diff --git a/debian/changelog b/debian/changelog
index a67d2fe..a05a1d8 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,37 @@
+php7.4 (7.4.5-1ubuntu1) groovy; urgency=medium
+
+  * Merge with Debian unstable. Remaining changes:
+    - d/control, d/control.in: Conflict with mod-php from php7.2 and
+      php7.3 to ensure safe upgrade path for apache2.
+      (Fixes LP #1850933)
+    - libapache2-mod-php.postinst.extra: Disable other mod-php versions.
+      Fixes failure when upgrading from previous versions of mod-php.
+      (LP 1865218)
+    - SECURITY UPDATE: Denial of service through oversized memory allocated
+      + debian/patches/CVE-2019-11048.patch: changes types int to size_t
+        in main/rfc1867.c.
+      + CVE-2019-11048
+  * Dropped:
+    - SECURITY UPDATE: Read one byte of uninitialized memory
+      + debian/patches/CVE-2020-7064.patch: check length in
+        exif_process_TIFF_in_JPEG to avoid read uninitialized memory
+        ext/exif/exif.c, ext/exif/tests/bug79282.phpt.
+      + CVE-2020-7064
+      [Fixed in 7.4.5-1]
+    - SECURITY UPDATE: Memory corruption, crash and potentially code execution
+      + debian/patches/CVE-2020-7065.patch: make sure that negative values are
+	properly compared in ext/mbstring/php_unicode.c,
+	ext/mbstring/tests/bug70371.phpt.
+      + CVE-2020-7065
+      [Fixed in 7.4.5-1]
+    - SECURITY UPDATE: Truncated url due \0
+      + debian/patches/CVE-2020-7066.patch: check for get_headers
+	not accepting \0 in ext/standard/url.c.
+      + CVE-2020-7066
+      [Fixed in 7.4.5-1]
+
+ -- Bryce Harrington <bryce@canonical.com>  Thu, 16 Jul 2020 13:20:11 -0700
+
 php7.4 (7.4.5-1) unstable; urgency=medium
 
   * New upstream version 7.4.5
@@ -13,6 +47,62 @@ php7.4 (7.4.4-1) unstable; urgency=medium
 
  -- Ondřej Surý <ondrej@debian.org>  Fri, 20 Mar 2020 14:45:16 +0100
 
+php7.4 (7.4.3-4ubuntu4) groovy; urgency=medium
+
+  * SECURITY UPDATE: Denial of service through oversized memory allocated
+    - debian/patches/CVE-2019-11048.patch: changes types int to size_t
+      in main/rfc1867.c.
+    - CVE-2019-11048
+
+ -- Leonidas S. Barbosa <leo.barbosa@canonical.com>  Mon, 25 May 2020 09:41:37 -0300
+
+php7.4 (7.4.3-4ubuntu3) groovy; urgency=medium
+
+  * libapache2-mod-php.postinst.extra: Disable other mod-php versions.
+    Fixes failure when upgrading from previous versions of mod-php.
+    (LP: #1865218)
+
+ -- Bryce Harrington <bryce@canonical.com>  Tue, 21 Apr 2020 23:04:30 +0000
+
+php7.4 (7.4.3-4ubuntu2) focal; urgency=medium
+
+  * SECURITY UPDATE: Read one byte of uninitialized memory
+    - debian/patches/CVE-2020-7064.patch: check length in
+      exif_process_TIFF_in_JPEG to avoid read uninitialized memory
+      ext/exif/exif.c, ext/exif/tests/bug79282.phpt.
+    - CVE-2020-7064
+  * SECURITY UPDATE: Memory corruption, crash and potentially code execution
+    - debian/patches/CVE-2020-7065.patch: make sure that negative values are
+      properly compared in ext/mbstring/php_unicode.c,
+      ext/mbstring/tests/bug70371.phpt.
+    - CVE-2020-7065
+  * SECURITY UPDATE: Truncated url due \0
+    - debian/patches/CVE-2020-7066.patch: check for get_headers
+      not accepting \0 in ext/standard/url.c.
+    - CVE-2020-7066
+
+ -- Leonidas S. Barbosa <leo.barbosa@canonical.com>  Mon, 13 Apr 2020 09:32:06 -0300
+
+php7.4 (7.4.3-4ubuntu1) focal; urgency=medium
+
+  * d/control, d/control.in: Conflict with mod-php from php7.2 and
+    php7.3 to ensure safe upgrade path for apache2.
+    (Fixes LP: #1850933)
+
+ -- Bryce Harrington <bryce@canonical.com>  Thu, 26 Mar 2020 20:24:23 +0000
+
+php7.4 (7.4.3-4build2) focal; urgency=medium
+
+  * No-change rebuild for icu soname change.
+
+ -- Matthias Klose <doko@ubuntu.com>  Tue, 03 Mar 2020 21:34:56 +0100
+
+php7.4 (7.4.3-4build1) focal; urgency=medium
+
+  * No-change rebuild to enable build for i386
+
+ -- Steve Langasek <steve.langasek@ubuntu.com>  Tue, 25 Feb 2020 14:37:54 -0800
+
 php7.4 (7.4.3-4) unstable; urgency=medium
 
