diff -Nru ntp-4.2.6.p3+dfsg/debian/changelog ntp-4.2.6.p3+dfsg/debian/changelog
--- ntp-4.2.6.p3+dfsg/debian/changelog 2015-10-23 11:58:22.000000000 -0400
+++ ntp-4.2.6.p3+dfsg/debian/changelog 2015-10-29 09:47:45.000000000 -0400
@@ -1,3 +1,11 @@
+ntp (1:4.2.6.p3+dfsg-1ubuntu3.7) precise; urgency=medium
+
+ * Fix use-after-free in routing socket code (closes: #795315)
+ - debian/patches/use-after-free-in-routing-socket.patch:
+ fix logic in ntpd/ntp_io.c (LP: #1481388)
+
+ -- Eric Desrochers Thu, 29 Oct 2015 09:47:20 -0400
+
 ntp (1:4.2.6.p3+dfsg-1ubuntu3.6) precise-security; urgency=medium

 * SECURITY UPDATE: denial of service via crafted NUL-byte in
diff -Nru ntp-4.2.6.p3+dfsg/debian/patches/series ntp-4.2.6.p3+dfsg/debian/patches/series
--- ntp-4.2.6.p3+dfsg/debian/patches/series 2015-10-23 11:56:40.000000000 -0400
+++ ntp-4.2.6.p3+dfsg/debian/patches/series 2015-10-29 09:45:39.000000000 -0400
@@ -31,3 +31,4 @@
 CVE-2015-7853.patch
 CVE-2015-7855.patch
 CVE-2015-7871.patch
+use-after-free-in-routing-socket.patch
diff -Nru ntp-4.2.6.p3+dfsg/debian/patches/use-after-free-in-routing-socket.patch ntp-4.2.6.p3+dfsg/debian/patches/use-after-free-in-routing-socket.patch
--- ntp-4.2.6.p3+dfsg/debian/patches/use-after-free-in-routing-socket.patch 1969-12-31 19:00:00.000000000 -0500
+++ ntp-4.2.6.p3+dfsg/debian/patches/use-after-free-in-routing-socket.patch 2015-10-29 09:47:06.000000000 -0400
@@ -0,0 +1,31 @@
+Description: Fix use-after-free in routing socket code.
+Origin: backport, https://bugs.ntp.org/attachment.cgi?id=883
+Bug: http://bugs.ntp.org/2224
+--- a/ntpd/ntp_io.c
++++ b/ntpd/ntp_io.c
+@@ -3534,7 +3534,8 @@
+ int select_count = 0;
+ endpt *ep;
+ #if defined(HAS_ROUTING_SOCKET)
+- struct asyncio_reader *asyncio_reader;
++ struct asyncio_reader * asyncio_reader;
++ struct asyncio_reader * next_asyncio_reader;
+ #endif
+
+ handler_calls++;
+@@ -3637,11 +3638,13 @@
+ asyncio_reader = asyncio_reader_list;
+
+ while (asyncio_reader != NULL) {
++ /* callback may unlink and free asyncio_reader */
++ next_asyncio_reader = asyncio_reader->link;
+ if (FD_ISSET(asyncio_reader->fd, &fds)) {
+ ++select_count;
+- (asyncio_reader->receiver)(asyncio_reader);
++ (*asyncio_reader->receiver)(asyncio_reader);
+ }
+- asyncio_reader = asyncio_reader->link;
++ asyncio_reader = next_asyncio_reader;
+ }
+ #endif /* HAS_ROUTING_SOCKET */
+
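Review bot: The saved `next_asyncio_reader` in the second inner hunk (`@@ -3637,11 +3638,13 @@`) keeps the walk safe only when a receiver unlinks and frees its own node; if a receiver could ever remove a different list entry, in particular the successor, the saved pointer would be stale and the loop would touch freed memory again. Whether any receiver does that is not visible in this patch, so the added comment should spell out the invariant the loop now relies on, e.g. `/* receiver may unlink and free only its own asyncio_reader, never another list entry */`. The change to `(*asyncio_reader->receiver)(asyncio_reader);` and the respaced declaration in the first inner hunk look cosmetic and do not affect behaviour, which makes the security-relevant lines harder to pick out in review. The enclosing function starts and ends outside both inner hunks, so any other walk of `asyncio_reader_list` in it cannot be checked from here.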