diff --git a/backport-CVE-2021-28861.patch b/backport-CVE-2021-28861.patch
new file mode 100644
index 0000000000000000000000000000000000000000..693d474508d8bcc02061e9395df62d1f7a7f023b
--- /dev/null
+++ b/backport-CVE-2021-28861.patch
@@ -0,0 +1,131 @@
+From 8a34afd55258c721e446d6de4a70353c39a24148 Mon Sep 17 00:00:00 2001
+From: "Miss Islington (bot)"
+ <31488909+miss-islington@users.noreply.github.com>
+Date: Wed, 22 Jun 2022 15:05:00 -0700
+Subject: [PATCH] gh-87389: Fix an open redirection vulnerability in
+ http.server. (GH-93879) (GH-94095)
+
+Fix an open redirection vulnerability in the `http.server` module when
+an URI path starts with `//` that could produce a 301 Location header
+with a misleading target.  Vulnerability discovered, and logic fix
+proposed, by Hamza Avvan (@hamzaavvan).
+
+Test and comments authored by Gregory P. Smith [Google].
+(cherry picked from commit 4abab6b603dd38bec1168e9a37c40a48ec89508e)
+
+Co-authored-by: Gregory P. Smith <greg@krypto.org>
+---
+ Lib/http/server.py                                 |  7 +++
+ Lib/test/test_httpservers.py                       | 53 +++++++++++++++++++++-
+ .../2022-06-15-20-09-23.gh-issue-87389.QVaC3f.rst  |  3 ++
+ 3 files changed, 61 insertions(+), 2 deletions(-)
+ create mode 100644 Misc/NEWS.d/next/Security/2022-06-15-20-09-23.gh-issue-87389.QVaC3f.rst
+
+diff --git a/Lib/http/server.py b/Lib/http/server.py
+index ca2dd50..7d51fc9 100644
+--- a/Lib/http/server.py
++++ b/Lib/http/server.py
+@@ -331,6 +331,13 @@ class BaseHTTPRequestHandler(socketserver.StreamRequestHandler):
+                 return False
+         self.command, self.path = command, path
+ 
++        # gh-87389: The purpose of replacing '//' with '/' is to protect
++        # against open redirect attacks possibly triggered if the path starts
++        # with '//' because http clients treat //path as an absolute URI
++        # without scheme (similar to http://path) rather than a path.
++        if self.path.startswith('//'):
++            self.path = '/' + self.path.lstrip('/')  # Reduce to a single /
++
+         # Examine the headers and look for a Connection directive.
+         try:
+             self.headers = http.client.parse_headers(self.rfile,
+diff --git a/Lib/test/test_httpservers.py b/Lib/test/test_httpservers.py
+index cc829a5..c11855b 100644
+--- a/Lib/test/test_httpservers.py
++++ b/Lib/test/test_httpservers.py
+@@ -329,7 +329,7 @@ class SimpleHTTPServerTestCase(BaseTestCase):
+         pass
+ 
+     def setUp(self):
+-        BaseTestCase.setUp(self)
++        super().setUp()
+         self.cwd = os.getcwd()
+         basetempdir = tempfile.gettempdir()
+         os.chdir(basetempdir)
+@@ -357,7 +357,7 @@ class SimpleHTTPServerTestCase(BaseTestCase):
+             except:
+                 pass
+         finally:
+-            BaseTestCase.tearDown(self)
++            super().tearDown()
+ 
+     def check_status_and_reason(self, response, status, data=None):
+         def close_conn():
+@@ -413,6 +413,55 @@ class SimpleHTTPServerTestCase(BaseTestCase):
+         self.check_status_and_reason(response, HTTPStatus.OK,
+                                      data=support.TESTFN_UNDECODABLE)
+ 
++    def test_get_dir_redirect_location_domain_injection_bug(self):
++        """Ensure //evil.co/..%2f../../X does not put //evil.co/ in Location.
++
++        //netloc/ in a Location header is a redirect to a new host.
++        https://github.com/python/cpython/issues/87389
++
++        This checks that a path resolving to a directory on our server cannot
++        resolve into a redirect to another server.
++        """
++        os.mkdir(os.path.join(self.tempdir, 'existing_directory'))
++        url = f'/python.org/..%2f..%2f..%2f..%2f..%2f../%0a%0d/../{self.tempdir_name}/existing_directory'
++        expected_location = f'{url}/'  # /python.org.../ single slash single prefix, trailing slash
++        # Canonicalizes to /tmp/tempdir_name/existing_directory which does
++        # exist and is a dir, triggering the 301 redirect logic.
++        response = self.request(url)
++        self.check_status_and_reason(response, HTTPStatus.MOVED_PERMANENTLY)
++        location = response.getheader('Location')
++        self.assertEqual(location, expected_location, msg='non-attack failed!')
++
++        # //python.org... multi-slash prefix, no trailing slash
++        attack_url = f'/{url}'
++        response = self.request(attack_url)
++        self.check_status_and_reason(response, HTTPStatus.MOVED_PERMANENTLY)
++        location = response.getheader('Location')
++        self.assertFalse(location.startswith('//'), msg=location)
++        self.assertEqual(location, expected_location,
++                msg='Expected Location header to start with a single / and '
++                'end with a / as this is a directory redirect.')
++
++        # ///python.org... triple-slash prefix, no trailing slash
++        attack3_url = f'//{url}'
++        response = self.request(attack3_url)
++        self.check_status_and_reason(response, HTTPStatus.MOVED_PERMANENTLY)
++        self.assertEqual(response.getheader('Location'), expected_location)
++
++        # If the second word in the http request (Request-URI for the http
++        # method) is a full URI, we don't worry about it, as that'll be parsed
++        # and reassembled as a full URI within BaseHTTPRequestHandler.send_head
++        # so no errant scheme-less //netloc//evil.co/ domain mixup can happen.
++        attack_scheme_netloc_2slash_url = f'https://pypi.org/{url}'
++        expected_scheme_netloc_location = f'{attack_scheme_netloc_2slash_url}/'
++        response = self.request(attack_scheme_netloc_2slash_url)
++        self.check_status_and_reason(response, HTTPStatus.MOVED_PERMANENTLY)
++        location = response.getheader('Location')
++        # We're just ensuring that the scheme and domain make it through, if
++        # there are or aren't multiple slashes at the start of the path that
++        # follows that isn't important in this Location: header.
++        self.assertTrue(location.startswith('https://pypi.org/'), msg=location)
++
+     def test_get(self):
+         #constructs the path relative to the root directory of the HTTPServer
+         response = self.request(self.base_url + '/test')
+diff --git a/Misc/NEWS.d/next/Security/2022-06-15-20-09-23.gh-issue-87389.QVaC3f.rst b/Misc/NEWS.d/next/Security/2022-06-15-20-09-23.gh-issue-87389.QVaC3f.rst
+new file mode 100644
+index 0000000..029d437
+--- /dev/null
++++ b/Misc/NEWS.d/next/Security/2022-06-15-20-09-23.gh-issue-87389.QVaC3f.rst
+@@ -0,0 +1,3 @@
++:mod:`http.server`: Fix an open redirection vulnerability in the HTTP server
++when an URI path starts with ``//``.  Vulnerability discovered, and initial
++fix proposed, by Hamza Avvan.
+-- 
+1.8.3.1
+
diff --git a/python3.spec b/python3.spec
index 0ed237b05d3151e4e7d491ccb881311ee911ee5d..8a13087e44ca93ff18eb2249d26943b088dacd80 100644
--- a/python3.spec
+++ b/python3.spec
@@ -3,7 +3,7 @@ Summary: Interpreter of the Python3 programming language
 URL: https://www.python.org/
 
