diff -u libopenid-ruby-2.1.7debian/debian/changelog libopenid-ruby-2.1.7debian/debian/changelog --- libopenid-ruby-2.1.7debian/debian/changelog +++ libopenid-ruby-2.1.7debian/debian/changelog @@ -1,3 +1,13 @@ +libopenid-ruby (2.1.7debian-1ubuntu0.1) lucid-security; urgency=low + + * SECURITY UPDATE: XML denial of service attack (LP: #1190491) + - debian/patches/CVE-2013-1812.patch: lib/openid/fetchers.rb, + lib/openid/yadis/xrds.rb: limit fetching file size & disable XML entity + expansion. Based on upstream patch. + - CVE-2013-1812 + + -- Christian Kuersteiner Thu, 20 Jun 2013 15:51:01 +0700 + libopenid-ruby (2.1.7debian-1) unstable; urgency=low * new upstream release diff -u libopenid-ruby-2.1.7debian/debian/control libopenid-ruby-2.1.7debian/debian/control --- libopenid-ruby-2.1.7debian/debian/control +++ libopenid-ruby-2.1.7debian/debian/control @@ -1,7 +1,8 @@ Source: libopenid-ruby Section: ruby Priority: optional -Maintainer: Antonio Terceiro +Maintainer: Ubuntu Developers +XSBC-Original-Maintainer: Antonio Terceiro Uploaders: Debian Ruby Extras Maintainers , Paul van Tilburg , Ryan Niebur Build-Depends: ruby-pkg-tools (>= 0.8), cdbs, debhelper (>= 5) Build-Depends-Indep: ruby1.8 only in patch2: unchanged: --- libopenid-ruby-2.1.7debian.orig/debian/patches/CVE-2013-1812.patch +++ libopenid-ruby-2.1.7debian/debian/patches/CVE-2013-1812.patch 
@@ -0,0 +1,109 @@
+## Description: limit fetching file size & disable XML entity expansion
+## Omitted changes regarding calls to setup_encoding since there is no such
+## function in this libopenid-ruby version.
+## Origin: backport, https://github.com/openid/ruby-openid/commit/a3693cef06049563f5b4e4824f4d3211288508ed
+## Author: ckuerste@gmx.ch
+## Bug: https://github.com/openid/ruby-openid/pull/43
+## Ubuntu-Bug: https://bugs.launchpad.net/ubuntu/+source/libopenid-ruby/+bug/1190491
+diff -Nur -x '*.orig' -x '*~' libopenid-ruby-2.1.7debian/lib/openid/fetchers.rb libopenid-ruby-2.1.7debian.new/lib/openid/fetchers.rb
+--- libopenid-ruby-2.1.7debian/lib/openid/fetchers.rb 2009-07-02 05:13:49.000000000 +0700
++++ libopenid-ruby-2.1.7debian.new/lib/openid/fetchers.rb 2013-06-21 13:38:00.154004517 +0700
+@@ -10,7 +10,7 @@
+ require 'net/http'
+ end
+
+-MAX_RESPONSE_KB = 1024
++MAX_RESPONSE_KB = 10485760 # 10 MB (can be smaller, I guess)
+
+ module Net
+ class HTTP
+@@ -192,6 +192,16 @@
+ conn = make_connection(url)
+ response = nil
+
++ whole_body = ''
++ body_size_limitter = lambda do |r|
++ r.read_body do |partial| # read body now
++ whole_body << partial
++ if whole_body.length > MAX_RESPONSE_KB
++ raise FetchingError.new("Response Too Large")
++ end
++ end
++ whole_body
++ end
+ response = conn.start {
+ # Check the certificate against the URL's hostname
+ if supports_ssl?(conn) and conn.use_ssl?
+@@ -199,10 +209,10 @@
+ end
+
+ if body.nil?
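Review bot: `MAX_RESPONSE_KB = 10485760` is compared against `whole_body.length`, a byte/character count, so the new value is a 10 MiB cap in bytes and the `_KB` suffix now misstates the unit by three orders of magnitude; the old `1024` read naturally as kilobytes. If other code references the constant, keep the name but make the unit explicit at the definition: `MAX_RESPONSE_BYTES = 10 * 1024 * 1024 # cap on one fetched body, in bytes` followed by `MAX_RESPONSE_KB = MAX_RESPONSE_BYTES # legacy name; value is bytes, not KB`. The trailing `# 10 MB (can be smaller, I guess)` should also go: OpenID discovery and association responses are normally a few kilobytes, so a tighter bound would be defensible, but whichever figure is kept should be stated as a decision rather than a guess.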
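Review bot: The cap in the new `body_size_limitter` is checked only after `whole_body << partial` and uses `String#length`; on the ruby1.8 this package builds against that is a byte count, but on 1.9+ `length` counts characters, so the intent is clearer and portable as `if whole_body.bytesize > MAX_RESPONSE_KB` (available from 1.8.7). Because the comparison follows the append, memory can transiently exceed the cap by one read chunk before `FetchingError` is raised, which is acceptable for a DoS bound but worth a comment such as `# enforced per chunk: peak memory is MAX_RESPONSE_KB plus one socket read`. A declared size can also be rejected before any body bytes are read, with `len = r['Content-Length']` and `raise FetchingError.new("Response Too Large") if len and len.to_i > MAX_RESPONSE_KB` at the top of the lambda, but the streaming check must stay since Content-Length is attacker-controlled and may be absent or false. The enclosing fetch method continues outside this hunk.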
+- conn.request_get(url.request_uri, headers)
++ conn.request_get(url.request_uri, headers, &body_size_limitter)
+ else
+ headers["Content-type"] ||= "application/x-www-form-urlencoded"
+- conn.request_post(url.request_uri, body, headers)
++ conn.request_post(url.request_uri, body, headers, &body_size_limitter)
+ end
+ }
+ rescue RuntimeError => why
+@@ -231,7 +241,9 @@
+ raise FetchingError, "Error encountered in redirect from #{url}: #{why}"
+ end
+ else
+- return HTTPResponse._from_net_response(response, unparsed_url)
++ response = HTTPResponse._from_net_response(response, unparsed_url)
++ response.body = whole_body
++ return response
+ end
+ end
+ end
+diff -Nur -x '*.orig' -x '*~' libopenid-ruby-2.1.7debian/lib/openid/yadis/xrds.rb libopenid-ruby-2.1.7debian.new/lib/openid/yadis/xrds.rb
+--- libopenid-ruby-2.1.7debian/lib/openid/yadis/xrds.rb 2009-07-02 05:13:49.000000000 +0700
++++ libopenid-ruby-2.1.7debian.new/lib/openid/yadis/xrds.rb 2013-06-21 13:35:09.866007004 +0700
+@@ -88,23 +88,33 @@
+ end
+
+ def Yadis::parseXRDS(text)
+- if text.nil?
+- raise XRDSError.new("Not an XRDS document.")
+- end
++ disable_entity_expansion do
++ if text.nil?
++ raise XRDSError.new("Not an XRDS document.")
++ end
+
+- begin
+- d = REXML::Document.new(text)
+- rescue RuntimeError => why
+- raise XRDSError.new("Not an XRDS document. Failed to parse XML.")
+- end
++ begin
++ d = REXML::Document.new(text)
++ rescue RuntimeError => why
++ raise XRDSError.new("Not an XRDS document. 
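Review bot: The new `response.body = whole_body` line deserves a comment, because nothing nearby explains why the body that `_from_net_response` already copied has to be overwritten: once `read_body` is driven with a block, as `body_size_limitter` now does, Net::HTTP's `response.body` presumably no longer holds the text (in the 1.8/1.9 implementations it returns the read adapter), so the accumulated string is the only copy. Suggested: `# the body was streamed through body_size_limitter; Net::HTTPResponse#body is not the text after a block read, so install the accumulated string here`. Reusing `response` for both the Net::HTTPResponse and the OpenID HTTPResponse is also a readability nit; `wrapped = HTTPResponse._from_net_response(response, unparsed_url)` keeps the variable's type stable through the method. The enclosing method continues outside this hunk.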
Failed to parse XML.")
++ end
+
+- if is_xrds?(d)
+- return d
+- else
+- raise XRDSError.new("Not an XRDS document.")
++ if is_xrds?(d)
++ return d
++ else
++ raise XRDSError.new("Not an XRDS document.")
++ end
+ end
+ end
+
++ def Yadis::disable_entity_expansion
++ _previous_ = REXML::Document::entity_expansion_limit
++ REXML::Document::entity_expansion_limit = 0
++ yield
++ ensure
++ REXML::Document::entity_expansion_limit = _previous_
++ end
++
+ def Yadis::is_xrds?(xrds_tree)
+ xrds_root = xrds_tree.root
+ return (!xrds_root.nil? and
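Review bot: `Yadis::disable_entity_expansion` toggles `REXML::Document::entity_expansion_limit`, which is process-global, so while one thread parses an XRDS every other REXML parse in the process also runs with a limit of 0, and two threads leaving the block out of order can restore the wrong value (the later `ensure` writes back a `_previous_` that was already 0, leaving the limit disabled for good). That is a reasonable trade for a security backport, but it should be written at the definition, e.g. `# NOTE: REXML's limit is global; concurrent parses elsewhere see 0 until we restore it, and overlapping use from several threads is not safe`. Two more caveats merit a line each: the `return d` inside the `do` block is a non-local exit from `parseXRDS` that still runs the `ensure`, so the limit is restored on the success path too; and `entity_expansion_limit` bounds only the number of expansions, not the size a single expansion can produce, so whether large literal entity values are also bounded depends on the REXML version the package runs against. `Yadis::is_xrds?` continues outside the hunk.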