reverted:
--- libapache-mod-security-2.5.11/debian/mod-security-mlogc.debhelper.log
+++ libapache-mod-security-2.5.11.orig/debian/mod-security-mlogc.debhelper.log
@@ -1,11 +0,0 @@
-dh_installdirs
-dh_install
-dh_link
-dh_strip
-dh_compress
-dh_fixperms
-dh_installdeb
-dh_shlibdeps
-dh_gencontrol
-dh_md5sums
-dh_builddeb
diff -u libapache-mod-security-2.5.11/debian/changelog libapache-mod-security-2.5.11/debian/changelog
--- libapache-mod-security-2.5.11/debian/changelog
+++ libapache-mod-security-2.5.11/debian/changelog
@@ -1,3 +1,15 @@
+libapache-mod-security (2.5.11-1ubuntu0.1) lucid-security; urgency=low
+
+  * SECURITY UPDATE: disclosure of local files or denial of service by
+    resource exhaustion via XML External Entity (XEE) attacks (LP:
+    #1169030)
+    - debian/patches/CVE-2013-1915.patch: Add an option to allow loading
+      external entities (disabled by default). Backported from upstream
+      patch
+    - CVE-2013-1915
+
+ -- Evan Broder <evan@stripe.com>  Sun, 14 Apr 2013 22:09:28 -0700
+
 libapache-mod-security (2.5.11-1) unstable; urgency=low
 
   * New upstream release
only in patch2:
unchanged:
--- libapache-mod-security-2.5.11.orig/debian/patches/CVE-2013-1915.patch
+++ libapache-mod-security-2.5.11/debian/patches/CVE-2013-1915.patch
@@ -0,0 +1,141 @@
+Subject: Add SecXmlExternalEntity to control loading external XML entities
+Origin: backport, https://github.com/SpiderLabs/ModSecurity/commit/d4d80b38aa85eccb26e3c61b04d16e8ca5de76fe
+Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=704625
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/modsecurity-apache/+bug/1169030
+From: Breno Silva <breno.silva@gmail.com>
+Last-Updated: 2013-04-14
+
+Index: libapache-mod-security-2.5.11/apache2/apache2_config.c
+===================================================================
+--- libapache-mod-security-2.5.11.orig/apache2/apache2_config.c	2009-11-05 11:36:32.000000000 -0800
++++ libapache-mod-security-2.5.11/apache2/apache2_config.c	2013-04-15 12:28:57.253307898 -0700
+@@ -123,6 +123,9 @@
+ 
+     dcfg->request_encoding = NOT_SET_P;
+ 
++    /* xml external entity */
++    dcfg->xml_external_entity = NOT_SET;
++
+     return dcfg;
+ }
+ 
+@@ -475,6 +478,10 @@
+     merged->request_encoding = (child->request_encoding == NOT_SET_P
+         ? parent->request_encoding : child->request_encoding);
+ 
++    /* xml external entity */
++    merged->xml_external_entity = (child->xml_external_entity == NOT_SET
++        ? parent->xml_external_entity : child->xml_external_entity);
++
+     return merged;
+ }
+ 
+@@ -562,6 +569,10 @@
+     if (dcfg->cache_trans_maxitems == (apr_size_t)NOT_SET) dcfg->cache_trans_maxitems = 512;
+ 
+     if (dcfg->request_encoding == NOT_SET_P) dcfg->request_encoding = NULL;
++
++    /* xml external entity */
++    if (dcfg->xml_external_entity == NOT_SET) dcfg->xml_external_entity = 0;
++
+ }
+ 
+ /**
+@@ -1629,7 +1640,34 @@
+     return NULL;
+ }
+ 
+-/* -- PDF Protection configuration -- */
++/**
++* \brief Add SecXmlExternalEntity configuration option
++*
++* \param cmd Pointer to configuration data
++* \param _dcfg Pointer to directory configuration
++* \param p1 Pointer to configuration option
++*
++* \retval NULL On failure
++* \retval apr_psprintf On Success
++*/
++static const char *cmd_xml_external_entity(cmd_parms *cmd, void *_dcfg, const char *p1)
++{
++    directory_config *dcfg = (directory_config *)_dcfg;
++    if (dcfg == NULL) return NULL;
++
++    if (strcasecmp(p1, "on") == 0)  {
++        dcfg->xml_external_entity = 1;
++    }
++    else if (strcasecmp(p1, "off") == 0)    {
++        dcfg->xml_external_entity = 0;
++    }
++    else return apr_psprintf(cmd->pool, "ModSecurity: Invalid value for SecXmlExternalEntity: %s", p1);
++
++    return NULL;
++}
++
++
++* -- PDF Protection configuration -- */
+ 
+ static const char *cmd_pdf_protect(cmd_parms *cmd, void *_dcfg, int flag) {
+     directory_config *dcfg = (directory_config *)_dcfg;
+@@ -2158,6 +2196,14 @@
+         NULL,
+         CMD_SCOPE_ANY,
+         "On or Off"
++    ),
++
++    AP_INIT_TAKE1 (
++        "SecXmlExternalEntity",
++        cmd_xml_external_entity,
++        NULL,
++        CMD_SCOPE_ANY,
++        "On or Off"
+     ),
+ 
+     AP_INIT_FLAG (
+Index: libapache-mod-security-2.5.11/apache2/modsecurity.h
+===================================================================
+--- libapache-mod-security-2.5.11.orig/apache2/modsecurity.h	2009-11-05 11:36:32.000000000 -0800
++++ libapache-mod-security-2.5.11/apache2/modsecurity.h	2013-04-15 12:23:59.306557092 -0700
+@@ -471,6 +471,9 @@
+ 
+     /* Request character encoding. */
+     const char          *request_encoding;
++
++    /* xml */
++    int xml_external_entity;
+ };
+ 
+ struct error_message {
+Index: libapache-mod-security-2.5.11/apache2/msc_xml.c
+===================================================================
+--- libapache-mod-security-2.5.11.orig/apache2/msc_xml.c	2009-03-05 21:32:03.000000000 -0800
++++ libapache-mod-security-2.5.11/apache2/msc_xml.c	2013-04-15 12:23:15.586697264 -0700
+@@ -18,17 +18,28 @@
+  */
+ #include "msc_xml.h"
+ 
++static xmlParserInputBufferPtr
++xml_unload_external_entity(const char *URI, xmlCharEncoding enc)    {
++    return NULL;
++}
++
+ 
+ /**
+  * Initialise XML parser.
+  */
+ int xml_init(modsec_rec *msr, char **error_msg) {
++    xmlParserInputBufferCreateFilenameFunc entity;
++
+     if (error_msg == NULL) return -1;
+     *error_msg = NULL;
+ 
+     msr->xml = apr_pcalloc(msr->mp, sizeof(xml_data));
+     if (msr->xml == NULL) return -1;
+ 
++    if(msr->txcfg->xml_external_entity == 0)    {
++        entity = xmlParserInputBufferCreateFilenameDefault(xml_unload_external_entity);
++    }
++
+     return 1;
+ }
+ 
only in patch2:
unchanged:
--- libapache-mod-security-2.5.11.orig/debian/patches/series
+++ libapache-mod-security-2.5.11/debian/patches/series
@@ -0,0 +1 @@
+CVE-2013-1915.patch