   * Remove /etc/init/php@PHP_VERSION@-fpm.conf, not
diff --git a/debian/control b/debian/control
index 3ca9223..8e60773 100644
--- a/debian/control
+++ b/debian/control
@@ -1,7 +1,8 @@
 Source: php7.4
 Section: php
 Priority: optional
-Maintainer: Debian PHP Maintainers <team+pkg-php@tracker.debian.org>
+Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
+XSBC-Original-Maintainer: Debian PHP Maintainers <team+pkg-php@tracker.debian.org>
 Uploaders: Ondřej Surý <ondrej@debian.org>,
            Lior Kaplan <kaplan@debian.org>
 Build-Depends: apache2-dev (>= 2.4),
@@ -95,6 +96,8 @@ Depends: libmagic1,
          ${shlibs:Depends}
 Provides: libapache2-mod-php,
           ${php:Provides}
+Conflicts: libapache2-mod-php7.3,
+	   libapache2-mod-php7.2
 Recommends: apache2
 Suggests: php-pear
 Description: server-side, HTML-embedded scripting language (Apache 2 module)
diff --git a/debian/control.in b/debian/control.in
index 9681703..4432404 100644
--- a/debian/control.in
+++ b/debian/control.in
@@ -1,7 +1,8 @@
 Source: php@PHP_VERSION@
 Section: php
 Priority: optional
-Maintainer: Debian PHP Maintainers <team+pkg-php@tracker.debian.org>
+Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
+XSBC-Original-Maintainer: Debian PHP Maintainers <team+pkg-php@tracker.debian.org>
 Uploaders: Ondřej Surý <ondrej@debian.org>,
            Lior Kaplan <kaplan@debian.org>
 Build-Depends: apache2-dev (>= 2.4),
@@ -95,6 +96,8 @@ Depends: libmagic1,
          ${shlibs:Depends}
 Provides: libapache2-mod-php,
           ${php:Provides}
+Conflicts: libapache2-mod-php7.3,
+	   libapache2-mod-php7.2
 Recommends: apache2
 Suggests: php-pear
 Description: server-side, HTML-embedded scripting language (Apache 2 module)
diff --git a/debian/libapache2-mod-php.postinst.extra b/debian/libapache2-mod-php.postinst.extra
index 923e475..6c6ef99 100644
--- a/debian/libapache2-mod-php.postinst.extra
+++ b/debian/libapache2-mod-php.postinst.extra
@@ -13,9 +13,14 @@ if [ -e /usr/share/apache2/apache2-maintscript-helper ]; then
 	fi
 
