diff --git a/debian/bin/gencontrol.py b/debian/bin/gencontrol.py
index 910e02213..d956b3b3a 100755
--- a/debian/bin/gencontrol.py
+++ b/debian/bin/gencontrol.py
@@ -131,10 +131,12 @@ class Gencontrol(Base):
 
         if self.version.linux_modifier is None:
             try:
-                vars['abiname'] = '-%s' % self.config['abi', arch]['abiname']
+                abiname_part = '-%s' % self.config['abi', arch]['abiname']
             except KeyError:
-                vars['abiname'] = self.abiname
-            makeflags['ABINAME'] = vars['abiname']
+                abiname_part = self.abiname_part
+            makeflags['ABINAME'] = vars['abiname'] = \
+                self.version.linux_upstream + abiname_part
+            makeflags['ABINAME_PART'] = abiname_part
 
         if foreign_kernel:
             packages_headers_arch = []
@@ -178,8 +180,7 @@ class Gencontrol(Base):
                 kw_env['KW_DEFCONFIG_DIR'] = installer_def_dir
                 kw_env['KW_CONFIG_DIR'] = installer_arch_dir
                 kw_proc = subprocess.Popen(
-                    ['kernel-wedge', 'gen-control',
-                     self.abiname],
+                    ['kernel-wedge', 'gen-control', vars['abiname']],
                     stdout=subprocess.PIPE,
                     env=kw_env)
                 udeb_packages = read_control(kw_proc.stdout)
@@ -414,11 +415,11 @@ class Gencontrol(Base):
         if config_entry_image['type'] == 'plain':
             substitute_file('headers.plain.postinst',
                             'debian/linux-headers-%s%s.postinst' %
-                            (self.abiname, vars['localversion']))
+                            (vars['abiname'], vars['localversion']))
             for name in ['postinst', 'postrm', 'preinst', 'prerm', 'templates']:
                 substitute_file('image.plain.%s' % name,
                                 'debian/linux-image-%s%s.%s' %
-                                (self.abiname, vars['localversion'], name))
+                                (vars['abiname'], vars['localversion'], name))
             for path in glob.glob('debian/templates/po/*.po'):
                 substitute_file('po/' + os.path.basename(path),
                                 'debian/po/' + os.path.basename(path),
@@ -426,7 +427,7 @@ class Gencontrol(Base):
         if build_debug:
             substitute_file('image-dbg.lintian-override',
                             'debian/linux-image-%s%s-dbg.lintian-overrides' %
-                            (self.abiname, vars['localversion']))
+                            (vars['abiname'], vars['localversion']))
 
     def merge_packages(self, packages, new, arch):
         for new_package in new:
diff --git a/debian/changelog b/debian/changelog
index c805d7fa0..301aa7ac7 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -15,6 +15,37 @@ linux (3.12~rc7-1~exp1) experimental; urgency=low
 
  -- Ben Hutchings <ben@decadent.org.uk>  Mon, 28 Oct 2013 04:12:20 +0000
 
+linux (3.11.6-2) unstable; urgency=medium
+
+  [ Ben Hutchings ]
+  * [sh4] Reduce compiler version to gcc-4.7, as gcc-4.8 is not yet
+    available
+  * [ia64] Reduce compiler version to gcc-4.6, matching gcc-defaults
+    (fixes FTBFS)
+  * [armhf] Bump ABI to 1a, as enabling Xen and KVM support changes ABI
+  * net: Fix infinite loop in in skb_flow_dissect() (CVE-2013-4348)
+  * net: do not call sock_put() on TIMEWAIT sockets
+  * l2tp: fix kernel panic when using IPv4-mapped IPv6 addresses
+  * net: heap overflow in __audit_sockaddr()
+  * proc connector: fix info leaks
+  * bridge: update mdb expiration timer upon reports.
+  * Revert "bridge: only expire the mdb entry when query is received"
+  * unix_diag: fix info leak
+  * be2net: pass if_id for v1 and V2 versions of TX_CREATE cmd
+  * net: fix cipso packet validation when !NETLABEL
+  * inet: fix possible memory corruption with UDP_CORK and UFO
+  * [arm] 7851/1: check for number of arguments in syscall_get/set_arguments()
+  * ext[34]: fix double put in tmpfile
+  * dm snapshot: fix data corruption (CVE-2013-4299)
+  * i2c: ismt: initialize DMA buffer
+  * mm: fix BUG in __split_huge_page_pmd
+  * writeback: fix negative bdi max pause
+
+  [ Aurelien Jarno ]
+  * UAPI: include <asm/byteorder.h> in linux/raid/md_p.h.
+
+ -- Ben Hutchings <ben@decadent.org.uk>  Fri, 01 Nov 2013 05:23:13 +0000
+
 linux (3.11.6-1) unstable; urgency=low
   
   * New upstream stable update:
diff --git a/debian/config/ia64/defines b/debian/config/ia64/defines
index d699fa398..34b4ae73f 100644
--- a/debian/config/ia64/defines
+++ b/debian/config/ia64/defines
@@ -3,6 +3,7 @@ flavours:
  itanium
  mckinley
 kernel-arch: ia64
+compiler: gcc-4.6
 
 [image]
 bootloaders: elilo
diff --git a/debian/config/sh4/defines b/debian/config/sh4/defines
index 7dd028a53..1661800dd 100644
--- a/debian/config/sh4/defines
+++ b/debian/config/sh4/defines
@@ -3,6 +3,7 @@ flavours:
  sh7751r
  sh7785lcr
 kernel-arch: sh
+compiler: gcc-4.7
 
