diff --git a/debian/changelog b/debian/changelog
index f2fc02b..78c5c0a 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,17 @@
+tinc (1.0.19-3~bpo60+1) squeeze-backports; urgency=high
+
+  * Rebuild for squeeze-backports.
+  * Build-depend on libvdeplug2-dev, not libvdeplug-dev,
+    as it is how it is named in squeeze.
+
+ -- Michael Tokarev <mjt@tls.msk.ru>  Tue, 23 Apr 2013 08:35:41 +0400
+
+tinc (1.0.19-3) unstable; urgency=high
+
+  * Drop packets forwarded via TCP if they are too big (CVE-2013-1428).
+
+ -- Guus Sliepen <guus@debian.org>  Fri, 12 Apr 2013 22:52:10 +0200
+
 tinc (1.0.19-2) unstable; urgency=low
 
   * Fix behaviour of tinc-pidfile. Closes: #679130
diff --git a/debian/control b/debian/control
index ace6328..e223ccf 100644
--- a/debian/control
+++ b/debian/control
@@ -2,8 +2,9 @@ Source: tinc
 Section: net
 Priority: optional
 Maintainer: Guus Sliepen <guus@debian.org>
+Uploaders: Michael Tokarev <mjt@tls.msk.ru>
 Standards-Version: 3.9.3
-Build-Depends: libssl-dev, debhelper (>= 9), gettext, texi2html, texinfo, zlib1g-dev, liblzo2-dev, libvdeplug-dev
+Build-Depends: libssl-dev, debhelper (>= 9), gettext, texi2html, texinfo, zlib1g-dev, liblzo2-dev, libvdeplug-dev | libvdeplug2-dev
 Homepage: http://www.tinc-vpn.org/
 
 Package: tinc
diff --git a/debian/patches/fix-CVE-2013-1428 b/debian/patches/fix-CVE-2013-1428
new file mode 100644
index 0000000..f49de8e
--- /dev/null
+++ b/debian/patches/fix-CVE-2013-1428
@@ -0,0 +1,29 @@
+From 17a33dfd95b1a29e90db76414eb9622df9632320 Mon Sep 17 00:00:00 2001
+From: Guus Sliepen <guus@tinc-vpn.org>
+Date: Fri, 12 Apr 2013 17:15:05 +0200
+Subject: [PATCH] Drop packets forwarded via TCP if they are too big
+ (CVE-2013-1428).
+
+Normally all requests sent via the meta connections are checked so that they
+cannot be larger than the input buffer. However, when packets are forwarded via
+meta connections, they are copied into a packet buffer without checking whether
+it fits into it. Since the packet buffer is allocated on the stack, this in
+effect allows an authenticated remote node to cause a stack overflow.
+
+This issue was found by Martin Schobert.
+---
+ src/net_packet.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/src/net_packet.c
++++ b/src/net_packet.c
+@@ -378,6 +378,9 @@
+ void receive_tcppacket(connection_t *c, const char *buffer, int len) {
+ 	vpn_packet_t outpkt;
+ 
++	if(len > sizeof outpkt.data)
++		return;
++
+ 	outpkt.len = len;
+ 	if(c->options & OPTION_TCPONLY)
+ 		outpkt.priority = 0;
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..f301124
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+fix-CVE-2013-1428