diff -Nru glibc-2.23/debian/changelog glibc-2.23/debian/changelog
--- glibc-2.23/debian/changelog 2020-06-04 17:57:49.000000000 +0000
+++ glibc-2.23/debian/changelog 2021-04-21 17:09:19.000000000 +0000
@@ -1,3 +1,18 @@
+glibc (2.23-0ubuntu11.3) xenial-security; urgency=medium
+
+ * SECURITY UPDATE: DoS via regular expression
+ - debian/patches/CVE-2009-5155.patch: diagnose invalid back-reference
+ in posix/regcomp.c, remove invalid test in posix/PCRE.tests.
+ - CVE-2009-5155
+ * SECURITY UPDATE: signed comparison vulnerability exists in ARM memcpy
+ - debian/patches/CVE-2020-6096-1.patch: fix multiarch memcpy for
+ negative length in sysdeps/arm/armv7/multiarch/memcpy_impl.S.
+ - debian/patches/CVE-2020-6096-2.patch: fix memcpy and memmove for
+ negative length in sysdeps/arm/memcpy.S, sysdeps/arm/memmove.S.
+ - CVE-2020-6096
+
+ -- Marc Deslauriers Tue, 20 Apr 2021 14:52:26 -0400
+
 glibc (2.23-0ubuntu11.2) xenial-security; urgency=medium
 
 * SECURITY UPDATE: Use-after-free in clntudp_call
diff -Nru glibc-2.23/debian/patches/any/CVE-2009-5155.patch glibc-2.23/debian/patches/any/CVE-2009-5155.patch
--- glibc-2.23/debian/patches/any/CVE-2009-5155.patch 1970-01-01 00:00:00.000000000 +0000
+++ glibc-2.23/debian/patches/any/CVE-2009-5155.patch 2021-04-21 13:27:18.000000000 +0000
@@ -0,0 +1,90 @@
+Backport of:
+
+(also added test change from glibc eb04c21373e2a2885f3d52ff192b0499afe3c672)
+
+From 5513b40999149090987a0341c018d05d3eea1272 Mon Sep 17 00:00:00 2001
+From: Paul Eggert
+Date: Sat, 19 Sep 2015 13:53:34 -0700
+Subject: Diagnose ERE '()|\1'
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Problem reported by Hanno Böck in: http://bugs.gnu.org/21513
+* lib/regcomp.c (parse_reg_exp): While parsing alternatives, keep
+track of the set of previously-completed subexpressions available
+before the first alternative, and restore this set just before
+parsing each subsequent alternative. This lets us diagnose the
+invalid back-reference in the ERE '()|\1'.
+---
+ ChangeLog | 8 ++++++++
+ lib/regcomp.c | 4 ++++
+ 2 files changed, 12 insertions(+)
+
+#diff --git a/ChangeLog b/ChangeLog
+#index f846aac70..7c8356600 100644
+#--- a/ChangeLog
+#+++ b/ChangeLog
+#@@ -1,5 +1,13 @@
+# 2015-09-19 Paul Eggert
+#
+#+ Diagnose ERE '()|\1'
+#+ Problem reported by Hanno Böck in: http://bugs.gnu.org/21513
+#+ * lib/regcomp.c (parse_reg_exp): While parsing alternatives, keep
+#+ track of the set of previously-completed subexpressions available
+#+ before the first alternative, and restore this set just before
+#+ parsing each subsequent alternative. This lets us diagnose the
+#+ invalid back-reference in the ERE '()|\1'.
+#+
+# regex: merge patches from libc
+#
+# 2015-09-08 Joseph Myers
+--- a/posix/regcomp.c
++++ b/posix/regcomp.c
+@@ -2134,6 +2134,7 @@ parse_reg_exp (re_string_t *regexp, rege
+ {
+ re_dfa_t *dfa = (re_dfa_t *) preg->buffer;
+ bin_tree_t *tree, *branch = NULL;
++ bitset_word_t initial_bkref_map = dfa->completed_bkref_map;
+ tree = parse_branch (regexp, preg, token, syntax, nest, err);
+ if (BE (*err != REG_NOERROR && tree == NULL, 0))
+ return NULL;
+@@ -2144,6 +2145,8 @@ parse_reg_exp (re_string_t *regexp, rege
+ if (token->type != OP_ALT && token->type != END_OF_RE
+ && (nest == 0 || token->type != OP_CLOSE_SUBEXP))
+ {
++ bitset_word_t accumulated_bkref_map = dfa->completed_bkref_map;
++ dfa->completed_bkref_map = initial_bkref_map;
+ branch = parse_branch (regexp, preg, token, syntax, nest, err);
+ if (BE (*err != REG_NOERROR && branch == NULL, 0))
+ {
+@@ -2151,6 +2154,7 @@ parse_reg_exp (re_string_t *regexp, rege
+ postorder (tree, free_tree, NULL);
+ return NULL;
+ }
++ dfa->completed_bkref_map |= accumulated_bkref_map;
+ }
+ else
+ branch = NULL;
+--- a/posix/PCRE.tests
++++ b/posix/PCRE.tests
+@@ -1774,19 +1774,6 @@ No match
+ 0: abcabc
+ 1: abc
+
+-/(a)|\1/
+- a
+- 0: a
+- 1: a
+- *** Failers
+- 0: a
+- 1: a
+- ab
+- 0: a
+- 1: a
+- x
+-No match
+-
+ /abc/i
+ ABC
+ 0: ABC
diff -Nru glibc-2.23/debian/patches/any/CVE-2020-6096-1.patch glibc-2.23/debian/patches/any/CVE-2020-6096-1.patch
--- glibc-2.23/debian/patches/any/CVE-2020-6096-1.patch 1970-01-01 00:00:00.000000000 +0000
+++ glibc-2.23/debian/patches/any/CVE-2020-6096-1.patch 2021-04-20 18:41:44.000000000 +0000
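Review bot: The regcomp.c change is covered only by the removal of the `/(a)|\1/` block from posix/PCRE.tests (the third hunk of the nested patch); nothing in the backport asserts that an ERE whose back-reference names a group completed only in an earlier alternative is now rejected, so a later change that re-accepted `()|\1` would pass the suite unnoticed. Consider adding a positive case to the posix regex tests that calls regcomp on such a pattern with REG_EXTENDED and expects a non-zero return (REG_ESUBREG is the POSIX code for an invalid back-reference). The new `initial_bkref_map` line would also benefit from a why-comment, e.g. `/* Back-references completed before this alternation; each alternative restarts from this set so a group that exists only in another alternative cannot be referenced.  */`. parse_reg_exp begins before the first nested hunk and continues past the last one.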
@@ -0,0 +1,104 @@
+Backport of:
+
+From beea361050728138b82c57dda0c4810402d342b9 Mon Sep 17 00:00:00 2001
+From: Alexander Anisimov
+Date: Wed, 8 Jul 2020 14:18:31 +0200
+Subject: [PATCH] arm: CVE-2020-6096: Fix multiarch memcpy for negative length
+ [BZ #25620]
+
+Unsigned branch instructions could be used for r2 to fix the wrong
+behavior when a negative length is passed to memcpy.
+This commit fixes the armv7 version.
+---
+ sysdeps/arm/armv7/multiarch/memcpy_impl.S | 22 +++++++++++-----------
+ 1 file changed, 11 insertions(+), 11 deletions(-)
+
+--- a/sysdeps/arm/armv7/multiarch/memcpy_impl.S
++++ b/sysdeps/arm/armv7/multiarch/memcpy_impl.S
+@@ -299,7 +299,7 @@ ENTRY(memcpy)
+
+ mov dst, dstin /* Preserve dstin, we need to return it. */
+ cmp count, #64
+- bge .Lcpy_not_short
++ bhs .Lcpy_not_short
+ /* Deal with small copies quickly by dropping straight into the
+ exit block. */
+
+@@ -404,10 +404,10 @@ ENTRY(memcpy)
+
+ 1:
+ subs tmp2, count, #64 /* Use tmp2 for count. */
+- blt .Ltail63aligned
++ blo .Ltail63aligned
+
+ cmp tmp2, #512
+- bge .Lcpy_body_long
++ bhs .Lcpy_body_long
+
+ .Lcpy_body_medium: /* Count in tmp2. */
+ #ifdef USE_VFP
+@@ -447,7 +447,7 @@ ENTRY(memcpy)
+ sfi_breg dst, \
+ vstr d1, [\B, #56]
+ add dst, dst, #64
+- bge 1b
++ bhs 1b
+ tst tmp2, #0x3f
+ beq .Ldone
+
+@@ -499,7 +499,7 @@ ENTRY(memcpy)
+ sfi_breg dst, \
+ strd A_l, A_h, [\B, #64]!
+ subs tmp2, tmp2, #64
+- bge 1b
++ bhs 1b
+ tst tmp2, #0x3f
+ bne 1f
+ ldr tmp2,[sp], #FRAME_SIZE
+@@ -585,7 +585,7 @@ ENTRY(memcpy)
+ add src, src, #32
+
+ subs tmp2, tmp2, #prefetch_lines * 64 * 2
+- blt 2f
++ blo 2f
+ 1:
+ cpy_line_vfp d3, 0
+ cpy_line_vfp d4, 64
+@@ -597,7 +597,7 @@ ENTRY(memcpy)
+ add dst, dst, #2 * 64
+ add src, src, #2 * 64
+ subs tmp2, tmp2, #prefetch_lines * 64
+- bge 1b
++ bhs 1b
+
+ 2:
+ cpy_tail_vfp d3, 0
+@@ -760,8 +760,8 @@ ENTRY(memcpy)
+ 1:
+ sfi_pld src, #(3 * 64)
+ subs count, count, #64
+- ldrmi tmp2, [sp], #FRAME_SIZE
+- bmi .Ltail63unaligned
++ ldrlo tmp2, [sp], #FRAME_SIZE
++ blo .Ltail63unaligned
+ sfi_pld src, #(4 * 64)
+
+ #ifdef USE_NEON
+@@ -786,7 +786,7 @@ ENTRY(memcpy)
+ sfi_breg src, neon_load_multi d0-d3, \B
+ sfi_breg src, neon_load_multi d4-d7, \B
+ subs count, count, #64
+- bmi 2f
++ blo 2f
+ 1:
+ sfi_pld src, #(4 * 64)
+ sfi_breg dst, neon_store_multi d0-d3, \B
+@@ -794,7 +794,7 @@ ENTRY(memcpy)
+ sfi_breg dst, neon_store_multi d4-d7, \B
+ sfi_breg src, neon_load_multi d4-d7, \B
+ subs count, count, #64
+- bpl 1b
++ bhs 1b
+ 2:
+ sfi_breg dst, neon_store_multi d0-d3, \B
+ sfi_breg dst, neon_store_multi d4-d7, \B
diff -Nru glibc-2.23/debian/patches/any/CVE-2020-6096-2.patch glibc-2.23/debian/patches/any/CVE-2020-6096-2.patch
--- glibc-2.23/debian/patches/any/CVE-2020-6096-2.patch 1970-01-01 00:00:00.000000000 +0000
+++ glibc-2.23/debian/patches/any/CVE-2020-6096-2.patch 2021-04-20 18:48:57.000000000 +0000
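Review bot: None of the eleven changed branches in memcpy_impl.S records why the unsigned forms are required, so a maintainer who reads `count`/`tmp2` as a signed byte count could restore `bge`/`blt`/`bmi`/`bpl` in a later edit and silently reintroduce the CVE-2020-6096 behaviour; a comment at the first changed site (the `cmp count, #64` in the `@@ -299` hunk), e.g. `/* count is a size_t: all compares/subs on it use unsigned conditions (hs/lo), never ge/lt/mi/pl.  */`, would pin the invariant. The same applies to the `blo`/`bhs` and `PLD( cmp r2, #96 )` changes to sysdeps/arm/memcpy.S and sysdeps/arm/memmove.S in CVE-2020-6096-2.patch. The surrounding ENTRY(memcpy) body starts and ends outside every hunk shown.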
@@ -0,0 +1,184 @@
+Backport of:
+
+From 79a4fa341b8a89cb03f84564fd72abaa1a2db394 Mon Sep 17 00:00:00 2001
+From: Evgeny Eremin
+Date: Wed, 8 Jul 2020 14:18:19 +0200
+Subject: [PATCH] arm: CVE-2020-6096: fix memcpy and memmove for negative
+ length [BZ #25620]
+
+Unsigned branch instructions could be used for r2 to fix the wrong
+behavior when a negative length is passed to memcpy and memmove.
+This commit fixes the generic arm implementation of memcpy amd memmove.
+---
+ sysdeps/arm/memcpy.S | 24 ++++++++++--------------
+ sysdeps/arm/memmove.S | 24 ++++++++++--------------
+ 2 files changed, 20 insertions(+), 28 deletions(-)
+
+--- a/sysdeps/arm/memcpy.S
++++ b/sysdeps/arm/memcpy.S
+@@ -68,7 +68,7 @@ ENTRY(memcpy)
+ cfi_remember_state
+
+ subs r2, r2, #4
+- blt 8f
++ blo 8f
+ ands ip, r0, #3
+ PLD( sfi_pld r1, #0 )
+ bne 9f
+@@ -82,7 +82,7 @@ ENTRY(memcpy)
+ cfi_rel_offset (r6, 4)
+ cfi_rel_offset (r7, 8)
+ cfi_rel_offset (r8, 12)
+- blt 5f
++ blo 5f
+
+ CALGN( ands ip, r1, #31 )
+ CALGN( rsb r3, ip, #32 )
+@@ -98,9 +98,9 @@ ENTRY(memcpy)
+ #endif
+
+ PLD( sfi_pld r1, #0 )
+-2: PLD( subs r2, r2, #96 )
++2: PLD( cmp r2, #96 )
+ PLD( sfi_pld r1, #28 )
+- PLD( blt 4f )
++ PLD( blo 4f )
+ PLD( sfi_pld r1, #60 )
+ PLD( sfi_pld r1, #92 )
+
+@@ -110,9 +110,7 @@ ENTRY(memcpy)
+ subs r2, r2, #32
+ sfi_breg r0, \
+ stmia \B!, {r3, r4, r5, r6, r7, r8, ip, lr}
+- bge 3b
+- PLD( cmn r2, #96 )
+- PLD( bge 4b )
++ bhs 3b
+
+ 5: ands ip, r2, #28
+ rsb ip, ip, #32
+@@ -250,7 +248,7 @@ ENTRY(memcpy)
+ subs r2, r2, ip
+ sfi_breg r0, \
+ strb lr, [\B], #1
+- blt 8b
++ blo 8b
+ ands ip, r1, #3
+ beq 1b
+
+@@ -265,7 +263,7 @@ ENTRY(memcpy)
+ .macro forward_copy_shift pull push
+
+ subs r2, r2, #28
+- blt 14f
++ blo 14f
+
+ CALGN( ands ip, r1, #31 )
+ CALGN( rsb ip, ip, #32 )
+@@ -282,9 +280,9 @@ ENTRY(memcpy)
+ cfi_rel_offset (r10, 16)
+
+ PLD( sfi_pld r1, #0 )
+- PLD( subs r2, r2, #96 )
++ PLD( cmp r2, #96 )
+ PLD( sfi_pld r1, #28 )
+- PLD( blt 13f )
++ PLD( blo 13f )
+ PLD( sfi_pld r1, #60 )
+ PLD( sfi_pld r1, #92 )
+
+@@ -312,9 +310,7 @@ ENTRY(memcpy)
+ orr ip, ip, lr, PUSH #\push
+ sfi_breg r0, \
+ stmia \B!, {r3, r4, r5, r6, r7, r8, r10, ip}
+- bge 12b
+- PLD( cmn r2, #96 )
+- PLD( bge 13b )
++ bhs 12b
+
+ pop {r5 - r8, r10}
+ cfi_adjust_cfa_offset (-20)
+--- a/sysdeps/arm/memmove.S
++++ b/sysdeps/arm/memmove.S
+@@ -85,7 +85,7 @@ ENTRY(memmove)
+ add r1, r1, r2
+ add r0, r0, r2
+ subs r2, r2, #4
+- blt 8f
++ blo 8f
+ ands ip, r0, #3
+ PLD( sfi_pld r1, #-4 )
+ bne 9f
+@@ -99,7 +99,7 @@ ENTRY(memmove)
+ cfi_rel_offset (r6, 4)
+ cfi_rel_offset (r7, 8)
+ cfi_rel_offset (r8, 12)
+- blt 5f
++ blo 5f
+
+ CALGN( ands ip, r1, #31 )
+ CALGN( sbcsne r4, ip, r2 ) @ C is always set here
+@@ -114,9 +114,9 @@ ENTRY(memmove)
+ #endif
+
+ PLD( sfi_pld r1, #-4 )
+-2: PLD( subs r2, r2, #96 )
++2: PLD( cmp r2, #96 )
+ PLD( sfi_pld r1, #-32 )
+- PLD( blt 4f )
++ PLD( blo 4f )
+ PLD( sfi_pld r1, #-64 )
+ PLD( sfi_pld r1, #-96 )
+
+@@ -126,9 +126,7 @@ ENTRY(memmove)
+ subs r2, r2, #32
+ sfi_breg r0, \
+ stmdb \B!, {r3, r4, r5, r6, r7, r8, ip, lr}
+- bge 3b
+- PLD( cmn r2, #96 )
+- PLD( bge 4b )
++ bhs 3b
+
+ 5: ands ip, r2, #28
+ rsb ip, ip, #32
+@@ -265,7 +263,7 @@ ENTRY(memmove)
+ subs r2, r2, ip
+ sfi_breg r0, \
+ strb lr, [\B, #-1]!
+- blt 8b
++ blo 8b
+ ands ip, r1, #3
+ beq 1b
+
+@@ -280,7 +278,7 @@ ENTRY(memmove)
+ .macro backward_copy_shift push pull
+
+ subs r2, r2, #28
+- blt 14f
++ blo 14f
+
+ CALGN( ands ip, r1, #31 )
+ CALGN( rsb ip, ip, #32 )
+@@ -297,9 +295,9 @@ ENTRY(memmove)
+ cfi_rel_offset (r10, 16)
+
+ PLD( sfi_pld r1, #-4 )
+- PLD( subs r2, r2, #96 )
++ PLD( cmp r2, #96 )
+ PLD( sfi_pld r1, #-32 )
+- PLD( blt 13f )
++ PLD( blo 13f )
+ PLD( sfi_pld r1, #-64 )
+ PLD( sfi_pld r1, #-96 )
+
+@@ -327,9 +325,7 @@ ENTRY(memmove)
+ orr r4, r4, r3, PULL #\pull
+ sfi_breg r0, \
+ stmdb \B!, {r4 - r8, r10, ip, lr}
+- bge 12b
+- PLD( cmn r2, #96 )
+- PLD( bge 13b )
++ bhs 12b
+
+ pop {r5 - r8, r10}
+ cfi_adjust_cfa_offset (-20)
diff -Nru glibc-2.23/debian/patches/series glibc-2.23/debian/patches/series
--- glibc-2.23/debian/patches/series 2020-06-04 17:56:19.000000000 +0000
+++ glibc-2.23/debian/patches/series 2021-04-21 11:09:52.000000000 +0000
@@ -262,3 +262,6 @@
 any/CVE-2020-1751.patch
 any/CVE-2020-1752.patch
 any/CVE-2020-10029.patch
+any/CVE-2009-5155.patch
+any/CVE-2020-6096-1.patch
+any/CVE-2020-6096-2.patch