diff -Nru xerces-c-3.2.3+debian/debian/changelog xerces-c-3.2.3+debian/debian/changelog
--- xerces-c-3.2.3+debian/debian/changelog 2020-07-28 16:20:57.000000000 +0000
+++ xerces-c-3.2.3+debian/debian/changelog 2020-12-14 16:43:13.000000000 +0000
@@ -1,8 +1,21 @@
-xerces-c (3.2.3+debian-1build1) groovy; urgency=medium
+xerces-c (3.2.3+debian-3) unstable; urgency=medium
 
- * No-change rebuild against libicu67
+ * Fix MemHandlerTest1 on 32-bit systems to compensate for CVE-2018-1311 fix
 
- -- Steve Langasek Tue, 28 Jul 2020 16:20:57 +0000
+ -- William Blough Mon, 14 Dec 2020 11:43:13 -0500
+
+xerces-c (3.2.3+debian-2) unstable; urgency=medium
+
+ [ Sylvain Beucler ]
+ * CVE-2018-1311 mitigation: fix use-after-free vulnerability when
+ processing external DTD, at the expense of a memory leak. Users may
+ mitigate both by setting the XERCES_DISABLE_DTD environment variable.
+
+ [ William Blough ]
+ * Update d/watch to v4
+ * Update standards version to 4.5.1 (no changes)
+
+ -- William Blough Fri, 11 Dec 2020 11:22:23 -0500
 
 xerces-c (3.2.3+debian-1) unstable; urgency=medium
 
diff -Nru xerces-c-3.2.3+debian/debian/control xerces-c-3.2.3+debian/debian/control
--- xerces-c-3.2.3+debian/debian/control 2020-07-28 16:20:57.000000000 +0000
+++ xerces-c-3.2.3+debian/debian/control 2020-12-14 16:43:13.000000000 +0000
@@ -10,9 +10,8 @@
 libstylebook-java,
 libxalan2-java,
 libxerces2-java
-Maintainer: Ubuntu Developers
-XSBC-Original-Maintainer: William Blough
-Standards-Version: 4.5.0
+Maintainer: William Blough
+Standards-Version: 4.5.1
 Vcs-Browser: https://salsa.debian.org/bblough/xerces-c
 Vcs-Git: https://salsa.debian.org/bblough/xerces-c.git
 Homepage: https://xerces.apache.org/xerces-c/
diff -Nru xerces-c-3.2.3+debian/debian/patches/CVE-2018-1311-mitigation.patch xerces-c-3.2.3+debian/debian/patches/CVE-2018-1311-mitigation.patch
--- xerces-c-3.2.3+debian/debian/patches/CVE-2018-1311-mitigation.patch 1970-01-01 00:00:00.000000000 +0000
+++ xerces-c-3.2.3+debian/debian/patches/CVE-2018-1311-mitigation.patch 2020-12-14 16:43:13.000000000 +0000
@@ -0,0 +1,52 @@
+
+https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-1311
+
+--- a/src/xercesc/internal/IGXMLScanner.cpp
++++ b/src/xercesc/internal/IGXMLScanner.cpp
+@@ -1532,7 +1532,6 @@ void IGXMLScanner::scanDocTypeDecl()
+ DTDEntityDecl* declDTD = new (fMemoryManager) DTDEntityDecl(gDTDStr, false, fMemoryManager);
+ declDTD->setSystemId(sysId);
+ declDTD->setIsExternal(true);
+- Janitor janDecl(declDTD);
+
+ // Mark this one as a throw at end
+ reader->setThrowAtEnd(true);
+@@ -3095,7 +3094,6 @@ Grammar* IGXMLScanner::loadDTDGrammar(co
+ DTDEntityDecl* declDTD = new (fMemoryManager) DTDEntityDecl(gDTDStr, false, fMemoryManager);
+ declDTD->setSystemId(src.getSystemId());
+ declDTD->setIsExternal(true);
+- Janitor janDecl(declDTD);
+
+ // Mark this one as a throw at end
+ newReader->setThrowAtEnd(true);
+--- a/tests/expected/MemHandlerTest1.log
++++ b/tests/expected/MemHandlerTest1.log
+@@ -1,4 +1,4 @@
+-At destruction, domBuilderMemMonitor has 0 bytes.
+-At destruction, sax2MemMonitor has 0 bytes.
+-At destruction, sax1MemMonitor has 0 bytes.
++At destruction, domBuilderMemMonitor has 276 bytes.
++At destruction, sax2MemMonitor has 276 bytes.
++At destruction, sax1MemMonitor has 276 bytes.
+ At destruction, staticMemMonitor has 0 bytes.
+--- /dev/null
++++ b/tests/expected/MemHandlerTest1_32.log
+@@ -0,0 +1,4 @@
++At destruction, domBuilderMemMonitor has 180 bytes.
++At destruction, sax2MemMonitor has 180 bytes.
++At destruction, sax1MemMonitor has 180 bytes.
++At destruction, staticMemMonitor has 0 bytes.
+--- a/scripts/run-test.in
++++ b/scripts/run-test.in
+@@ -46,6 +46,11 @@ run_test() {
+ sed -i -e 's;\( *[0-9][0-9]* *ms *\);{timing removed};' "$output"
+
+ exp=$(cat "${srcdir}/expected/${name}.log")
++
++ if [ "${name}" = "MemHandlerTest1" ] && [ "$(dpkg-architecture -q DEB_HOST_ARCH_BITS)" -eq 32 ]; then
++ exp=$(cat "${srcdir}/expected/${name}_32.log")
++ fi
++
+ obs=$(cat "$output")
+
+ echo "------"
diff -Nru xerces-c-3.2.3+debian/debian/patches/series xerces-c-3.2.3+debian/debian/patches/series
--- xerces-c-3.2.3+debian/debian/patches/series 2020-04-11 19:34:02.000000000 +0000
+++ xerces-c-3.2.3+debian/debian/patches/series 2020-12-14 16:43:13.000000000 +0000
@@ -0,0 +1 @@
+CVE-2018-1311-mitigation.patch
diff -Nru xerces-c-3.2.3+debian/debian/watch xerces-c-3.2.3+debian/debian/watch
--- xerces-c-3.2.3+debian/debian/watch 2020-04-11 19:34:02.000000000 +0000
+++ xerces-c-3.2.3+debian/debian/watch 2020-12-14 16:43:13.000000000 +0000
@@ -1,4 +1,4 @@
-version=3
+version=4
 opts=pgpsigurlmangle=s/$/.asc/,dversionmangle=s/\+debian// \
 https://www.apache.org/dist/xerces/c/3/sources/xerces-c-([\d\.]*)\.tar\.gz
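Review bot: Dropping `Janitor janDecl(declDTD);` in both IGXMLScanner.cpp hunks (scanDocTypeDecl and loadDTDGrammar) leaves `declDTD` with no owner at all, so every parse that loads an external DTD appears to leak one DTDEntityDecl for the life of the process — the 276 (64-bit) / 180 (32-bit) bytes the new expected logs record — which turns a use-after-free into an unbounded-growth risk for long-running processes that parse many such documents. That trade-off should be stated where the object is allocated so nobody restores the Janitor, e.g. `// Intentionally not Janitor-owned: the reader still references declDTD after this scope (CVE-2018-1311); it is leaked until a real owner is introduced.` The patch file itself carries only the Red Hat bug URL, and the updated MemHandlerTest1 logs now encode the leak as expected output, so a DEP-3 `Description:` header saying the leak is deliberate (and that both logs must change again once ownership is fixed) would save the next maintainer a puzzled afternoon. In run-test.in the added `[ "$(dpkg-architecture -q DEB_HOST_ARCH_BITS)" -eq 32 ]` makes an upstream test script depend on a Debian-only tool; where it is missing the test would likely error and silently fall back to the 64-bit log. The enclosing C++ functions and run_test() all begin and end outside the hunk.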