diff --git a/backport-fix-prevent-OctKey-to-import-ssh-rsa-pem-keys.patch b/backport-fix-prevent-OctKey-to-import-ssh-rsa-pem-keys.patch
new file mode 100644
index 0000000000000000000000000000000000000000..f9d75d1cf35fc4f4e6d29b438581ab5476c9b4fd
--- /dev/null
+++ b/backport-fix-prevent-OctKey-to-import-ssh-rsa-pem-keys.patch
@@ -0,0 +1,46 @@
+From 3bea812acefebc9ee108aa24557be3ba8971daf1 Mon Sep 17 00:00:00 2001
+From: Hsiaoming Yang
+Date: Tue, 4 Jun 2024 11:34:43 +0900
+Subject: [PATCH] fix: prevent OctKey to import ssh/rsa/pem keys
+
+https://github.com/lepture/authlib/issues/654
+---
+ authlib/jose/rfc7518/oct_key.py | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+diff --git a/authlib/jose/rfc7518/oct_key.py b/authlib/jose/rfc7518/oct_key.py
+index 1db321a..44e1f72 100644
+--- a/authlib/jose/rfc7518/oct_key.py
++++ b/authlib/jose/rfc7518/oct_key.py
+@@ -6,6 +6,16 @@ from authlib.common.security import generate_token
+ from ..rfc7517 import Key
+ 
+ 
++POSSIBLE_UNSAFE_KEYS = (
++ b"-----BEGIN ",
++ b"---- BEGIN ",
++ b"ssh-rsa ",
++ b"ssh-dss ",
++ b"ssh-ed25519 ",
++ b"ecdsa-sha2-",
++)
++
++
+ class OctKey(Key):
+ """Key class of the ``oct`` key type."""
+ 
+@@ -65,6 +75,11 @@ class OctKey(Key):
+ key._dict_data = raw
+ else:
+ raw_key = to_bytes(raw)
++
++ # security check
++ if raw_key.startswith(POSSIBLE_UNSAFE_KEYS):
++ raise ValueError("This key may not be safe to import")
++
+ key = cls(raw_key=raw_key, options=options)
+ return key
+ 
+--
+2.33.0
+
diff --git a/python-Authlib.spec b/python-Authlib.spec
index e296e62d94464b4b26d5ec5b2f05684fd479efac..766729baaa5df4959d52cb3642973f09b0d11c3e 100644
--- a/python-Authlib.spec
+++ b/python-Authlib.spec
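Review bot: The guard added in the second nested hunk, `if raw_key.startswith(POSSIBLE_UNSAFE_KEYS):`, is a prefix blocklist, so key material with leading whitespace or a newline before `-----BEGIN ` or `ssh-rsa ` passes it unchanged, and binary DER-encoded keys are not covered at all; `if raw_key.lstrip().startswith(POSSIBLE_UNSAFE_KEYS):` closes the whitespace case at no cost. The bare `# security check` comment should say what is being prevented, e.g. `# heuristic: refuse PEM/OpenSSH-formatted asymmetric key material as an oct (HMAC) secret; this is defense in depth, callers still need to pin the accepted alg values when verifying`, since the changelog ties this backport to CVE-2024-37568 and the list is not a complete validation. The check runs only in the bytes branch; the dict branch just above (`key._dict_data = raw`) is not validated, which is presumably intended for JWK input but worth stating in the same comment. The enclosing method begins and ends outside the hunk.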
@@ -1,13 +1,15 @@ %global _empty_manifest_terminate_build 0 Name: python-Authlib Version: 1.2.0 -Release: 1 +Release: 2 Summary: The ultimate Python library in building OAuth and OpenID Connect servers and clients. License: BSD 3-Clause License URL: https://authlib.org/ Source0: https://files.pythonhosted.org/packages/1e/84/3c82d181a04053fefa456dcb15edea93ffdb06071570b6cb05783f5e5fa5/Authlib-1.2.0.tar.gz BuildArch: noarch +Patch0001: backport-fix-prevent-OctKey-to-import-ssh-rsa-pem-keys.patch + Requires: python3-cryptography %description @@ -32,7 +34,7 @@ The ultimate Python library in building OAuth and OpenID Connect servers. JWS, JWK, JWA, JWT are included. %prep -%autosetup -n Authlib-1.2.0 +%autosetup -p1 -n Authlib-1.2.0 %build %py3_build @@ -72,5 +74,8 @@ mv %{buildroot}/doclist.lst . %{_docdir}/* %changelog +* Wed Jun 26 2024 wangziliang - 1.2.0-2 +- fix CVE-2024-37568 + * Wed Jun 07 2023 lichaoran - 1.2.0-1 - Package Spec generated