diff -Nru rsync-3.2.3/debian/changelog rsync-3.2.3/debian/changelog
--- rsync-3.2.3/debian/changelog	2020-09-10 13:11:17.000000000 +0000
+++ rsync-3.2.3/debian/changelog	2021-01-12 21:59:54.000000000 +0000
@@ -1,3 +1,23 @@
+rsync (3.2.3-3ubuntu1) hirsute; urgency=medium
+
+  * Merge with Debian unstable. Remaining changes:
+    - debian/rules: add --disable-asm configure flag. The only asm
+      implementation is available for md5 on x86_64, however it is no-op,
+      because we built with OpenSSL which has optimized md5
+      implementation. Furthermore, linking noop md5 asm on x86_64 results in
+      rsync binary not getting marked as CET compatible, because the noop
+      md5 asm is not marked as CET compatible. Thus building without noop
+      md5 asm, results in rsync gaining CET.
+
+ -- Sergio Durigan Junior <sergio.durigan@canonical.com>  Tue, 12 Jan 2021 16:59:54 -0500
+
+rsync (3.2.3-3) unstable; urgency=high
+
+  * d/p/CVE-2020-14387.patch: New patch to fix an openssl related CVE
+    (closes: #969530, CVE-2020-14387)
+
+ -- Samuel Henrique <samueloph@debian.org>  Sat, 19 Dec 2020 12:48:33 +0000
+
 rsync (3.2.3-2ubuntu1) groovy; urgency=medium
 
   * debian/rules: add --disable-asm configure flag. The only asm
diff -Nru rsync-3.2.3/debian/patches/CVE-2020-14387.patch rsync-3.2.3/debian/patches/CVE-2020-14387.patch
--- rsync-3.2.3/debian/patches/CVE-2020-14387.patch	1970-01-01 00:00:00.000000000 +0000
+++ rsync-3.2.3/debian/patches/CVE-2020-14387.patch	2021-01-12 21:58:15.000000000 +0000
@@ -0,0 +1,21 @@
+From: Matt McCutchen <matt@mattmccutchen.net>
+Date: Wed, 26 Aug 2020 16:16:08 +0000 (-0400)
+Subject: rsync-ssl: Verify the hostname in the certificate when using openssl.
+X-Git-Url: http://git.samba.org/?p=rsync.git;a=commitdiff_plain;h=c3f7414c450faaf6a8281cc4a4403529aeb7d859
+
+rsync-ssl: Verify the hostname in the certificate when using openssl.
+---
+
+diff --git a/rsync-ssl b/rsync-ssl
+index 8101975a..46701af1 100755
+--- a/rsync-ssl
++++ b/rsync-ssl
+@@ -129,7 +129,7 @@ function rsync_ssl_helper {
+     fi
+ 
+     if [[ $RSYNC_SSL_TYPE == openssl ]]; then
+-	exec $RSYNC_SSL_OPENSSL s_client $caopt $certopt -quiet -verify_quiet -servername $hostname -connect $hostname:$port
++	exec $RSYNC_SSL_OPENSSL s_client $caopt $certopt -quiet -verify_quiet -servername $hostname -verify_hostname $hostname -connect $hostname:$port
+     elif [[ $RSYNC_SSL_TYPE == gnutls ]]; then
+ 	exec $RSYNC_SSL_GNUTLS --logfile=/dev/null $gnutls_cert_opt $gnutls_opts $hostname:$port
+     else
diff -Nru rsync-3.2.3/debian/patches/series rsync-3.2.3/debian/patches/series
--- rsync-3.2.3/debian/patches/series	2020-08-26 20:23:57.000000000 +0000
+++ rsync-3.2.3/debian/patches/series	2021-01-12 21:58:15.000000000 +0000
@@ -1,3 +1,4 @@
 disable_reconfigure_req.diff
 skip_devices_test.patch
 perl_shebang.patch
+CVE-2020-14387.patch