diff --git a/debian/changelog b/debian/changelog
index ec94dd6ee66301a18e5ffdeffb9e815b45f5f826..6986df293d14b04d1008c8aeda89deae1e260589 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,19 @@
+nginx (1.18.0-6.1+deb11u2) bullseye; urgency=medium
+
+ * d/patches/CVE-2021-3618.patch: Include upstream changeset from NGINX
+ that adds mitigations into the Mail module for CVE-2021-3618.patch.
+ (Closes: #991328)
+
+ -- Jan MojžÃ­Å¡ <jan.mojzis@gmail.com> Sat, 14 May 2022 08:27:08 +0200
+
+nginx (1.18.0-6.1+deb11u1) bullseye; urgency=medium
+
+ * Backport upstream bugfix for segfault in nginx core >= 1.15.0 when
+ libnginx-mod-http-lua is loaded and init_worker_by_lua* is used.
+ (Closes: #994178)
+
+ -- Jan MojžÃ­Å¡ <jan.mojzis@gmail.com> Tue, 15 Mar 2022 21:36:18 +0100
+
 nginx (1.18.0-6.1+apertis1) apertis; urgency=medium
 
 * Refresh the automatically detected licensing information
diff --git a/debian/modules/patches/http-lua/bug-994178-segfault.patch b/debian/modules/patches/http-lua/bug-994178-segfault.patch
new file mode 100644
index 0000000000000000000000000000000000000000..89dee6aa84445d2a874b0b7faa595e98d4310c03
--- /dev/null
+++ b/debian/modules/patches/http-lua/bug-994178-segfault.patch
@@ -0,0 +1,31 @@
+From: Datong Sun <dndx@idndx.com>
+Date: Wed Jul 18 16:21:09 2018 -0700
+Origin: https://github.com/openresty/lua-nginx-module/commit/e94f2e5d64daa45ff396e262d8dab8e56f5f10e0
+Subject: fixed segfault in NGINX core >= 1.15.0 when init_worker_by_lua* is
+ used.
+
+Signed-off-by: Yichun Zhang (agentzh) <agentzh@gmail.com>
+
+diff --git a/src/ngx_http_lua_initworkerby.c b/src/ngx_http_lua_initworkerby.c
+index 4a722a06..2a82fcb9 100644
+--- a/src/ngx_http_lua_initworkerby.c
++++ b/src/ngx_http_lua_initworkerby.c
+@@ -25,6 +25,7 @@ ngx_http_lua_init_worker(ngx_cycle_t *cycle)
+ void *cur, *prev;
+ ngx_uint_t i;
+ ngx_conf_t conf;
++ ngx_conf_file_t cf_file;
+ ngx_cycle_t *fake_cycle;
+ ngx_module_t **modules;
+ ngx_open_file_t *file, *ofile;
+@@ -166,6 +167,10 @@ ngx_http_lua_init_worker(ngx_cycle_t *cycle)
+ conf.pool = fake_cycle->pool;
+ conf.log = cycle->log;
+
++ ngx_memzero(&cf_file, sizeof(cf_file));
++ cf_file.file.name = cycle->conf_file;
++ conf.conf_file = &cf_file;
++
+ http_ctx.loc_conf = ngx_pcalloc(conf.pool,
+ sizeof(void *) * ngx_http_max_module);
+ if (http_ctx.loc_conf == NULL) {
diff --git a/debian/modules/patches/http-lua/series b/debian/modules/patches/http-lua/series
index 1c68a8869923386a04291c48b67b64c68f8f346a..61d5c015a6322a503af7426e386bd94c40dbad94 100644
--- a/debian/modules/patches/http-lua/series
+++ b/debian/modules/patches/http-lua/series
@@ -1,2 +1,3 @@
 discover-luajit-2.1.patch
 CVE-2020-11724.patch
+bug-994178-segfault.patch
diff --git a/debian/patches/CVE-2021-3618.patch b/debian/patches/CVE-2021-3618.patch
new file mode 100644
index 0000000000000000000000000000000000000000..10f37a9cfc7dcb044fddd640a6e347a3a29449cd
--- /dev/null
+++ b/debian/patches/CVE-2021-3618.patch
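Review bot: The new `bug-994178-segfault.patch` carries `From`, `Date`, `Origin` and `Subject` headers but no bug reference, although the changelog entry for this upload closes #994178 and the sibling `CVE-2021-3618.patch` records its bug. Adding `Bug-Debian: https://bugs.debian.org/994178` after the `Origin:` line would let the patch be traced on its own. In the second inner hunk `conf.conf_file = &cf_file;` stores the address of a stack local in `conf`, which the first inner hunk shows is itself a local, so the lifetimes match only as long as no configuration hook called later in `ngx_http_lua_init_worker` keeps `cf->conf_file` itself. A comment above the `ngx_memzero` call, such as `/* cf_file is on the stack: hooks may read cf->conf_file but must not retain it */`, would record that assumption. The function body starts and ends outside both inner hunks, so the later uses of `conf` cannot be checked from here.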
@@ -0,0 +1,84 @@
+Subject: Patch mitigation for CVE-2021-3618
+ Mail: max_errors directive.
+ .
+ Similarly to smtpd_hard_error_limit in Postfix and smtp_max_unknown_commands
+ in Exim, specifies the number of errors after which the connection is closed.
+Origin: upstream, http://hg.nginx.org/nginx/rev/ec1071830799
+Bug-Debian: https://bugs.debian.org/991328
+
+--- a/src/mail/ngx_mail.h
++++ b/src/mail/ngx_mail.h
+@@ -115,6 +115,8 @@
+ ngx_msec_t timeout;
+ ngx_msec_t resolver_timeout;
+
++ ngx_uint_t max_errors;
++
+ ngx_str_t server_name;
+
+ u_char *file_name;
+@@ -231,6 +233,7 @@
+ ngx_uint_t command;
+ ngx_array_t args;
+
++ ngx_uint_t errors;
+ ngx_uint_t login_attempt;
+
+ /* used to parse POP3/IMAP/SMTP command */
+--- a/src/mail/ngx_mail_core_module.c
++++ b/src/mail/ngx_mail_core_module.c
+@@ -85,6 +85,13 @@
+ offsetof(ngx_mail_core_srv_conf_t, resolver_timeout),
+ NULL },
+
++ { ngx_string("max_errors"),
++ NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
++ ngx_conf_set_num_slot,
++ NGX_MAIL_SRV_CONF_OFFSET,
++ offsetof(ngx_mail_core_srv_conf_t, max_errors),
++ NULL },
++
+ ngx_null_command
+ };
+
+@@ -163,6 +170,8 @@
+ cscf->timeout = NGX_CONF_UNSET_MSEC;
+ cscf->resolver_timeout = NGX_CONF_UNSET_MSEC;
+
++ cscf->max_errors = NGX_CONF_UNSET_UINT;
++
+ cscf->resolver = NGX_CONF_UNSET_PTR;
+
+ cscf->file_name = cf->conf_file->file.name.data;
+@@ -182,6 +191,7 @@
+ ngx_conf_merge_msec_value(conf->resolver_timeout, prev->resolver_timeout,
+ 30000);
+
++ ngx_conf_merge_uint_value(conf->max_errors, prev->max_errors, 5);
+
+ ngx_conf_merge_str_value(conf->server_name, prev->server_name, "");
+
+--- a/src/mail/ngx_mail_handler.c
++++ b/src/mail/ngx_mail_handler.c
+@@ -871,7 +871,20 @@
+ return NGX_MAIL_PARSE_INVALID_COMMAND;
+ }
+
+- if (rc == NGX_IMAP_NEXT || rc == NGX_MAIL_PARSE_INVALID_COMMAND) {
++ if (rc == NGX_MAIL_PARSE_INVALID_COMMAND) {
++
++ s->errors++;
++
++ if (s->errors >= cscf->max_errors) {
++ ngx_log_error(NGX_LOG_INFO, c->log, 0,
++ "client sent too many invalid commands");
++ s->quit = 1;
++ }
++
++ return rc;
++ }
++
++ if (rc == NGX_IMAP_NEXT) {
+ return rc;
+ }
+
diff --git a/debian/patches/series b/debian/patches/series
index da61d8000ba0a61ee905ae232beebcde6ee1c460..ba47a7e1d944fc4c8325335d0da84708320ab03c 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -2,3 +2,4 @@
 0003-define_gnu_source-on-other-glibc-based-platforms.patch
 CVE-2019-20372.patch
 Resolver-fixed-off-by-one-write-in-ngx_resolver_copy.patch
+CVE-2021-3618.patch
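Review bot: In the `ngx_mail_handler.c` hunk the limit is tested as `s->errors >= cscf->max_errors` right after `s->errors++`, so a configured `max_errors 0` does not switch the limit off but ends the session on the first invalid command. The patch header should say so, for example `max_errors 0 closes the connection on the first invalid command; it does not mean "unlimited".` The closing event is written with `NGX_LOG_INFO`, which is below nginx's default `error_log` level, so a host on default logging keeps no record of `client sent too many invalid commands`. That is worth a line in the header or in NEWS for anyone who wants to alert on it. `cscf` is read here but assigned outside the hunk, and the enclosing function starts and ends outside it, so its initialisation in the 1.18.0 source should be confirmed when the patch is refreshed.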