diff -u nginx-0.5.33/debian/changelog nginx-0.5.33/debian/changelog
--- nginx-0.5.33/debian/changelog
+++ nginx-0.5.33/debian/changelog
@@ -1,3 +1,12 @@
+nginx (0.5.33-1ubuntu0.1) hardy-security; urgency=low
+
+ * SECURITY UPDATE: Buffer underflow vulnerability, which allows remote
+ attackers to execute arbitrary code via crafted HTTP request. (LP: #430064)
+ - src/http/ngx_http_parse.c patched.
+ - CVE-2009-2629.
+
+ -- Andres Rodriguez Sat, 26 Sep 2009 13:10:01 -0400
+
 nginx (0.5.33-1) unstable; urgency=low
 * New stable upstream release (Closes: #451173)
diff -u nginx-0.5.33/debian/control nginx-0.5.33/debian/control
--- nginx-0.5.33/debian/control
+++ nginx-0.5.33/debian/control
@@ -1,7 +1,8 @@
 Source: nginx
 Section: web
 Priority: optional
-Maintainer: Jose Parrella
+Maintainer: Ubuntu MOTU Developers
+XSBC-Original-Maintainer: Jose Parrella
 Uploaders: Fabio Tranchitella
 Build-Depends: debhelper (>= 5), autotools-dev, libpcre3-dev, zlib1g-dev, libssl-dev
 Standards-Version: 3.7.2
only in patch2:
unchanged:
--- nginx-0.5.33.orig/src/http/ngx_http_parse.c
+++ nginx-0.5.33/src/http/ngx_http_parse.c
@@ -1081,11 +1081,15 @@
 #endif
 case '/':
 state = sw_slash;
- u -= 4;
- if (u < r->uri.data) {
- return NGX_HTTP_PARSE_INVALID_REQUEST;
- }
- while (*(u - 1) != '/') {
+ u -= 5;
+ for ( ;; ) {
+ if (u < r->uri.data) {
+ return NGX_HTTP_PARSE_INVALID_REQUEST;
+ }
+ if (*u == '/') {
+ u++;
+ break;
+ }
 u--;
 }
 break;
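Review bot: The new bound test `if (u < r->uri.data)` in the `case '/':` branch of ngx_http_parse.c only runs after `u -= 5` or `u--` has already moved `u` below the start of the buffer. Forming a pointer before the start of an object is undefined in C, so the guard depends on the compiler keeping a comparison it may assume is false. Testing the offset before moving the pointer gives the same accept/reject behaviour without ever stepping outside `r->uri.data`, assuming `u` always points into that buffer (its setup is outside the hunk). The constant 5 also deserves a one-line comment saying which bytes of the written URI it skips. The enclosing switch and function start and end outside this hunk, so any other branch that backs `u` up should be checked for the same per-step bound.

```c
case '/':
    state = sw_slash;
    /* check the offset first so u is never moved below r->uri.data */
    if (u - r->uri.data < 5) {
        return NGX_HTTP_PARSE_INVALID_REQUEST;
    }
    u -= 5;
    while (*u != '/') {
        if (u == r->uri.data) {
            return NGX_HTTP_PARSE_INVALID_REQUEST;
        }
        u--;
    }
    u++;
    break;
```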