diff --git a/debian/changelog b/debian/changelog
index a4e78965373a64f6ec51dfd612d527771dd065a4..536f3e3fa839d6d9505619881addbeebec6c3f74 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,18 @@
+golang-1.15 (1.15.9-6+apertis0) apertis; urgency=medium
+
+  * Sync from debian/bullseye.
+
+ -- Apertis CI <devel@lists.apertis.org>  Thu, 29 Jul 2021 19:18:39 +0000
+
+golang-1.15 (1.15.9-6) unstable; urgency=medium
+
+  * Team upload.
+  * Backport patche for CVE-2021-34558
+    crypto/tls: clients can panic when provided a certificate of the wrong type
+    for the negotiated parameters
+
+ -- Shengjing Zhu <zhsj@debian.org>  Tue, 13 Jul 2021 13:55:42 +0800
+
 golang-1.15 (1.15.9-5+apertis0) apertis; urgency=medium
 
   * Sync from debian/bullseye.
diff --git a/debian/patches/0013-CVE-2021-34558.patch b/debian/patches/0013-CVE-2021-34558.patch
new file mode 100644
index 0000000000000000000000000000000000000000..2d1565dae2e47f5e4e514927eaa367a6dcab614f
--- /dev/null
+++ b/debian/patches/0013-CVE-2021-34558.patch
@@ -0,0 +1,46 @@
+From c77980bc077f3774276ab2deba78d8e6bfe4b3bd Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker <roland@golang.org>
+Date: Wed, 9 Jun 2021 11:31:27 -0700
+Subject: [PATCH] [release-branch.go1.15] crypto/tls: test key type when
+ casting
+
+When casting the certificate public key in generateClientKeyExchange,
+check the type is appropriate. This prevents a panic when a server
+agrees to a RSA based key exchange, but then sends an ECDSA (or
+other) certificate.
+
+Updates #47143
+Fixes #47144
+Fixes CVE-2021-34558
+
+Thanks to Imre Rad for reporting this issue.
+
+Change-Id: Iabccacca6052769a605cccefa1216a9f7b7f6aea
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1116723
+Reviewed-by: Filippo Valsorda <valsorda@google.com>
+Reviewed-by: Katie Hockman <katiehockman@google.com>
+Reviewed-on: https://go-review.googlesource.com/c/go/+/334030
+Trust: Filippo Valsorda <filippo@golang.org>
+Run-TryBot: Filippo Valsorda <filippo@golang.org>
+Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
+---
+ src/crypto/tls/key_agreement.go | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/src/crypto/tls/key_agreement.go b/src/crypto/tls/key_agreement.go
+index 7e6534bd465e3..22f1b2e1f2441 100644
+--- a/src/crypto/tls/key_agreement.go
++++ b/src/crypto/tls/key_agreement.go
+@@ -67,7 +67,11 @@ func (ka rsaKeyAgreement) generateClientKeyExchange(config *Config, clientHello
+ 		return nil, nil, err
+ 	}
+ 
+-	encrypted, err := rsa.EncryptPKCS1v15(config.rand(), cert.PublicKey.(*rsa.PublicKey), preMasterSecret)
++	rsaKey, ok := cert.PublicKey.(*rsa.PublicKey)
++	if !ok {
++		return nil, nil, errors.New("tls: server certificate contains incorrect key type for selected ciphersuite")
++	}
++	encrypted, err := rsa.EncryptPKCS1v15(config.rand(), rsaKey, preMasterSecret)
+ 	if err != nil {
+ 		return nil, nil, err
+ 	}
diff --git a/debian/patches/series b/debian/patches/series
index f0d63b9a9941e5f7da3e01d45a0f627b588b1464..42e148beb89d2b2e893e3ad6f33e07b15af0c850 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -10,3 +10,4 @@
 0010-CVE-2021-33195-2.patch
 0011-CVE-2021-33197.patch
 0012-CVE-2021-33198.patch
+0013-CVE-2021-34558.patch