diff -Nru expat-2.1.0/debian/changelog expat-2.1.0/debian/changelog
--- expat-2.1.0/debian/changelog 2017-06-27 13:05:33.000000000 +0000
+++ expat-2.1.0/debian/changelog 2019-06-26 15:10:31.000000000 +0000
@@ -1,3 +1,13 @@
+expat (2.1.0-7ubuntu0.16.04.4) xenial-security; urgency=medium
+
+ * SECURITY UPDATE: Denial of service
+ - debian/patches/CVE-2018-20843.patch: adds a break in
+ setElementTypePrefix avoiding consume a high amount of RAM
+ and CPU in lib/xmlparser.c
+ - CVE-2018-20843
+
+ -- Leonidas S. Barbosa Wed, 26 Jun 2019 12:09:36 -0300
+
 expat (2.1.0-7ubuntu0.16.04.3) xenial-security; urgency=medium
 
 * SECURITY UPDATE: external entity infinite loop
diff -Nru expat-2.1.0/debian/patches/CVE-2018-20843.patch expat-2.1.0/debian/patches/CVE-2018-20843.patch
--- expat-2.1.0/debian/patches/CVE-2018-20843.patch 1970-01-01 00:00:00.000000000 +0000
+++ expat-2.1.0/debian/patches/CVE-2018-20843.patch 2019-06-26 15:09:30.000000000 +0000
@@ -0,0 +1,18 @@
+From 11f8838bf99ea0a6f0b76f9760c43704d00c4ff6 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping
+Date: Wed, 12 Jun 2019 15:42:22 +0200
+Subject: [PATCH] xmlparse.c: Fix extraction of namespace prefix from XML name
+ (#186)
+Index: expat-2.1.0/lib/xmlparse.c
+===================================================================
+--- expat-2.1.0.orig/lib/xmlparse.c
++++ expat-2.1.0/lib/xmlparse.c
+@@ -5473,7 +5473,7 @@ setElementTypePrefix(XML_Parser parser,
+ else
+ poolDiscard(&dtd->pool);
+ elementType->prefix = prefix;
+-
++ break;
+ }
+ }
+ return 1;
diff -Nru expat-2.1.0/debian/patches/series expat-2.1.0/debian/patches/series
--- expat-2.1.0/debian/patches/series 2017-06-27 13:05:27.000000000 +0000
+++ expat-2.1.0/debian/patches/series 2019-06-26 15:09:30.000000000 +0000
@@ -10,3 +10,4 @@
 CVE-2016-5300-2.patch
 CVE-2012-6702-2.patch
 CVE-2017-9233.patch
+CVE-2018-20843.patch
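Review bot: The `break;` added after `elementType->prefix = prefix;` in setElementTypePrefix has no comment explaining why the scan must stop there, and the backported patch touches only lib/xmlparse.c, so the package carries no regression test for the fix. I would add a comment on the new line such as `/* the prefix ends at the first separator; stop so the rest of the name does not repeat the pool work */`, worded to match the loop condition, which lies outside the hunk and is presumably a per-character scan of the element name. If the upstream commit referenced in the patch header ships a test for prefixed names, it is worth carrying over alongside the one-line change. The changelog entry also names lib/xmlparser.c, while the patch modifies lib/xmlparse.c.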