diff --git a/CVE-2019-20372.patch b/CVE-2019-20372.patch
new file mode 100644
index 0000000000000000000000000000000000000000..ae85e3e33fe4d2c806f8838c5e45b7c8249d0e21
--- /dev/null
+++ b/CVE-2019-20372.patch
@@ -0,0 +1,28 @@
+From c1be55f97211d38b69ac0c2027e6812ab8b1b94e Mon Sep 17 00:00:00 2001
+From: Ruslan Ermilov <ru@nginx.com>
+Date: Mon, 23 Dec 2019 15:45:46 +0300
+Subject: [PATCH] Discard request body when redirecting to a URL via
+ error_page.
+
+Reported by Bert JW Regeer and Francisco Oca Gonzalez.
+---
+ src/http/ngx_http_special_response.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/http/ngx_http_special_response.c b/src/http/ngx_http_special_response.c
+index 4ffb2cc8ad..76e6705889 100644
+--- a/src/http/ngx_http_special_response.c
++++ b/src/http/ngx_http_special_response.c
+@@ -606,6 +606,12 @@ ngx_http_send_error_page(ngx_http_request_t *r, ngx_http_err_page_t *err_page)
+         return ngx_http_named_location(r, &uri);
+     }
+ 
++    r->expect_tested = 1;
++
++    if (ngx_http_discard_request_body(r) != NGX_OK) {
++        r->keepalive = 0;
++    }
++
+     location = ngx_list_push(&r->headers_out.headers);
+ 
+     if (location == NULL) {
diff --git a/nginx.spec b/nginx.spec
index eadb3370e86e3c7df890630fd6d92cf80edd7cbe..6d094567f1d00607b0b0772402e2f1413b0fc365 100644
--- a/nginx.spec
+++ b/nginx.spec
@@ -14,7 +14,7 @@
 Name:              nginx
 Epoch:             1
 Version:           1.12.1
-Release:           16
+Release:           17
 Summary:           A HTTP server, reverse proxy and mail proxy server
 License:           BSD
 URL:               http://nginx.org/
@@ -36,7 +36,7 @@ Source210:         UPGRADE-NOTES-1.6-to-1.10
 Patch0:            nginx-auto-cc-gcc.patch
 Patch1:            0001-unix-ngx_user-Apply-fix-for-really-old-bug-in-glibc-.patch
 Patch2:            nginx-1.12.1-logs-perm.patch
-
+Patch3:		   CVE-2019-20372.patch
 BuildRequires:     gcc openssl-devel pcre-devel zlib-devel systemd gperftools-devel
 Requires:          nginx-filesystem = %{epoch}:%{version}-%{release} openssl pcre
 Requires:          nginx-all-modules = %{epoch}:%{version}-%{release}        
@@ -349,6 +349,12 @@ fi
 %{_mandir}/man8/nginx-upgrade.8*
 
 %changelog
+* Mon Mar 16 2020 openEuler Buildteam <buildteam@openeuler.org> - 1:1.12.1-17
+- Type:bugfix
+- ID:NA
+- SUG:restart
+- DESC: fix CVE-2019-20372
+
 * Sat Dec 28 2019 openEuler Buildteam <buildteam@openeuler.org> - 1:1.12.1-16
 - Type:bugfix
 - ID:NA