Description: <short summary of the patch>
 TODO: Put a short summary on the line above and replace this paragraph
 with a longer explanation of this change. Complete the meta-information
 with other relevant fields (see below for details). To make it easier, the
 information below has been extracted from the changelog. Adjust it or drop
 it.
 .
 cyrus-sasl2 (2.1.27+dfsg-1+deb10u1) buster-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Off-by-one in _sasl_add_string function (CVE-2019-19906) (Closes: #947043)
Author: Salvatore Bonaccorso <carnil@debian.org>
Bug-Debian: https://bugs.debian.org/947043

---
The information above should follow the Patch Tagging Guidelines, please
check out http://dep.debian.net/deps/dep3/ to learn about the format. Here
are templates for supplementary fields that you might want to add:

Origin: <vendor|upstream|other>, <url of original patch>
Bug: <url in upstream bugtracker>
Bug-Debian: https://bugs.debian.org/<bugnumber>
Bug-Ubuntu: https://launchpad.net/bugs/<bugnumber>
Forwarded: <no|not-needed|url proving that it has been forwarded>
Reviewed-By: <name and email of someone who approved the patch>
Last-Update: 2020-03-10

--- cyrus-sasl2-2.1.27+dfsg.orig/plugins/gssapi.c
+++ cyrus-sasl2-2.1.27+dfsg/plugins/gssapi.c
@@ -879,7 +879,7 @@ gssapi_server_mech_authneg(context_t *te
 	if ( server_creds == GSS_C_NO_CREDENTIAL) {
 	    GSS_LOCK_MUTEX_CTX(params->utils, text);
 	    maj_stat = gss_acquire_cred(&min_stat, 
-					text->server_name,
+					GSS_C_NO_NAME,
 					GSS_C_INDEFINITE, 
 					GSS_C_NO_OID_SET,
 					GSS_C_ACCEPT,
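
Review bot: The argument swap in the gss_acquire_cred call (`text->server_name` replaced by `GSS_C_NO_NAME`) is not explained anywhere in the header. The Description is still the unfilled template, and the changelog excerpt only mentions the off-by-one in _sasl_add_string (CVE-2019-19906), which this hunk in plugins/gssapi.c does not touch. Passing GSS_C_NO_NAME as the desired name requests the default credential rather than one bound to the configured service name, so with GSS_C_ACCEPT the acceptor is no longer pinned to the principal in text->server_name. Please replace the TODO text with a Description and Origin that give the reason for this change, state whether accepting with the default credential is intended, and add a short comment at the call site if it is.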
