diff --git a/cyrus-sasl/.signature b/cyrus-sasl/.signature index 2e65f592e..69f5d6656 100644 --- a/cyrus-sasl/.signature +++ b/cyrus-sasl/.signature @@ -1,6 +1,7 @@ untrusted comment: verify with /etc/ports/opt.pub -RWSE3ohX2g5d/Qlm/syxT8yAkV0NPeVWH/0PFZQPdT7AaFcugj5He7WIqe48UokpwBIEJtcxHNCDGIf9PcrQVT5qjrhkyapNqQg= -SHA256 (Pkgfile) = cef4a501f59ccd97778a607a83e2220b5ca7ba758ff3d8aeb1923b046bf3f970 +RWSE3ohX2g5d/Vhbibws7KK6930LuQcksptQS49VKZPhYVeF/L45qmLvv/AzMOJOD334q0O14XwZRlo0fg4GAHiPo20KZ1WQjwA= +SHA256 (Pkgfile) = f559af8ea4758a3a9f70c33dc34f92b2f197ceb5e9b92f473c9a921acfe7d6c0 SHA256 (.footprint) = e4e77c95f7485a0b84ae04ce6db392db6aa362e706da3a52ca28f95b97ca6abd SHA256 (cyrus-sasl-2.1.27.tar.gz) = 26866b1549b00ffd020f188a43c258017fa1c382b3ddadd8201536f72efb05d5 SHA256 (saslauthd) = 2a96dca868261d5275087ed8e1eef59946f47c6d35797368710c3037f46e61bd +SHA256 (cyrus-sasl-2.1.27-CVE-2019-19906.patch) = 7744ae3fd2a9f62a7fa7ba58604dc78d982cfe8f9b740a94dcfd9672ce00bfa8 diff --git a/cyrus-sasl/Pkgfile b/cyrus-sasl/Pkgfile index 7999cdae8..b2d9a8586 100644 --- a/cyrus-sasl/Pkgfile +++ b/cyrus-sasl/Pkgfile @@ -1,16 +1,20 @@ # Description: Simple Authentication and Security Layer # URL: https://www.cyrusimap.org/sasl/ # Maintainer: Thomas Penteker, tek at serverop dot de -# Depends on: db openssl +# Depends on: db openssl linux-pam name=cyrus-sasl version=2.1.27 -release=1 -source=(https://www.cyrusimap.org/releases/$name-$version.tar.gz saslauthd) +release=2 +source=(https://github.com/cyrusimap/$name/releases/download/$name-$version/$name-$version.tar.gz + saslauthd + cyrus-sasl-2.1.27-CVE-2019-19906.patch) -build(){ +build() { cd $name-$version + patch -p1 -i $SRC/cyrus-sasl-2.1.27-CVE-2019-19906.patch + ./configure \ --prefix=/usr \ --sysconfdir=/etc/sasl \ 
@@ -26,13 +30,12 @@ build(){ --enable-digest \ --enable-shared - make + make CFLAGS="$CFLAGS -fPIC" make DESTDIR=$PKG install - mkdir -p \ + install -d \ $PKG/usr/lib/sasl2 \ $PKG/var/sasl/saslauthd \ - $PKG/etc/rc.d - install -m 755 $SRC/saslauthd $PKG/etc/rc.d + install -Dm 755 $SRC/saslauthd $PKG/etc/rc.d/saslauthd } diff --git a/cyrus-sasl/cyrus-sasl-2.1.27-CVE-2019-19906.patch b/cyrus-sasl/cyrus-sasl-2.1.27-CVE-2019-19906.patch new file mode 100644 index 000000000..82b9e1fb6 --- /dev/null +++ b/cyrus-sasl/cyrus-sasl-2.1.27-CVE-2019-19906.patch @@ -0,0 +1,20 @@ +Description: CVE-2019-19906: Off-by-one in _sasl_add_string function +Origin: vendor +Bug: https://github.com/cyrusimap/cyrus-sasl/issues/587 +Bug-Debian: https://bugs.debian.org/947043 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-19906 +Author: Stephan Zeisberg +Reviewed-by: Salvatore Bonaccorso +Last-Update: 2019-12-19 + +--- a/lib/common.c ++++ b/lib/common.c +@@ -190,7 +190,7 @@ int _sasl_add_string(char **out, size_t + + if (add==NULL) add = "(null)"; + +- addlen=strlen(add); /* only compute once */ ++ addlen=strlen(add)+1; /* only compute once */ + if (_buf_alloc(out, alloclen, (*outlen)+addlen)!=SASL_OK) + return SASL_NOMEM; +
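Review bot: The context line `$PKG/var/sasl/saslauthd \` keeps its trailing backslash although the `$PKG/etc/rc.d` line that used to follow it is removed, so the new `install -d` command now continues onto whatever line comes next; the collapsed rendering hides whether that is a blank line or the new `install -Dm 755 $SRC/saslauthd $PKG/etc/rc.d/saslauthd` line. If it is the latter, `install -d` receives `install`, `-Dm`, `755`, `$SRC/saslauthd` and `$PKG/etc/rc.d/saslauthd` as extra directory names, creates a directory where the rc script should be installed, and the following `install -Dm` then fails; if it is a blank line the continuation is merely dead. Either way the line should lose its continuation and become part of the change: `$PKG/var/sasl/saslauthd` with no trailing backslash. Separately, `make CFLAGS="$CFLAGS -fPIC"` overrides the CFLAGS that configure recorded rather than adding to them, which is presumably intended but worth a one-line comment such as `# override, not append: keep the full flag set here`.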
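Review bot: The vendored patch makes `addlen` include the NUL terminator but only shows the `_buf_alloc` reservation; the later lines of `_sasl_add_string` that presumably copy `add` and advance `*outlen` by `addlen` are outside the hunk, and if they still use `addlen` unchanged the copy now carries the terminator and `*outlen` moves past it, so the next append lands after an embedded NUL and the assembled message reads as truncated. Before shipping release 2, check those lines in the 2.1.27 `lib/common.c` and confirm they append correctly with the larger `addlen`, or that the extra byte is instead reserved as `(*outlen)+addlen+1` in the `_buf_alloc` call with `addlen` left at `strlen(add)`. Record the outcome in the patch header, e.g. a `Comment:` line stating which lines below the hunk were verified, so the next maintainer does not have to repeat the analysis. `_sasl_add_string` begins and ends outside the hunk.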