diff -Nru nfs-utils-1.3.4/debian/changelog nfs-utils-1.3.4/debian/changelog --- nfs-utils-1.3.4/debian/changelog 2020-06-09 12:15:08.000000000 +0000 +++ nfs-utils-1.3.4/debian/changelog 2021-05-24 20:38:47.000000000 +0000 @@ -1,3 +1,20 @@ +nfs-utils (1:1.3.4-2.1ubuntu5.5) bionic; urgency=medium + + * d/nfs-common.postinst: always start nfs-utils.service, so the + restart in the #DEBHELPER# section can do its job if needed + (LP: #1928259) + + -- Andreas Hasenack Mon, 24 May 2021 17:38:47 -0300 + +nfs-utils (1:1.3.4-2.1ubuntu5.4) bionic; urgency=medium + + * Don't use non-thread-safe strtok() in handle_gssd_upcall() + (LP: #1927745): + - d/p/0010-gssd-replace-non-thread-safe-strtok-with-strsep.patch + - d/p/0011-gssd-Duplicate-the-upcall-string-for-error-messages.patch + + -- Andreas Hasenack Fri, 07 May 2021 11:42:14 -0300 + nfs-utils (1:1.3.4-2.1ubuntu5.3) bionic-security; urgency=medium * SECURITY UPDATE: privilege escalation via directory permissions diff -Nru nfs-utils-1.3.4/debian/nfs-common.postinst nfs-utils-1.3.4/debian/nfs-common.postinst --- nfs-utils-1.3.4/debian/nfs-common.postinst 2020-06-09 12:15:08.000000000 +0000 +++ nfs-utils-1.3.4/debian/nfs-common.postinst 2021-05-24 20:38:47.000000000 +0000 @@ -43,6 +43,10 @@ if [ -f /lib/init/rw/sendsigs.omit.d/statd ]; then mv /lib/init/rw/sendsigs.omit.d/statd /run/sendsigs.omit.d/statd fi + + # always "start" nfs-utils.service, so package upgrades will restart it, + # see LP: #1928259 + systemctl start nfs-utils.service > /dev/null || true ;; esac diff -Nru nfs-utils-1.3.4/debian/patches/0010-gssd-replace-non-thread-safe-strtok-with-strsep.patch nfs-utils-1.3.4/debian/patches/0010-gssd-replace-non-thread-safe-strtok-with-strsep.patch --- nfs-utils-1.3.4/debian/patches/0010-gssd-replace-non-thread-safe-strtok-with-strsep.patch 1970-01-01 00:00:00.000000000 +0000 +++ nfs-utils-1.3.4/debian/patches/0010-gssd-replace-non-thread-safe-strtok-with-strsep.patch 2021-05-24 20:38:47.000000000 +0000 
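Review bot: The added `systemctl start nfs-utils.service > /dev/null || true` in nfs-common.postinst calls systemctl directly, which bypasses `policy-rc.d` and assumes systemd is the running init. In a chroot, container or image build where service starts are meant to be denied, the line either starts the unit anyway or prints an error on stderr (only stdout is redirected) that `|| true` then hides. I would guard it and go through the helper: `if [ -d /run/systemd/system ]; then deb-systemd-invoke start nfs-utils.service >/dev/null || true; fi`. The enclosing `case` branch begins outside the hunk, so an existing guard further up is possible but not visible here.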
@@ -0,0 +1,42 @@
+From: Frank Sorenson
+Date: Wed, 15 Feb 2017 10:36:47 -0500
+Subject: gssd: replace non-thread-safe strtok with strsep
+
+gssd uses the non-thread-safe strtok() function, which
+can lead to incorrect program behavior.
+
+Replace strtok() with the thread-safe strsep().
+
+Signed-off-by: Frank Sorenson
+Signed-off-by: Steve Dickson
+
+Origin: upstream, http://git.linux-nfs.org/?p=steved/nfs-utils.git;a=commitdiff;h=5ae8be8
+Bug-Redhat: https://bugzilla.redhat.com/show_bug.cgi?id=1419280
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=895381
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1927745
+Last-Update: 2020-05-07
+
+---
+ utils/gssd/gssd_proc.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/utils/gssd/gssd_proc.c b/utils/gssd/gssd_proc.c
+index d74d3724..30c6aceb 100644
+--- a/utils/gssd/gssd_proc.c
++++ b/utils/gssd/gssd_proc.c
+@@ -729,10 +729,11 @@ handle_gssd_upcall(struct clnt_upcall_info *info)
+ char *target = NULL;
+ char *service = NULL;
+ char *enctypes = NULL;
++ char *pbuf = info->lbuf;
+
+ printerr(2, "\n%s: '%s' (%s)\n", __func__, info->lbuf, clp->relpath);
+
+- for (p = strtok(info->lbuf, " "); p; p = strtok(NULL, " ")) {
++ while ((p = strsep(&pbuf, " "))) {
+ if (!strncmp(p, "mech=", strlen("mech=")))
+ mech = p + strlen("mech=");
+ else if (!strncmp(p, "uid=", strlen("uid=")))
+--
+2.20.1
+
diff -Nru nfs-utils-1.3.4/debian/patches/0011-gssd-Duplicate-the-upcall-string-for-error-messages.patch nfs-utils-1.3.4/debian/patches/0011-gssd-Duplicate-the-upcall-string-for-error-messages.patch
--- nfs-utils-1.3.4/debian/patches/0011-gssd-Duplicate-the-upcall-string-for-error-messages.patch 1970-01-01 00:00:00.000000000 +0000
+++ nfs-utils-1.3.4/debian/patches/0011-gssd-Duplicate-the-upcall-string-for-error-messages.patch 2021-05-24 20:38:47.000000000 +0000
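Review bot: The new `while ((p = strsep(&pbuf, " ")))` loop in handle_gssd_upcall() deserves a comment, because strsep() is not a drop-in for strtok(): it returns an empty token for every pair of adjacent spaces and writes NULs into `info->lbuf` through `pbuf`. The visible branches cope with empty tokens only because no `key=` prefix matches an empty string; a line such as `/* strsep() splits info->lbuf in place and returns "" for repeated separators; unmatched tokens are ignored */` above the loop would keep that assumption explicit. The rest of the loop and of the function lies outside the hunk. Separately, the DEP-3 header says `Last-Update: 2020-05-07` while the changelog entry and the sibling 0011 patch are dated 2021-05-07, which looks like a typo.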
@@ -0,0 +1,93 @@ +From: Frank Sorenson +Date: Wed, 15 Feb 2017 10:38:53 -0500 +Subject: gssd: Duplicate the upcall string for error messages + +strsep() modifies the input string, so error messages +may output only part of the upcall string. + +Make a copy of the upcall string, and use that in any +error messages. + +Signed-off-by: Frank Sorenson +Signed-off-by: Steve Dickson + +Origin: upstream, http://git.linux-nfs.org/?p=steved/nfs-utils.git;a=commitdiff;h=0a4f5e4 +Bug-Redhat: https://bugzilla.redhat.com/show_bug.cgi?id=1419280 +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=895381 +Bug-Ubuntu: https://bugs.launchpad.net/bugs/1927745 +Last-Update: 2021-05-07 + +--- + utils/gssd/gssd_proc.c | 17 +++++++++++++---- + 1 file changed, 13 insertions(+), 4 deletions(-) + +diff --git a/utils/gssd/gssd_proc.c b/utils/gssd/gssd_proc.c +index 30c6aceb..4fc81c30 100644 +--- a/utils/gssd/gssd_proc.c ++++ b/utils/gssd/gssd_proc.c +@@ -729,10 +729,17 @@ handle_gssd_upcall(struct clnt_upcall_info *info) + char *target = NULL; + char *service = NULL; + char *enctypes = NULL; ++ char *upcall_str; + char *pbuf = info->lbuf; + + printerr(2, "\n%s: '%s' (%s)\n", __func__, info->lbuf, clp->relpath); + ++ upcall_str = strdup(info->lbuf); ++ if (upcall_str == NULL) { ++ printerr(0, "ERROR: malloc failure\n"); ++ goto out_nomem; ++ } ++ + while ((p = strsep(&pbuf, " "))) { + if (!strncmp(p, "mech=", strlen("mech="))) + mech = p + strlen("mech="); +@@ -749,7 +756,7 @@ handle_gssd_upcall(struct clnt_upcall_info *info) + if (!mech || strlen(mech) < 1) { + printerr(0, "WARNING: handle_gssd_upcall: " + "failed to find gss mechanism name " +- "in upcall string '%s'\n", info->lbuf); ++ "in upcall string '%s'\n", upcall_str); + goto out; + } + +@@ -762,7 +769,7 @@ handle_gssd_upcall(struct clnt_upcall_info *info) + if (!uidstr) { + printerr(0, "WARNING: handle_gssd_upcall: " + "failed to find uid " +- "in upcall string '%s'\n", info->lbuf); ++ "in upcall string '%s'\n", 
upcall_str); + goto out; + } + +@@ -775,7 +782,7 @@ handle_gssd_upcall(struct clnt_upcall_info *info) + if (target && strlen(target) < 1) { + printerr(0, "WARNING: handle_gssd_upcall: " + "failed to parse target name " +- "in upcall string '%s'\n", info->lbuf); ++ "in upcall string '%s'\n", upcall_str); + goto out; + } + +@@ -790,7 +797,7 @@ handle_gssd_upcall(struct clnt_upcall_info *info) + if (service && strlen(service) < 1) { + printerr(0, "WARNING: handle_gssd_upcall: " + "failed to parse service type " +- "in upcall string '%s'\n", info->lbuf); ++ "in upcall string '%s'\n", upcall_str); + goto out; + } + +@@ -803,6 +810,8 @@ handle_gssd_upcall(struct clnt_upcall_info *info) + do_error_downcall(clp->gssd_fd, uid, -EACCES); + } + out: ++ free(upcall_str); ++out_nomem: + free(info); + return; + } +-- +2.20.1 + diff -Nru nfs-utils-1.3.4/debian/patches/series nfs-utils-1.3.4/debian/patches/series --- nfs-utils-1.3.4/debian/patches/series 2020-06-09 12:15:02.000000000 +0000 +++ nfs-utils-1.3.4/debian/patches/series 2021-05-24 20:38:47.000000000 +0000 @@ -18,3 +18,5 @@ fix-whitespaces-in-nfs-server.service.patch nfsiostat-replace-list-reserved-word.patch CVE-2019-3689.patch +0010-gssd-replace-non-thread-safe-strtok-with-strsep.patch +0011-gssd-Duplicate-the-upcall-string-for-error-messages.patch
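Review bot: `char *upcall_str;` is declared without an initializer, unlike `target`, `service` and `enctypes` next to it, and the `out:` label now calls `free(upcall_str)`, so safety depends on no `goto out` ever running before the strdup(). Declaring it as `char *upcall_str = NULL;` makes the free() safe on every path and lets the strdup failure branch use `goto out`, so the extra `out_nomem` label can be dropped. The failure message `"ERROR: malloc failure\n"` also omits the function name that the other messages in this function carry. Parts of handle_gssd_upcall lie outside the hunks, so whether an earlier `goto out` exists today cannot be confirmed from here.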