diff --git a/debian/changelog b/debian/changelog
index b5cf471f1..f20038478 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -35,6 +35,70 @@ linux (3.14~rc5-1~exp1) experimental; urgency=medium
 -- Ben Hutchings Fri, 07 Mar 2014 03:36:35 +0000
+linux (3.13.7-1) unstable; urgency=medium
+
+ * New upstream stable update:
+ http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.13.7
+ - mm: page_alloc: exempt GFP_THISNODE allocations from zone fairness
+ (regression in 3.12)
+ - mm: include VM_MIXEDMAP flag in the VM_SPECIAL list to avoid m(un)locking
+ (regression in 3.12)
+ - ocfs2: fix quota file corruption
+ - ocfs2 syncs the wrong range...
+ - memcg: fix endless loop in __mem_cgroup_iter_next()
+ (regression in 3.13.3)
+ - net-tcp: fastopen: fix high order allocations
+ - ipv6: reuse ip6_frag_id from ip6_ufo_append_data
+ - ipv4: ipv6: better estimate tunnel header cut for correct ufo handling
+ - ip_tunnel:multicast process cause panic due to skb->_skb_refdst NULL
+ pointer
+ - mac80211: clear sequence/fragment number in QoS-null frames
+ - ath9k: Fix ETSI compliance for AR9462 2.0
+ - ath9k: protect tid->sched check
+ - cpuset: fix a locking issue in cpuset_migrate_mm()
+ - cpuset: fix a race condition in __cpuset_node_allowed_softwall()
+ - firewire: net: fix use after free
+ - firewire: don't use PREPARE_DELAYED_WORK
+ - libata: disable queued TRIM for Crucial M500 mSATA SSDs
+ - libata: use wider match for blacklisting Crucial M500
+ - NFSv4: Fix another nfs4_sequence corruptor (Closes: #734268)
+ - cpufreq: use cpufreq_cpu_get() to avoid cpufreq_get() race conditions
+ - cpufreq: Skip current frequency initialization for ->setpolicy drivers
+ (regression in 3.13)
+ - iscsi/iser-target: Use list_del_init for ->i_conn_node
+ - iser-target: Ignore completions for FRWRs in isert_cq_tx_work
+ - iser-target: Fix post_send_buf_count for RDMA READ/WRITE
+ - mm/readahead.c: fix do_readahead() for no readpage(s)
+ (regression in 3.13)
+ - fs/proc/base.c: fix GPF in /proc/$PID/map_files
+ - drm/i915: fix pch pci device enumeration (regression in 3.11)
+ - drm/i915: Reject >165MHz modes w/ DVI monitors (regression in 3.11)
+ - drm/radeon: fix runpm disabling on non-PX harder
+ (may fix #741619, #742507)
+ - PCI: Enable INTx in pci_reenable_device() only when MSI/MSI-X not enabled
+ (fixes regression in 3.13.6)
+ - [x86] vmxnet3: fix netpoll race condition
+ - mm/compaction: break out of loop on !PageBuddy in isolate_freepages_block
+ - dm space map metadata: fix refcount decrement below 0 which caused
+ corruption
+ - dm cache: fix truncation bug when copying a block to/from >2TB fast
+ device
+ - net: unix socket code abuses csum_partial
+ - SCSI: qla2xxx: Fix multiqueue MSI-X registration.
+ - [x86] fpu: Check tsk_used_math() in kernel_fpu_end() for eager FPU
+ - Btrfs: fix tree mod logging
+ - Btrfs: fix data corruption when reading/updating compressed extents
+ - intel_pstate: Add setting voltage value for baytrail P states.
+ - Fix mountpoint reference leakage in linkat
+ - bio-integrity: Fix bio_integrity_verify segment start bug
+ - memcg: reparent charges of children before processing parent
+
+ [ Ben Hutchings ]
+ * [arm] mm: Avoid ABI change in 3.13.6 (fixes FTBFS)
+ * nfqueue: Orphan frags in nfqnl_zcopy() and handle errors (CVE-2014-2568)
+
+ -- Ben Hutchings Tue, 25 Mar 2014 17:23:31 +0000
+
 linux (3.13.6-1) unstable; urgency=high
 * New upstream stable update:
diff --git a/debian/patches/bugfix/all/net-core-nfqueue-openvswitch-Orphan-frags-in-skb_zerocopy-and-handle-errors.patch b/debian/patches/bugfix/all/net-core-nfqueue-openvswitch-Orphan-frags-in-skb_zerocopy-and-handle-errors.patch
new file mode 100644
index 000000000..1056f282d
--- /dev/null
+++ b/debian/patches/bugfix/all/net-core-nfqueue-openvswitch-Orphan-frags-in-skb_zerocopy-and-handle-errors.patch
@@ -0,0 +1,105 @@
+Subject: [v4] core, nfqueue, openvswitch: Orphan frags in skb_zerocopy and handle errors
+From: Zoltan Kiss
+Date: Fri, 21 Mar 2014 10:31:34 +0000
+Origin: https://patchwork.ozlabs.org/patch/332544/
+
+skb_zerocopy can copy elements of the frags array between skbs, but it doesn't
+orphan them. Also, it doesn't handle errors, so this patch takes care of that
+as well, and modify the callers accordingly. skb_tx_error() is also added to
+the callers so they will signal the failed delivery towards the creator of the
+skb.
+
+Signed-off-by: Zoltan Kiss
+Acked-by: Thomas Graf
+[bwh: skb_zerocopy() is new in 3.14, but was moved from a static function
+ in nfnetlink_queue. We need to patch that and its caller, but not
+ openvswitch.]
+---
+--- a/net/netfilter/nfnetlink_queue_core.c
++++ b/net/netfilter/nfnetlink_queue_core.c
+@@ -235,22 +235,23 @@ nfqnl_flush(struct nfqnl_instance *queue
+ spin_unlock_bh(&queue->lock);
+ }
+
+-static void
++static int
+ nfqnl_zcopy(struct sk_buff *to, const struct sk_buff *from, int len, int hlen)
+ {
+ int i, j = 0;
+ int plen = 0; /* length of skb->head fragment */
++ int ret;
+ struct page *page;
+ unsigned int offset;
+
+ /* dont bother with small payloads */
+- if (len <= skb_tailroom(to)) {
+- skb_copy_bits(from, 0, skb_put(to, len), len);
+- return;
+- }
++ if (len <= skb_tailroom(to))
++ return skb_copy_bits(from, 0, skb_put(to, len), len);
+
+ if (hlen) {
+- skb_copy_bits(from, 0, skb_put(to, hlen), hlen);
++ ret = skb_copy_bits(from, 0, skb_put(to, hlen), hlen);
++ if (unlikely(ret))
++ return ret;
+ len -= hlen;
+ } else {
+ plen = min_t(int, skb_headlen(from), len);
+@@ -268,6 +269,11 @@ nfqnl_zcopy(struct sk_buff *to, const st
+ to->len += len + plen;
+ to->data_len += len + plen;
+
++ if (unlikely(skb_orphan_frags(from, GFP_ATOMIC))) {
++ skb_tx_error(from);
++ return -ENOMEM;
++ }
++
+ for (i = 0; i < skb_shinfo(from)->nr_frags; i++) {
+ if (!len)
+ break;
+@@ -278,6 +284,8 @@ nfqnl_zcopy(struct sk_buff *to, const st
+ j++;
+ }
+ skb_shinfo(to)->nr_frags = j;
++
++ return 0;
+ }
+
+ static int
+@@ -374,13 +382,16 @@ nfqnl_build_packet_message(struct net *n
+
+ skb = nfnetlink_alloc_skb(net, size, queue->peer_portid,
+ GFP_ATOMIC);
+- if (!skb)
++ if (!skb) {
++ skb_tx_error(entskb);
+ return NULL;
++ }
+
+ nlh = nlmsg_put(skb, 0, 0,
+ NFNL_SUBSYS_QUEUE << 8 | NFQNL_MSG_PACKET,
+ sizeof(struct nfgenmsg), 0);
+ if (!nlh) {
++ skb_tx_error(entskb);
+ kfree_skb(skb);
+ return NULL;
+ }
+@@ -504,13 +515,15 @@ nfqnl_build_packet_message(struct net *n
+ nla->nla_type = NFQA_PAYLOAD;
+ nla->nla_len = nla_attr_size(data_len);
+
+- nfqnl_zcopy(skb, entskb, data_len, hlen);
++ if (nfqnl_zcopy(skb, entskb, data_len, hlen))
++ goto nla_put_failure;
+ }
+
+ nlh->nlmsg_len = skb->len;
+ return skb;
+
+ nla_put_failure:
++ skb_tx_error(entskb);
+ kfree_skb(skb);
+ net_err_ratelimited("nf_queue: error creating packet message\n");
+ return NULL;
diff --git a/debian/patches/series b/debian/patches/series
index 16602abd2..55c126a16 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -71,3 +71,4 @@ features/all/x86-memtest-WARN-if-bad-RAM-found.patch
 features/all/efi-autoload-efivars.patch
 features/all/mvsas-Recognise-device-subsystem-9485-9485-as-88SE94.patch
 bugfix/arm/bfa-Replace-large-udelay-with-mdelay.patch
+bugfix/all/net-core-nfqueue-openvswitch-Orphan-frags-in-skb_zerocopy-and-handle-errors.patch
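Review bot: In the nfnetlink_queue_core.c change carried by the new file under debian/patches/bugfix/all/, nfqnl_zcopy() still declares `const struct sk_buff *from` (the signature is an unchanged context line), yet the added code passes `from` to skb_orphan_frags() and skb_tx_error(), both of which change state on the skb they are given. As far as I know both helpers take a non-const `struct sk_buff *`, so the call discards the qualifier and should at least draw a compiler warning; the signature should become `nfqnl_zcopy(struct sk_buff *to, struct sk_buff *from, int len, int hlen)` so the declaration matches what the function now does to the source skb. Separately, when skb_orphan_frags() fails, skb_tx_error() runs once inside nfqnl_zcopy() and again at `nla_put_failure:` in nfqnl_build_packet_message(); this is probably harmless, but a one-line comment such as `/* caller signals skb_tx_error() on every failure path */` and dropping the inner call would make the ownership of the error signal clear. The bodies of both functions extend beyond the hunks shown, so other uses of `from` could not be checked.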