 Version: 3.7.9
-Release: 24
+Release: 25
 License: Python-2.0
 
 %global branchversion 3.7
@@ -161,6 +161,7 @@ Patch6050: backport-bpo-45001-Make-email-date-parsing-more-robust-agains.patch
 Patch6051: backport-3.7-bpo-43124-Fix-smtplib-multiple-CRLF-injection-GH.patch
 Patch6052: backport-bpo-46811-Make-test-suite-support-Expat-2.4.5.patch
 Patch6053: backport-CVE-2015-20107.patch
+Patch6054: backport-CVE-2021-28861.patch
 
 Recommends: %{name}-help = %{version}-%{release}
 Provides: python%{branchversion} = %{version}-%{release}
@@ -308,6 +309,7 @@ rm Lib/ensurepip/_bundled/*.whl
 %patch6051 -p1
 %patch6052 -p1
 %patch6053 -p1
+%patch6054 -p1
 
 sed -i "s/generic_os/%{_vendor}/g" Lib/platform.py
 rm configure pyconfig.h.in
@@ -909,6 +911,12 @@ export BEP_GTDLIST="$BEP_GTDLIST_TMP"
 %{_mandir}/*/*
 
 %changelog
+* Thu Aug 25 2022 shixuantong <shixuantong@h-partners.com> - 3.7.9-25
+- Type:CVE
+- CVE:CVE-2021-28861
+- SUG:NA
+- DESC:fix CVE-2021-28861
+
 * Wed Jul 06 2022 shixuantong <shixuantong@h-partners.com> - 3.7.9-24
 - Type:bugfix
 - CVE:NA