 @@ func render1(w writer, n *Node) error {
+ return w.WriteByte('>')
+ }
+
++func childTextNodesAreLiteral(n *Node) bool {
++ // Per WHATWG HTML 13.3, if the parent of the current node is a style,
++ // script, xmp, iframe, noembed, noframes, or plaintext element, and the
++ // current node is a text node, append the value of the node's data
++ // literally. The specification is not explicit about it, but we only
++ // enforce this if we are in the HTML namespace (i.e. when the namespace is
++ // "").
++ // NOTE: we also always include noscript elements, although the
++ // specification states that they should only be rendered as such if
++ // scripting is enabled for the node (which is not something we track).
++ if n.Namespace != "" {
++ return false
++ }
++ switch n.Data {
++ case "iframe", "noembed", "noframes", "noscript", "plaintext", "script", "style", "xmp":
++ return true
++ default:
++ return false
++ }
++}
++
+ // writeQuoted writes s to w surrounded by quotes. Normally it will use double
+ // quotes, but if s contains a double quote, it will use single quotes.
+ // It is used for writing the identifiers in a doctype declaration.
+--
+2.20.1
+
diff --git a/podman.spec b/podman.spec
index 3dbb3fec5553bf914771ddecbcfc4d06fb68a2ae..4ade47241622b840aff805b76f1b7b5595da7f5c 100644
--- a/podman.spec
+++ b/podman.spec
@@ -2,7 +2,7 @@ Name: podman
 Version: 4.9.4
-Release: 5
+Release: 6
 Summary: A tool for managing OCI containers and pods.
 Epoch: 1
 License: Apache-2.0 and MIT
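Review bot: The backport reaches only the copy of golang.org/x/net/html vendored inside the dnsname source tree — the inner diff's paths are pinned to `dnsname-18822f9a4fb35d1349eb256f4cd2bfd372474d84/vendor/golang.org/x/net/html/render.go`, and podman.spec's `%patch0002 -p1` is placed after `tar zxf %{SOURCE1}` so that directory exists when it runs. If podman's own vendor tree or the gvproxy tarball (`%{SOURCE2}`) also carry a pre-fix golang.org/x/net/html, they are not touched by this patch; the diff does not show whether they do, so it is worth confirming by searching the unpacked sources for `childTextNodesAreLiteral` before treating the CVE as closed. The hash-pinned directory also means the patch stops applying as soon as SOURCE1 is bumped, which a comment above the `%patch0002` line would make obvious, e.g. `# patches vendored x/net/html inside the unpacked dnsname tree (CVE-2023-3978); update the path when SOURCE1 changes`. The Go change itself matches upstream's `childTextNodesAreLiteral` and needs nothing further.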
@@ -14,6 +14,7 @@ Source3: https://github.com/cpuguy83/go-md2man/archive/refs/tags/v2.0.3.ta
 Patch0: 0001-podman-4.9.4-add-support-for-loongarch64.patch
 Patch0001: 0001-fix-CVE-2024-28180.patch
+Patch0002: 0002-fix-CVE-2023-3978.patch
 BuildRequires: gcc golang btrfs-progs-devel glib2-devel glibc-devel glibc-static
 BuildRequires: gpgme-devel libassuan-devel libgpg-error-devel libseccomp-devel libselinux-devel
@@ -116,6 +117,7 @@ sed -i 's;@@PODMAN@@\;$(BINDIR);@@PODMAN@@\;%{_bindir};' Makefile
 %patch0001 -p1
 # untar dnsname
 tar zxf %{SOURCE1}
+%patch0002 -p1
 # untar %%{name}-gvproxy
 tar zxf %{SOURCE2}
 # untar go-md2man
@@ -293,6 +295,12 @@ cp -pav test/system %{buildroot}/%{_datadir}/%{name}/test/
 %{_bindir}/%{name}sh
 %changelog
+* Sun Apr 28 2024 zhangbowei - 1:4.9.4-6
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC: fix CVE-2023-3978
+
+* Wed Apr 24 2024 zhangbowei - 1:4.9.4-5
+- Type:bugfix
+- CVE:NA
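Review bot: The new %changelog entry in the last hunk records `- CVE:NA` although its own DESC line is `fix CVE-2023-3978`, so the entry contradicts itself and the fix will not be found by anyone scanning the changelog by CVE field. It should read `- CVE:CVE-2023-3978`; if this spec follows the convention where security fixes are typed as such, `- Type:cves` rather than `- Type:bugfix` would also apply, though the file's other entries are not visible enough here to be sure. The preceding 1:4.9.4-5 entry shows `- CVE:NA` as well, and its DESC line lies outside the hunk, so it deserves the same check.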