diff -Nru batik-1.7.ubuntu/debian/changelog batik-1.7.ubuntu/debian/changelog
--- batik-1.7.ubuntu/debian/changelog 2012-05-22 15:25:46.000000000 +0000
+++ batik-1.7.ubuntu/debian/changelog 2017-05-04 16:50:52.000000000 +0000
@@ -1,3 +1,23 @@
+batik (1.7.ubuntu-8ubuntu2.14.04.2) trusty-security; urgency=medium
+
+ * SECURITY UPDATE: SSRF through external DTD resolution
+ - debian/patches/CVE-2017-5662.patch: disable external DTD resolution
+ in sources/org/apache/batik/dom/util/SAXDocumentFactory.java.
+ - Thanks to Debian for the patch backport.
+ - CVE-2017-5662
+
+ -- Marc Deslauriers Thu, 04 May 2017 12:48:26 -0400
+
+batik (1.7.ubuntu-8ubuntu2.14.04.1) trusty-security; urgency=medium
+
+ * SECURITY UPDATE: XML external entity information disclosure
+ - debian/patches/cve_2015_0250.patch: disable external entities in
+ sources/org/apache/batik/dom/util/SAXDocumentFactory.java.
+ - Thanks to Debian for the patch backport.
+ - CVE-2015-0250
+
+ -- Marc Deslauriers Tue, 24 Mar 2015 10:51:32 -0400
+
 batik (1.7.ubuntu-8ubuntu2) quantal; urgency=low
 * Switch package to use default-jdk instead of openjdk-6:
diff -Nru batik-1.7.ubuntu/debian/patches/cve_2015_0250.patch batik-1.7.ubuntu/debian/patches/cve_2015_0250.patch
--- batik-1.7.ubuntu/debian/patches/cve_2015_0250.patch 1970-01-01 00:00:00.000000000 +0000
+++ batik-1.7.ubuntu/debian/patches/cve_2015_0250.patch 2015-03-24 14:51:27.000000000 +0000
@@ -0,0 +1,60 @@
+Description: Fix information disclosure by disabling external XML entity processing.
+ The upstream patch was modified slightly to apply cleanly against
+ the source package in Debian.
+Forwarded: not-needed
+Origin: https://svn.apache.org/viewvc/xmlgraphics/batik/trunk/sources/org/apache/batik/dom/util/SAXDocumentFactory.java?r1=662304&r2=1664335&view=patch
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=780897
+
+--- a/sources/org/apache/batik/dom/util/SAXDocumentFactory.java
++++ b/sources/org/apache/batik/dom/util/SAXDocumentFactory.java
+@@ -30,25 +30,26 @@
+ import javax.xml.parsers.SAXParser;
+ import javax.xml.parsers.SAXParserFactory;
+ 
+-import org.apache.batik.util.HaltingThread;
+-import org.apache.batik.util.XMLConstants;
+-
++import org.w3c.dom.DOMImplementation;
++import org.w3c.dom.Document;
++import org.w3c.dom.DocumentType;
++import org.w3c.dom.Element;
++import org.w3c.dom.Node;
+ import org.xml.sax.Attributes;
+ import org.xml.sax.ErrorHandler;
+ import org.xml.sax.InputSource;
+ import org.xml.sax.Locator;
+ import org.xml.sax.SAXException;
+ import org.xml.sax.SAXNotRecognizedException;
++import org.xml.sax.SAXNotSupportedException;
+ import org.xml.sax.SAXParseException;
+ import org.xml.sax.XMLReader;
+ import org.xml.sax.ext.LexicalHandler;
+ import org.xml.sax.helpers.DefaultHandler;
+ import org.xml.sax.helpers.XMLReaderFactory;
+ 
+-import org.w3c.dom.DOMImplementation;
+-import org.w3c.dom.Document;
+-import org.w3c.dom.Element;
+-import org.w3c.dom.Node;
++import org.apache.batik.util.HaltingThread;
++import org.apache.batik.util.XMLConstants;
+ 
+ /**
+ * This class contains methods for creating Document instances
+@@ -391,6 +392,16 @@
+ static SAXParserFactory saxFactory;
+ static {
+ saxFactory = SAXParserFactory.newInstance();
++ try {
++ saxFactory.setFeature("http://xml.org/sax/features/external-general-entities", false);
++ saxFactory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
++ } catch (SAXNotRecognizedException e) {
++ e.printStackTrace();
++ } catch (SAXNotSupportedException e) {
++ e.printStackTrace();
++ } catch (ParserConfigurationException e) {
++ e.printStackTrace();
++ }
+ }
+ 
+ /**
diff -Nru batik-1.7.ubuntu/debian/patches/CVE-2017-5662.patch batik-1.7.ubuntu/debian/patches/CVE-2017-5662.patch
--- batik-1.7.ubuntu/debian/patches/CVE-2017-5662.patch 1970-01-01 00:00:00.000000000 +0000
+++ batik-1.7.ubuntu/debian/patches/CVE-2017-5662.patch 2017-05-04 16:48:19.000000000 +0000
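Review bot: The three catch blocks added to the static initializer (`e.printStackTrace()` after each `saxFactory.setFeature(...)`) fail open: if the underlying parser does not recognise or support either feature, the stack trace goes to stderr and the factory keeps handing out parsers that still resolve external entities, which is exactly the condition CVE-2015-0250 is meant to close. For a security hardening the safer choice is to fail closed, e.g. `throw new ExceptionInInitializerError(e);` in each catch, or at minimum to record the degraded state so callers can refuse untrusted input; the CVE-2017-5662 patch later in this debdiff sets the same features on `parser` without any catch, so the two sites currently disagree on that policy. Features set on `saxFactory` also only reach parsers created via `saxFactory.newSAXParser()`; the hunk keeps the `org.xml.sax.helpers.XMLReaderFactory` import, and a reader created through that path would not inherit them, which appears to be what the 2017 follow-up addresses by repeating the calls on the reader. A one-line comment above the `try`, such as `// CVE-2015-0250: never resolve external entities from untrusted documents`, would tell the next backporter why the block exists.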
@@ -0,0 +1,27 @@
+Description: fix for CVE-2017-5662
+Bug-Debian: https://bugs.debian.org/860566
+Origin: upstream, http://svn.apache.org/viewvc?view=revision&revision=1742892 http://svn.apache.org/viewvc?view=revision&revision=1743326
+Bug: https://issues.apache.org/jira/browse/BATIK-1139
+Reviewed-By: Antoine Beaupré
+Last-Update: 2017-04-26
+
+--- batik-1.7+dfsg.orig/sources/org/apache/batik/dom/util/SAXDocumentFactory.java
++++ batik-1.7+dfsg/sources/org/apache/batik/dom/util/SAXDocumentFactory.java
+@@ -395,6 +395,7 @@ public class SAXDocumentFactory
+ try {
+ saxFactory.setFeature("http://xml.org/sax/features/external-general-entities", false);
+ saxFactory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
++ saxFactory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
+ } catch (SAXNotRecognizedException e) {
+ e.printStackTrace();
+ } catch (SAXNotSupportedException e) {
+@@ -437,6 +438,9 @@ public class SAXDocumentFactory
+ true);
+ parser.setFeature("http://xml.org/sax/features/validation",
+ isValidating);
++ parser.setFeature("http://xml.org/sax/features/external-general-entities", false);
++ parser.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
++ parser.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
+ parser.setProperty("http://xml.org/sax/properties/lexical-handler",
+ this);
+ parser.parse(is);
diff -Nru batik-1.7.ubuntu/debian/patches/series batik-1.7.ubuntu/debian/patches/series
--- batik-1.7.ubuntu/debian/patches/series 2012-05-16 16:40:02.000000000 +0000
+++ batik-1.7.ubuntu/debian/patches/series 2017-05-04 16:48:19.000000000 +0000
@@ -1,2 +1,4 @@
 06_fix_paths_in_policy_files.patch
 source-1.5.patch
+cve_2015_0250.patch
+CVE-2017-5662.patch
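Review bot: `http://apache.org/xml/features/nonvalidating/load-external-dtd` is documented by Xerces as applying only when validation is off, and in the second hunk it is set immediately after `parser.setFeature("http://xml.org/sax/features/validation", isValidating)`; when `isValidating` is true the external DTD is presumably still fetched, so the SSRF path this patch targets stays open for validating parses. If validating mode has to keep working, the safer form is an `EntityResolver` that serves known DTDs locally and refuses every other system id, which the enclosing method (it starts and ends outside the hunk) and its callers would need to be checked for. The unguarded `parser.setFeature` calls here propagate `SAXNotRecognizedException`/`SAXNotSupportedException` to the caller, which is the right fail-closed behaviour, but it is the opposite of the `printStackTrace()` fallback kept in the static initializer in the first hunk; the two sites should agree. A comment above the three added lines, such as `// CVE-2017-5662: never fetch external entities or DTDs for untrusted input; repeated per parser because factory features do not reach every reader`, would record why the settings are duplicated.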