diff -u libxml2-2.7.8.dfsg/parser.c libxml2-2.7.8.dfsg/parser.c --- libxml2-2.7.8.dfsg/parser.c +++ libxml2-2.7.8.dfsg/parser.c @@ -5483,6 +5483,7 @@ if (RAW != '>') { xmlFatalErrMsgStr(ctxt, XML_ERR_ENTITY_NOT_FINISHED, "xmlParseEntityDecl: entity %s not terminated\n", name); + xmlStopParser(ctxt); } else { if (input != ctxt->input) { xmlFatalErrMsg(ctxt, XML_ERR_ENTITY_BOUNDARY, @@ -6594,6 +6595,8 @@ SKIP_BLANKS; if (RAW != '[') { xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID, NULL); + xmlStopParser(ctxt); + return; } else { if (ctxt->input->id != id) { xmlValidityError(ctxt, XML_ERR_ENTITY_BOUNDARY, @@ -6654,6 +6657,8 @@ SKIP_BLANKS; if (RAW != '[') { xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID, NULL); + xmlStopParser(ctxt); + return; } else { if (ctxt->input->id != id) { xmlValidityError(ctxt, XML_ERR_ENTITY_BOUNDARY, @@ -6709,6 +6714,8 @@ } else { xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID_KEYWORD, NULL); + xmlStopParser(ctxt); + return; } if (RAW == 0) @@ -6722,7 +6729,9 @@ "All markup of the conditional section is not in the same entity\n", NULL, NULL); } - SKIP(3); + if ((ctxt-> instate != XML_PARSER_EOF) && + ((ctxt->input->cur + 3) <= ctxt->input->end)) + SKIP(3); } } diff -u libxml2-2.7.8.dfsg/debian/changelog libxml2-2.7.8.dfsg/debian/changelog --- libxml2-2.7.8.dfsg/debian/changelog +++ libxml2-2.7.8.dfsg/debian/changelog 
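Review bot: The new `xmlStopParser(ctxt);` after the XML_ERR_ENTITY_NOT_FINISHED error in xmlParseEntityDecl is not followed by a `return`, unlike the same pattern added at -6594, -6654 and -6709, so the rest of xmlParseEntityDecl keeps running with `ctxt->instate == XML_PARSER_EOF`. That is presumably intentional, since the else branch is skipped and the function's tail lies outside this hunk, but it is worth a one-line comment at the call so the asymmetry does not look like an omission: `/* no return: the cleanup at the end of the function must still run */` (adjust once the tail has been checked).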
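Review bot: The bound `(ctxt->input->cur + 3) <= ctxt->input->end` forms a pointer up to two bytes past the end of the input buffer before comparing it, which is technically undefined behaviour; writing it as a distance, `(ctxt->input->end - ctxt->input->cur) >= 3`, avoids that and reads as the intent. When this guard fails while `instate` is not EOF, the `]]>` is neither consumed nor reported, because the `RAW == 0` case was handled just above, so it is worth confirming that the caller of xmlParseConditionalSections (outside this hunk) raises a diagnostic rather than silently accepting the truncated section. The stray space in `ctxt-> instate` should also go.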
@@ -1,3 +1,23 @@ +libxml2 (2.7.8.dfsg-5.1ubuntu4.12) precise-security; urgency=medium + + * SECURITY UPDATE: denial of service via XEE attack + - include/libxml/tree.h, tree.c, xmlreader.c: enforce the reader to run + in constant memory. + - patch obtained from Debian's 2.7.8.dfsg-2+squeeze12 package. + - CVE-2015-1819 + * SECURITY UPDATE: denial of service via out-of-bounds read + - parser.c: stop parsing on entities boundaries errors. + - https://git.gnome.org/browse/libxml2/commit/?id=a7dfab7411cbf545f359dd3157e5df1eb0e7ce31 + - https://git.gnome.org/browse/libxml2/commit/?id=9b8512337d14c8ddf662fcb98b0135f225a1c489 + - CVE-2015-7941 + * SECURITY UPDATE: overflow in conditional sections + - parser.c: properly check input. + - https://git.gnome.org/browse/libxml2/commit/?id=bd0526e66a56e75a18da8c15c4750db8f801c52d + - https://git.gnome.org/browse/libxml2/commit/?id=41ac9049a27f52e7a1f3b341f8714149fc88d450 + - CVE-2015-7942 + + -- Marc Deslauriers Fri, 13 Nov 2015 09:28:57 -0500 + libxml2 (2.7.8.dfsg-5.1ubuntu4.11) precise-security; urgency=medium * SECURITY UPDATE: denial of service via entity expansion only in patch2: unchanged: --- libxml2-2.7.8.dfsg.orig/tree.c +++ libxml2-2.7.8.dfsg/tree.c @@ -678,11 +678,13 @@ * XML_BUFFER_ALLOC_EXACT - use exact sizes, keeps memory usage down * XML_BUFFER_ALLOC_DOUBLEIT - double buffer when extra needed, * improves performance + * XML_BUFFER_ALLOC_BOUNDED - limit the upper size of the buffer */ void xmlSetBufferAllocationScheme(xmlBufferAllocationScheme scheme) { if ((scheme == XML_BUFFER_ALLOC_EXACT) || - (scheme == XML_BUFFER_ALLOC_DOUBLEIT)) + (scheme == XML_BUFFER_ALLOC_DOUBLEIT) || + (scheme == XML_BUFFER_ALLOC_BOUNDED)) xmlBufferAllocScheme = scheme; } 
@@ -7099,6 +7101,19 @@ size = buf->use + len + 100; #endif + if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) { + /* + * Used to provide parsing limits + */ + if ((buf->use + len >= XML_MAX_TEXT_LENGTH) || + (buf->size >= XML_MAX_TEXT_LENGTH)) { + xmlTreeErrMemory("buffer error: text too long"); + return(0); + } + if (size >= XML_MAX_TEXT_LENGTH) + size = XML_MAX_TEXT_LENGTH; + } + if ((buf->alloc == XML_BUFFER_ALLOC_IO) && (buf->contentIO != NULL)) { size_t start_buf = buf->content - buf->contentIO; @@ -7209,7 +7224,15 @@ return(0); if (buf->alloc == XML_BUFFER_ALLOC_IMMUTABLE) return(0); - + if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) { + /* + * Used to provide parsing limits + */ + if (size >= XML_MAX_TEXT_LENGTH) { + xmlTreeErrMemory("buffer error: text too long"); + return(0); + } + } /* Don't resize if we don't have to */ if (size < buf->size) return 1; @@ -7388,6 +7411,15 @@ } needSize = buf->use + len + 2; if (needSize > buf->size){ + if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) { + /* + * Used to provide parsing limits + */ + if (needSize >= XML_MAX_TEXT_LENGTH) { + xmlTreeErrMemory("buffer error: text too long"); + return(-1); + } + } if (!xmlBufferResize(buf, needSize)){ xmlTreeErrMemory("growing buffer"); return XML_ERR_NO_MEMORY; only in patch2: unchanged: --- libxml2-2.7.8.dfsg.orig/xmlreader.c +++ libxml2-2.7.8.dfsg/xmlreader.c @@ -2062,6 +2062,8 @@ "xmlNewTextReader : malloc failed\n"); return(NULL); } + /* no operation on a reader should require a huge buffer */ + xmlSetBufferAllocationScheme(XML_BUFFER_ALLOC_BOUNDED); ret->sax = (xmlSAXHandler *) xmlMalloc(sizeof(xmlSAXHandler)); if (ret->sax == NULL) { xmlBufferFree(ret->buffer); @@ -3585,6 +3587,7 @@ return(((xmlNsPtr) node)->href); case XML_ATTRIBUTE_NODE:{ xmlAttrPtr attr = (xmlAttrPtr) node; + const xmlChar *ret; if ((attr->children != NULL) && (attr->children->type == XML_TEXT_NODE) && 
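Review bot: In the XML_BUFFER_ALLOC_BOUNDED branch of xmlBufferGrow the cap is reported via `xmlTreeErrMemory(...)` and the function returns 0, the same value it returns when no growth is needed, whereas the allocation-failure path of this function (outside the hunk) returns -1 if I recall 2.7.8 correctly. A caller checking for a negative result will therefore not treat the cap as an error, and the log entry reads as an out-of-memory condition rather than a size limit. The -7388 hunk in xmlBufferAdd returns -1 for the same condition right next to an existing `return XML_ERR_NO_MEMORY;`, so the sites disagree on the error value; one convention per function plus `/* bounded buffer: hit XML_MAX_TEXT_LENGTH, not a real OOM */` at each site would make this easier to reason about. Note also that `buf->use + len` is computed in the buffer's unsigned width and can wrap for a very large `len`, exactly as the pre-existing `size = buf->use + len + 100` can.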
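Review bot: `xmlSetBufferAllocationScheme(XML_BUFFER_ALLOC_BOUNDED)` sets the library-wide default (it assigns the global `xmlBufferAllocScheme`, per the tree.c hunk at -678), yet `ret->buffer` was already created above this hunk — the error path right below frees it — so if xmlBufferCreate copies the default into `buf->alloc` at creation time, as I believe 2.7.8 does, the reader's own buffer is not bounded by this call. The same applies to the call added at -4977 in xmlTextReaderSetup. The per-buffer setter `xmlBufferSetAllocationScheme(ret->buffer, XML_BUFFER_ALLOC_BOUNDED)` would target the right object, although its accepted-scheme check would need XML_BUFFER_ALLOC_BOUNDED added alongside the tree.c change. Separately, changing the process-wide default means every xmlBuffer the application creates after a reader exists is capped at XML_MAX_TEXT_LENGTH, which deserves a sentence in the comment: `/* NOTE: this changes the default scheme for all buffers created from now on, not only this reader's */`.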
@@ -3599,8 +3602,20 @@ return (NULL); } reader->buffer->use = 0; + xmlSetBufferAllocationScheme(XML_BUFFER_ALLOC_BOUNDED); xmlNodeBufGetContent(reader->buffer, node); - return(reader->buffer->content); + if (!reader->buffer) + ret = NULL; + else + ret = reader->buffer->content; + if (ret == NULL) { + /* error on the buffer best to reallocate */ + xmlBufferFree(reader->buffer); + reader->buffer = xmlBufferCreateSize(100); + xmlSetBufferAllocationScheme(XML_BUFFER_ALLOC_BOUNDED); + ret = BAD_CAST ""; + } + return(ret); } break; } @@ -4977,6 +4992,8 @@ "xmlTextReaderSetup : malloc failed\n"); return (-1); } + /* no operation on a reader should require a huge buffer */ + xmlSetBufferAllocationScheme(XML_BUFFER_ALLOC_BOUNDED); xmlSAXVersion(reader->sax, 2); reader->startElement = reader->sax->startElement; reader->sax->startElement = xmlTextReaderStartElement; only in patch2: unchanged: --- libxml2-2.7.8.dfsg.orig/include/libxml/tree.h +++ libxml2-2.7.8.dfsg/include/libxml/tree.h @@ -74,7 +74,9 @@ XML_BUFFER_ALLOC_DOUBLEIT, /* double each time one need to grow */ XML_BUFFER_ALLOC_EXACT, /* grow only to the minimal size */ XML_BUFFER_ALLOC_IMMUTABLE, /* immutable buffer */ - XML_BUFFER_ALLOC_IO /* special allocation scheme used for I/O */ + XML_BUFFER_ALLOC_IO, /* special allocation scheme used for I/O */ + _XML_BUFFER_ALLOC_HYBRID, /* DUMMY: exact up to a threshold, and doubleit thereafter */ + XML_BUFFER_ALLOC_BOUNDED /* limit the upper size of the buffer */ } xmlBufferAllocationScheme; /**
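Review bot: The `if (!reader->buffer)` test comes after `reader->buffer->use = 0;` and `xmlNodeBufGetContent(reader->buffer, node)` have already dereferenced the pointer, so it can never catch a NULL buffer here; what the recovery path actually handles is `content == NULL` after a failed fill, and the code should say so directly with `ret = reader->buffer->content;`. On that path `reader->buffer = xmlBufferCreateSize(100);` is unchecked, so an allocation failure leaves `reader->buffer` NULL and the next call to this function dereferences it at `reader->buffer->use = 0`; adding `if (reader->buffer == NULL) return(NULL);` after the create closes that. Returning `BAD_CAST ""` on failure also makes an over-limit attribute value indistinguishable from an empty one to the caller, which only sees the error through the error handler. The `xmlSetBufferAllocationScheme` call before xmlNodeBufGetContent sets a global default and, if `buf->alloc` is fixed at creation, does not affect the existing `reader->buffer`, only the one created in the recovery path.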
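Review bot: `_XML_BUFFER_ALLOC_HYBRID` starts with an underscore followed by an uppercase letter, which C reserves for the implementation in every scope, and tree.h is a public installed header; a name like `XML_BUFFER_ALLOC_HYBRID` with the comment stating it is unused keeps the enumerator slot without the reserved identifier. The `DUMMY:` comment should also say why the slot exists — presumably to keep the value of XML_BUFFER_ALLOC_BOUNDED aligned with the upstream enum, to be confirmed — e.g. `/* placeholder: not accepted by any setter; keeps XML_BUFFER_ALLOC_BOUNDED at its upstream value */`, since the tree.c hunk at -678 rejects it.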