diff --git a/backport-CVE-2021-29921.patch b/backport-CVE-2021-29921.patch
new file mode 100644
index 0000000000000000000000000000000000000000..3259d986d8d81372a6c448e69c275065adea44e2
--- /dev/null
+++ b/backport-CVE-2021-29921.patch
@@ -0,0 +1,126 @@
+From 5374fbc31446364bf5f12e5ab88c5493c35eaf04 Mon Sep 17 00:00:00 2001
+From: "Miss Islington (bot)"
+ <31488909+miss-islington@users.noreply.github.com>
+Date: Sun, 2 May 2021 06:49:03 -0700
+Subject: [PATCH] bpo-36384: Leading zeros in IPv4 addresses are no longer
+ tolerated (GH-25099) (GH-25815)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Reverts commit e653d4d8e820a7a004ad399530af0135b45db27a and makes
+parsing even more strict. Like socket.inet_pton() any leading zero
+is now treated as invalid input.
+
+Signed-off-by: Christian Heimes
+
+Co-authored-by: Łukasz Langa
+(cherry picked from commit 60ce8f0be6354ad565393ab449d8de5d713f35bc)
+---
+ Doc/library/ipaddress.rst | 19 +++++++++++++++++--
+ Lib/ipaddress.py | 5 +++++
+ Lib/test/test_ipaddress.py | 21 +++++++++++++++++----
+ .../2021-03-30-16-29-51.bpo-36384.sCAmLs.rst | 6 ++++++
+ 4 files changed, 45 insertions(+), 6 deletions(-)
+ create mode 100644 Misc/NEWS.d/next/Security/2021-03-30-16-29-51.bpo-36384.sCAmLs.rst
+
+diff --git a/Doc/library/ipaddress.rst b/Doc/library/ipaddress.rst
+index 140401d..7dba43f 100644
+--- a/Doc/library/ipaddress.rst
++++ b/Doc/library/ipaddress.rst
+@@ -104,8 +104,7 @@ write code that handles both IP versions correctly. Address objects are
+ 1. A string in decimal-dot notation, consisting of four decimal integers in
+ the inclusive range 0--255, separated by dots (e.g. ``192.168.0.1``). Each
+ integer represents an octet (byte) in the address. Leading zeroes are
+- tolerated only for values less than 8 (as there is no ambiguity
+ between the decimal and octal interpretations of such strings).
++ not tolerated to prevent confusion with octal notation.
+ 2. An integer that fits into 32 bits.
+ 3. An integer packed into a :class:`bytes` object of length 4 (most
+ significant octet first).
+@@ -117,6 +116,22 @@ write code that handles both IP versions correctly. Address objects are
+ >>> ipaddress.IPv4Address(b'\xC0\xA8\x00\x01')
+ IPv4Address('192.168.0.1')
+
++ .. versionchanged:: 3.8
++
++ Leading zeros are tolerated, even in ambiguous cases that look like
++ octal notation.
++
++ .. versionchanged:: 3.10
++
++ Leading zeros are no longer tolerated and are treated as an error.
++ IPv4 address strings are now parsed as strict as glibc
++ :func:`~socket.inet_pton`.
++
++ .. versionchanged:: 3.9.5
++
++ The above change was also included in Python 3.9 starting with
++ version 3.9.5.
++
+ .. attribute:: version
+
+ The appropriate version number: ``4`` for IPv4, ``6`` for IPv6.
+diff --git a/Lib/ipaddress.py b/Lib/ipaddress.py
+index a3a04f7..e1c346c 100644
+--- a/Lib/ipaddress.py
++++ b/Lib/ipaddress.py
+@@ -1173,6 +1173,11 @@ class _BaseV4:
+ if len(octet_str) > 3:
+ msg = "At most 3 characters permitted in %r"
+ raise ValueError(msg % octet_str)
++ # Handle leading zeros as strict as glibc's inet_pton()
++ # See security bug bpo-36384
++ if octet_str != '0' and octet_str[0] == '0':
++ msg = "Leading zeros are not permitted in %r"
++ raise ValueError(msg % octet_str)
+ # Convert to integer (we know digits are legal)
+ octet_int = int(octet_str, 10)
+ if octet_int > 255:
+diff --git a/Lib/test/test_ipaddress.py b/Lib/test/test_ipaddress.py
+index 2eba740..5205fb0 100644
+--- a/Lib/test/test_ipaddress.py
++++ b/Lib/test/test_ipaddress.py
+@@ -97,10 +97,23 @@ class CommonTestMixin:
+ class CommonTestMixin_v4(CommonTestMixin):
+
+ def test_leading_zeros(self):
+- self.assertInstancesEqual("000.000.000.000", "0.0.0.0")
+- self.assertInstancesEqual("192.168.000.001", "192.168.0.1")
+- self.assertInstancesEqual("016.016.016.016", "16.16.16.16")
+- self.assertInstancesEqual("001.000.008.016", "1.0.8.16")
++ # bpo-36384: no leading zeros to avoid ambiguity with octal notation
++ msg = "Leading zeros are not permitted in '\d+'"
++ addresses = [
++ "000.000.000.000",
++ "192.168.000.001",
++ "016.016.016.016",
++ "192.168.000.001",
++ "001.000.008.016",
++ "01.2.3.40",
++ "1.02.3.40",
++ "1.2.03.40",
++ "1.2.3.040",
++ ]
++ for address in addresses:
++ with self.subTest(address=address):
++ with self.assertAddressError(msg):
++ self.factory(address)
+
+ def test_int(self):
+ self.assertInstancesEqual(0, "0.0.0.0")
+diff --git a/Misc/NEWS.d/next/Security/2021-03-30-16-29-51.bpo-36384.sCAmLs.rst b/Misc/NEWS.d/next/Security/2021-03-30-16-29-51.bpo-36384.sCAmLs.rst
+new file mode 100644
+index 0000000..f956cde
+--- /dev/null
++++ b/Misc/NEWS.d/next/Security/2021-03-30-16-29-51.bpo-36384.sCAmLs.rst
+@@ -0,0 +1,6 @@
++:mod:`ipaddress` module no longer accepts any leading zeros in IPv4 address
++strings. Leading zeros are ambiguous and interpreted as octal notation by
++some libraries. For example the legacy function :func:`socket.inet_aton`
++treats leading zeros as octal notatation. glibc implementation of modern
++:func:`~socket.inet_pton` does not accept any leading zeros. For a while
++the :mod:`ipaddress` module used to accept ambiguous leading zeros.
+--
+1.8.3.1
+
diff --git a/backport-CVE-2021-3426.patch b/backport-CVE-2021-3426.patch
new file mode 100644
index 0000000000000000000000000000000000000000..1856431c5655eb44d8962add55ce9d7623be39dd
--- /dev/null
+++ b/backport-CVE-2021-3426.patch
@@ -0,0 +1,100 @@
+From 7e38d3309e0a5a7b9e23ef933aef0079c6e317f7 Mon Sep 17 00:00:00 2001
+From: "Miss Islington (bot)"
+ <31488909+miss-islington@users.noreply.github.com>
+Date: Mon, 29 Mar 2021 06:02:40 -0700
+Subject: [PATCH] bpo-42988: Remove the pydoc getfile feature (GH-25015)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+CVE-2021-3426: Remove the "getfile" feature of the pydoc module which
+could be abused to read arbitrary files on the disk (directory
+traversal vulnerability). Moreover, even source code of Python
+modules can contain sensitive data like passwords. Vulnerability
+reported by David Schwörer.
+(cherry picked from commit 9b999479c0022edfc9835a8a1f06e046f3881048)
+
+Co-authored-by: Victor Stinner
+---
+ Lib/pydoc.py | 18 ------------------
+ Lib/test/test_pydoc.py | 6 ------
+ .../2021-03-24-14-16-56.bpo-42988.P2aNco.rst | 4 ++++
+ 3 files changed, 4 insertions(+), 24 deletions(-)
+ create mode 100644 Misc/NEWS.d/next/Security/2021-03-24-14-16-56.bpo-42988.P2aNco.rst
+
+diff --git a/Lib/pydoc.py b/Lib/pydoc.py
+index dc3377d68f8caa..afec613dd85a06 100644
+--- a/Lib/pydoc.py
++++ b/Lib/pydoc.py
+@@ -2364,9 +2364,6 @@ def page(self, title, contents):
+ %s%s
%s
+ ''' % (title, css_link, html_navbar(), contents)
+
+- def filelink(self, url, path):
+- return '%s' % (url, path)
+-
+
+ html = _HTMLDoc()
+
+@@ -2452,19 +2449,6 @@ def bltinlink(name):
+ 'key = %s' % key, '#ffffff', '#ee77aa', '
'.join(results))
+ return 'Search Results', contents
+
+- def html_getfile(path):
+- """Get and display a source file listing safely."""
+- path = urllib.parse.unquote(path)
+- with tokenize.open(path) as fp:
+- lines = html.escape(fp.read())
+- body = '
%s
' % lines
+- heading = html.heading(
+- 'File Listing',
+- '#ffffff', '#7799ee')
+- contents = heading + html.bigsection(
+- 'File: %s' % path, '#ffffff', '#ee77aa', body)
+- return 'getfile %s' % path, contents
+-
+ def html_topics():
+ """Index of topic texts available."""
+
+@@ -2556,8 +2540,6 @@ def get_html_page(url):
+ op, _, url = url.partition('=')
+ if op == "search?key":
+ title, content = html_search(url)
+- elif op == "getfile?key":
+- title, content = html_getfile(url)
+ elif op == "topic?key":
+ # try topics first, then objects.
+ try:
+diff --git a/Lib/test/test_pydoc.py b/Lib/test/test_pydoc.py
+index c80477c50f0980..72ed8a93b712b0 100644
+--- a/Lib/test/test_pydoc.py
++++ b/Lib/test/test_pydoc.py
+@@ -1360,18 +1360,12 @@ def test_url_requests(self):
+ ("topic?key=def", "Pydoc: KEYWORD def"),
+ ("topic?key=STRINGS", "Pydoc: TOPIC STRINGS"),
+ ("foobar", "Pydoc: Error - foobar"),
+- ("getfile?key=foobar", "Pydoc: Error - getfile?key=foobar"),
+ ]
+
+ with self.restrict_walk_packages():
+ for url, title in requests:
+ self.call_url_handler(url, title)
+
+- path = string.__file__
+- title = "Pydoc: getfile " + path
+- url = "getfile?key=" + path
+- self.call_url_handler(url, title)
+-
+
+ class TestHelper(unittest.TestCase):
+ def test_keywords(self):
+diff --git a/Misc/NEWS.d/next/Security/2021-03-24-14-16-56.bpo-42988.P2aNco.rst b/Misc/NEWS.d/next/Security/2021-03-24-14-16-56.bpo-42988.P2aNco.rst
+new file mode 100644
+index 00000000000000..4b42dd05305a83
+--- /dev/null
++++ b/Misc/NEWS.d/next/Security/2021-03-24-14-16-56.bpo-42988.P2aNco.rst
+@@ -0,0 +1,4 @@
++CVE-2021-3426: Remove the ``getfile`` feature of the :mod:`pydoc` module which
++could be abused to read arbitrary files on the disk (directory traversal
++vulnerability). Moreover, even source code of Python modules can contain
++sensitive data like passwords. Vulnerability reported by David Schwörer.
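Review bot: With the `getfile?key` branch removed from `get_html_page`, the test hunk also deletes the only request that exercised a getfile URL, `("getfile?key=foobar", "Pydoc: Error - getfile?key=foobar")`, so nothing in `test_url_requests` now pins that such URLs fall through to the error page instead of some other handler; keeping one negative `getfile?key=...` entry in `requests` would lock the removal in, with the expected title adjusted if the fallback branch formats it differently. Both `get_html_page` and `test_url_requests` start and end outside their hunks, so that the URL reaches the fallback branch is inferred from the visible dispatch chain, not verified. If the removed `path = string.__file__` was the only use of `string` in test_pydoc.py, its import is now dead and can go in the same patch.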
diff --git a/python3.spec b/python3.spec index 8a38f2acf7792477296ff4099bd398445eee6257..ffc7c9aa7f87fa83773dcbb2c1259b16fc2826e0 100644 --- a/python3.spec +++ b/python3.spec @@ -3,7 +3,7 @@ Summary: Interpreter of the Python3 programming language URL: https://www.python.org/ Version: 3.8.5 -Release: 10 +Release: 11 License: Python %global branchversion 3.8 @@ -100,6 +100,8 @@ Patch254: CVE-2021-3177.patch Patch255: backport-CVE-2021-23336.patch Patch256: backport-Remove-thread-objects-which-finished-process-its-request.patch Patch257: backport-Fix-reference-leak-when-Thread-is-never-joined.patch +Patch6000: backport-CVE-2021-3426.patch +Patch6001: backport-CVE-2021-29921.patch Provides: python%{branchversion} = %{version}-%{release} Provides: python(abi) = %{branchversion} @@ -197,6 +199,8 @@ rm Lib/ensurepip/_bundled/*.whl %patch255 -p1 %patch256 -p1 %patch257 -p1 +%patch6000 -p1 +%patch6001 -p1 rm configure pyconfig.h.in @@ -804,6 +808,12 @@ export BEP_GTDLIST="$BEP_GTDLIST_TMP" %{_mandir}/*/* %changelog +* Mon May 31 2021 shixuantong - 3.8.5-11 +- Type:CVE +- CVE:CVE-2021-3426 CVE-2021-29921 +- SUG:NA +- DESC:fix CVE-2021-3426 CVE-2021-29921 + * Sun May 23 2021 shixuantong - 3.8.5-10 - Type:bugfix - ID:NA