diff --git a/0002-shim-Create-pid-file-with-0644-permissions.patch b/0002-shim-Create-pid-file-with-0644-permissions.patch
new file mode 100644
index 0000000..a40da68
--- /dev/null
+++ b/0002-shim-Create-pid-file-with-0644-permissions.patch
@@ -0,0 +1,75 @@
+From 260963a354d972201ffe9a6ce882f1c0e9b319d9 Mon Sep 17 00:00:00 2001
+From: Jaroslav Jindrak
+Date: Sat, 23 Dec 2023 21:41:54 +0100
+Subject: [PATCH 1/2] shim: Create pid-file with 0644 permissions
+
+Fixes ae7021300
+
+In ae7021300 the WritePidFile and WriteAddress functions were
+changed to use AtomicFile instead of os.CreateFile. However,
+AtomicFile creates a temporary file and then changes its permissions
+with os.Chmod which alters the previously observed behavior of
+os.CreateFile which takes the system's umask into account.
+
+This means that on Linux-based systems these files suddenly
+became world writable (#9363). The address file has since been
+removed, but pid-file was still created as world writable. This
+commit explicitly requests 0644 permissions as even on systems
+without default umask of 0022 there is no reason to have these
+two files world writable.
+
+Signed-off-by: Jaroslav Jindrak
+(cherry picked from commit 9d328410a5c7bab106fe81cd37a36e4534ce9205)
+Signed-off-by: Jaroslav Jindrak
+---
+ runtime/v2/shim/util.go | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/runtime/v2/shim/util.go b/runtime/v2/shim/util.go
+index fce1318a63ad..3740d87dbf8a 100644
+--- a/runtime/v2/shim/util.go
++++ b/runtime/v2/shim/util.go
+@@ -126,7 +126,7 @@ func WritePidFile(path string, pid int) error {
+ if err != nil {
+ return err
+ }
+- f, err := atomicfile.New(path, 0o666)
++ f, err := atomicfile.New(path, 0o644)
+ if err != nil {
+ return err
+ }
+
+From 8d82242eb525f87b91bbc2c2499559855dd363cf Mon Sep 17 00:00:00 2001
+From: Jaroslav Jindrak
+Date: Sat, 23 Dec 2023 21:46:12 +0100
+Subject: [PATCH 2/2] shim: Create address file with 0644 permissions
+
+Fixes ae70213
+
+In ae70213 the WritePidFile and WriteAddress functions were
+changed to use AtomicFile instead of os.CreateFile. However,
+AtomicFile creates a temporary file and then changes its permissions
+with os.Chmod which alters the previously observed behavior of
+os.CreateFile which takes the system's umask into account.
+
+This means that on Linux-based systems these files suddenly
+became world writable (#9363).
+
+Signed-off-by: Jaroslav Jindrak
+---
+ runtime/v2/shim/util.go | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/runtime/v2/shim/util.go b/runtime/v2/shim/util.go
+index 3740d87dbf8a..e8cfeec077c5 100644
+--- a/runtime/v2/shim/util.go
++++ b/runtime/v2/shim/util.go
+@@ -144,7 +144,7 @@ func WriteAddress(path, address string) error {
+ if err != nil {
+ return err
+ }
+- f, err := atomicfile.New(path, 0o666)
++ f, err := atomicfile.New(path, 0o644)
+ if err != nil {
+ return err
+ }
diff --git a/containerd.changes b/containerd.changes
index 5f374d1..5f1d14b 100644
--- a/containerd.changes
+++ b/containerd.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Mon Jan 8 12:12:00 UTC 2024 - Danish Prakash
+
+- Add patch for bsc#1217952:
+ + 0002-shim-Create-pid-file-with-0644-permissions.patch
+
 -------------------------------------------------------------------
 Mon Dec 4 08:44:40 UTC 2023 - Aleksa Sarai
@@ -10,7 +16,7 @@ Mon Dec 4 08:44:40 UTC 2023 - Aleksa Sarai Fri Oct 27 21:13:23 UTC 2023 - Aleksa Sarai - Update to containerd v1.7.8. Upstream release notes: - + bsc#1200528 - Rebase patches: * 0001-BUILD-SLE12-revert-btrfs-depend-on-kernel-UAPI-inste.patch
diff --git a/containerd.spec b/containerd.spec
index bf94992..e4dff34 100644
--- a/containerd.spec
+++ b/containerd.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package containerd
 #
-# Copyright (c) 2023 SUSE LLC
+# Copyright (c) 2024 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
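Review bot: The explicit `0o644` in the two `atomicfile.New(path, 0o644)` lines of the new 0002 patch is applied with os.Chmod (as the embedded commit messages state), so it overrides the process umask in both directions: a stricter umask such as 0077 no longer narrows the pid-file or address-file mode, while the previous 0o666 was the world-writable case being fixed. That is acceptable for a pid-file the shim's parent must read, but it is worth recording at the call sites so nobody later "restores" 0o666 or assumes the umask still applies; a one-line comment such as `// atomicfile applies this mode with chmod, bypassing the umask; must never be wider than 0o644 (containerd/containerd#9571)` above each call would do. The enclosing functions WritePidFile and WriteAddress start and end outside the embedded hunks. The patch file name mentions only the pid-file although it carries both upstream commits; the changes entry could note that the address file is covered too.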
@@ -41,6 +41,8 @@ Source1: %{name}-rpmlintrc
 Source2: %{name}.service
 # UPSTREAM: Revert to fix build on SLE-12.
 Patch1: 0001-BUILD-SLE12-revert-btrfs-depend-on-kernel-UAPI-inste.patch
+# https://github.com/containerd/containerd/pull/9571
+Patch2: 0002-shim-Create-pid-file-with-0644-permissions.patch
 BuildRequires: fdupes
 BuildRequires: glibc-devel-static
 BuildRequires: go >= 1.19
@@ -99,6 +101,7 @@ reference the following Go import paths: github.com/containerd/containerd %if 0%{?sle_version} == 120000 %patch1 -p1 %endif +%patch2 -p1 %build %goprep %{import_path}
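Review bot: The comment above the new `Patch2:` line in the first spec hunk gives only a PR URL, whereas the sibling `Patch1:` comment follows the file's `# UPSTREAM: <reason>` convention; a reader of the spec cannot tell what the patch fixes, or that it also changes the address file, without opening it. Suggest `# UPSTREAM: shim: create pid and address files 0644 instead of world-writable (bsc#1217952)` on the line before the existing URL comment. `%patch2 -p1` in the second hunk is applied unconditionally, outside the SLE-12 `%if` that guards `%patch1`, which looks right since the permission fix is not SLE-specific.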