diff -Nru curl-7.47.0/debian/changelog curl-7.47.0/debian/changelog
--- curl-7.47.0/debian/changelog 2019-05-16 12:41:16.000000000 +0000
+++ curl-7.47.0/debian/changelog 2019-09-06 05:30:31.000000000 +0000
@@ -1,3 +1,19 @@
+curl (7.47.0-1ubuntu2.14) xenial-security; urgency=medium
+
+ * SECURITY UPDATE: double-free when using kerberos over FTP may cause
+ denial-of-service
+ - debian/patches/CVE-2019-5481.patch: update lib/security.c to avoid
+ double-free on large memory allocation failures
+ - CVE-2019-5481
+ * SECURITY UPDATE: heap buffer overflow when receiving TFTP data may
+ cause denial-of-service or remote code-execution
+ - debian/patches/CVE-2019-5482.patch: ensure to use the correct block
+ size when calling recvfrom() if the server returns an OACK without
+ specifying a block size in lib/tftp.c
+ - CVE-2019-5482
+
+ -- Alex Murray Fri, 06 Sep 2019 15:00:31 +0930
+
 curl (7.47.0-1ubuntu2.13) xenial-security; urgency=medium
 
 * SECURITY UPDATE: TFTP receive buffer overflow
diff -Nru curl-7.47.0/debian/patches/CVE-2019-5481.patch curl-7.47.0/debian/patches/CVE-2019-5481.patch
--- curl-7.47.0/debian/patches/CVE-2019-5481.patch 1970-01-01 00:00:00.000000000 +0000
+++ curl-7.47.0/debian/patches/CVE-2019-5481.patch 2019-09-06 05:29:52.000000000 +0000
@@ -0,0 +1,37 @@
+From df710e843f07001ee629ab5b7169c9cb5bef21f8 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg
+Date: Tue, 3 Sep 2019 22:59:32 +0200
+Subject: [PATCH] security:read_data fix bad realloc()
+
+... that could end up a double-free
+---
+ lib/security.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+Index: curl-7.47.0/lib/security.c
+===================================================================
+--- curl-7.47.0.orig/lib/security.c
++++ curl-7.47.0/lib/security.c
+@@ -192,7 +192,6 @@ static CURLcode read_data(struct connect
+ struct krb5buffer *buf)
+ {
+ int len;
+- void *tmp = NULL;
+ CURLcode result;
+
+ result = socket_read(fd, &len, sizeof(len));
+@@ -202,12 +201,11 @@ static CURLcode read_data(struct connect
+ if(len) {
+ /* only realloc if there was a length */
+ len = ntohl(len);
+- tmp = realloc(buf->data, len);
++ buf->data = realloc(buf->data, len);
+ }
+- if(tmp == NULL)
++ if(!len || !buf->data)
+ return CURLE_OUT_OF_MEMORY;
+
+- buf->data = tmp;
+ result = socket_read(fd, buf->data, len);
+ if(result)
+ return result;
diff -Nru curl-7.47.0/debian/patches/CVE-2019-5482.patch curl-7.47.0/debian/patches/CVE-2019-5482.patch
--- curl-7.47.0/debian/patches/CVE-2019-5482.patch 1970-01-01 00:00:00.000000000 +0000
+++ curl-7.47.0/debian/patches/CVE-2019-5482.patch 2019-09-06 05:30:22.000000000 +0000
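Review bot: In the embedded lib/security.c change, `len` is a signed `int` filled straight from the peer by `socket_read()` and, after `ntohl()`, is passed to `realloc()` with no range check; a value with the top bit set is negative and converts to a very large `size_t`, so the new `if(!len || !buf->data)` rejects only zero and whatever the allocator happens to refuse. An explicit upper bound on the decoded length before the `realloc()` would make the rejection deterministic instead of allocator-dependent. Assigning the result directly to `buf->data` is what removes the stale pointer on failure, but it also discards the previous block, so a failed grow now leaks the old buffer; a comment such as `/* on failure buf->data becomes NULL: the old block is leaked, never freed twice */` would record that deliberate trade-off, and the same line should say why a zero-length frame is reported as CURLE_OUT_OF_MEMORY rather than a protocol error. read_data's signature and the remainder of its body lie outside the hunk, so how callers release buf->data afterwards cannot be checked here.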
@@ -0,0 +1,57 @@
+Backport of the following patch:
+From 0846bdc0c3f8323b931247ca31c2fb30a3265f00 Mon Sep 17 00:00:00 2001
+From: Thomas Vegas <>
+Date: Sat, 31 Aug 2019 17:30:51 +0200
+Subject: [PATCH] tftp: Alloc maximum blksize, and use default unless OACK is
+ received
+
+Fixes potential buffer overflow from 'recvfrom()', should the server
+return an OACK without blksize.
+---
+ lib/tftp.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+Index: curl-7.47.0/lib/tftp.c
+===================================================================
+--- curl-7.47.0.orig/lib/tftp.c
++++ curl-7.47.0/lib/tftp.c
+@@ -952,6 +952,7 @@ static CURLcode tftp_connect(struct conn
+ {
+ tftp_state_data_t *state;
+ int blksize, rc;
++ int need_blksize;
+
+ blksize = TFTP_BLKSIZE_DEFAULT;
+
+@@ -966,15 +967,20 @@ static CURLcode tftp_connect(struct conn
+ return CURLE_TFTP_ILLEGAL;
+ }
+
++ need_blksize = blksize;
++ /* default size is the fallback when no OACK is received */
++ if(need_blksize < TFTP_BLKSIZE_DEFAULT)
++ need_blksize = TFTP_BLKSIZE_DEFAULT;
++
+ if(!state->rpacket.data) {
+- state->rpacket.data = calloc(1, blksize + 2 + 2);
++ state->rpacket.data = calloc(1, need_blksize + 2 + 2);
+
+ if(!state->rpacket.data)
+ return CURLE_OUT_OF_MEMORY;
+ }
+
+ if(!state->spacket.data) {
+- state->spacket.data = calloc(1, blksize + 2 + 2);
++ state->spacket.data = calloc(1, need_blksize + 2 + 2);
+
+ if(!state->spacket.data)
+ return CURLE_OUT_OF_MEMORY;
+@@ -988,7 +994,7 @@ static CURLcode tftp_connect(struct conn
+ state->sockfd = state->conn->sock[FIRSTSOCKET];
+ state->state = TFTP_STATE_START;
+ state->error = TFTP_ERR_NONE;
+- state->blksize = blksize;
++ state->blksize = TFTP_BLKSIZE_DEFAULT; /* Unless updated by OACK response */
+ state->requested_blksize = blksize;
+
+ ((struct sockaddr *)&state->local_addr)->sa_family =
diff -Nru curl-7.47.0/debian/patches/series curl-7.47.0/debian/patches/series
--- curl-7.47.0/debian/patches/series 2019-05-16
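Review bot: The embedded lib/tftp.c change makes the receive and send buffers safe only under an invariant that the allocation site never states: `rpacket` and `spacket` are now sized for `need_blksize` (the larger of the requested size and `TFTP_BLKSIZE_DEFAULT`) and `state->blksize` starts at the default, so whatever code later parses the OACK must never raise `state->blksize` above `state->requested_blksize`, and that code is outside this hunk. I would record the rule next to the `need_blksize` computation: `/* buffers hold max(requested, default) bytes; an OACK must never raise blksize past requested_blksize or recvfrom() overruns them */`. The `+ 2 + 2` repeated in both `calloc()` calls is presumably the fixed packet header (opcode and block number); naming that size would make the bound easier to audit than a bare arithmetic expression. The enclosing function tftp_connect starts before the first inner hunk and continues after the last.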
12:41:08.000000000 +0000
+++ curl-7.47.0/debian/patches/series 2019-09-09 04:10:33.000000000 +0000
@@ -47,6 +47,8 @@
 CVE-2019-3822.patch
 CVE-2019-3823.patch
 CVE-2019-5436.patch
+CVE-2019-5481.patch
+CVE-2019-5482.patch
 
 # do not add patches below
 90_gnutls.patch