diff --git a/cachedb/cachedb.c b/cachedb/cachedb.c
index 08389a432..92217db3d 100644
--- a/cachedb/cachedb.c
+++ b/cachedb/cachedb.c
@@ -349,7 +349,11 @@ calc_hash(struct module_qstate* qstate, char* buf, size_t len)
 	
 	/* hash the buffer */
 	secalgo_hash_sha256(clear, clen, hash);
+#ifdef HAVE_EXPLICIT_BZERO
+	explicit_bzero(clear, clen);
+#else
 	memset(clear, 0, clen);
+#endif
 
 	/* hex encode output for portability (some online dbs need
 	 * no nulls, no control characters, and so on) */
diff --git a/doc/Changelog b/doc/Changelog
index 19d4e2d8d..8fac8f128 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,3 +1,7 @@
+11 September 2019: Wouter
+	- Use explicit bzero for wiping clear buffer of hash in cachedb,
+	  reported by Eric Sesterhenn from X41 D-Sec.
+
 9 September 2019: Wouter
 	- Fix #72: configure --with-syslog-facility=LOCAL0-7 with default
 	  LOG_DAEMON (as before) can set the syslog facility that the server