diff --git a/debian/changelog b/debian/changelog
index e344f44c..ee0f4654 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,21 @@
+mosquitto (1.6.6-1) unstable; urgency=high
+
+  * SECURITY UPDATE: If an MQTT v5 client connects to Mosquitto, sets a last
+    will and testament, sets a will delay interval, sets a session expiry
+    interval, and the will delay interval is set longer than the session
+    expiry interval, then a use after free error occurs, which has the
+    potential to cause a crash in some situations.
+    - CVE awaiting assignment
+  * SECURITY UPDATE: If a malicious MQTT client sends a SUBSCRIBE packet
+    containing a topic that consists of approximately 65400 or more '/'
+    characters, i.e. the topic hierarchy separator, then a stack overflow will
+    occur.
+    - CVE awaiting assignment
+  * New upstream release.
+  * Remove bug-1367.patch.
+
+ -- Roger A. Light <roger@atchoo.org>  Tue, 17 Sep 2019 18:41:36 +0100
+
 mosquitto (1.6.4-1) unstable; urgency=medium
 
   * New upstream release.
diff --git a/debian/patches/bug-1367.patch b/debian/patches/bug-1367.patch
deleted file mode 100644
index 9ef8b06c..00000000
--- a/debian/patches/bug-1367.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-Description: Fix for v5 DISCONNECT packets with remaining length=2
-Author: Roger Light <roger@atchoo.org>
-Forwarded: not-needed
---- a/src/handle_disconnect.c
-+++ b/src/handle_disconnect.c
-@@ -34,12 +34,12 @@ int handle__disconnect(struct mosquitto_db *db, struct mosquitto *context)
- 		return MOSQ_ERR_INVAL;
- 	}
- 
--	if(context->protocol == mosq_p_mqtt5 && context->in_packet.remaining_length > 1){
-+	if(context->protocol == mosq_p_mqtt5 && context->in_packet.remaining_length > 0){
- 		/* FIXME - must handle reason code */
- 		rc = packet__read_byte(&context->in_packet, &reason_code);
- 		if(rc) return rc;
- 
--		if(context->in_packet.remaining_length > 2){
-+		if(context->in_packet.remaining_length > 1){
- 			rc = property__read_all(CMD_DISCONNECT, &context->in_packet, &properties);
- 			if(rc) return rc;
- 		}
-@@ -54,7 +54,7 @@ int handle__disconnect(struct mosquitto_db *db, struct mosquitto *context)
- 	}
- 	mosquitto_property_free_all(&properties); /* FIXME - TEMPORARY UNTIL PROPERTIES PROCESSED */
- 
--	if(context->in_packet.remaining_length != 0){
-+	if(context->in_packet.pos != context->in_packet.remaining_length){
- 		return MOSQ_ERR_PROTOCOL;
- 	}
- 	log__printf(NULL, MOSQ_LOG_DEBUG, "Received DISCONNECT from %s", context->id);
--- 
-2.17.1
-
diff --git a/debian/patches/series b/debian/patches/series
index 031bf03a..380236d1 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,3 +1,2 @@
 914525.patch
 debian-config.patch
-bug-1367.patch