diff -Nru openssl-1.0.2g/debian/changelog openssl-1.0.2g/debian/changelog
--- openssl-1.0.2g/debian/changelog	2018-12-04 13:41:02.000000000 +0000
+++ openssl-1.0.2g/debian/changelog	2019-02-26 18:16:49.000000000 +0000
@@ -1,3 +1,12 @@
+openssl (1.0.2g-1ubuntu4.15) xenial-security; urgency=medium
+
+  * SECURITY UPDATE: 0-byte record padding oracle
+    - debian/patches/CVE-2019-1559.patch: go into the error state if a
+      fatal alert is sent or received in ssl/d1_pkt.c, ssl/s3_pkt.c.
+    - CVE-2019-1559
+
+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Tue, 26 Feb 2019 13:16:01 -0500
+
 openssl (1.0.2g-1ubuntu4.14) xenial-security; urgency=medium
 
   * SECURITY UPDATE: PortSmash side channel attack
diff -Nru openssl-1.0.2g/debian/patches/CVE-2019-1559.patch openssl-1.0.2g/debian/patches/CVE-2019-1559.patch
--- openssl-1.0.2g/debian/patches/CVE-2019-1559.patch	1970-01-01 00:00:00.000000000 +0000
+++ openssl-1.0.2g/debian/patches/CVE-2019-1559.patch	2019-02-26 18:15:37.000000000 +0000
@@ -0,0 +1,59 @@
+Backport of:
+
+From e9bbefbf0f24c57645e7ad6a5a71ae649d18ac8e Mon Sep 17 00:00:00 2001
+From: Matt Caswell <matt@openssl.org>
+Date: Fri, 14 Dec 2018 07:28:30 +0000
+Subject: [PATCH] Go into the error state if a fatal alert is sent or received
+
+If an application calls SSL_shutdown after a fatal alert has occured and
+then behaves different based on error codes from that function then the
+application may be vulnerable to a padding oracle.
+
+CVE-2019-1559
+
+Reviewed-by: Richard Levitte <levitte@openssl.org>
+---
+ ssl/d1_pkt.c |  1 +
+ ssl/s3_pkt.c | 10 +++++++---
+ 2 files changed, 8 insertions(+), 3 deletions(-)
+
+Index: openssl-1.0.2g/ssl/d1_pkt.c
+===================================================================
+--- openssl-1.0.2g.orig/ssl/d1_pkt.c	2019-02-26 13:09:11.010950562 -0500
++++ openssl-1.0.2g/ssl/d1_pkt.c	2019-02-26 13:12:42.259997034 -0500
+@@ -1267,6 +1267,7 @@ int dtls1_read_bytes(SSL *s, int type, u
+             ERR_add_error_data(2, "SSL alert number ", tmp);
+             s->shutdown |= SSL_RECEIVED_SHUTDOWN;
+             SSL_CTX_remove_session(s->ctx, s->session);
++            s->state = SSL_ST_ERR;
+             return (0);
+         } else {
+             al = SSL_AD_ILLEGAL_PARAMETER;
+Index: openssl-1.0.2g/ssl/s3_pkt.c
+===================================================================
+--- openssl-1.0.2g.orig/ssl/s3_pkt.c	2019-02-26 13:09:11.010950562 -0500
++++ openssl-1.0.2g/ssl/s3_pkt.c	2019-02-26 13:15:26.492809651 -0500
+@@ -1489,6 +1489,7 @@ int ssl3_read_bytes(SSL *s, int type, un
+             ERR_add_error_data(2, "SSL alert number ", tmp);
+             s->shutdown |= SSL_RECEIVED_SHUTDOWN;
+             SSL_CTX_remove_session(s->ctx, s->session);
++            s->state = SSL_ST_ERR;
+             return (0);
+         } else {
+             al = SSL_AD_ILLEGAL_PARAMETER;
+@@ -1708,9 +1709,12 @@ int ssl3_send_alert(SSL *s, int level, i
+                                           * protocol_version alerts */
+     if (desc < 0)
+         return -1;
+-    /* If a fatal one, remove from cache */
+-    if ((level == 2) && (s->session != NULL))
+-        SSL_CTX_remove_session(s->ctx, s->session);
++    /* If a fatal one, remove from cache and go into the error state */
++    if (level == SSL3_AL_FATAL) {
++        if (s->session != NULL)
++            SSL_CTX_remove_session(s->ctx, s->session);
++        s->state = SSL_ST_ERR;
++    }
+ 
+     s->s3->alert_dispatch = 1;
+     s->s3->send_alert[0] = level;
diff -Nru openssl-1.0.2g/debian/patches/series openssl-1.0.2g/debian/patches/series
--- openssl-1.0.2g/debian/patches/series	2018-12-04 13:38:10.000000000 +0000
+++ openssl-1.0.2g/debian/patches/series	2019-02-26 18:09:08.000000000 +0000
@@ -66,3 +66,4 @@
 CVE-2018-0734-2.patch
 CVE-2018-0734-3.patch
 CVE-2018-5407.patch
+CVE-2019-1559.patch