diff -Nru curl-7.55.1/debian/changelog curl-7.55.1/debian/changelog
--- curl-7.55.1/debian/changelog 2017-10-20 15:06:14.000000000 +0000
+++ curl-7.55.1/debian/changelog 2017-11-29 20:29:49.000000000 +0000
@@ -1,3 +1,17 @@
+curl (7.55.1-1ubuntu3) bionic; urgency=medium
+
+ * SECURITY UPDATE: NTLM buffer overflow via integer overflow
+ - debian/patches/CVE-2017-8816.patch: avoid integer overflow for malloc
+ size in lib/curl_ntlm_core.c
+ - CVE-2017-8816
+ * SECURITY UPDATE: FTP wildcard out of bounds read
+ - debian/patches/CVE-2017-8817.patch: fix heap buffer overflow in
+ setcharset in lib/curl_fnmatch.c, added tests to
+ tests/data/Makefile.inc, tests/data/test1163.
+ - CVE-2017-8817
+
+ -- Marc Deslauriers Wed, 29 Nov 2017 15:29:49 -0500
+
 curl (7.55.1-1ubuntu2.1) artful-security; urgency=medium
 * SECURITY UPDATE: IMAP FETCH response out of bounds read
diff -Nru curl-7.55.1/debian/patches/CVE-2017-8816.patch curl-7.55.1/debian/patches/CVE-2017-8816.patch
--- curl-7.55.1/debian/patches/CVE-2017-8816.patch 1970-01-01 00:00:00.000000000 +0000
+++ curl-7.55.1/debian/patches/CVE-2017-8816.patch 2017-11-28 12:58:04.000000000 +0000
@@ -0,0 +1,51 @@
+From bef7788b09e611dd7f4a696035c3a9a040d2430f Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg
+Date: Mon, 6 Nov 2017 23:51:52 +0100
+Subject: [PATCH] ntlm: avoid integer overflow for malloc size
+
+Reported-by: Alex Nichols
+Assisted-by: Kamil Dudka and Max Dymond
+---
+ lib/curl_ntlm_core.c | 20 ++++++++++++++++++--
+ 1 file changed, 18 insertions(+), 2 deletions(-)
+
+Index: curl-7.55.1/lib/curl_ntlm_core.c
+===================================================================
+--- curl-7.55.1.orig/lib/curl_ntlm_core.c 2017-11-28 07:58:02.975441235 -0500
++++ curl-7.55.1/lib/curl_ntlm_core.c 2017-11-28 07:58:02.975441235 -0500
+@@ -622,6 +622,12 @@ CURLcode Curl_hmac_md5(const unsigned ch
+ return CURLE_OK;
+ }
+
++#if defined(SIZEOF_SIZE_T) && (SIZEOF_SIZE_T > 4)
++#define SIZE_T_MAX 18446744073709551615U
++#else
++#define SIZE_T_MAX 4294967295U
++#endif
++
+ /* This creates the NTLMv2 hash by using NTLM hash as the key and Unicode
+ * (uppercase UserName + Domain) as the data
+ */
+@@ -631,10 +637,20 @@ CURLcode Curl_ntlm_core_mk_ntlmv2_hash(c
+ unsigned char *ntlmv2hash)
+ {
+ /* Unicode representation */
+- size_t identity_len = (userlen + domlen) * 2;
+- unsigned char *identity = malloc(identity_len);
++ size_t identity_len;
++ unsigned char *identity;
+ CURLcode result = CURLE_OK;
+
++ /* we do the length checks below separately to avoid integer overflow risk
++ on extreme data lengths */
++ if((userlen > SIZE_T_MAX/2) ||
++ (domlen > SIZE_T_MAX/2) ||
++ ((userlen + domlen) > SIZE_T_MAX/2))
++ return CURLE_OUT_OF_MEMORY;
++
++ identity_len = (userlen + domlen) * 2;
++ identity = malloc(identity_len);
++
+ if(!identity)
+ return CURLE_OUT_OF_MEMORY;
+
diff -Nru curl-7.55.1/debian/patches/CVE-2017-8817.patch curl-7.55.1/debian/patches/CVE-2017-8817.patch
--- curl-7.55.1/debian/patches/CVE-2017-8817.patch 1970-01-01 00:00:00.000000000 +0000
+++ curl-7.55.1/debian/patches/CVE-2017-8817.patch 2017-11-28 12:58:46.000000000 +0000
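Review bot: The new `SIZE_T_MAX` in the curl_ntlm_core.c hunk is spelled as two decimal literals selected by `SIZEOF_SIZE_T`, so a 64-bit build where that configure macro happens to be undefined silently falls back to the 32-bit bound (still safe, but it rejects legitimate inputs whose combined length exceeds 2 GiB), and the unguarded name may collide with a platform header that already defines `SIZE_T_MAX`. `#define SIZE_T_MAX ((size_t)-1)` (or `SIZE_MAX` where `<stdint.h>` is available) gives the exact bound with no configure dependency, and wrapping it in `#ifndef SIZE_T_MAX` avoids a redefinition warning. The three-part check itself is right: bounding each operand to half the range keeps `userlen + domlen` from wrapping, and bounding the sum keeps the `* 2` from wrapping. Curl_ntlm_core_mk_ntlmv2_hash continues past the end of the hunk.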
@@ -0,0 +1,124 @@
+Backport of:
+
+From baf34f6f6916cacfdf9ac01bac27e483f68ca4f6 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg
+Date: Fri, 10 Nov 2017 08:52:45 +0100
+Subject: [PATCH] wildcardmatch: fix heap buffer overflow in setcharset
+
+The code would previous read beyond the end of the pattern string if the
+match pattern ends with an open bracket when the default pattern
+matching function is used.
+
+Detected by OSS-Fuzz:
+https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=4161
+---
+ lib/curl_fnmatch.c | 9 +++------
+ tests/data/Makefile.inc | 2 +-
+ tests/data/test1163 | 52 +++++++++++++++++++++++++++++++++++++++++++++++++
+ 3 files changed, 56 insertions(+), 7 deletions(-)
+ create mode 100644 tests/data/test1163
+
+Index: curl-7.55.1/lib/curl_fnmatch.c
+===================================================================
+--- curl-7.55.1.orig/lib/curl_fnmatch.c 2017-11-28 07:58:11.603553476 -0500
++++ curl-7.55.1/lib/curl_fnmatch.c 2017-11-28 07:58:11.603553476 -0500
+@@ -133,6 +133,9 @@ static int setcharset(unsigned char **p,
+ unsigned char c;
+ for(;;) {
+ c = **p;
++ if(!c)
++ return SETCHARSET_FAIL;
++
+ switch(state) {
+ case CURLFNM_SCHS_DEFAULT:
+ if(ISALNUM(c)) { /* ASCII value */
+@@ -196,9 +199,6 @@ static int setcharset(unsigned char **p,
+ else
+ return SETCHARSET_FAIL;
+ }
+- else if(c == '\0') {
+- return SETCHARSET_FAIL;
+- }
+ else {
+ charset[c] = 1;
+ (*p)++;
+@@ -277,9 +277,6 @@ static int setcharset(unsigned char **p,
+ else if(c == ']') {
+ return SETCHARSET_OK;
+ }
+- else if(c == '\0') {
+- return SETCHARSET_FAIL;
+- }
+ else if(ISPRINT(c)) {
+ charset[c] = 1;
+ (*p)++;
+Index: curl-7.55.1/tests/data/Makefile.inc
+===================================================================
+--- curl-7.55.1.orig/tests/data/Makefile.inc 2017-11-28 07:58:09.119520858 -0500
++++ curl-7.55.1/tests/data/Makefile.inc 2017-11-28 07:58:32.499827818 -0500
+@@ -121,7 +121,7 @@ test1120 test1121 test1122 test1123 test
+ test1128 test1129 test1130 
test1131 test1132 test1133 test1134 test1135 \
+ test1136 test1137 test1138 test1139 test1140 test1141 test1142 test1143 \
+ test1144 test1145 test1146 test1147 test1148 \
+-test1152 \
++test1152 test1163 \
+ test1200 test1201 test1202 test1203 test1204 test1205 test1206 test1207 \
+ test1208 test1209 test1210 test1211 test1212 test1213 test1214 test1215 \
+ test1216 test1217 test1218 test1219 \
+Index: curl-7.55.1/tests/data/test1163
+===================================================================
+--- /dev/null 1970-01-01 00:00:00.000000000 +0000
++++ curl-7.55.1/tests/data/test1163 2017-11-28 07:58:11.603553476 -0500
+@@ -0,0 +1,52 @@
++
++
++
++FTP
++RETR
++LIST
++wildcardmatch
++ftplistparser
++flaky
++
++
++
++#
++# Server-side
++
++
++
++
++
++# Client-side
++
++
++ftp
++
++
++lib576
++
++
++FTP wildcard with pattern ending with an open-bracket
++
++
++"ftp://%HOSTIP:%FTPPORT/fully_simulated/DOS/*[]["
++
++
++
++
++USER anonymous
++PASS ftp@example.com
++PWD
++CWD fully_simulated
++CWD DOS
++EPSV
++TYPE A
++LIST
++QUIT
++
++# 78 == CURLE_REMOTE_FILE_NOT_FOUND
++
++78
++
++
++
diff -Nru curl-7.55.1/debian/patches/series curl-7.55.1/debian/patches/series
--- curl-7.55.1/debian/patches/series 2017-10-20 15:06:14.000000000 +0000
+++ curl-7.55.1/debian/patches/series 2017-11-28 12:59:10.000000000 +0000
@@ -7,8 +7,10 @@
 11_omit-directories-from-config.patch
 12_dont-wait-on-CONNECT.patch
 CVE-2017-1000257.patch
+CVE-2017-1000254.patch
+CVE-2017-8816.patch
+CVE-2017-8817.patch
 # do not add patches below
-CVE-2017-1000254.patch
 90_gnutls.patch
 99_nss.patch
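Review bot: The hoisted `if(!c) return SETCHARSET_FAIL;` at the top of the setcharset loop in the curl_fnmatch.c hunk carries no comment, yet it is the whole fix: it is the only thing that stops the DEFAULT state (and any other state that had no '\0' test of its own) from storing `charset[0]` and advancing `*p` past the terminator, and the two removed per-state checks could tempt a later reader to "simplify" it back. A one-liner would pin the intent: `/* NUL: the pattern ended inside the bracket expression; every state must stop here instead of stepping past the terminator */`. The regression test added alongside is a full FTP wildcard transfer tagged `flaky`, so a pattern-level case (the `*[][` pattern from test1163 fed through the existing fnmatch unit test, if this tree has one) would exercise the fix more deterministically. setcharset starts before the hunk and its remaining states lie outside it.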