diff --git a/vsftpd-avoid-bogus-ssl-write.patch b/vsftpd-avoid-bogus-ssl-write.patch
new file mode 100644
index 0000000..355c501
--- /dev/null
+++ b/vsftpd-avoid-bogus-ssl-write.patch
@@ -0,0 +1,19 @@
+Index: vsftpd-3.0.2/utility.c
+===================================================================
+--- vsftpd-3.0.2.orig/utility.c
++++ vsftpd-3.0.2/utility.c
+@@ -104,11 +104,13 @@ bug(const char* p_text)
+   {
+     if (s_p_sess->ssl_slave_active)
+     {
++      /* Write error through ssl_slave process */
+       priv_sock_send_cmd(s_p_sess->ssl_consumer_fd, PRIV_SOCK_WRITE_USER_RESP);
+       priv_sock_send_buf(s_p_sess->ssl_consumer_fd, text_buffer, text_len);
+     }
+-    else
++    else if (s_p_sess->p_control_ssl)
+     {
++      /* From ssl_slave write the message directly */
+       (void)ssl_write(s_p_sess->p_control_ssl, text_buffer, text_len);
+     }
+   }
diff --git a/vsftpd.changes b/vsftpd.changes
index b001316..957b170 100644
--- a/vsftpd.changes
+++ b/vsftpd.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Tue Jun 18 15:37:38 UTC 2019 - Peter Simons <psimons@suse.com>
+
+- Apply "vsftpd-avoid-bogus-ssl-write.patch" to fix a segmentation
+  fault that occurred while trying to write to an invalid TLS
+  context. [bsc#1125951]
+
 -------------------------------------------------------------------
 Wed Jun 12 14:16:40 UTC 2019 - Dominique Leuenberger <dimstar@opensuse.org>
 
diff --git a/vsftpd.spec b/vsftpd.spec
index 69a0b78..680b0c3 100644
--- a/vsftpd.spec
+++ b/vsftpd.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package vsftpd
 #
-# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -84,6 +84,7 @@ Patch29:        vsftpd-append-seek-pipe.patch
 Patch30:        vsftpd-3.0.3-address_space_limit.patch
 Patch31:        vsftpd-enable-syscalls-needed-by-sle15.patch
 Patch32:        vsftpd-support-dsa-only-setups.patch
+Patch33:        vsftpd-avoid-bogus-ssl-write.patch
 BuildRequires:  libcap-devel
 BuildRequires:  libopenssl-devel
 BuildRequires:  pam-devel
@@ -148,6 +149,7 @@ tests.
 %patch30 -p1
 %patch31 -p1
 %patch32 -p1
+%patch33 -p1
 
 %build
 %define seccomp_opts -D_GNU_SOURCE -DUSE_SECCOMP