diff -Nru batik-1.7.ubuntu/debian/changelog batik-1.7.ubuntu/debian/changelog
--- batik-1.7.ubuntu/debian/changelog 2015-03-24 14:51:40.000000000 +0000
+++ batik-1.7.ubuntu/debian/changelog 2017-05-04 16:50:52.000000000 +0000
@@ -1,3 +1,13 @@
+batik (1.7.ubuntu-8ubuntu2.14.04.2) trusty-security; urgency=medium
+
+ * SECURITY UPDATE: SSRF through external DTD resolution
+ - debian/patches/CVE-2017-5662.patch: disable external DTD resolution
+ in sources/org/apache/batik/dom/util/SAXDocumentFactory.java.
+ - Thanks to Debian for the patch backport.
+ - CVE-2017-5662
+
+ -- Marc Deslauriers Thu, 04 May 2017 12:48:26 -0400
+
 batik (1.7.ubuntu-8ubuntu2.14.04.1) trusty-security; urgency=medium
 
 * SECURITY UPDATE: XML external entity information disclosure
diff -Nru batik-1.7.ubuntu/debian/patches/CVE-2017-5662.patch batik-1.7.ubuntu/debian/patches/CVE-2017-5662.patch
--- batik-1.7.ubuntu/debian/patches/CVE-2017-5662.patch 1970-01-01 00:00:00.000000000 +0000
+++ batik-1.7.ubuntu/debian/patches/CVE-2017-5662.patch 2017-05-04 16:48:19.000000000 +0000
@@ -0,0 +1,27 @@
+Description: fix for CVE-2017-5662
+Bug-Debian: https://bugs.debian.org/860566
+Origin: upstream, http://svn.apache.org/viewvc?view=revision&revision=1742892 http://svn.apache.org/viewvc?view=revision&revision=1743326
+Bug: https://issues.apache.org/jira/browse/BATIK-1139
+Reviewed-By: Antoine Beaupré
+Last-Update: 2017-04-26
+
+--- batik-1.7+dfsg.orig/sources/org/apache/batik/dom/util/SAXDocumentFactory.java
++++ batik-1.7+dfsg/sources/org/apache/batik/dom/util/SAXDocumentFactory.java
+@@ -395,6 +395,7 @@ public class SAXDocumentFactory
+ try {
+ saxFactory.setFeature("http://xml.org/sax/features/external-general-entities", false);
+ saxFactory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
++ saxFactory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
+ } catch (SAXNotRecognizedException e) {
+ e.printStackTrace();
+ } catch (SAXNotSupportedException e) {
+@@ -437,6 +438,9 @@ public class SAXDocumentFactory
+ true);
+ parser.setFeature("http://xml.org/sax/features/validation",
+ isValidating);
++ parser.setFeature("http://xml.org/sax/features/external-general-entities", false);
++ parser.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
++ parser.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
+ parser.setProperty("http://xml.org/sax/properties/lexical-handler",
+ this);
+ parser.parse(is);
diff -Nru batik-1.7.ubuntu/debian/patches/series batik-1.7.ubuntu/debian/patches/series
--- batik-1.7.ubuntu/debian/patches/series 2015-03-24 14:51:27.000000000 +0000
+++ batik-1.7.ubuntu/debian/patches/series 2017-05-04 16:48:19.000000000 +0000
@@ -1,3 +1,4 @@
 06_fix_paths_in_policy_files.patch
 source-1.5.patch
 cve_2015_0250.patch
+CVE-2017-5662.patch
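Review bot: The `load-external-dtd` feature added at both sites in the nested SAXDocumentFactory.java patch is, as far as I recall from the Xerces feature documentation, a nonvalidating-mode feature that has no effect while `http://xml.org/sax/features/validation` is true, and the parser-level hunk sets validation to `isValidating` immediately above the new lines, so a validating parse would still resolve the external DTD. A comment on the new line would keep this from being read as a complete fix, e.g. `// has no effect when validation is on; validating parses still fetch the DTD unless an EntityResolver blocks it`, and installing an EntityResolver that rejects external system identifiers would make the mitigation independent of the validation flag. In the factory-level hunk the catch blocks only call `e.printStackTrace()`, so a parser implementation that does not recognize the Apache-specific feature silently runs without the hardening; logging that the feature could not be set, or failing the parse, would make that state visible. Both enclosing methods start and end outside the hunk.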