diff -Nru miniupnpc-1.9.20140610/debian/changelog miniupnpc-1.9.20140610/debian/changelog
--- miniupnpc-1.9.20140610/debian/changelog 2017-06-15 18:46:27.000000000 +0000
+++ miniupnpc-1.9.20140610/debian/changelog 2018-02-07 18:44:03.000000000 +0000
@@ -1,3 +1,14 @@
+miniupnpc (1.9.20140610-4ubuntu2) bionic; urgency=medium
+
+ * SECURITY UPDATE: multiple overflows
+ - debian/patches/CVE-2017-1000494-1.patch: properly initialize data
+ structure for SOAP parsing in upnpreplyparse.c.
+ - debian/patches/CVE-2017-1000494-2.patch: fix heap buffer overflow in
+ minixml.c.
+ - CVE-2017-1000494
+
+ -- Marc Deslauriers Wed, 07 Feb 2018 13:44:03 -0500
+
 miniupnpc (1.9.20140610-4ubuntu1) artful; urgency=medium
 
 * Merge from Debian unstable. Remaining changes:
diff -Nru miniupnpc-1.9.20140610/debian/patches/CVE-2017-1000494-1.patch miniupnpc-1.9.20140610/debian/patches/CVE-2017-1000494-1.patch
--- miniupnpc-1.9.20140610/debian/patches/CVE-2017-1000494-1.patch 1970-01-01 00:00:00.000000000 +0000
+++ miniupnpc-1.9.20140610/debian/patches/CVE-2017-1000494-1.patch 2018-01-31 18:32:42.000000000 +0000
@@ -0,0 +1,31 @@
+Backport of:
+
+From 7aeb624b44f86d335841242ff427433190e7168a Mon Sep 17 00:00:00 2001
+From: Thomas Bernard
+Date: Mon, 11 Dec 2017 14:27:27 +0100
+Subject: [PATCH] properly initialize data structure for SOAP parsing in
+ ParseNameValue()
+
+topelt field was not properly initialized.
+
+should fix #268
+---
+ miniupnpc/upnpreplyparse.c | 9 ++++-----
+ miniupnpd/upnpreplyparse.c | 9 ++++-----
+ 2 files changed, 8 insertions(+), 10 deletions(-)
+
+Index: miniupnpc-1.9.20140610/upnpreplyparse.c
+===================================================================
+--- miniupnpc-1.9.20140610.orig/upnpreplyparse.c 2018-01-31 13:27:00.801969170 -0500
++++ miniupnpc-1.9.20140610/upnpreplyparse.c 2018-01-31 13:32:10.657265044 -0500
+@@ -90,9 +90,7 @@ ParseNameValue(const char * buffer, int
+ struct NameValueParserData * data)
+ {
+ struct xmlparser parser;
+- LIST_INIT(&(data->head));
+- data->portListing = NULL;
+- data->portListingLength = 0;
++ memset(data, 0, sizeof(struct NameValueParserData));
+ /* init xmlparser object */
+ parser.xmlstart = buffer;
+ parser.xmlsize = bufsize;
diff -Nru miniupnpc-1.9.20140610/debian/patches/CVE-2017-1000494-2.patch miniupnpc-1.9.20140610/debian/patches/CVE-2017-1000494-2.patch
--- miniupnpc-1.9.20140610/debian/patches/CVE-2017-1000494-2.patch 1970-01-01 00:00:00.000000000 +0000
+++ miniupnpc-1.9.20140610/debian/patches/CVE-2017-1000494-2.patch 2018-01-31 18:32:51.000000000 +0000
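Review bot: Dropping `LIST_INIT(&(data->head));` in ParseNameValue() (upnpreplyparse.c) makes the list head's empty state depend on all-zero bytes matching whatever the macro would have written, and the macro's definition is not visible in this hunk. Keeping the call right after the new line keeps that invariant explicit at no cost: `memset(data, 0, sizeof *data);` followed by `LIST_INIT(&(data->head));`. Using `sizeof *data` also ties the length to the pointer, so the wipe cannot fall out of step if the parameter's type changes. This structure is filled while parsing SOAP replies received from the network, so every field, including the `topelt` field the commit message names, should start from a defined state. The function body continues beyond the hunk.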
@@ -0,0 +1,25 @@
+From a0573e251817ec090a8c9f9f41b56d720c835a6c Mon Sep 17 00:00:00 2001
+From: Thomas Bernard
+Date: Mon, 11 Dec 2017 14:59:29 +0100
+Subject: [PATCH] minixml.c: fix heap buffer overflow
+
+should fix #268
+---
+ miniupnpc/minixml.c | 8 +++++---
+ miniupnpd/minixml.c | 8 +++++---
+ 2 files changed, 10 insertions(+), 6 deletions(-)
+
+diff --git a/minixml.c b/minixml.c
+index 1f222734..ed2d3c75 100644
+--- a/minixml.c
++++ b/minixml.c
+@@ -161,7 +162,8 @@ static void parseelt(struct xmlparser * p)
+ if (p->xml >= p->xmlend)
+ return;
+ }
+- if(memcmp(p->xml, " */
++ if((p->xmlend >= (p->xml + (9 + 3))) && (memcmp(p->xml, "xml += 9;
diff -Nru miniupnpc-1.9.20140610/debian/patches/series miniupnpc-1.9.20140610/debian/patches/series
--- miniupnpc-1.9.20140610/debian/patches/series 2017-05-19 15:46:54.000000000 +0000
+++ miniupnpc-1.9.20140610/debian/patches/series 2018-01-31 18:32:51.000000000 +0000
@@ -3,3 +3,5 @@
 CVE-2017-8798_integer_signedness_error.patch
 define_DEFAULT_SOURCE.patch
 overflow.patch
+CVE-2017-1000494-1.patch
+CVE-2017-1000494-2.patch
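Review bot: The new length guard in parseelt() (minixml.c) is computed by advancing the pointer, `p->xml + (9 + 3)`, which forms an address past the end of the input whenever fewer than 12 bytes remain, the very case it is meant to reject. That assumes `xmlend` marks the end of the buffer, as the preceding `p->xml >= p->xmlend` check suggests. Comparing the remaining length gives the same answer without out-of-range pointer arithmetic: `if(((p->xmlend - p->xml) >= (9 + 3)) && (memcmp(...) == 0))`. Named constants for the 9-byte opener and 3-byte terminator would also make the bound easier to audit than the bare `9 + 3`. The loop that scans for the CDATA terminator lies outside the hunk, so whether it is also bounded by `xmlend` cannot be confirmed from here and should be checked alongside this fix.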