diff -Nru php-ssh2-0.12/debian/changelog php-ssh2-0.12/debian/changelog
--- php-ssh2-0.12/debian/changelog	2014-02-19 08:24:11.000000000 +0000
+++ php-ssh2-0.12/debian/changelog	2018-04-27 15:01:20.000000000 +0000
@@ -1,3 +1,11 @@
+php-ssh2 (0.12-1ubuntu0.1) trusty-security; urgency=medium
+
+  * SECURITY UPDATE: fixing php_url_parse fails
+    - debian/patches/fix_php_url_fails.patch: this fix is needed after
+      php security fix CVE-2016-10397. Fix in ssh2_fopen_wrappers.c.
+
+ -- Leonidas S. Barbosa <leo.barbosa@canonical.com>  Fri, 27 Apr 2018 12:00:57 -0300
+
 php-ssh2 (0.12-1build1) trusty; urgency=medium
 
   * No change rebuild for phpapi-20121212+lfs (LFS ABI break on 32-bit
diff -Nru php-ssh2-0.12/debian/control php-ssh2-0.12/debian/control
--- php-ssh2-0.12/debian/control	2013-08-11 15:33:07.000000000 +0000
+++ php-ssh2-0.12/debian/control	2018-04-27 15:01:24.000000000 +0000
@@ -1,7 +1,8 @@
 Source: php-ssh2
 Section: devel
 Priority: extra
-Maintainer: Martin Meredith <mez@debian.org>
+Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
+XSBC-Original-Maintainer: Martin Meredith <mez@debian.org>
 Uploaders: Lior Kaplan <kaplan@debian.org>
 Build-Depends: debhelper (>= 7), php5-dev, libssh2-1-dev, libtool
 Standards-Version: 3.9.4
diff -Nru php-ssh2-0.12/debian/patches/fix_php_url_fails.patch php-ssh2-0.12/debian/patches/fix_php_url_fails.patch
--- php-ssh2-0.12/debian/patches/fix_php_url_fails.patch	1970-01-01 00:00:00.000000000 +0000
+++ php-ssh2-0.12/debian/patches/fix_php_url_fails.patch	2018-04-27 15:00:44.000000000 +0000
@@ -0,0 +1,43 @@
+Backported of:
+
+From 093906ec1c065e86ad1cd4dabbc89b1ccae11938 Mon Sep 17 00:00:00 2001
+From: Remi Collet <remi@php.net>
+Date: Thu, 10 Nov 2016 09:16:02 +0100
+Subject: [PATCH] fix for PHP 7.0.13 where php_url_parse fails
+diff --git a/ssh2-0.12/ssh2_fopen_wrappers.c b/ssh2-0.12/ssh2_fopen_wrappers.c
+index 8ba541d..44f8f48 100644
+--- a/ssh2-0.12/ssh2_fopen_wrappers.c
++++ b/ssh2-0.12/ssh2_fopen_wrappers.c
+@@ -194,10 +194,20 @@ php_url *php_ssh2_fopen_wraper_parse_path(	char *path, char *type, php_stream_co
+ 	php_url *resource;
+ 	zval *methods = NULL, *callbacks = NULL, zsession, **tmpzval;
+ 	long resource_id;
+-	char *s, *username = NULL, *password = NULL, *pubkey_file = NULL, *privkey_file = NULL;
++	char *h, *s, *username = NULL, *password = NULL, *pubkey_file = NULL, *privkey_file = NULL;
+ 	int username_len = 0, password_len = 0;
+ 
+-	resource = php_url_parse(path);
++	h = strstr(path, "Resource id #");
++	if (h) {
++		/* Starting with 5.6.28, 7.0.13 need to be clean, else php_url_parse will fail */
++		char *tmp = estrdup(path);
++
++		strncpy(tmp + (h-path), h + sizeof("Resource id #")-1, strlen(tmp)-sizeof("Resource id #"));
++		resource = php_url_parse(tmp);
++		efree(tmp);
++	} else {
++		resource = php_url_parse(path);
++	}
+ 	if (!resource) {
+ 		return NULL;
+ 	}
+@@ -228,9 +238,6 @@ php_url *php_ssh2_fopen_wraper_parse_path(	char *path, char *type, php_stream_co
+ 
+ 	/* Look for a resource ID to reuse a session */
+ 	s = resource->host;
+-	if (strncmp(resource->host, "Resource id #", sizeof("Resource id #") - 1) == 0) {
+-		s = resource->host + sizeof("Resource id #") - 1;
+-	}
+ 	if (is_numeric_string(s, strlen(s), &resource_id, NULL, 0) == IS_LONG) {
+ 		php_ssh2_sftp_data *sftp_data;
+ 
diff -Nru php-ssh2-0.12/debian/patches/series php-ssh2-0.12/debian/patches/series
--- php-ssh2-0.12/debian/patches/series	2013-08-11 12:11:03.000000000 +0000
+++ php-ssh2-0.12/debian/patches/series	2018-04-27 15:00:44.000000000 +0000
@@ -0,0 +1 @@
+fix_php_url_fails.patch