diff -Nru varnish-5.2.1/debian/changelog varnish-5.2.1/debian/changelog
--- varnish-5.2.1/debian/changelog	2017-11-29 19:48:23.000000000 +0000
+++ varnish-5.2.1/debian/changelog	2022-05-04 20:12:53.000000000 +0100
@@ -1,3 +1,10 @@
+varnish (5.2.1-1ubuntu0.1) bionic-security; urgency=medium
+
+  * SECURITY UPDATE: CVE-2022-23959 (LP: #1971504)
+    - debian/patches/CVE-2022-23959.patch: New patch from Debian buster.
+
+ -- Luís Infante da Câmara <luis.infante.da.camara@tecnico.ulisboa.pt>  Wed, 04 May 2022 20:12:53 +0100
+
 varnish (5.2.1-1) unstable; urgency=medium
 
   * Imported upstream release 5.2.1 (closes: #881808, CVE-2017-8807)
diff -Nru varnish-5.2.1/debian/patches/CVE-2022-23959.patch varnish-5.2.1/debian/patches/CVE-2022-23959.patch
--- varnish-5.2.1/debian/patches/CVE-2022-23959.patch	1970-01-01 01:00:00.000000000 +0100
+++ varnish-5.2.1/debian/patches/CVE-2022-23959.patch	2022-05-04 20:12:53.000000000 +0100
@@ -0,0 +1,25 @@
+From: Martin Blix Grydeland <martin@varnish-software.com>
+Date: Fri, 17 Dec 2021 22:10:16 +0100
+X-Dgit-Generated: 6.1.1-1+deb10u3 bdd0ecb0018cc536ee370c7625aeb7b1addde6d9
+Subject: Mark req doclose when failing to ignore req body
+
+Previously we would ignore errors to iterate the request body into
+oblivion in VRB_Ignore(), keeping the connection open. This opens an
+out-of-sync vulnerability on H/1 connections.
+
+This patch tests the status of the request body in VRB_Ignore(), marking
+the request failed and that it should be closed on errors.
+
+---
+
+--- varnish-6.1.1.orig/bin/varnishd/cache/cache_req_body.c
++++ varnish-6.1.1/bin/varnishd/cache/cache_req_body.c
+@@ -247,6 +247,8 @@ VRB_Ignore(struct req *req)
+ 	if (req->req_body_status == REQ_BODY_WITH_LEN ||
+ 	    req->req_body_status == REQ_BODY_WITHOUT_LEN)
+ 		(void)VRB_Iterate(req, httpq_req_body_discard, NULL);
++	if (req->req_body_status == REQ_BODY_FAIL)
++		req->doclose = SC_RX_BODY;
+ 	return(0);
+ }
+
diff -Nru varnish-5.2.1/debian/patches/series varnish-5.2.1/debian/patches/series
--- varnish-5.2.1/debian/patches/series	2017-11-29 19:48:23.000000000 +0000
+++ varnish-5.2.1/debian/patches/series	2022-05-04 20:12:53.000000000 +0100
@@ -1 +1,2 @@
 0001-Ensure-package-builds-reproducibly.patch
+CVE-2022-23959.patch