diff -Nru prosody-0.9.1/debian/changelog prosody-0.9.1/debian/changelog
--- prosody-0.9.1/debian/changelog 2013-09-14 17:34:24.000000000 +0200
+++ prosody-0.9.1/debian/changelog 2016-01-11 21:33:49.000000000 +0100
@@ -1,3 +1,15 @@
+prosody (0.9.1-1ubuntu0.1) trusty-security; urgency=medium
+
+ * SECURITY UPDATE: path traversal vulnerability in mod_http_files
+ - debian/patches/CVE-2016-1231.patch
+ - CVE-2016-1231
+ - LP: #1532943
+ * SECURITY UPDATE: use of weak PRNG in generation of dialback secrets
+ - CVE-2016-1232
+ - LP: #1532943
+
+ -- Felix Geyer Mon, 11 Jan 2016 19:21:33 +0100
+
+
 prosody (0.9.1-1) unstable; urgency=low
 * New upstream release including ipv6 support (Closes: #721970, #562161)
diff -Nru prosody-0.9.1/debian/patches/CVE-2016-1231.patch prosody-0.9.1/debian/patches/CVE-2016-1231.patch
--- prosody-0.9.1/debian/patches/CVE-2016-1231.patch 1970-01-01 01:00:00.000000000 +0100
+++ prosody-0.9.1/debian/patches/CVE-2016-1231.patch 2016-01-11 19:28:11.000000000 +0100
@@ -0,0 +1,60 @@
+From: Enrico Tassi
+Date: Thu, 7 Jan 2016 21:01:23 +0100
+Subject: CVE-2016-1231: path traversal in http built-in server
+
+---
+ plugins/mod_http_files.lua | 34 +++++++++++++++++++++++++++++++++-
+ 1 file changed, 33 insertions(+), 1 deletion(-)
+
+diff --git a/plugins/mod_http_files.lua b/plugins/mod_http_files.lua
+index 3a9368b..62b957b 100644
+--- a/plugins/mod_http_files.lua
++++ b/plugins/mod_http_files.lua
+@@ -49,6 +49,34 @@ if not mime_map then
+ end
+ end
+
++local forbidden_chars_pattern = "[/%z]";
++if prosody.platform == "windows" then
++ forbidden_chars_pattern = "[/%z\001-\031\127\"*:<>?|]"
++end
++
++local urldecode = require "util.http".urldecode;
++function sanitize_path(path)
++ local out = {};
++
++ local c = 0;
++ for component in path:gmatch("([^/]+)") do
++ component = urldecode(component);
++ if component:find(forbidden_chars_pattern) then
++ return nil;
++ elseif component == ".." then
++ if c <= 0 then
++ return nil;
++ end
++ out[c] = nil;
++ c = c - 1;
++ elseif component ~= "." then
++ c = c + 1;
++ out[c] = component;
++ end
++ end
++ return "/"..table.concat(out, "/");
++end
++
+ local cache = setmetatable({}, { __mode = "kv" }); -- Let the garbage collector have it if it wants to.
+
+ function serve(opts)
+@@ -60,7 +88,11 @@ function serve(opts)
+ local directory_index = opts.directory_index;
+ local function serve_file(event, path)
+ local request, response = event.request, event.response;
+- local orig_path = request.path;
++ path = sanitize_path(path);
++ if not path then
++ return 400;
++ end
++ local orig_path = sanitize_path(request.path);
+ local full_path = base_path .. 
(path and "/"..path or "");
+ local attr = stat(full_path);
+ if not attr then
diff -Nru prosody-0.9.1/debian/patches/CVE-2016-1232.patch prosody-0.9.1/debian/patches/CVE-2016-1232.patch
--- prosody-0.9.1/debian/patches/CVE-2016-1232.patch 1970-01-01 01:00:00.000000000 +0100
+++ prosody-0.9.1/debian/patches/CVE-2016-1232.patch 2016-01-11 19:20:36.000000000 +0100
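Review bot: `sanitize_path(path)` indexes its argument unconditionally (`path:gmatch`), so a nil `path` — which the unchanged `(path and "/"..path or "")` on the following line still anticipates — now raises a Lua error inside serve_file instead of serving the base directory; `path = sanitize_path(path or "");` keeps that case working while still rejecting traversal. For the same reason `orig_path` can now be nil whenever `request.path` fails the check, and its consumers lie past the end of this hunk, so they need the same guard or an explicit `return 400`. Decoding each component before matching it against `forbidden_chars_pattern` is the right order, since an encoded separator or NUL is rejected rather than passed through; a small unit test pinning that `sanitize_path("..")` and `sanitize_path("%2e%2e")` return nil and `sanitize_path("a/../b")` returns `"/b"` would keep that property from regressing. Note that `sanitize_path` is declared without `local`, which matches `serve` in this file but exports it into the module environment. serve_file's body continues outside the hunk.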
@@ -0,0 +1,74 @@
+From: Enrico Tassi
+Date: Fri, 8 Jan 2016 10:20:33 +0100
+Subject: CVE-2016-1232: weak PRNG for dialback on S2S
+
+---
+ util/uuid.lua | 44 ++++++++++++++++----------------------------
+ 1 file changed, 16 insertions(+), 28 deletions(-)
+
+diff --git a/util/uuid.lua b/util/uuid.lua
+index 796c8ee..58f792f 100644
+--- a/util/uuid.lua
++++ b/util/uuid.lua
+@@ -6,45 +6,33 @@
+ -- COPYING file in the source package for more information.
+ --
+
+-
+-local m_random = math.random;
+-local tostring = tostring;
+-local os_time = os.time;
+-local os_clock = os.clock;
+-local sha1 = require "util.hashes".sha1;
++local error = error;
++local round_up = math.ceil;
++local urandom, urandom_err = io.open("/dev/urandom", "r+");
+
+ module "uuid"
+
+-local last_uniq_time = 0;
+-local function uniq_time()
+- local new_uniq_time = os_time();
+- if last_uniq_time >= new_uniq_time then new_uniq_time = last_uniq_time + 1; end
+- last_uniq_time = new_uniq_time;
+- return new_uniq_time;
+-end
+-
+-local function new_random(x)
+- return sha1(x..os_clock()..tostring({}), true);
+-end
+-
+-local buffer = new_random(uniq_time());
+-local function _seed(x)
+- buffer = new_random(buffer..x);
+-end
+ local function get_nibbles(n)
+- if #buffer < n then _seed(uniq_time()); end
+- local r = buffer:sub(0, n);
+- buffer = buffer:sub(n+1);
+- return r;
++ local binary_random = urandom:read(round_up(n/2));
++ local hex_random = binary_random:gsub(".",
++ function (x) return ("%02x"):format(x:byte()) end);
++ return hex_random:sub(1, n);
+ end
+ local function get_twobits()
+- return ("%x"):format(get_nibbles(1):byte() % 4 + 8);
++ return ("%x"):format(urandom:read(1):byte() % 4 + 8);
+ end
+
+ function generate()
++ if not urandom then
++ error("Unable to obtain a secure random number generator, please see https://prosody.im/doc/random ("..urandom_err..")");
++ end
+ -- generate RFC 4122 complaint UUIDs (version 4 - random)
+ return 
get_nibbles(8).."-"..get_nibbles(4).."-4"..get_nibbles(3).."-"..(get_twobits())..get_nibbles(3).."-"..get_nibbles(12);
+ end
+-seed = _seed;
++
++function seed(x)
++ urandom:write(x);
++ urandom:flush();
++end
+
+ return _M;
diff -Nru prosody-0.9.1/debian/patches/series prosody-0.9.1/debian/patches/series
--- prosody-0.9.1/debian/patches/series 2013-09-14 17:34:24.000000000 +0200
+++ prosody-0.9.1/debian/patches/series 2016-01-11 19:24:22.000000000 +0100
@@ -1,3 +1,5 @@
 conf.patch
 prosody-lua51.patch
 dpkg-buildflags.patch
+CVE-2016-1231.patch
+CVE-2016-1232.patch
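Review bot: Opening `/dev/urandom` with `"r+"` ties the generator's availability to write permission on the device node: where the prosody user may only read it, `io.open` fails, `urandom` stays nil and every `generate()` call raises, although reading alone is all the CVE fix needs. A fallback such as `if not urandom then urandom, urandom_err = io.open("/dev/urandom", "r"); end` after the open keeps UUID generation working, with `seed` then treating a read-only handle as a no-op (or at least carrying the same nil check `generate` has, since today `urandom:write(x)` on a nil handle fails with an unhelpful index error rather than the descriptive message). In `get_nibbles`, `urandom:read(round_up(n/2))` is trusted to return exactly that many bytes: a nil result fails on the following `gsub`, but a short read would silently produce a truncated UUID, so `assert(binary_random and #binary_random == round_up(n/2), "short read from /dev/urandom")` before the hex conversion is worth its one line. Whether a read-only device node is a realistic deployment for this package is inferred, not visible in the hunk.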