diff -Nru owncloud-4.0.8debian/debian/changelog owncloud-4.0.8debian/debian/changelog
--- owncloud-4.0.8debian/debian/changelog 2012-12-05 21:32:02.000000000 +0100
+++ owncloud-4.0.8debian/debian/changelog 2012-12-25 16:32:57.000000000 +0100
@@ -1,3 +1,14 @@
+owncloud (4.0.8debian-1.3) unstable; urgency=high
+
+ * Non-maintainer upload.
+ * Multiple security fixes (Closes: #696574):
+ + debian/patches/10_oc-sa-2012-006.patch:
+ - CVE-2012-5665: Auth bypass in user_webdavauth and user_ldap
+ + debian/patches/11_oc-sa-2012-007.patch:
+ - CVE-2012-5666: XSS vulnerability in bookmarks
+
+ -- Luca Falavigna Tue, 25 Dec 2012 16:23:19 +0100
+
 owncloud (4.0.8debian-1.2) unstable; urgency=high
 
 * Non-maintainer upload.
diff -Nru owncloud-4.0.8debian/debian/patches/10_oc-sa-2012-006.patch owncloud-4.0.8debian/debian/patches/10_oc-sa-2012-006.patch
--- owncloud-4.0.8debian/debian/patches/10_oc-sa-2012-006.patch 1970-01-01 01:00:00.000000000 +0100
+++ owncloud-4.0.8debian/debian/patches/10_oc-sa-2012-006.patch 2012-12-25 16:30:05.000000000 +0100
@@ -0,0 +1,48 @@
+Index: owncloud-4.0.8debian/apps/files_encryption/settings.php
+===================================================================
+--- owncloud-4.0.8debian.orig/apps/files_encryption/settings.php 2012-10-09 17:09:46.000000000 +0200
++++ owncloud-4.0.8debian/apps/files_encryption/settings.php 2012-12-25 16:29:57.110214044 +0100
+@@ -6,6 +6,8 @@
+ * See the COPYING-README file.
+ */
+
++OC_Util::checkAdminUser();
++
+ $tmpl = new OCP\Template( 'files_encryption', 'settings');
+ $blackList=explode(',',OCP\Config::getAppValue('files_encryption','type_blacklist','jpg,png,jpeg,avi,mpg,mpeg,mkv,mp3,oga,ogv,ogg'));
+ $enabled=(OCP\Config::getAppValue('files_encryption','enable_encryption','true')=='true');
+Index: owncloud-4.0.8debian/apps/user_ldap/settings.php
+===================================================================
+--- owncloud-4.0.8debian.orig/apps/user_ldap/settings.php 2012-10-09 17:10:37.000000000 +0200
++++ owncloud-4.0.8debian/apps/user_ldap/settings.php 2012-12-25 16:29:57.114214045 +0100
+@@ -20,6 +20,9 @@
+ * License along with this library. If not, see .
+ *
+ */
++
++OC_Util::checkAdminUser();
++
+ $params = array('ldap_host', 'ldap_port', 'ldap_dn', 'ldap_agent_password', 'ldap_base', 'ldap_base_users', 'ldap_base_groups', 'ldap_userlist_filter', 'ldap_login_filter', 'ldap_group_filter', 'ldap_display_name', 'ldap_group_display_name', 'ldap_tls', 'ldap_nocase', 'ldap_quota_def', 'ldap_quota_attr', 'ldap_email_attr', 'ldap_group_member_assoc_attribute');
+
+ OCP\Util::addscript('user_ldap', 'settings');
+Index: owncloud-4.0.8debian/apps/user_migrate/settings.php
+===================================================================
+--- owncloud-4.0.8debian.orig/apps/user_migrate/settings.php 2012-10-09 17:10:37.000000000 +0200
++++ owncloud-4.0.8debian/apps/user_migrate/settings.php 2012-12-25 16:29:57.114214045 +0100
+@@ -22,6 +22,9 @@
+ * License along with this library. If not, see .
+ *
+ */
++
++OC_Util::checkLoggedIn();
++
+ OCP\App::checkAppEnabled('user_migrate');
+ if (isset($_POST['user_import'])) {
+ $root = OC::$SERVERROOT . "/";
+@@ -86,4 +89,4 @@
+ // fill template
+ $tmpl = new OCP\Template('user_migrate', 'settings');
+ return $tmpl->fetchPage();
+-}
+\ No newline at end of file
++}
diff -Nru owncloud-4.0.8debian/debian/patches/11_oc-sa-2012-007.patch owncloud-4.0.8debian/debian/patches/11_oc-sa-2012-007.patch
--- owncloud-4.0.8debian/debian/patches/11_oc-sa-2012-007.patch 1970-01-01 01:00:00.000000000 +0100
+++ owncloud-4.0.8debian/debian/patches/11_oc-sa-2012-007.patch 2012-12-25 16:25:24.000000000 +0100
@@ -0,0 +1,13 @@
+Index: owncloud-4.0.8debian/apps/bookmarks/js/bookmarks.js
+===================================================================
+--- owncloud-4.0.8debian.orig/apps/bookmarks/js/bookmarks.js 2012-10-09 17:10:37.000000000 +0200
++++ owncloud-4.0.8debian/apps/bookmarks/js/bookmarks.js 2012-12-25 16:25:21.050223382 +0100
+@@ -141,7 +141,7 @@
+ var taglist = '';
+ for ( var i=0, len=tags.length; i' + tags[i] + ' ';
++ taglist = taglist + '' + tags[i] + ' ';
+ }
+ if(!hasProtocol(bookmark.url)) {
+ bookmark.url = 'http://' + bookmark.url;
diff -Nru owncloud-4.0.8debian/debian/patches/series owncloud-4.0.8debian/debian/patches/series
--- owncloud-4.0.8debian/debian/patches/series 2012-11-25 12:39:57.000000000 +0100
+++ owncloud-4.0.8debian/debian/patches/series 2012-12-25 16:30:24.000000000 +0100
@@ -9,3 +9,5 @@
 07_oc-sa-2012-002.patch
 08_oc-sa-2012-004.patch
 09_oc-sa-2012-005.patch
+10_oc-sa-2012-006.patch
+11_oc-sa-2012-007.patch
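Review bot: The changelog entry credits this patch with closing the user_webdavauth bypass as well, but the new 10_oc-sa-2012-006.patch only touches apps/files_encryption/settings.php, apps/user_ldap/settings.php and apps/user_migrate/settings.php — there is no hunk for apps/user_webdavauth. Either the changelog overstates what the backport covers or a hunk was dropped; worth confirming against the upstream oC-SA-2012-006 fix, unless user_webdavauth is simply not shipped in 4.0.8. Related: user_migrate gets the weaker `OC_Util::checkLoggedIn();` while the other two pages get `OC_Util::checkAdminUser();`, and the visible context shows that page handling `$_POST['user_import']` relative to `OC::$SERVERROOT`, so if that import path is intended for administrators only, `OC_Util::checkAdminUser();` would be the safer guard. The settings.php bodies continue outside the hunk in all three files.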
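Review bot: On the added line in bookmarks.js, `tags[i]` is still concatenated straight into the generated markup as the link text (`'' + tags[i] + ' '` is what survives after the anchor markup was stripped from this rendering), so unless the change inside the lost attribute portion also escapes the tag name, a tag containing HTML metacharacters still reaches the DOM unescaped. Worth confirming against the upstream oC-SA-2012-007 fix that the text node is HTML-escaped (via the `escapeHTML` helper if this ownCloud version ships it) and that the tag value placed in the href is URI-encoded, e.g. `taglist = taglist + '<a href="?tag=' + encodeURIComponent(tags[i]) + '">' + escapeHTML(tags[i]) + '</a> ';` — a constructed example, since the real attribute set is not visible here. The enclosing function starts and ends outside the hunk.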