diff -u zend-framework-1.5.1/debian/rules zend-framework-1.5.1/debian/rules
--- zend-framework-1.5.1/debian/rules
+++ zend-framework-1.5.1/debian/rules
@@ -8,11 +8,13 @@
 
 # Uncomment this to turn on verbose mode.
 #export DH_VERBOSE=1
+include /usr/share/quilt/quilt.make
 
-build:
+
+build: patch
 	dh_testdir
 
-clean:
+clean: unpatch
 	dh_testdir
 	dh_testroot
 	
diff -u zend-framework-1.5.1/debian/changelog zend-framework-1.5.1/debian/changelog
--- zend-framework-1.5.1/debian/changelog
+++ zend-framework-1.5.1/debian/changelog
@@ -1,3 +1,24 @@
+zend-framework (1.5.1-0ubuntu1.1) hardy-security; urgency=low
+
+  * SECURITY UPDATE: (LP: #345682)
+    Announcement: http://www.nabble.com/SECURITY-ADVISORY-tp22609193p22609193.html
+    From Zend PHP FW Mailing List:
+    The Zend Framework team was recently notified of an XSS attack vector in its Zend_Filter_StripTags class.
+    Zend_Filter_StripTags offers the ability to strip HTML tags from text, but also to selectively choose
+    which tags and specific attributes of those tags to keep.
+    The XSS attack vector was due to a bug in matching HTML tag attributes to retain.
+    If whitespace was introduced surrounding the attribute assignment operator or the value included newline characters,
+    the attribute would always be included in the final output- even if it was not marked to retain.
+    A security fix has been created and released with Zend Framework 1.7.7.
+    Additionally, the fix has been back-ported to the 1.6, 1.5, and 1.0 release branches.
+  * debian/patches/zf_Zend_Filter_security_fix.patch:
+    Fixes security issue according to
+    http://framework.zend.com/svn/framework/standard/branches/release-1.7/library/Zend/Filter/StripTags.php
+  * debian/control: added quilt as build dependency
+  * debian/rules: include quilt.mk and call patch/unpatch targets
+
+ -- Stephan Hermann <sh@sourcecode.de>  Thu, 14 May 2009 12:39:55 +0000
+
 zend-framework (1.5.1-0ubuntu1) hardy; urgency=low
 
   * New bugfix release
diff -u zend-framework-1.5.1/debian/control zend-framework-1.5.1/debian/control
--- zend-framework-1.5.1/debian/control
+++ zend-framework-1.5.1/debian/control
@@ -3,7 +3,7 @@
 Priority: extra
 Maintainer: Ubuntu MOTU Developers <ubuntu-motu@lists.ubuntu.com>
 XSBC-Original-Maintainer: Stephan Hermann <sh@sourcecode.de>
-Build-Depends: debhelper (>= 5)
+Build-Depends: debhelper (>= 5), quilt
 Standards-Version: 3.7.3
 
 Package: libzend-framework-php
only in patch2:
unchanged:
--- zend-framework-1.5.1.orig/debian/patches/series
+++ zend-framework-1.5.1/debian/patches/series
@@ -0,0 +1 @@
+zf_Zend_Filter_security_fix.patch
only in patch2:
unchanged:
--- zend-framework-1.5.1.orig/debian/patches/zf_Zend_Filter_security_fix.patch
+++ zend-framework-1.5.1/debian/patches/zf_Zend_Filter_security_fix.patch
@@ -0,0 +1,13 @@
+Index: zend-framework-1.5.1/library/Zend/Filter/StripTags.php
+===================================================================
+--- zend-framework-1.5.1.orig/library/Zend/Filter/StripTags.php	2009-05-14 12:38:27.117151688 +0000
++++ zend-framework-1.5.1/library/Zend/Filter/StripTags.php	2009-05-14 12:39:09.237150866 +0000
+@@ -256,7 +256,7 @@
+         // If there are non-whitespace characters in the attribute string
+         if (strlen($tagAttributes)) {
+             // Parse iteratively for well-formed attributes
+-            preg_match_all('/(\w+)=([\'"])((.(?!=\2))+)\2/s', $tagAttributes, $matches);
++            preg_match_all('/(\w+)\s*=\s*(?:(")(.*?)"|(\')(.*?)\')/s', $tagAttributes, $matches);
+             // Initialize valid attribute accumulator
+             $tagAttributes = '';
+             // Iterate over each matched attribute