diff --git a/debian/changelog b/debian/changelog
index 981aa75..e781caa 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+cyrus-sasl2 (2.1.25.dfsg1-6+deb7u2) wheezy-security; urgency=medium
+
+ * Non-maintainer upload by the ELTS team.
+ * CVE-2019-19906: Fix off-by-one issue in _sasl_add_string function.
+
+ -- Mike Gabriel Fri, 20 Dec 2019 13:00:37 +0100
+
 cyrus-sasl2 (2.1.25.dfsg1-6+deb7u1) stable; urgency=low
 
 * Fix heavy CPU usage in saslauthd (Closes: #708552)
diff --git a/debian/patches/CVE-2019-19906.patch b/debian/patches/CVE-2019-19906.patch
new file mode 100644
index 0000000..46e729e
--- /dev/null
+++ b/debian/patches/CVE-2019-19906.patch
@@ -0,0 +1,13 @@
+Origin: https://github.com/cyrusimap/cyrus-sasl/issues/587
+
+--- a/lib/common.c
++++ b/lib/common.c
+@@ -192,7 +192,7 @@
+
+ if (add==NULL) add = "(null)";
+
+- addlen=strlen(add); /* only compute once */
++ addlen=strlen(add)+1; /* only compute once */
+ if (_buf_alloc(out, alloclen, (*outlen)+addlen)!=SASL_OK)
+ return SASL_NOMEM;
+
diff --git a/debian/patches/series b/debian/patches/series
index 074ab61..995311c 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -24,3 +24,4 @@
 0037-abort_if_no_fqdn_fix.patch
 0038-send_imap_logout.patch
 0039-fix-canonuser-ldapdb-garbage-in-out-buffer.patch
+CVE-2019-19906.patch
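Review bot: Folding the terminator into `addlen` makes the `_buf_alloc` size in this hunk correct, but every later use of `addlen` in the same function — the copy and the `*outlen` advance, which lie outside the hunk — now treats the NUL as part of the string's length; if `*outlen` is advanced by the full `addlen`, the next append lands one byte past the terminator and the accumulated length handed back to callers counts it. A narrower fix keeps `addlen` as the string length and reserves the extra byte only where it is needed: `addlen=strlen(add); /* only compute once */` followed by `if (_buf_alloc(out, alloclen, (*outlen)+addlen+1)!=SASL_OK)`. Either way the lines after the hunk (presumably the copy and `*outlen += addlen` in `_sasl_add_string`, going by the changelog — the inner `@@` header carries no function context and the function starts and ends outside this hunk) should be checked against whichever variant is kept. The patch file also has only an `Origin:` line pointing at the issue tracker; a DEP-3 `Description:` and a `Bug:`/`Bug-Debian:` field would let the next maintainer tell the issue link from the actual upstream commit the one-liner was taken from.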