diff -Nru curl-7.47.0/debian/changelog curl-7.47.0/debian/changelog
--- curl-7.47.0/debian/changelog 2018-05-08 17:53:05.000000000 +0000
+++ curl-7.47.0/debian/changelog 2018-09-13 12:14:06.000000000 +0000
@@ -1,3 +1,12 @@
+curl (7.47.0-1ubuntu2.9) xenial-security; urgency=medium
+
+ * SECURITY UPDATE: Buffer overrun
+ - debian/patches/CVE-2018-14618.patch: fix in
+ lib/curl_ntlm_core.c.
+ - CVE-2018-14618
+
+ -- Leonidas S. Barbosa Thu, 13 Sep 2018 09:13:35 -0300
+
 curl (7.47.0-1ubuntu2.8) xenial-security; urgency=medium
 
 * SECURITY UPDATE: RTSP bad headers buffer over-read
diff -Nru curl-7.47.0/debian/patches/CVE-2018-14618.patch curl-7.47.0/debian/patches/CVE-2018-14618.patch
--- curl-7.47.0/debian/patches/CVE-2018-14618.patch 1970-01-01 00:00:00.000000000 +0000
+++ curl-7.47.0/debian/patches/CVE-2018-14618.patch 2018-09-13 12:13:20.000000000 +0000
@@ -0,0 +1,58 @@
+Backported of:
+
+From 57d299a499155d4b327e341c6024e293b0418243 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg
+Date: Mon, 13 Aug 2018 10:35:52 +0200
+Subject: [PATCH] Curl_ntlm_core_mk_nt_hash: return error on too long password
+
+... since it would cause an integer overflow if longer than (max size_t
+/ 2).
+
+This is CVE-2018-14618
+
+Bug: https://curl.haxx.se/docs/CVE-2018-14618.html
+Closes #2756
+Reported-by: Zhaoyang Wu
+diff --git a/lib/curl_ntlm_core.c b/lib/curl_ntlm_core.c
+index 4588b9b..b6fadb2 100644
+--- a/lib/curl_ntlm_core.c
++++ b/lib/curl_ntlm_core.c
+@@ -506,6 +506,12 @@ static void ascii_uppercase_to_unicode_le(unsigned char *dest,
+
+ #endif /* USE_NTLM_V2 && !USE_WINDOWS_SSPI */
+
++#if defined(SIZEOF_SIZE_T) && (SIZEOF_SIZE_T > 4)
++#define SIZE_T_MAX 18446744073709551615U
++#else
++#define SIZE_T_MAX 4294967295U
++#endif
++
+ /*
+ * Set up nt hashed passwords
+ * @unittest: 1600
+@@ -515,8 +521,11 @@ CURLcode Curl_ntlm_core_mk_nt_hash(struct SessionHandle *data,
+ unsigned char *ntbuffer /* 21 bytes */)
+ {
+ size_t len = strlen(password);
+- unsigned char *pw = malloc(len * 2);
++ unsigned char *pw;
+ CURLcode result;
++ if(len > SIZE_T_MAX/2) /* avoid integer overflow */
++ return CURLE_OUT_OF_MEMORY;
++ pw = len ? malloc(len * 2) : strdup("");
+ if(!pw)
+ return CURLE_OUT_OF_MEMORY;
+
+@@ -596,12 +605,6 @@ CURLcode Curl_hmac_md5(const unsigned char *key, unsigned int keylen,
+ return CURLE_OK;
+ }
+
+-#if defined(SIZEOF_SIZE_T) && (SIZEOF_SIZE_T > 4)
+-#define SIZE_T_MAX 18446744073709551615U
+-#else
+-#define SIZE_T_MAX 4294967295U
+-#endif
+-
+ /* This creates the NTLMv2 hash by using NTLM hash as the key and Unicode
+ * (uppercase UserName + Domain) as the data
+ */
diff -Nru curl-7.47.0/debian/patches/series curl-7.47.0/debian/patches/series
--- curl-7.47.0/debian/patches/series 2018-05-08 17:52:51.000000000 +0000
+++ curl-7.47.0/debian/patches/series 2018-09-13 12:13:20.000000000 +0000
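Review bot: The new guard in Curl_ntlm_core_mk_nt_hash is arithmetically right (`SIZE_T_MAX/2` is exactly the largest len for which `len * 2` does not wrap), but the comment `/* avoid integer overflow */` omits the consequence a maintainer needs to know: a wrapped `len * 2` under-allocates `pw`, and the conversion that later fills `pw` from `password` (outside this hunk, presumably two bytes per input character given the `len * 2` sizing) would then write past the end of the heap buffer; suggest `/* len * 2 must not wrap: an undersized pw would be overrun by the fill that follows (CVE-2018-14618) */`. The relocated `SIZE_T_MAX` block silently assumes a 32-bit size_t when `SIZEOF_SIZE_T` is undefined, which fails closed (over-long passwords are rejected rather than overflowing), but that direction deserves a one-line comment on the `#else` arm so nobody "fixes" it into a wider value. The `strdup("")` arm for an empty password sidesteps a spurious CURLE_OUT_OF_MEMORY on malloc(0)-returns-NULL platforms; the conditional's type is `void *` because the other operand is malloc's result, so no pointer-sign cast is needed, though a short comment saying why the empty case is special would help. The function body continues outside the hunk.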
@@ -40,5 +40,6 @@
 CVE-2018-1000301.patch
 # do not add patches below
+CVE-2018-14618.patch
 90_gnutls.patch
 99_nss.patch