diff -Nru xapian-core-1.4.5/debian/changelog xapian-core-1.4.5/debian/changelog
--- xapian-core-1.4.5/debian/changelog 2017-11-01 01:13:30.000000000 +0000
+++ xapian-core-1.4.5/debian/changelog 2018-07-06 17:12:48.000000000 +0000
@@ -1,3 +1,12 @@
+xapian-core (1.4.5-1ubuntu0.1) bionic-security; urgency=medium
+
+ * SECURITY UPDATE: Cross-site scripting vulnerability
+ - debian/patches/CVE-2018-0499.patch: fix this
+ in queryparser/termgenerator_internal.cc.
+ - CVE-2018-0499
+
+ -- Leonidas S. Barbosa Fri, 06 Jul 2018 14:12:48 -0300
+
 xapian-core (1.4.5-1) unstable; urgency=medium
 
 * New upstream release
diff -Nru xapian-core-1.4.5/debian/control xapian-core-1.4.5/debian/control
--- xapian-core-1.4.5/debian/control 2017-11-01 01:13:30.000000000 +0000
+++ xapian-core-1.4.5/debian/control 2018-07-06 17:12:48.000000000 +0000
@@ -1,7 +1,8 @@
 Source: xapian-core
 Section: libs
 Priority: optional
-Maintainer: Olly Betts
+Maintainer: Ubuntu Developers
+XSBC-Original-Maintainer: Olly Betts
 Standards-Version: 4.1.0
 Build-Depends: debhelper (>= 9), autotools-dev, zlib1g-dev, uuid-dev, dpkg (>= 1.16.1~)
 Homepage: https://xapian.org/
diff -Nru xapian-core-1.4.5/debian/control.in xapian-core-1.4.5/debian/control.in
--- xapian-core-1.4.5/debian/control.in 2017-08-31 00:34:55.000000000 +0000
+++ xapian-core-1.4.5/debian/control.in 2018-07-06 17:12:48.000000000 +0000
@@ -1,7 +1,8 @@
 Source: xapian-core
 Section: libs
 Priority: optional
-Maintainer: Olly Betts
+Maintainer: Ubuntu Developers
+XSBC-Original-Maintainer: Olly Betts
 Standards-Version: 4.1.0
 Build-Depends: @BUILD_DEPS@ autotools-dev, zlib1g-dev, uuid-dev, dpkg (>= 1.16.1~)
 Homepage: https://xapian.org/
diff -Nru xapian-core-1.4.5/debian/patches/CVE-2018-0499.patch xapian-core-1.4.5/debian/patches/CVE-2018-0499.patch
--- xapian-core-1.4.5/debian/patches/CVE-2018-0499.patch 1970-01-01 00:00:00.000000000 +0000
+++ xapian-core-1.4.5/debian/patches/CVE-2018-0499.patch 2018-07-06 17:12:48.000000000 +0000
@@ -0,0 +1,83 @@
+From c1986aff6771a6e3ad99bec958e5b87ed71a6838 Mon Sep 17 00:00:00 2001
+From: Olly Betts
+Date: Thu, 28 Jun 2018 11:34:26 +1200
+Subject: [PATCH] Add missing XML escaping in MSet::snippet()
+
+We were escaping in some cases, but not all.
+diff --git a/queryparser/termgenerator_internal.cc b/queryparser/termgenerator_internal.cc
+index 7fa807d..fece985 100644
+--- a/queryparser/termgenerator_internal.cc
++++ b/queryparser/termgenerator_internal.cc
+@@ -432,6 +432,27 @@ SnipPipe::done()
+ }
+ }
+
++inline void
++append_escaping_xml(const char* p, const char* end, string& output)
++{
++ while (p != end) {
++ char ch = *p++;
++ switch (ch) {
++ case '&':
++ output += "&";
++ break;
++ case '<':
++ output += "<";
++ break;
++ case '>':
++ output += ">";
++ break;
++ default:
++ output += ch;
++ }
++ }
++}
++
+ inline bool
+ SnipPipe::drain(const string & input,
+ const string & hi_start,
+@@ -465,7 +486,7 @@ SnipPipe::drain(const string & input,
+
+ if (punc) {
+ // Include end of sentence punctuation.
+- output.append(input.data() + best_end, i.raw());
++ append_escaping_xml(input.data() + best_end, i.raw(), output);
+ } else {
+ // Append "..." or equivalent if this doesn't seem to be the start
+ // of a sentence.
+@@ -523,8 +544,7 @@ SnipPipe::drain(const string & input,
+ while (i != Utf8Iterator()) {
+ unsigned ch = *i;
+ if (Unicode::is_wordchar(ch)) {
+- const char * p = input.data() + best_begin;
+- output.append(p, i.raw() - p);
++ append_escaping_xml(input.data() + best_begin, i.raw(), output);
+ best_begin = i.raw() - input.data();
+ break;
+ }
+@@ -537,22 +557,9 @@ SnipPipe::drain(const string & input,
+ if (phrase_len) output += hi_start;
+ }
+
+- while (best_begin != word.term_end) {
+- char ch = input[best_begin++];
+- switch (ch) {
+- case '&':
+- output += "&";
+- break;
+- case '<':
+- output += "<";
+- break;
+- case '>':
+- output += ">";
+- break;
+- default:
+- output += ch;
+- }
+- }
++ const char* p = input.data();
++ append_escaping_xml(p + best_begin, p + word.term_end, output);
++ best_begin = word.term_end;
+
+ if (phrase_len && --phrase_len == 0) output += hi_end;
+
diff -Nru xapian-core-1.4.5/debian/patches/series xapian-core-1.4.5/debian/patches/series
--- xapian-core-1.4.5/debian/patches/series 1970-01-01 00:00:00.000000000 +0000
+++ xapian-core-1.4.5/debian/patches/series 2018-07-06 17:12:48.000000000 +0000
@@ -0,0 +1 @@
+CVE-2018-0499.patch
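Review bot: In debian/patches/CVE-2018-0499.patch, the new `append_escaping_xml` escapes only `&`, `<` and `>`, so snippet text is safe as element content but not inside a quoted attribute value, and nothing in the helper records that. A one-line comment above it would state the contract, e.g. `// Escapes &, < and > only: output is safe as element content, not inside an attribute value.` The `hi_start` and `hi_end` strings are still appended verbatim in `drain()` (`output += hi_start;`), which looks intentional since they carry the caller's markup, but it means they must never be built from untrusted input. As shown on this page the three cases append the character they just matched (`output += "&";`), which is presumably the page's entity decoding rather than the patch itself; the literals need to be `&amp;`, `&lt;` and `&gt;` for the fix to have any effect. `drain()` starts and ends outside the hunks shown.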