diff --git a/debian/changelog b/debian/changelog
index 86f8304..eb17378 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+cyrus-sasl2 (2.1.27+dfsg-1+deb10u1) buster-security; urgency=high
+
+  * Non-maintainer upload by the Security Team.
+  * Off-by-one in _sasl_add_string function (CVE-2019-19906) (Closes: #947043)
+
+ -- Salvatore Bonaccorso <carnil@debian.org>  Thu, 19 Dec 2019 22:59:30 +0100
+
 cyrus-sasl2 (2.1.27+dfsg-1) unstable; urgency=medium
 
   [ Ryan Tandy ]
diff --git a/debian/patches/0021-CVE-2019-19906.patch b/debian/patches/0021-CVE-2019-19906.patch
new file mode 100644
index 0000000..82b9e1f
--- /dev/null
+++ b/debian/patches/0021-CVE-2019-19906.patch
@@ -0,0 +1,20 @@
+Description: CVE-2019-19906: Off-by-one in _sasl_add_string function
+Origin: vendor
+Bug: https://github.com/cyrusimap/cyrus-sasl/issues/587
+Bug-Debian: https://bugs.debian.org/947043
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-19906
+Author: Stephan Zeisberg <stephan@srlabs.de>
+Reviewed-by: Salvatore Bonaccorso <carnil@debian.org>
+Last-Update: 2019-12-19
+
+--- a/lib/common.c
++++ b/lib/common.c
+@@ -190,7 +190,7 @@ int _sasl_add_string(char **out, size_t
+ 
+   if (add==NULL) add = "(null)";
+ 
+-  addlen=strlen(add); /* only compute once */
++  addlen=strlen(add)+1; /* only compute once */
+   if (_buf_alloc(out, alloclen, (*outlen)+addlen)!=SASL_OK)
+     return SASL_NOMEM;
+ 
diff --git a/debian/patches/series b/debian/patches/series
index 49ba9aa..b383d1f 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -18,3 +18,4 @@
 0033-cross.patch
 0019-Stop-importing-docutils_version-in-sphinx-build-manp.patch
 0020-Restore-LIBS-after-checking-gss_inquire_sec_context_.patch
+0021-CVE-2019-19906.patch