diff --git a/backport-CVE-2023-7008.patch b/backport-CVE-2023-7008.patch
new file mode 100644
index 0000000..ffe3aae
--- /dev/null
+++ b/backport-CVE-2023-7008.patch
@@ -0,0 +1,39 @@
+From 3b4cc1437b51fcc0b08da8cc3f5d1175eed25eb1 Mon Sep 17 00:00:00 2001
+From: Michal Sekletar
+Date: Wed, 20 Dec 2023 16:44:14 +0100
+Subject: [PATCH] resolved: actually check authenticated flag of SOA
+ transaction
+
+Fixes #25676
+
+Conflict:code context adaptation
+Reference:https://github.com/systemd/systemd/commit/3b4cc1437b51fcc0b08da8cc3f5d1175eed25eb1
+---
+ src/resolve/resolved-dns-transaction.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/resolve/resolved-dns-transaction.c b/src/resolve/resolved-dns-transaction.c
+index 262f63c..3a3c078 100644
+--- a/src/resolve/resolved-dns-transaction.c
++++ b/src/resolve/resolved-dns-transaction.c
+@@ -2459,7 +2459,7 @@ static int dns_transaction_requires_rrsig(DnsTransaction *t, DnsResourceRecord *
+ if (r == 0)
+ continue;
+
+- return t->answer_authenticated;
++ return dt->answer_authenticated;
+ }
+
+ return true;
+@@ -2489,7 +2489,7 @@ static int dns_transaction_requires_rrsig(DnsTransaction *t, DnsResourceRecord *
+ * RR for us. This means we are not at a zone cut. In
+ * this case, we require authentication if the SOA
+ * lookup was authenticated too. */
+- return t->answer_authenticated;
++ return dt->answer_authenticated;
+ }
+
+ return true;
+--
+2.33.0
+
diff --git a/systemd.spec b/systemd.spec
index a3ba361..1ec5ee4 100644
--- a/systemd.spec
+++ b/systemd.spec
@@ -16,7 +16,7 @@
 Name: systemd
 Url: https://www.freedesktop.org/wiki/Software/systemd
 Version: 243
-Release: 72
+Release: 73
 License: MIT and LGPLv2+ and GPLv2+
 Summary: System and Service Manager
 
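Review bot: The first corrected return in backport-CVE-2023-7008.patch (inner hunk at 2459) has no comment saying which transaction's flag it reads, unlike the second one at 2489, which sits under the "SOA lookup was authenticated too" comment; because the bug being fixed is a `t`/`dt` mix-up, I would add above it `/* Use the flag of the auxiliary lookup dt, not of t itself. */`. The patch header says "Conflict:code context adaptation", so please also confirm in the 243 tree that no other `return t->answer_authenticated;` is left in `dns_transaction_requires_rrsig()`. That function starts and ends outside both inner hunks, and the loop that binds `dt` is not visible here, so neither point can be verified from this page alone.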
@@ -295,6 +295,7 @@ Patch0247: backport-test-add-several-tests-for-track-item.patch Patch0248: backport-sd-bus-switch-to-a-manual-overflow-check-in.patch Patch0249: backport-rules-import-previous-SYSTEMD_READY-state-for-suspen.patch Patch0250: backport-rules-go-to-the-end-of-rules-indeed-when-dm-is-suspe.patch +Patch0251: backport-CVE-2023-7008.patch #openEuler Patch9002: 1509-fix-journal-file-descriptors-leak-problems.patch @@ -1702,6 +1703,9 @@ fi %exclude /usr/share/man/man3/* %changelog +* Fri Dec 29 2023 wangyuhang - 243-73 +- actually check authenticated flag of SOA transaction in resolved + * Thu Dec 21 2023 xujing - 243-72 - backport: fix /boot unmounted issue when the device is suspended during boot time