diff --git a/srcpkgs/cvs/patches/ssh.patch b/srcpkgs/cvs/patches/ssh.patch
new file mode 100644
index 00000000000..21688953a52
--- /dev/null
+++ b/srcpkgs/cvs/patches/ssh.patch
@@ -0,0 +1,23 @@
+Fix for CVE-2017-12836, extracted from MirBSD repository.
+
+--- src/rsh-client.c 2017/03/26 15:54:10 1.6
++++ src/rsh-client.c 2017/08/11 20:41:40 1.7
+@@ -107,6 +108,9 @@ start_rsh_server (cvsroot_t *root, struc
+ rsh_argv[i++] = argvport;
+ }
+
++ /* Only non-option arguments from here. (CVE-2017-12836) */
++ rsh_argv[i++] = "--";
++
+ rsh_argv[i++] = root->hostname;
+ rsh_argv[i++] = cvs_server;
+ if (readonlyfs)
+@@ -190,6 +194,8 @@ start_rsh_server (cvsroot_t *root, struc
+ *p++ = "-p";
+ *p++ = argvport;
+ }
++
++ *p++ = "--";
+
+ *p++ = root->hostname;
+ *p++ = command;
diff --git a/srcpkgs/cvs/template b/srcpkgs/cvs/template
index 2e0cfb41dac..0eb781e531f 100644
--- a/srcpkgs/cvs/template
+++ b/srcpkgs/cvs/template
@@ -1,7 +1,7 @@
 # Template file for 'cvs'
 pkgname=cvs
 version=1.12.13
-revision=4
+revision=5
 build_style=gnu-configure
 configure_args="--with-editor=/usr/bin/vi --with-external-zlib ac_cv_func_working_mktime=yes"
 # broken test upstream
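Review bot: Both `--` insertions in start_rsh_server (the `rsh_argv[i++] = "--";` site and the `*p++ = "--";` site) make the fix depend on the configured remote-shell program treating `--` as end-of-options, which holds for getopt-based clients but is not guaranteed for every program a user can substitute via CVS_RSH. As defence in depth, consider also refusing a hostname that begins with `-` before the argument vector is built, for example `if (root->hostname[0] == '-') error (1, 0, "hostname may not begin with '-'");`, so the value can never be read as an option regardless of the client. The second site also lacks the explanatory comment the first one carries; repeating `/* Only non-option arguments from here. (CVE-2017-12836) */` there would keep the two branches consistent. start_rsh_server begins and ends outside both inner hunks, so whether the hostname is already validated earlier cannot be confirmed from this patch.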