diff -Nru freeradius-2.1.12+dfsg/debian/changelog freeradius-2.1.12+dfsg/debian/changelog
--- freeradius-2.1.12+dfsg/debian/changelog	2013-12-28 20:40:58.000000000 +0000
+++ freeradius-2.1.12+dfsg/debian/changelog	2014-02-24 14:15:32.000000000 +0000
@@ -1,3 +1,13 @@
+freeradius (2.1.12+dfsg-1.2ubuntu8) trusty; urgency=medium
+
+  * SECURITY UPDATE: denial of service and possible code execution via
+    buffer overflow in rlm_pap module
+    - debian/patches/CVE-2013-2015.patch: properly handle buffer size in
+      src/modules/rlm_pap/rlm_pap.c.
+    - CVE-2014-2015
+
+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Mon, 24 Feb 2014 09:13:43 -0500
+
 freeradius (2.1.12+dfsg-1.2ubuntu7) trusty; urgency=medium
 
   * Patch auto tools files to build on ppc64el.
diff -Nru freeradius-2.1.12+dfsg/debian/patches/CVE-2014-2015.patch freeradius-2.1.12+dfsg/debian/patches/CVE-2014-2015.patch
--- freeradius-2.1.12+dfsg/debian/patches/CVE-2014-2015.patch	1970-01-01 00:00:00.000000000 +0000
+++ freeradius-2.1.12+dfsg/debian/patches/CVE-2014-2015.patch	2014-02-24 14:13:38.000000000 +0000
@@ -0,0 +1,32 @@
+From 0d606cfc29ab2e91764854e733d4525e6c667eb9 Mon Sep 17 00:00:00 2001
+From: "Alan T. DeKok" <aland@freeradius.org>
+Date: Thu, 13 Feb 2014 09:29:35 -0500
+Subject: [PATCH] Increase buffer size.  Use output buffer size as limit for
+ hex2bin
+
+---
+ src/modules/rlm_pap/rlm_pap.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+Index: freeradius-2.1.12+dfsg/src/modules/rlm_pap/rlm_pap.c
+===================================================================
+--- freeradius-2.1.12+dfsg.orig/src/modules/rlm_pap/rlm_pap.c	2014-02-24 09:13:36.279874125 -0500
++++ freeradius-2.1.12+dfsg/src/modules/rlm_pap/rlm_pap.c	2014-02-24 09:13:36.271874125 -0500
+@@ -244,7 +244,7 @@
+ static void normify(REQUEST *request, VALUE_PAIR *vp, size_t min_length)
+ {
+ 	size_t decoded;
+-	uint8_t buffer[64];
++	uint8_t buffer[256];
+ 
+ 	if (min_length >= sizeof(buffer)) return; /* paranoia */
+ 
+@@ -252,7 +252,7 @@
+ 	 *	Hex encoding.
+ 	 */
+ 	if (vp->length >= (2 * min_length)) {
+-		decoded = fr_hex2bin(vp->vp_strvalue, buffer, vp->length >> 1);
++		decoded = fr_hex2bin(vp->vp_strvalue, buffer, sizeof(buffer));
+ 		if (decoded == (vp->length >> 1)) {
+ 			RDEBUG2("Normalizing %s from hex encoding", vp->name);
+ 			memcpy(vp->vp_octets, buffer, decoded);
diff -Nru freeradius-2.1.12+dfsg/debian/patches/series freeradius-2.1.12+dfsg/debian/patches/series
--- freeradius-2.1.12+dfsg/debian/patches/series	2013-12-28 20:35:50.000000000 +0000
+++ freeradius-2.1.12+dfsg/debian/patches/series	2014-02-24 14:13:34.000000000 +0000
@@ -14,3 +14,4 @@
 ftbfs-libeap
 ftbfs-libfreeradius
 ppc64le.diff
+CVE-2014-2015.patch