diff -Nru fop-1.1.dfsg/debian/changelog fop-1.1.dfsg/debian/changelog
--- fop-1.1.dfsg/debian/changelog	2013-05-21 11:21:27.000000000 +0000
+++ fop-1.1.dfsg/debian/changelog	2017-05-04 16:57:36.000000000 +0000
@@ -1,3 +1,14 @@
+fop (1:1.1.dfsg-2ubuntu1.1) trusty-security; urgency=medium
+
+  * SECURITY UPDATE: SSRF through external DTD resolution
+    - debian/patches/CVE-2017-5661.patch: disable external DTD resolution
+      in src/java/org/apache/fop/cli/InputHandler.java,
+      src/java/org/apache/fop/servlet/FopServlet.java.
+    - Thanks to Debian for the patch backport.
+    - CVE-2017-5661
+
+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Thu, 04 May 2017 12:56:32 -0400
+
 fop (1:1.1.dfsg-2ubuntu1) saucy; urgency=low
 
   * Merge from Debian unstable.  Remaining changes:
diff -Nru fop-1.1.dfsg/debian/patches/CVE-2017-5661.patch fop-1.1.dfsg/debian/patches/CVE-2017-5661.patch
--- fop-1.1.dfsg/debian/patches/CVE-2017-5661.patch	1970-01-01 00:00:00.000000000 +0000
+++ fop-1.1.dfsg/debian/patches/CVE-2017-5661.patch	2017-05-04 16:56:29.000000000 +0000
@@ -0,0 +1,32 @@
+Description: fix for CVE-2017-5661
+Origin: upstream, http://svn.apache.org/viewvc?view=revision&revision=1769967, http://svn.apache.org/viewvc?view=revision&revision=1769968
+Bug: https://issues.apache.org/jira/browse/FOP-2668
+Bug-Debian: https://bugs.debian.org/860567
+Reviewed-By: Antoine Beaupré
+Last-Update: 2017-04-26
+
+Index: fop-1.1.dfsg/src/java/org/apache/fop/cli/InputHandler.java
+===================================================================
+--- fop-1.1.dfsg.orig/src/java/org/apache/fop/cli/InputHandler.java	2017-05-04 12:56:26.055051440 -0400
++++ fop-1.1.dfsg/src/java/org/apache/fop/cli/InputHandler.java	2017-05-04 12:56:26.055051440 -0400
+@@ -259,6 +259,7 @@ public class InputHandler implements Err
+         SAXParserFactory spf = SAXParserFactory.newInstance();
+         spf.setFeature("http://xml.org/sax/features/namespaces", true);
+         spf.setFeature("http://apache.org/xml/features/xinclude", true);
++        spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+         XMLReader xr = spf.newSAXParser().getXMLReader();
+         return xr;
+     }
+Index: fop-1.1.dfsg/src/java/org/apache/fop/servlet/FopServlet.java
+===================================================================
+--- fop-1.1.dfsg.orig/src/java/org/apache/fop/servlet/FopServlet.java	2017-05-04 12:56:26.055051440 -0400
++++ fop-1.1.dfsg/src/java/org/apache/fop/servlet/FopServlet.java	2017-05-04 12:56:26.055051440 -0400
+@@ -89,6 +89,8 @@ public class FopServlet extends HttpServ
+     public void init() throws ServletException {
+         this.uriResolver = new ServletContextURIResolver(getServletContext());
+         this.transFactory = TransformerFactory.newInstance();
++        transFactory.setAttribute("http://javax.xml.XMLConstants/property/accessExternalDTD", "");
++        transFactory.setAttribute("http://javax.xml.XMLConstants/property/accessExternalStylesheet", "");
+         this.transFactory.setURIResolver(this.uriResolver);
+         //Configure FopFactory as desired
+         this.fopFactory = FopFactory.newInstance();
diff -Nru fop-1.1.dfsg/debian/patches/series fop-1.1.dfsg/debian/patches/series
--- fop-1.1.dfsg/debian/patches/series	2013-05-16 15:42:01.000000000 +0000
+++ fop-1.1.dfsg/debian/patches/series	2017-05-04 16:56:24.000000000 +0000
@@ -1,2 +1,3 @@
 04_fixqdoxbuildfailure.patch
 fixbuildxml.patch
+CVE-2017-5661.patch