diff -Nru apache2-2.2.22/debian/changelog apache2-2.2.22/debian/changelog
--- apache2-2.2.22/debian/changelog	2013-03-08 14:54:13.000000000 +0000
+++ apache2-2.2.22/debian/changelog	2013-07-12 12:58:11.000000000 +0000
@@ -1,3 +1,16 @@
+apache2 (2.2.22-1ubuntu1.4) precise-security; urgency=low
+
+  * SECURITY UPDATE: log file poisoning via mod_rewrite (LP: #1188069)
+    - debian/patches/CVE-2013-1862.patch: properly escape items in
+      modules/mappers/mod_rewrite.c.
+    - CVE-2013-1862
+  * SECURITY UPDATE: denial of service via MERGE request
+    - debian/patches/CVE-2013-1896.patch: make sure DAV is enabled for URI
+      in modules/dav/main/mod_dav.c.
+    - CVE-2013-1896
+
+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Fri, 12 Jul 2013 08:58:01 -0400
+
 apache2 (2.2.22-1ubuntu1.3) precise-security; urgency=low
 
   * SECURITY UPDATE: multiple cross-site scripting issues
diff -Nru apache2-2.2.22/debian/patches/CVE-2013-1862.patch apache2-2.2.22/debian/patches/CVE-2013-1862.patch
--- apache2-2.2.22/debian/patches/CVE-2013-1862.patch	1970-01-01 00:00:00.000000000 +0000
+++ apache2-2.2.22/debian/patches/CVE-2013-1862.patch	2013-07-12 12:57:09.000000000 +0000
@@ -0,0 +1,33 @@
+Description: fix log file poisoning via mod_rewrite
+Origin: upstream, http://svn.apache.org/viewvc?view=revision&revision=1482349
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1188069
+
+Index: apache2-2.2.22/modules/mappers/mod_rewrite.c
+===================================================================
+--- apache2-2.2.22.orig/modules/mappers/mod_rewrite.c	2013-07-12 08:08:49.000000000 -0400
++++ apache2-2.2.22/modules/mappers/mod_rewrite.c	2013-07-12 08:28:34.254549021 -0400
+@@ -493,11 +493,11 @@
+ 
+     logline = apr_psprintf(r->pool, "%s %s %s %s [%s/sid#%pp][rid#%pp/%s%s%s] "
+                                     "(%d) %s%s%s%s" APR_EOL_STR,
+-                           rhost ? rhost : "UNKNOWN-HOST",
+-                           rname ? rname : "-",
+-                           r->user ? (*r->user ? r->user : "\"\"") : "-",
++                           rhost ? ap_escape_logitem(r->pool, rhost) : "UNKNOWN-HOST",
++                           rname ? ap_escape_logitem(r->pool, rname) : "-",
++                           r->user ? (*r->user ? ap_escape_logitem(r->pool, r->user) : "\"\"") : "-",
+                            current_logtime(r),
+-                           ap_get_server_name(r),
++                           ap_escape_logitem(r->pool, ap_get_server_name(r)),
+                            (void *)(r->server),
+                            (void *)r,
+                            r->main ? "subreq" : "initial",
+@@ -507,7 +507,7 @@
+                            perdir ? "[perdir " : "",
+                            perdir ? perdir : "",
+                            perdir ? "] ": "",
+-                           text);
++                           ap_escape_logitem(r->pool, text));
+ 
+     nbytes = strlen(logline);
+     apr_file_write(conf->rewritelogfp, logline, &nbytes);
diff -Nru apache2-2.2.22/debian/patches/CVE-2013-1896.patch apache2-2.2.22/debian/patches/CVE-2013-1896.patch
--- apache2-2.2.22/debian/patches/CVE-2013-1896.patch	1970-01-01 00:00:00.000000000 +0000
+++ apache2-2.2.22/debian/patches/CVE-2013-1896.patch	2013-07-12 12:57:14.000000000 +0000
@@ -0,0 +1,33 @@
+Description: fix denial of service via MERGE request
+Origin: upstream, http://svn.apache.org/viewvc?view=revision&revision=1497101
+Origin: upstream, http://svn.apache.org/viewvc?view=revision&revision=1497212
+
+Index: apache2-2.2.22/modules/dav/main/mod_dav.c
+===================================================================
+--- apache2-2.2.22.orig/modules/dav/main/mod_dav.c	2013-07-12 08:28:50.666549535 -0400
++++ apache2-2.2.22/modules/dav/main/mod_dav.c	2013-07-12 08:29:07.298550056 -0400
+@@ -719,6 +719,12 @@
+ 
+     conf = ap_get_module_config(r->per_dir_config, &dav_module);
+     /* assert: conf->provider != NULL */
++    if (conf->provider == NULL) {
++        return dav_new_error(r->pool, HTTP_METHOD_NOT_ALLOWED, 0,
++                             apr_psprintf(r->pool,
++				          "DAV not enabled for %s",
++					  ap_escape_html(r->pool, r->uri)));
++    }
+ 
+     /* resolve the resource */
+     err = (*conf->provider->repos->get_resource)(r, conf->dir,
+@@ -2655,11 +2661,6 @@
+                                   "Destination URI had an error.");
+     }
+ 
+-    if (dav_get_provider(lookup.rnew) == NULL) {
+-        return dav_error_response(r, HTTP_METHOD_NOT_ALLOWED,
+-                                  "DAV not enabled for Destination URI.");
+-    }
+-
+     /* Resolve destination resource */
+     err = dav_get_resource(lookup.rnew, 0 /* label_allowed */,
+                            0 /* use_checked_in */, &resnew);
diff -Nru apache2-2.2.22/debian/patches/series apache2-2.2.22/debian/patches/series
--- apache2-2.2.22/debian/patches/series	2013-03-08 14:42:55.000000000 +0000
+++ apache2-2.2.22/debian/patches/series	2013-07-12 12:57:14.000000000 +0000
@@ -32,3 +32,5 @@
 CVE-2012-2687.patch
 CVE-2012-4929.patch
 CVE-2012-3499_4558.patch
+CVE-2013-1862.patch
+CVE-2013-1896.patch