diff -Nru ntpsec-1.1.0+dfsg1/debian/changelog ntpsec-1.1.0+dfsg1/debian/changelog
--- ntpsec-1.1.0+dfsg1/debian/changelog 2018-08-21 00:27:21.000000000 -0500
+++ ntpsec-1.1.0+dfsg1/debian/changelog 2019-01-18 20:07:06.000000000 -0600
@@ -1,3 +1,20 @@
+ntpsec (1.1.0+dfsg1-1ubuntu0.2) bionic-security; urgency=medium
+
+ * Backport three commits from 1.1.3 to fix (LP: #1812458)
+ - CVE-2019-6442: "An authenticated attacker can write one byte out of
+ bounds in ntpd via a malformed config request, related to
+ config_remotely in ntp_config.c, yyparse in ntp_parser.tab.c, and
+ yyerror in ntp_parser.y."
+ - CVE-2019-6443: "Because of a bug in ctl_getitem, there is a stack-based
+ buffer over-read in read_sysvars in ntp_control.c in ntpd.
+ - CVE-2019-6444: "process_control() in ntp_control.c has a stack-based
+ buffer over-read because attacker-controlled data is dereferenced by
+ ntohl() in ntpd."
+ - CVE-2019-6445: "An authenticated attacker can cause a NULL pointer
+ dereference and ntpd crash in ntp_control.c, related to ctl_getitem."
+
+ -- Richard Laager Fri, 18 Jan 2019 20:07:06 -0600
+
 ntpsec (1.1.0+dfsg1-1ubuntu0.1) bionic; urgency=medium
 
 * Update apparmor for new drift temp file (LP: #1788102)
diff -Nru ntpsec-1.1.0+dfsg1/debian/patches/ntp_control-Check-for-count-too-big-in-control-packet.patch ntpsec-1.1.0+dfsg1/debian/patches/ntp_control-Check-for-count-too-big-in-control-packet.patch
--- ntpsec-1.1.0+dfsg1/debian/patches/ntp_control-Check-for-count-too-big-in-control-packet.patch 1969-12-31 18:00:00.000000000 -0600
+++ ntpsec-1.1.0+dfsg1/debian/patches/ntp_control-Check-for-count-too-big-in-control-packet.patch 2019-01-18 20:07:06.000000000 -0600
@@ -0,0 +1,36 @@
+Origin: upstream, https://gitlab.com/NTPsec/ntpsec/commit/2ccb87ab78d7ca962f8a903499a4e50a379c56dd
+Bug: https://gitlab.com/NTPsec/ntpsec/issues/507
+Bug: https://gitlab.com/NTPsec/ntpsec/issues/508
+From: "Gary E. Miller"
+Date: Wed, 17 Oct 2018 20:55:06 -0700
+Subject: [PATCH] ntp_control: Check for count too big in control packet.
+
+---
+ ntpd/ntp_control.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/ntpd/ntp_control.c
++++ b/ntpd/ntp_control.c
+@@ -825,6 +825,13 @@
+ return;
+ }
+ 
++ if (CTL_MAX_DATA_LEN < req_count) {
++ /* count to big */
++ ctl_error(CERR_BADFMT);
++ numctlbadpkts++;
++ return;
++ }
++
+ properlen = req_count + (int)CTL_HEADER_LEN;
+ /* round up proper len to a 8 octet boundary */
+ 
+@@ -2505,7 +2512,7 @@
+ 
+ /* Scan the string in the packet until we hit comma or
+ * EoB. Register position of first '=' on the fly. */
+- for (tp = NULL, cp = reqpt; cp != reqend; ++cp) {
++ for (tp = NULL, cp = reqpt; cp < reqend; ++cp) {
+ if (*cp == '=' && tp == NULL)
+ tp = cp;
+ if (*cp == ',')
diff -Nru ntpsec-1.1.0+dfsg1/debian/patches/ntp_control-Stop-potentially-dereferencing-a-NULL-pointer.patch ntpsec-1.1.0+dfsg1/debian/patches/ntp_control-Stop-potentially-dereferencing-a-NULL-pointer.patch
--- ntpsec-1.1.0+dfsg1/debian/patches/ntp_control-Stop-potentially-dereferencing-a-NULL-pointer.patch 1969-12-31 18:00:00.000000000 -0600
+++ ntpsec-1.1.0+dfsg1/debian/patches/ntp_control-Stop-potentially-dereferencing-a-NULL-pointer.patch 2019-01-18 20:07:06.000000000 -0600
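Review bot: The comment on the new guard in the first nested hunk reads `/* count to big */`; besides the typo it should say what is rejected and why, e.g. `/* req_count exceeds CTL_MAX_DATA_LEN: reject before it feeds properlen */`. Whether a negative req_count can slip past `CTL_MAX_DATA_LEN < req_count` depends on req_count's type, which is not visible here; if it is signed, a negative value passes the guard and reaches `properlen = req_count + (int)CTL_HEADER_LEN`, so the type is worth confirming. The second nested hunk's switch from `cp != reqend` to `cp < reqend` is unexplained in the patch; a comment such as `/* '<' rather than '!=': stop even if reqend has ended up before cp */` would record the intent, assuming that is the case being defended. Both enclosing functions start and end outside the hunk.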
@@ -0,0 +1,30 @@
+Origin: upstream, https://gitlab.com/NTPsec/ntpsec/commit/acb2ecdcabad2ab42e9c6352999e174dd102eb3f
+Bug: https://gitlab.com/NTPsec/ntpsec/issues/509
+From: "Gary E. Miller"
+Date: Mon, 22 Oct 2018 13:47:20 -0700
+Subject: [PATCH] ntp_control: Stop potentially dereferencing a NULL pointer.
+
+---
+ ntpd/ntp_control.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/ntpd/ntp_control.c
++++ b/ntpd/ntp_control.c
+@@ -2855,6 +2855,7 @@
+ const struct ctl_var *v;
+ int ext_var;
+ char *valuep;
++ char nulltxt[1] = { '\0' };
+ long val;
+ size_t octets;
+ char *vareqv;
+@@ -2900,6 +2901,9 @@
+ ctl_error(CERR_PERMISSION);
+ return;
+ }
++ if (NULL == valuep)
++ valuep = nulltxt;
++
+ errno = 0;
+ if (!ext_var && (*valuep == '\0'
+ || (val = strtol(valuep, NULL, 10), errno != 0))) {
diff -Nru ntpsec-1.1.0+dfsg1/debian/patches/ntp_parser.y-Fix-a-potential-overflow-in-err_msg.patch ntpsec-1.1.0+dfsg1/debian/patches/ntp_parser.y-Fix-a-potential-overflow-in-err_msg.patch
--- ntpsec-1.1.0+dfsg1/debian/patches/ntp_parser.y-Fix-a-potential-overflow-in-err_msg.patch 1969-12-31 18:00:00.000000000 -0600
+++ ntpsec-1.1.0+dfsg1/debian/patches/ntp_parser.y-Fix-a-potential-overflow-in-err_msg.patch 2019-01-18 20:05:44.000000000 -0600
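Review bot: The new `if (NULL == valuep) valuep = nulltxt;` turns a missing value into an empty string instead of rejecting the request, so on the `!ext_var` path the `*valuep == '\0'` test below catches it, but on the `ext_var` path the empty string flows on into code outside the hunk, whose handling of it is not visible here. If a NULL valuep always means a malformed request, an explicit `ctl_error(CERR_BADFMT); numctlbadpkts++; return;` (the pattern the sibling ntp_control patch uses) would both refuse it and count it, which is what an operator watching those counters wants. At minimum the substitution deserves a comment, e.g. `/* the lookup can return NULL (presumably a bare name with no value); treat it as empty so the checks below apply */`, hedged because the call that produces valuep is outside the hunk. The enclosing function starts and ends outside the hunk.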
@@ -0,0 +1,58 @@
+Origin: upstream, https://gitlab.com/NTPsec/ntpsec/commit/a619d39ac2b6d3b435edd2f6f527c7cc81f78d02
+Bug: https://gitlab.com/NTPsec/ntpsec/issues/510
+From: "Gary E. Miller"
+Date: Mon, 22 Oct 2018 15:16:46 -0700
+Subject: [PATCH] ntp_parser.y: Fix a potential overflow in err_msg.
+
+---
+ ntpd/ntp_parser.y | 41 ++++++++++++++++++++++++++++-------------
+ 1 file changed, 28 insertions(+), 13 deletions(-)
+
+--- a/ntpd/ntp_parser.y
++++ b/ntpd/ntp_parser.y
+@@ -1416,19 +1416,34 @@
+ 
+ msyslog(LOG_ERR, "CONFIG: line %d column %d %s",
+ ip_ctx->errpos.nline, ip_ctx->errpos.ncol, msg);
+- if (!lex_from_file()) {
+- /* Save the error message in the correct buffer */
+- retval = snprintf(remote_config.err_msg + remote_config.err_pos,
+- (size_t)(MAXLINE - remote_config.err_pos),
+- "column %d %s",
+- ip_ctx->errpos.ncol, msg);
++ if (lex_from_file()) {
++ /* all is good, so far */
++ return;
++ }
++ /* Uh, oh, got an error */
+ 
+- /* Increment the value of err_pos */
+- if (retval > 0)
+- remote_config.err_pos += retval;
++ /* Increment the number of errors */
++ ++remote_config.no_errors;
+ 
+- /* Increment the number of errors */
+- ++remote_config.no_errors;
++ /* Save the error message in the correct buffer */
++ if ((MAXLINE - 10) < remote_config.err_pos) {
++ /* err_msg already full, ignore this */
++ return;
++ }
++ retval = snprintf(remote_config.err_msg + remote_config.err_pos,
++ (size_t)(MAXLINE - remote_config.err_pos),
++ "column %d %s", ip_ctx->errpos.ncol, msg);
++
++ /* Increment the value of err_pos */
++ if (retval > 0) {
++ /* careful, retval is not bytes written, it is
++ * bytes that would have been written if space had
++ * been available */
++ remote_config.err_pos += retval;
++ if (MAXLINE < remote_config.err_pos) {
++ /* err_msg overflowed! */
++ remote_config.err_pos = MAXLINE;
++ }
+ }
+ }
+ 
diff -Nru ntpsec-1.1.0+dfsg1/debian/patches/series ntpsec-1.1.0+dfsg1/debian/patches/series
--- ntpsec-1.1.0+dfsg1/debian/patches/series 2018-03-16 00:42:24.000000000 -0500
+++ ntpsec-1.1.0+dfsg1/debian/patches/series 2019-01-18 20:07:06.000000000 -0600
@@ -1,3 +1,8 @@
+# Accepted upstream
+ntp_control-Check-for-count-too-big-in-control-packet.patch
+ntp_control-Stop-potentially-dereferencing-a-NULL-pointer.patch
+ntp_parser.y-Fix-a-potential-overflow-in-err_msg.patch
+
 # Forwarding not needed
 use-upstream-version.patch
 systemd-use-wrapper.patch
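Review bot: In the ntp_parser.y patch, after snprintf truncates it has placed the terminator at err_msg[MAXLINE - 1], yet err_pos ends at MAXLINE both when the clamp fires and when retval exactly fills the remaining space (the clamp only tests `MAXLINE < err_pos`), so err_pos no longer equals strlen(err_msg); if err_msg is MAXLINE bytes and any reader treats err_pos as the message length, that reader takes the NUL or one byte past the array as text. Changing the two lines to `if (MAXLINE <= remote_config.err_pos) {` and `remote_config.err_pos = MAXLINE - 1;` keeps position and terminator in step and still trips the `(MAXLINE - 10) < remote_config.err_pos` early return on the next error. That `10` is an unexplained magic number; a comment such as `/* give up once fewer than 10 bytes remain: not enough for a "column N" prefix */` or a named constant would record the intent, hedged since the reason is not visible. The err_msg and err_pos declarations and the function's start are outside the hunk.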