diff -Nru modsecurity-apache-2.6.6/debian/changelog modsecurity-apache-2.6.6/debian/changelog
--- modsecurity-apache-2.6.6/debian/changelog	2012-10-22 07:25:47.000000000 -0700
+++ modsecurity-apache-2.6.6/debian/changelog	2013-04-14 22:37:07.000000000 -0700
@@ -1,3 +1,15 @@
+modsecurity-apache (2.6.6-5ubuntu0.1) lucid-security; urgency=low
+
+  * SECURITY UPDATE: disclosure of local files or denial of service by
+    resource exhaustion via XML External Entity (XEE) attacks (LP:
+    #1169030)
+    - debian/patches/CVE-2013-1915.patch: Add an option to allow loading
+      external entities (disabled by default). Backported from upstream
+      patch
+    - CVE-2013-1915
+
+ -- Evan Broder <evan@stripe.com>  Sun, 14 Apr 2013 22:09:28 -0700
+
 modsecurity-apache (2.6.6-5) unstable; urgency=high
 
   * Applied upstream patch to fix multipart/invalid part
diff -Nru modsecurity-apache-2.6.6/debian/patches/CVE-2013-1915.patch modsecurity-apache-2.6.6/debian/patches/CVE-2013-1915.patch
--- modsecurity-apache-2.6.6/debian/patches/CVE-2013-1915.patch	1969-12-31 16:00:00.000000000 -0800
+++ modsecurity-apache-2.6.6/debian/patches/CVE-2013-1915.patch	2013-04-14 22:36:54.000000000 -0700
@@ -0,0 +1,139 @@
+Subject: Add SecXmlExternalEntity to control loading external XML entities
+Origin: backport, https://github.com/SpiderLabs/ModSecurity/commit/d4d80b38aa85eccb26e3c61b04d16e8ca5de76fe
+Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=704625
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/modsecurity-apache/+bug/1169030
+From: Breno Silva <breno.silva@gmail.com>
+Last-Updated: 2013-04-14
+
+Index: modsecurity-apache-2.6.6/apache2/apache2_config.c
+===================================================================
+--- modsecurity-apache-2.6.6.orig/apache2/apache2_config.c	2012-06-14 06:39:00.000000000 -0700
++++ modsecurity-apache-2.6.6/apache2/apache2_config.c	2013-04-14 22:08:01.432481370 -0700
+@@ -128,6 +128,9 @@
+     /* Collection timeout */
+     dcfg->col_timeout = NOT_SET;
+ 
++    /* xml external entity */
++    dcfg->xml_external_entity = NOT_SET;
++
+     return dcfg;
+ }
+ 
+@@ -518,6 +521,10 @@
+     merged->col_timeout = (child->col_timeout == NOT_SET
+         ? parent->col_timeout : child->col_timeout);
+ 
++    /* xml external entity */
++    merged->xml_external_entity = (child->xml_external_entity == NOT_SET
++        ? parent->xml_external_entity : child->xml_external_entity);
++
+     return merged;
+ }
+ 
+@@ -615,6 +622,10 @@
+     if (dcfg->disable_backend_compression == NOT_SET) dcfg->disable_backend_compression = 0;
+ 
+     if (dcfg->col_timeout == NOT_SET) dcfg->col_timeout = 3600;
++
++    /* xml external entity */
++    if (dcfg->xml_external_entity == NOT_SET) dcfg->xml_external_entity = 0;
++
+ }
+ 
+ /**
+@@ -1961,6 +1972,33 @@
+     return NULL;
+ }
+ 
++/**
++* \brief Add SecXmlExternalEntity configuration option
++*
++* \param cmd Pointer to configuration data
++* \param _dcfg Pointer to directory configuration
++* \param p1 Pointer to configuration option
++*
++* \retval NULL On failure
++* \retval apr_psprintf On Success
++*/
++static const char *cmd_xml_external_entity(cmd_parms *cmd, void *_dcfg, const char *p1)
++{
++    directory_config *dcfg = (directory_config *)_dcfg;
++    if (dcfg == NULL) return NULL;
++
++    if (strcasecmp(p1, "on") == 0)  {
++        dcfg->xml_external_entity = 1;
++    }
++    else if (strcasecmp(p1, "off") == 0)    {
++        dcfg->xml_external_entity = 0;
++    }
++    else return apr_psprintf(cmd->pool, "ModSecurity: Invalid value for SecXmlExternalEntity: %s", p1);
++
++    return NULL;
++}
++
++
+ /* PCRE Limits */
+ 
+ static const char *cmd_pcre_match_limit(cmd_parms *cmd,
+@@ -2566,6 +2604,14 @@
+         NULL,
+         CMD_SCOPE_ANY,
+         "On or Off"
++    ),
++
++    AP_INIT_TAKE1 (
++        "SecXmlExternalEntity",
++        cmd_xml_external_entity,
++        NULL,
++        CMD_SCOPE_ANY,
++        "On or Off"
+     ),
+ 
+     AP_INIT_FLAG (
+Index: modsecurity-apache-2.6.6/apache2/modsecurity.h
+===================================================================
+--- modsecurity-apache-2.6.6.orig/apache2/modsecurity.h	2012-06-14 06:39:00.000000000 -0700
++++ modsecurity-apache-2.6.6/apache2/modsecurity.h	2013-04-14 22:08:01.432481370 -0700
+@@ -522,6 +522,9 @@
+ 
+     /* Collection timeout */
+     int col_timeout;
++
++    /* xml */
++    int xml_external_entity;
+ };
+ 
+ struct error_message {
+Index: modsecurity-apache-2.6.6/apache2/msc_xml.c
+===================================================================
+--- modsecurity-apache-2.6.6.orig/apache2/msc_xml.c	2012-06-14 06:39:00.000000000 -0700
++++ modsecurity-apache-2.6.6/apache2/msc_xml.c	2013-04-14 22:08:01.436481362 -0700
+@@ -14,17 +14,28 @@
+ 
+ #include "msc_xml.h"
+ 
++static xmlParserInputBufferPtr
++xml_unload_external_entity(const char *URI, xmlCharEncoding enc)    {
++    return NULL;
++}
++
+ 
+ /**
+  * Initialise XML parser.
+  */
+ int xml_init(modsec_rec *msr, char **error_msg) {
++    xmlParserInputBufferCreateFilenameFunc entity;
++
+     if (error_msg == NULL) return -1;
+     *error_msg = NULL;
+ 
+     msr->xml = apr_pcalloc(msr->mp, sizeof(xml_data));
+     if (msr->xml == NULL) return -1;
+ 
++    if(msr->txcfg->xml_external_entity == 0)    {
++        entity = xmlParserInputBufferCreateFilenameDefault(xml_unload_external_entity);
++    }
++
+     return 1;
+ }
+ 
diff -Nru modsecurity-apache-2.6.6/debian/patches/series modsecurity-apache-2.6.6/debian/patches/series
--- modsecurity-apache-2.6.6/debian/patches/series	2012-10-22 07:20:39.000000000 -0700
+++ modsecurity-apache-2.6.6/debian/patches/series	2013-04-14 22:07:51.000000000 -0700
@@ -1,2 +1,3 @@
 debian_log_dir.patch
 CVE-2012-4528.patch
+CVE-2013-1915.patch