diff -Nru jenkins-winstone-0.9.10-jenkins-25+dfsg/debian/changelog jenkins-winstone-0.9.10-jenkins-25+dfsg/debian/changelog
--- jenkins-winstone-0.9.10-jenkins-25+dfsg/debian/changelog	2011-09-01 13:30:30.000000000 +0100
+++ jenkins-winstone-0.9.10-jenkins-25+dfsg/debian/changelog	2011-11-22 12:22:21.000000000 +0000
@@ -1,3 +1,17 @@
+jenkins-winstone (0.9.10-jenkins-25+dfsg-0ubuntu2.1) oneiric-security; urgency=low
+
+  * SECURITY UPDATE: XSS vulnerability in default error pages.
+    - debian/patches/fix_xss.patch: escape error messages which are supposed 
+      be plain text and not markup in
+      src/java/winstone/ErrorServlet.java,
+      src/java/winstone/URIUtil.java,
+      src/java/winstone/WinstoneResponse.java
+    - http://www.cloudbees.com/jenkins-advisory/jenkins-security-advisory-2011-11-08.cb
+  * d/maven.{properties,ignoreRules}: Disabled testing as htmlunit is 
+    currently broken in 11.10.
+
+ -- James Page <james.page@ubuntu.com>  Tue, 22 Nov 2011 12:21:24 +0000
+
 jenkins-winstone (0.9.10-jenkins-25+dfsg-0ubuntu2) oneiric; urgency=low
 
   * Support offline validation of XML configuration files (LP: #827651):
diff -Nru jenkins-winstone-0.9.10-jenkins-25+dfsg/debian/maven.ignoreRules jenkins-winstone-0.9.10-jenkins-25+dfsg/debian/maven.ignoreRules
--- jenkins-winstone-0.9.10-jenkins-25+dfsg/debian/maven.ignoreRules	2011-09-01 13:30:30.000000000 +0100
+++ jenkins-winstone-0.9.10-jenkins-25+dfsg/debian/maven.ignoreRules	2011-11-22 09:28:12.000000000 +0000
@@ -15,3 +15,4 @@
 #   junit junit jar s/3\\..*/3.x/
 
 org.jvnet.wagon-svn wagon-svn * * * *
+httpunit httpunit * * * *
diff -Nru jenkins-winstone-0.9.10-jenkins-25+dfsg/debian/maven.properties jenkins-winstone-0.9.10-jenkins-25+dfsg/debian/maven.properties
--- jenkins-winstone-0.9.10-jenkins-25+dfsg/debian/maven.properties	2011-09-01 13:30:30.000000000 +0100
+++ jenkins-winstone-0.9.10-jenkins-25+dfsg/debian/maven.properties	2011-11-22 09:23:06.000000000 +0000
@@ -1,4 +1,4 @@
 # Include here properties to pass to Maven during the build.
 # For example:
-# maven.test.skip=true
+maven.test.skip=true
 
diff -Nru jenkins-winstone-0.9.10-jenkins-25+dfsg/debian/patches/fix_xss.patch jenkins-winstone-0.9.10-jenkins-25+dfsg/debian/patches/fix_xss.patch
--- jenkins-winstone-0.9.10-jenkins-25+dfsg/debian/patches/fix_xss.patch	1970-01-01 01:00:00.000000000 +0100
+++ jenkins-winstone-0.9.10-jenkins-25+dfsg/debian/patches/fix_xss.patch	2011-11-22 09:14:01.000000000 +0000
@@ -0,0 +1,64 @@
+From 410ed3001d51c689cf59085b7417466caa2ded7b Mon Sep 17 00:00:00 2001
+From: Kohsuke Kawaguchi <kk@kohsuke.org>
+Date: Tue, 1 Nov 2011 22:27:09 -0700
+Subject: [PATCH] escape error messages which are supposed be plain text and
+ not markup
+
+---
+ src/java/winstone/ErrorServlet.java     |    2 +-
+ src/java/winstone/URIUtil.java          |   17 +++++++++++++++++
+ src/java/winstone/WinstoneResponse.java |    2 +-
+ 3 files changed, 19 insertions(+), 2 deletions(-)
+
+Index: jenkins-winstone/src/java/winstone/ErrorServlet.java
+===================================================================
+--- jenkins-winstone.orig/src/java/winstone/ErrorServlet.java	2011-11-22 09:12:33.772125000 +0000
++++ jenkins-winstone/src/java/winstone/ErrorServlet.java	2011-11-22 09:13:42.699934201 +0000
+@@ -42,7 +42,7 @@
+          
+         // If we are here there was no error servlet, so show the default error page
+         String output = Launcher.RESOURCES.getString("WinstoneResponse.ErrorPage",
+-                new String[] { sc + "", (msg == null ? "" : msg), sw.toString(),
++                new String[] { sc + "", URIUtil.htmlEscape(msg == null ? "" : msg), URIUtil.htmlEscape(sw.toString()),
+                 Launcher.RESOURCES.getString("ServerVersion"),
+                         "" + new Date() });
+         response.setContentLength(output.getBytes(response.getCharacterEncoding()).length);
+Index: jenkins-winstone/src/java/winstone/URIUtil.java
+===================================================================
+--- jenkins-winstone.orig/src/java/winstone/URIUtil.java	2011-11-22 09:12:33.772125000 +0000
++++ jenkins-winstone/src/java/winstone/URIUtil.java	2011-11-22 09:13:42.699934201 +0000
+@@ -50,4 +50,21 @@
+         return buf.toString();
+     }
+ 
++    /**
++     * Performs necessary escaping to render arbitrary plain text as plain text without any markup.
++     */
++    public static String htmlEscape(String text) {
++        StringBuilder buf = new StringBuilder(text.length()+64);
++        for( int i=0; i<text.length(); i++ ) {
++            char ch = text.charAt(i);
++            if(ch=='<')
++                buf.append("&lt;");
++            else
++            if(ch=='&')
++                buf.append("&amp;");
++            else
++                buf.append(ch);
++        }
++        return buf.toString();
++    }
+ }
+Index: jenkins-winstone/src/java/winstone/WinstoneResponse.java
+===================================================================
+--- jenkins-winstone.orig/src/java/winstone/WinstoneResponse.java	2011-11-22 09:12:33.772125000 +0000
++++ jenkins-winstone/src/java/winstone/WinstoneResponse.java	2011-11-22 09:13:42.699934201 +0000
+@@ -805,7 +805,7 @@
+             this.statusCode = sc;
+         }
+         String output = Launcher.RESOURCES.getString("WinstoneResponse.ErrorPage",
+-                new String[] { sc + "", (msg == null ? "" : msg), "",
++                new String[] { sc + "", URIUtil.htmlEscape(msg == null ? "" : msg), "",
+                         Launcher.RESOURCES.getString("ServerVersion"),
+                         "" + new Date() });
+         setContentLength(output.getBytes(getCharacterEncoding()).length);
diff -Nru jenkins-winstone-0.9.10-jenkins-25+dfsg/debian/patches/series jenkins-winstone-0.9.10-jenkins-25+dfsg/debian/patches/series
--- jenkins-winstone-0.9.10-jenkins-25+dfsg/debian/patches/series	2011-09-01 13:30:30.000000000 +0100
+++ jenkins-winstone-0.9.10-jenkins-25+dfsg/debian/patches/series	2011-11-22 09:13:35.000000000 +0000
@@ -1,2 +1,3 @@
 java-1.6.patch
 specification-resources.patch
+fix_xss.patch