diff --git a/proftpd-1.3.5e-CVE-2019-19269.patch b/proftpd-1.3.5e-CVE-2019-19269.patch
new file mode 100644
index 0000000..b7b22f2
--- /dev/null
+++ b/proftpd-1.3.5e-CVE-2019-19269.patch
@@ -0,0 +1,37 @@
+--- contrib/mod_tls.c
++++ contrib/mod_tls.c
+@@ -5902,8 +5902,9 @@ static int tls_verify_crl(int ok, X509_S
+ int len;
+ BIO *b = BIO_new(BIO_s_mem());
+
++ crl = sk_X509_CRL_value(crls, i);
+ BIO_printf(b, "CA CRL: Issuer: ");
+- X509_NAME_print(b, issuer, 0);
++ X509_NAME_print(b, X509_CRL_get_issuer(crl), 0);
+
+ BIO_printf(b, ", lastUpdate: ");
+ #if OPENSSL_VERSION_NUMBER >= 0x10100000L
+@@ -5984,9 +5985,9 @@ static int tls_verify_crl(int ok, X509_S
+ */
+
+ #if OPENSSL_VERSION_NUMBER >= 0x10100000L
+- crls = X509_STORE_CTX_get1_crls(store_ctx, subject);
++ crls = X509_STORE_CTX_get1_crls(store_ctx, issuer);
+ #elif OPENSSL_VERSION_NUMBER >= 0x10000000L
+- crls = X509_STORE_get1_crls(store_ctx, subject);
++ crls = X509_STORE_get1_crls(store_ctx, issuer);
+ #else
+ /* Your OpenSSL is before 1.0.0. You really need to upgrade. */
+ crls = NULL;
+@@ -6004,7 +6005,10 @@ static int tls_verify_crl(int ok, X509_S
+ X509_REVOKED *revoked;
+ ASN1_INTEGER *sn;
+
+- revoked = sk_X509_REVOKED_value(X509_CRL_get_REVOKED(crl), i);
++ revoked = sk_X509_REVOKED_value(X509_CRL_get_REVOKED(crl), j);
++ if (revoked == NULL) {
++ continue;
++ }
+ #if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ sn = X509_REVOKED_get0_serialNumber(revoked);
+ #else
diff --git a/proftpd.spec b/proftpd.spec
index e4995d5..3abd060 100644
--- a/proftpd.spec
+++ b/proftpd.spec
@@ -36,7 +36,7 @@ %global _hardened_build 1 #global prever rc3 -%global rpmrel 7 +%global rpmrel 8 Summary: Flexible, stable and highly-configurable FTP server Name: proftpd
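Review bot: In the embedded mod_tls.c hunk at `@@ -5902,8 +5902,9 @@`, the newly fetched `crl = sk_X509_CRL_value(crls, i);` goes straight into `X509_CRL_get_issuer(crl)` with no NULL check, while the `@@ -6004,7 +6005,10 @@` hunk adds exactly that guard for `revoked`. sk_X509_CRL_value() returns NULL for an out-of-range index, and the loop that bounds `i` lies outside the hunk, so it cannot be confirmed from here that this logging path is free of the same NULL dereference the backport is meant to close. A matching guard such as `if (crl == NULL) { BIO_free(b); continue; }` directly after the fetch would keep the two accesses consistent and release the BIO allocated on the line above; this assumes the block sits inside the loop over `crls`. It would also help to add a one-line comment at the `j` index change noting that `i` indexes `crls` and `j` indexes the revoked entries, since mixing the two up is what this line corrects.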
@@ -65,6 +65,7 @@ Patch5: proftpd-1.3.5e-insecure-sftp-host-key.patch Patch6: proftpd-1.3.5e-CVE-2019-12815.patch Patch7: proftpd-1.3.5e-issue-846.patch Patch8: proftpd-1.3.5e-mysql8.patch +Patch9: proftpd-1.3.5e-CVE-2019-19269.patch Patch27: proftpd-mod-vroot-0.9.2-bug3841.patch BuildRequires: coreutils @@ -257,6 +258,14 @@ cp -p %{SOURCE1} proftpd.conf # https://bugzilla.redhat.com/show_bug.cgi?id=1764401 %patch8 +# Fix handling of CRL lookups by properly using issuer for lookups, and +# guarding against null pointers (CVE-2019-19269) +# https://github.com/proftpd/proftpd/issues/858 +# https://github.com/proftpd/proftpd/issues/859 +# https://github.com/proftpd/proftpd/issues/860 +# https://github.com/proftpd/proftpd/issues/861 +%patch9 + # Fix possible symlink race when applying UserOwner to newly created directory # http://bugs.proftpd.org/show_bug.cgi?id=3841 %patch27 @@ -535,6 +544,11 @@ fi %{_mandir}/man1/ftpwho.1* %changelog +* Fri Nov 29 2019 Paul Howarth - 1.3.5e-8 +- Fix handling of CRL lookups by properly using issuer for lookups, and + guarding against null pointers (GH#858, GH#859, GH#860, GH#861, + CVE-2019-19269) + * Wed Oct 23 2019 Paul Howarth - 1.3.5e-7 - Fix build compatibility with MySQL 8 (#1764401) https://github.com/proftpd/proftpd/issues/824