diff -Nru dokuwiki-0.0.20091225c/debian/changelog dokuwiki-0.0.20091225c/debian/changelog
--- dokuwiki-0.0.20091225c/debian/changelog	2011-06-29 01:50:12.000000000 +0200
+++ dokuwiki-0.0.20091225c/debian/changelog	2014-10-29 14:44:37.000000000 +0100
@@ -1,3 +1,12 @@
+dokuwiki (0.0.20091225c-10+squeeze3) UNRELEASED; urgency=medium
+
+  * debian/patches:
+     + fix_ldap_auth_bypass_CVE-2014-8763.diff: fix an authentication bypass
+       flaw when using Active Directory for LDAP authentication.
+       (CVE-2014-8763, CVE-2014-8764)
+
+ -- Tanguy Ortolo <tanguy+debian@ortolo.eu>  Wed, 29 Oct 2014 14:17:00 +0100
+
 dokuwiki (0.0.20091225c-10+squeeze2) stable; urgency=low
 
   * debian/patches/rss_security.diff: Backport an upstream security fix for
diff -Nru dokuwiki-0.0.20091225c/debian/patches/fix_ldap_auth_bypass_CVE-2014-8763.diff dokuwiki-0.0.20091225c/debian/patches/fix_ldap_auth_bypass_CVE-2014-8763.diff
--- dokuwiki-0.0.20091225c/debian/patches/fix_ldap_auth_bypass_CVE-2014-8763.diff	1970-01-01 01:00:00.000000000 +0100
+++ dokuwiki-0.0.20091225c/debian/patches/fix_ldap_auth_bypass_CVE-2014-8763.diff	2014-10-29 14:44:51.000000000 +0100
@@ -0,0 +1,27 @@
+From: Andreas Gohr <andi@splitbrain.org>
+Subject: Clean user credentials from control chars to prevent auth bypass
+
+ This is to prevent zero byte attacks on external auth systems as described in
+ http://www.freelists.org/post/dokuwiki/Fwd-Dokuwiki-maybe-security-issue-Null-byte-poisoning-in-LDAP-authentication
+ (CVE-2014-8763, CVE-2014-8764)
+Origin: backport, https://github.com/splitbrain/dokuwiki/commit/395c2f0ff3e87977ea2573587a11f4ef294433f2
+Bug-Debian: http://bugs.debian.org/766545
+Last-Update: 2014-10-28
+---
+ inc/auth.php | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+Index: dokuwiki/inc/auth.php
+===================================================================
+--- dokuwiki.orig/inc/auth.php
++++ dokuwiki/inc/auth.php
+@@ -75,7 +75,8 @@ if($conf['useacl']){
+         }
+ 
+         // apply cleaning
+-        $_REQUEST['u'] = $auth->cleanUser($_REQUEST['u']);
++        $_REQUEST['u'] = $auth->cleanUser(stripctl($_REQUEST['u']));
++        $_REQUEST['p'] = stripctl($_REQUEST['p']);
+ 
+         if(isset($_REQUEST['authtok'])){
+             // when an authentication token is given, trust the session
diff -Nru dokuwiki-0.0.20091225c/debian/patches/series dokuwiki-0.0.20091225c/debian/patches/series
--- dokuwiki-0.0.20091225c/debian/patches/series	2011-06-26 13:23:13.000000000 +0200
+++ dokuwiki-0.0.20091225c/debian/patches/series	2014-10-29 14:25:01.000000000 +0100
@@ -10,3 +10,4 @@
 license_jpegmeta.diff
 cc-by-nd-url.diff
 fhs.diff
+fix_ldap_auth_bypass_CVE-2014-8763.diff