
Merged branch 'wheezy' into jessie.
[pkg-collectd.git] / debian / patches / CVE-2016-6254.dpatch
diff --git a/debian/patches/CVE-2016-6254.dpatch b/debian/patches/CVE-2016-6254.dpatch
new file mode 100644 (file)
index 0000000..46f5443
--- /dev/null
@@ -0,0 +1,47 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## CVE-2016-6254.dpatch by Florian Forster <octo@collectd.org>
+##
+## DP: network plugin: Fix heap overflow in parse_packet().
+## DP:
+## DP: Emilien Gaspar has identified a heap overflow in parse_packet(), the
+## DP: function used by the network plugin to parse incoming network packets.
+## DP:
+## DP: This is a vulnerability in collectd, though the scope is not clear at
+## DP: this point. At the very least specially crafted network packets can be
+## DP: used to crash the daemon. We can't rule out a potential remote code
+## DP: execution though.
+## DP:
+## DP: Fixes: CVE-2016-6254
+## DP:
+## DP: Upstream commit:
+## DP: https://github.com/collectd/collectd/commit/b589096
+
+@DPATCH@
+
+diff a/src/network.c b/src/network.c
+--- a/src/network.c
++++ b/src/network.c
+@@ -1392,6 +1392,7 @@
+                               printed_ignore_warning = 1;
+                       }
+                       buffer = ((char *) buffer) + pkg_length;
++                      buffer_size -= (size_t) pkg_length;
+                       continue;
+               }
+ #endif /* HAVE_LIBGCRYPT */
+@@ -1419,6 +1420,7 @@
+                               printed_ignore_warning = 1;
+                       }
+                       buffer = ((char *) buffer) + pkg_length;
++                      buffer_size -= (size_t) pkg_length;
+                       continue;
+               }
+ #endif /* HAVE_LIBGCRYPT */
+@@ -1560,6 +1562,7 @@
+                       DEBUG ("network plugin: parse_packet: Unknown part"
+                                       " type: 0x%04hx", pkg_type);
+                       buffer = ((char *) buffer) + pkg_length;
++                      buffer_size -= (size_t) pkg_length;
+               }
+       } /* while (buffer_size > sizeof (part_header_t)) */
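Review bot: The three added `buffer_size -= (size_t) pkg_length;` lines are unsigned subtractions, so they are only safe if the loop has already rejected a part whose `pkg_length` exceeds `buffer_size`. That check is not visible in any of the inner hunks, because parse_packet's loop starts outside them. Confirm that the packaged src/network.c this dpatch applies to has it ahead of these branches; if it does not, add `if (pkg_length > buffer_size) break;` there, otherwise the subtraction wraps and the `while (buffer_size > sizeof (part_header_t))` condition keeps the parser running past the end of the packet. The first two inner hunks also carry identical context lines and no function name in their `@@` headers, so on this backported tree it is worth checking after applying that both HAVE_LIBGCRYPT branches and the unknown-part branch each gained exactly one decrement.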