reverted:
--- libapache-mod-security-2.5.11/debian/mod-security-mlogc.debhelper.log
+++ libapache-mod-security-2.5.11.orig/debian/mod-security-mlogc.debhelper.log
@@ -1,11 +0,0 @@
-dh_installdirs
-dh_install
-dh_link
-dh_strip
-dh_compress
-dh_fixperms
-dh_installdeb
-dh_shlibdeps
-dh_gencontrol
-dh_md5sums
-dh_builddeb
diff -u libapache-mod-security-2.5.11/debian/changelog libapache-mod-security-2.5.11/debian/changelog
--- libapache-mod-security-2.5.11/debian/changelog
+++ libapache-mod-security-2.5.11/debian/changelog
@@ -1,3 +1,20 @@
+libapache-mod-security (2.5.11-1ubuntu0.1) lucid-security; urgency=low
+
+ * SECURITY UPDATE: bypass multipart filtering using invalid quoting (LP:
+ #1016909)
+ - debian/patches/CVE-2012-2751: Fix detection of invalid
+ quotes. Thanks to Alberto Gonzalez Iniesta for the backported patch.
+ - CVE-2012-2751
+ * SECURITY UPDATE: disclosure of local files or denial of service by
+ resource exhaustion via XML External Entity (XEE) attacks (LP:
+ #1169030)
+ - debian/patches/CVE-2013-1915.patch: Add an option to allow loading
+ external entities (disabled by default). Backported from upstream
+ patch
+ - CVE-2013-1915
+
+ -- Evan Broder Tue, 16 Apr 2013 09:05:37 -0700
+
 libapache-mod-security (2.5.11-1) unstable; urgency=low
 
 * New upstream release
only in patch2:
unchanged:
--- libapache-mod-security-2.5.11.orig/debian/patches/CVE-2013-1915.patch
+++ libapache-mod-security-2.5.11/debian/patches/CVE-2013-1915.patch
@@ -0,0 +1,141 @@
+Subject: Add SecXmlExternalEntity to control loading external XML entities
+Origin: backport, https://github.com/SpiderLabs/ModSecurity/commit/d4d80b38aa85eccb26e3c61b04d16e8ca5de76fe
+Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=704625
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/modsecurity-apache/+bug/1169030
+From: Breno Silva
+Last-Updated: 2013-04-14
+
+Index: libapache-mod-security-2.5.11/apache2/apache2_config.c
+===================================================================
+--- libapache-mod-security-2.5.11.orig/apache2/apache2_config.c 2009-11-05 11:36:32.000000000 -0800
++++ libapache-mod-security-2.5.11/apache2/apache2_config.c 2013-04-15 12:28:57.253307898 -0700
+@@ -123,6 +123,9 @@
+
+ dcfg->request_encoding = NOT_SET_P;
+
++ /* xml external entity */
++ dcfg->xml_external_entity = NOT_SET;
++
+ return dcfg;
+ }
+
+@@ -475,6 +478,10 @@
+ merged->request_encoding = (child->request_encoding == NOT_SET_P
+ ? parent->request_encoding : child->request_encoding);
+
++ /* xml external entity */
++ merged->xml_external_entity = (child->xml_external_entity == NOT_SET
++ ? parent->xml_external_entity : child->xml_external_entity);
++
+ return merged;
+ }
+
+@@ -562,6 +569,10 @@
+ if (dcfg->cache_trans_maxitems == (apr_size_t)NOT_SET) dcfg->cache_trans_maxitems = 512;
+
+ if (dcfg->request_encoding == NOT_SET_P) dcfg->request_encoding = NULL;
++
++ /* xml external entity */
++ if (dcfg->xml_external_entity == NOT_SET) dcfg->xml_external_entity = 0;
++
+ }
+
+ /**
+@@ -1629,7 +1640,34 @@
+ return NULL;
+ }
+
+-/* -- PDF Protection configuration -- */
++/**
++* \brief Add SecXmlExternalEntity configuration option
++*
++* \param cmd Pointer to configuration data
++* \param _dcfg Pointer to directory configuration
++* \param p1 Pointer to configuration option
++*
++* \retval NULL On failure
++* \retval apr_psprintf On Success
++*/
++static const char *cmd_xml_external_entity(cmd_parms *cmd, void *_dcfg, const char *p1)
++{
++ directory_config *dcfg = (directory_config *)_dcfg;
++ if (dcfg == NULL) return NULL;
++
++ if (strcasecmp(p1, "on") == 0) {
++ dcfg->xml_external_entity = 1;
++ }
++ else if (strcasecmp(p1, "off") == 0) {
++ dcfg->xml_external_entity = 0;
++ }
++ else return apr_psprintf(cmd->pool, "ModSecurity: Invalid value for SecXmlExternalEntity: %s", p1);
++
++ return NULL;
++}
++
++
++* -- PDF Protection configuration -- */
+
+ static const char *cmd_pdf_protect(cmd_parms *cmd, void *_dcfg, int flag) {
+ directory_config *dcfg = (directory_config *)_dcfg;
+@@ -2158,6 +2196,14 @@
+ NULL,
+ CMD_SCOPE_ANY,
+ "On or Off"
++ ),
++
++ AP_INIT_TAKE1 (
++ "SecXmlExternalEntity",
++ cmd_xml_external_entity,
++ NULL,
++ CMD_SCOPE_ANY,
++ "On or Off"
+ ),
+
+ AP_INIT_FLAG (
+Index: libapache-mod-security-2.5.11/apache2/modsecurity.h
+===================================================================
+--- libapache-mod-security-2.5.11.orig/apache2/modsecurity.h 2009-11-05 11:36:32.000000000 -0800
++++ libapache-mod-security-2.5.11/apache2/modsecurity.h 2013-04-15 12:23:59.306557092 -0700
+@@ -471,6 +471,9 @@
+
+ /* Request character encoding. */
+ const char *request_encoding;
++
++ /* xml */
++ int xml_external_entity;
+ };
+
+ struct error_message {
+Index: libapache-mod-security-2.5.11/apache2/msc_xml.c
+===================================================================
+--- libapache-mod-security-2.5.11.orig/apache2/msc_xml.c 2009-03-05 21:32:03.000000000 -0800
++++ libapache-mod-security-2.5.11/apache2/msc_xml.c 2013-04-15 12:23:15.586697264 -0700
+@@ -18,17 +18,28 @@
+ */
+ #include "msc_xml.h"
+
++static xmlParserInputBufferPtr
++xml_unload_external_entity(const char *URI, xmlCharEncoding enc) {
++ return NULL;
++}
++
+
+ /**
+ * Initialise XML parser.
+ */
+ int xml_init(modsec_rec *msr, char **error_msg) {
++ xmlParserInputBufferCreateFilenameFunc entity;
++
+ if (error_msg == NULL) return -1;
+ *error_msg = NULL;
+
+ msr->xml = apr_pcalloc(msr->mp, sizeof(xml_data));
+ if (msr->xml == NULL) return -1;
+
++ if(msr->txcfg->xml_external_entity == 0) {
++ entity = xmlParserInputBufferCreateFilenameDefault(xml_unload_external_entity);
++ }
++
+ return 1;
+ }
+
only in patch2:
unchanged:
--- libapache-mod-security-2.5.11.orig/debian/patches/series
+++ libapache-mod-security-2.5.11/debian/patches/series
@@ -0,0 +1,2 @@
+CVE-2012-2751.patch
+CVE-2013-1915.patch
only in patch2:
unchanged:
--- libapache-mod-security-2.5.11.orig/debian/patches/CVE-2012-2751.patch
+++ libapache-mod-security-2.5.11/debian/patches/CVE-2012-2751.patch
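Review bot: In the msc_xml.c hunk, xml_init() installs the blocking loader with `xmlParserInputBufferCreateFilenameDefault(xml_unload_external_entity)`, which replaces a libxml2-wide default rather than a setting on this transaction's parser, and the previous callback saved in `entity` is never used again. As far as the hunk shows, nothing restores it, so a context that sets `SecXmlExternalEntity On` would presumably still get the NULL-returning loader once any Off transaction has run in the same process or thread; saving the old callback in the transaction and restoring it in the XML cleanup path (outside this hunk) would keep the directive per-context. In apache2_config.c the doc comment on cmd_xml_external_entity() has the return values inverted: the handler returns NULL on success and the `apr_psprintf` message on an invalid value, so it should read `\retval NULL On success` and `\retval char* Error message on invalid value`. The re-added banner line in the same hunk reads `* -- PDF Protection configuration -- */` without the opening `/`, which would not compile if the patch file really contains it that way.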
@@ -0,0 +1,89 @@
+Subject: Fix quote validation in multipart code
+Origin: vendor, http://bazaar.launchpad.net/~ubuntu-branches/debian/squeeze/libapache-mod-security/squeeze/view/head:/debian/patches/CVE-2012-2751.patch
+Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=678529
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/modsecurity-apache/+bug/1016909
+From: Alberto Gonzalez Iniesta
+Last-Updated: 2013-04-16
+
+Patches backported from
+https://github.com/SpiderLabs/ModSecurity/commit/d3ad05e9c9ef9db05d683730719cb7ca63309389
+and
+https://github.com/SpiderLabs/ModSecurity/commit/988e78e9ab6c42d2dba8ce5b310e11282566daff
+
+Index: libapache-mod-security-2.5.12/apache2/msc_multipart.c
+===================================================================
+--- libapache-mod-security-2.5.12.orig/apache2/msc_multipart.c 2012-07-02 14:46:27.599913760 +0000
++++ libapache-mod-security-2.5.12/apache2/msc_multipart.c 2012-07-02 14:46:52.608037765 +0000
+@@ -24,6 +24,32 @@
+ #include "msc_util.h"
+ #include "msc_parsers.h"
+
++void validate_quotes(modsec_rec *msr, unsigned char *data) {
++ int i, len;
++
++ if(msr == NULL)
++ return;
++
++ if(msr->mpd == NULL)
++ return;
++
++ if(data == NULL)
++ return;
++
++ len = strlen(data);
++
++ for(i = 0; i < len; i++) {
++
++ if(data[i] == '\'') {
++ if (msr->txcfg->debuglog_level >= 9) {
++ msr_log(msr, 9, "Multipart: Invalid quoting detected: %s length %d bytes",
++ log_escape_nq(msr->mp, data), len);
++ }
++ msr->mpd->flag_invalid_quoting = 1;
++ }
++ }
++}
++
+
+ #if 0
+ static char *multipart_construct_filename(modsec_rec *msr) {
+@@ -159,6 +185,9 @@
+ /* evaluate part */
+
+ if (strcmp(name, "name") == 0) {
++
++ validate_quotes(msr, value);
++
+ if (msr->mpd->mpp->name != NULL) {
+ msr_log(msr, 4, "Multipart: Warning: Duplicate Content-Disposition name: %s",
+ log_escape_nq(msr->mp, value));
+@@ -173,6 +202,9 @@
+ }
+ else
+ if (strcmp(name, "filename") == 0) {
++
++ validate_quotes(msr, value);
++
+ if (msr->mpd->mpp->filename != NULL) {
+ msr_log(msr, 4, "Multipart: Warning: Duplicate Content-Disposition filename: %s",
+ log_escape_nq(msr->mp, value));
+@@ -191,7 +223,18 @@
+ while((*p == '\t') || (*p == ' ')) p++;
+ /* the next character must be a zero or a semi-colon */
+ if (*p == '\0') return 1; /* this is OK */
+- if (*p != ';') return -12;
++ if (*p != ';') {
++ p--;
++ if(*p == '\'' || *p == '\"') {
++ if (msr->txcfg->debuglog_level >= 9) {
++ msr_log(msr, 9, "Multipart: Invalid quoting detected: %s length %d bytes",
++ log_escape_nq(msr->mp, p), strlen(p));
++ }
++ msr->mpd->flag_invalid_quoting = 1;
++ }
++ p++;
++ return -12;
++ }
+ p++; /* move over the semi-colon */
+ }
+
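Review bot: In the last msc_multipart.c hunk the new debug call passes `strlen(p)` to the `%d` in "length %d bytes"; strlen() returns size_t, so on LP64 builds the argument does not match the conversion (assuming msr_log forwards to a printf-style formatter), and the line should be `log_escape_nq(msr->mp, p), (int)strlen(p));`. The new validate_quotes() in the first hunk of the same file keeps scanning after the first `'` and writes one identical level-9 log line per quote found, so a `break;` after `msr->mpd->flag_invalid_quoting = 1;` would give the same result with a single entry. validate_quotes() is also defined without `static` or a visible prototype and hands an `unsigned char *` to strlen(); declaring it `static` and calling `strlen((const char *)data)` would avoid the pointer-sign warning. The function containing the `p--` check starts outside the hunk, so whether `p` can sit at the start of the buffer there cannot be confirmed from here.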