 [image]
 suggests: fdutils
diff --git a/debian/patches/bugfix/all/CVE-2013-4348.patch b/debian/patches/bugfix/all/CVE-2013-4348.patch
new file mode 100644
index 000000000..4a0dbd2f1
--- /dev/null
+++ b/debian/patches/bugfix/all/CVE-2013-4348.patch
@@ -0,0 +1,82 @@
+From: Ben Hutchings <ben@decadent.org.uk>
+Date: Thu, 31 Oct 2013 02:24:12 +0000
+Subject: net: Fix infinite loop in in skb_flow_dissect() (CVE-2013-4348)
+
+Jason Wang <jasowang@redhat.com> writes:
+(via linux-distros@vs.openwall.org etc.)
+> There's a deadloop path in skb_flow_dissect():
+> 
+> bool skb_flow_dissect(const struct sk_buff *skb, struct flow_keys *flow)
+> {
+> ..
+> 
+> ip:
+>         iph = skb_header_pointer(skb, nhoff, sizeof(_iph), &_iph);
+>         if (!iph)
+>             return false;
+> 
+>         if (ip_is_fragment(iph))
+>             ip_proto = 0;
+>         else
+>             ip_proto = iph->protocol;
+>         iph_to_flow_copy_addrs(flow, iph);
+>         nhoff += iph->ihl * 4;
+>         break;
+> ..
+> 
+> Here the code does not check whether iph->ihl is zero which may cause
+> deadloop if a malicous IPIP packet whose ihl is zero. See the above
+> codes for IPIP. Since the pointer was not move ahead.
+> 
+> ..
+>     case IPPROTO_IPIP:
+>         proto = htons(ETH_P_IP);
+>         goto ip;
+> ..
+> }
+> 
+> skb_flow_dissect() were used by several places:
+> - packet scheduler that want classify flows
+> - skb_get_rxhash() that will be used by RPS, vxlan, multiqueue
+> tap,macvtap packet fanout
+> - skb_probe_transport_header() which was used for probing transport
+> header for DODGY packets
+> - __skb_get_poff() which will be used by socket filter
+> 
+> So this could be used to DOS both local and remote machine.
+> 
+> I was able to
+> 
+> - DOS the local host machine
+> - DOS the local host machine by run the reproducer in guest
+> - DOS one guest with RPS enabled by running the reproducer in another
+> guest in the same host.
+> 
+> I believe it could be also used to DOS a remote machine, but I didn't try.
+> 
+> The issue were introduced by commit
+> 0744dd00c1b1be99a25b62b1b48df440e82e57e0 (net: introduce
+> skb_flow_dissect()).
+> 
+> The fix looks easy, just fail when iph->ihl is zero.
+
+Accepting any positive value means we can still be made to loop nearly
+skb->len / 4 times in some cases.  But all values < 5 are invalid, so
+let's reject them and reduce that to skb->len / 20.
+
+We should probably set a constant limit on the loop count as well, but
+I'm not sure what the limit should be.
+
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+--- a/net/core/flow_dissector.c
++++ b/net/core/flow_dissector.c
+@@ -40,7 +40,7 @@ again:
+ 		struct iphdr _iph;
+ ip:
+ 		iph = skb_header_pointer(skb, nhoff, sizeof(_iph), &_iph);
+-		if (!iph)
++		if (!iph || iph->ihl < 5)
+ 			return false;
+ 
+ 		if (ip_is_fragment(iph))
diff --git a/debian/patches/bugfix/all/UAPI-include-asm-byteorder.h-in-linux-raid-md_p.h.patch b/debian/patches/bugfix/all/UAPI-include-asm-byteorder.h-in-linux-raid-md_p.h.patch
new file mode 100644
index 000000000..6bdc3737e
--- /dev/null
+++ b/debian/patches/bugfix/all/UAPI-include-asm-byteorder.h-in-linux-raid-md_p.h.patch
@@ -0,0 +1,30 @@
+From: Aurelien Jarno <aurelien@aurel32.net>
+Date: Tue, 29 Oct 2013 11:55:17 +0100
+Subject: [PATCH] UAPI: include <asm/byteorder.h> in linux/raid/md_p.h
+Forwarded: http://comments.gmane.org/gmane.linux.kernel/1586604
+
+linux/raid/md_p.h is using conditionals depending on endianess and fails
+with an error if neither of __BIG_ENDIAN, __LITTLE_ENDIAN or
+__BYTE_ORDER are defined, but it doesn't include any header which can
+define these constants. This make this header unusable alone.
+
+This patch adds a #include <asm/byteorder.h> at the beginning of this
+header to make it usable alone. This is needed to compile klibc on MIPS.
+
+Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
+---
+ include/uapi/linux/raid/md_p.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/include/uapi/linux/raid/md_p.h b/include/uapi/linux/raid/md_p.h
+index fe1a540..f7cf7f3 100644
+--- a/include/uapi/linux/raid/md_p.h
++++ b/include/uapi/linux/raid/md_p.h
+@@ -16,6 +16,7 @@
+ #define _MD_P_H
+ 
+ #include <linux/types.h>
++#include <asm/byteorder.h>
+ 
+ /*
+  * RAID superblock.
diff --git a/debian/patches/series b/debian/patches/series
index e9c8de5cb..6d87cc672 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -74,3 +74,5 @@ bugfix/all/crypto-ansi_cprng-Fix-off-by-one-error-in-non-block-.patch
 features/all/mvsas-Recognise-device-subsystem-9485-9485-as-88SE94.patch
 bugfix/all/kbuild-use-nostdinc-in-compile-tests.patch
 debian/add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by-default.patch
+bugfix/all/UAPI-include-asm-byteorder.h-in-linux-raid-md_p.h.patch
+bugfix/all/CVE-2013-4348.patch