diff --git a/CVE-2021-34337.patch b/CVE-2021-34337.patch
new file mode 100644
index 0000000000000000000000000000000000000000..11d0194e96b63eabd637b22f27716032f9e817a2
--- /dev/null
+++ b/CVE-2021-34337.patch
@@ -0,0 +1,44 @@
+From e4a39488c4510fcad8851217f10e7337a196bb51 Mon Sep 17 00:00:00 2001
+From: Kunal Mehta
+Date: Tue, 8 Jun 2021 00:54:14 -0400
+Subject: [PATCH] Check the REST API password in a way that is resistant to
+ timing attacks (CVE-2021-34337)
+
+Using basic string equality is vulnerable to timing attacks as it will
+short circuit at the first wrong character. Using hmac.compare_digest
+avoids that issue and will take the same time, regardless of whether
+the value is correct or not.
+
+This is only exploitable if an attacker can talk directly to the
+REST API, which by default is bound to localhost.
+
+Fixes #911.
+---
+ src/mailman/rest/wsgiapp.py | 4 +++-
+ 1 files changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/mailman/rest/wsgiapp.py b/src/mailman/rest/wsgiapp.py
+index 14d9a4e03..ab5be448d 100644
+--- a/src/mailman/rest/wsgiapp.py
++++ b/src/mailman/rest/wsgiapp.py
+@@ -18,6 +18,7 @@
+ """Basic WSGI Application object for REST server."""
+
+ import re
++import hmac
+ import logging
+
+ from base64 import b64decode
+@@ -55,7 +56,8 @@ class Middleware:
+ credentials = b64decode(request.auth[6:]).decode('utf-8')
+ username, password = credentials.split(':', 1)
+ if (username == config.webservice.admin_user and
+- password == config.webservice.admin_pass):
++ hmac.compare_digest(
++ password, config.webservice.admin_pass)):
+ authorized = True
+ if not authorized:
+ # Not authorized.
+-- 
+GitLab
+
diff --git a/mailman.spec b/mailman.spec
index f46de6251279048cd4a0ccc039e4bd1a5ff2ef07..7fbf122ea96bac05fb1f9e691caa72c74f56350d 100644
--- a/mailman.spec
+++ b/mailman.spec
@@ -7,7 +7,7 @@
 Name: mailman
 Version: 3.3.2
-Release: 7
+Release: 8
 Epoch: 3
 Summary: The GNU mailing list manager
 License: GPLv3
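Review bot: `hmac.compare_digest` on two `str` operands raises `TypeError` when either contains non-ASCII characters, and in the embedded `@@ -55,7 +56,8 @@` hunk of wsgiapp.py `password` is whatever the client sent, base64-decoded as UTF-8, so a request carrying a non-ASCII password (or an `admin_pass` configured with one) would surface as an unhandled exception rather than falling through to the `if not authorized:` branch. Comparing the UTF-8 encoded bytes avoids this while keeping the constant-time property: `hmac.compare_digest(password.encode('utf-8'), config.webservice.admin_pass.encode('utf-8'))`. The `username ==` comparison on the preceding context line still short-circuits; the admin user name is normally not a secret, but if that matters it could use the same constant-time comparison. The Middleware method containing this code starts and ends outside the embedded hunk.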
@@ -30,6 +30,7 @@ Patch16: mailman3-test_as_string_python_bug_27321.patch
 Patch17: 0001-fix-tests-assertion-error.patch
 #Refer: https://gitlab.com/mailman/mailman/-/issues/964#note_1001855903
 Patch18: support-sqlalchemy-1-4.patch
+Patch19: CVE-2021-34337.patch
 BuildArch: noarch
 BuildRequires: glibc-langpack-en
 BuildRequires: python%{python3_pkgversion}-devel >= 3.5 python%{python3_pkgversion}-setuptools
@@ -211,6 +212,9 @@ done
 %{_datadir}/selinux/*/mailman3.pp
 %changelog
+* Sun Oct 09 2022 liyuxiang - 3:3.3.2-8
+- fix CVE-2021-34337
+
 * Thu Jul 07 2022 wangkai - 3:3.3.2-7
 - Silence sqlalchemy-1.4 warning