diff --git a/SOURCES/nginx-1.18.0-CVE-2021-23017.patch b/SOURCES/nginx-1.18.0-CVE-2021-23017.patch
new file mode 100644
index 0000000..26d01ff
--- /dev/null
+++ b/SOURCES/nginx-1.18.0-CVE-2021-23017.patch
@@ -0,0 +1,24 @@
+diff --git a/src/core/ngx_resolver.c b/src/core/ngx_resolver.c
+index e51712c..4e75ab8 100644
+--- a/src/core/ngx_resolver.c
++++ b/src/core/ngx_resolver.c
+@@ -3993,15 +3993,15 @@ done:
+ n = *src++;
+
+ } else {
++ if (dst != name->data) {
++ *dst++ = '.';
++ }
++
+ ngx_strlow(dst, src, n);
+ dst += n;
+ src += n;
+
+ n = *src++;
+-
+- if (n != 0) {
+- *dst++ = '.';
+- }
+ }
+
+ if (n == 0) {
diff --git a/SPECS/nginx.spec b/SPECS/nginx.spec
index 1a98009..e5ee179 100644
--- a/SPECS/nginx.spec
+++ b/SPECS/nginx.spec
@@ -19,7 +19,7 @@
Name: nginx
Epoch: 1
Version: 1.18.0
-Release: 3%{?dist}
+Release: 3%{?dist}.1
Summary: A high performance web server and reverse proxy server
Group: System Environment/Daemons
@@ -60,6 +60,9 @@ Patch4: nginx-1.16.0-enable-tls1v3-by-default.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1668717
Patch5: nginx-1.18.0-pkcs11-cert.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1963121
+Patch6: nginx-1.18.0-CVE-2021-23017.patch
+
%if 0%{?with_gperftools}
BuildRequires: gperftools-devel
%endif
@@ -192,6 +195,7 @@ Requires: nginx
%patch3 -p1
%patch4 -p1
%patch5 -p1
+%patch6 -p1
cp %{SOURCE200} %{SOURCE210} %{SOURCE10} %{SOURCE12} .
@@ -473,6 +477,11 @@ fi
%changelog
+* Tue May 25 2021 Luboš Uhliarik <luhliari@redhat.com> - 1:1.18.0-3.1
+- Resolves: #1963178 - CVE-2021-23017 nginx:1.18/nginx: Off-by-one in
+ ngx_resolver_copy() when labels are followed by a pointer to a root
+ domain name
+
* Thu Nov 12 2020 Lubos Uhliarik <luhliari@redhat.com> - 1:1.18.0-3
- Resolves: #1651377 - centralizing default index.html on nginx
- Resolves: #1825683 - Outdated Red Hat branding used in nginx default pages