 	PHP_MODULE=$(a2query -m | sed -n 's/^\(php[\.0-9]*\) (enabled.*)/\1/p')
-        if [ -n "$PHP_MODULE" -a "$PHP_MODULE" != "php@PHP_VERSION@" ]; then
-	    apache2_msg "err" "$DPKG_MAINTSCRIPT_PACKAGE: $PHP_MODULE module already enabled, not enabling PHP @PHP_VERSION@"
-	    return 1
+	if [ -n "$PHP_MODULE" -a "$PHP_MODULE" != "php@PHP_VERSION@" ]; then
+	    local a2invoke_ret=0
+	    apache2_msg "info" "$DPKG_MAINTSCRIPT_PACKAGE: Disabling old $PHP_MODULE in favor of using PHP @PHP_VERSION@"
+	    apache2_invoke dismod $PHP_MODULE || a2invoke_ret=1
+	    if [ "${a2invoke_ret}" -ne 0 ]; then
+		apache2_msg "err" "$DPKG_MAINTSCRIPT_PACKAGE: (${a2invoke_ret}) failed to disable old $PHP_MODULE"
+		return 1
+	    fi
 	fi
 
 	mpm=$(a2query -M)
diff --git a/debian/patches/CVE-2019-11048.patch b/debian/patches/CVE-2019-11048.patch
new file mode 100644
index 0000000..e6e73d5
--- /dev/null
+++ b/debian/patches/CVE-2019-11048.patch
@@ -0,0 +1,65 @@
+From a3924ab6542a358a3099de992b63b932a9570add Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Mon, 11 May 2020 14:20:47 -0700
+Subject: [PATCH] Merge branch 'PHP-7.3' into PHP-7.4
+
+* PHP-7.3:
+  Fix #78876: Long variables cause OOM and temp files are not cleaned
+  Fix #78875: Long filenames cause OOM and temp files are not cleaned
+  Update NEWS for 7.2.31
+  Update CREDITS for PHP 7.2.30
+  Update NEWS for PHP 7.2.30
+---
+ main/rfc1867.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/main/rfc1867.c b/main/rfc1867.c
+index 1ee7b925a1b9..8bdc409296ae 100644
+--- a/main/rfc1867.c
++++ b/main/rfc1867.c
+@@ -606,7 +606,7 @@ static void *php_ap_memstr(char *haystack, int haystacklen, char *needle, int ne
+ }
+ 
+ /* read until a boundary condition */
+-static int multipart_buffer_read(multipart_buffer *self, char *buf, size_t bytes, int *end)
++static size_t multipart_buffer_read(multipart_buffer *self, char *buf, size_t bytes, int *end)
+ {
+ 	size_t len, max;
+ 	char *bound;
+@@ -645,7 +645,7 @@ static int multipart_buffer_read(multipart_buffer *self, char *buf, size_t bytes
+ 		self->buf_begin += len;
+ 	}
+ 
+-	return (int)len;
++	return len;
+ }
+ 
+ /*
+@@ -655,7 +655,7 @@ static int multipart_buffer_read(multipart_buffer *self, char *buf, size_t bytes
+ static char *multipart_buffer_read_body(multipart_buffer *self, size_t *len)
+ {
+ 	char buf[FILLUNIT], *out=NULL;
+-	int total_bytes=0, read_bytes=0;
++	size_t total_bytes=0, read_bytes=0;
+ 
+ 	while((read_bytes = multipart_buffer_read(self, buf, sizeof(buf), NULL))) {
+ 		out = erealloc(out, total_bytes + read_bytes + 1);
+@@ -682,7 +682,8 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_post_handler) /* {{{ */
+ 	char *boundary, *s = NULL, *boundary_end = NULL, *start_arr = NULL, *array_index = NULL;
+ 	char *lbuf = NULL, *abuf = NULL;
+ 	zend_string *temp_filename = NULL;
+-	int boundary_len = 0, cancel_upload = 0, is_arr_upload = 0, array_len = 0;
++	int boundary_len = 0, cancel_upload = 0, is_arr_upload = 0;
++	size_t array_len = 0;
+ 	int64_t total_bytes = 0, max_file_size = 0;
+ 	int skip_upload = 0, anonindex = 0, is_anonymous;
+ 	HashTable *uploaded_files = NULL;
+@@ -1116,7 +1117,7 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_post_handler) /* {{{ */
+ 			is_arr_upload =	(start_arr = strchr(param,'[')) && (param[strlen(param)-1] == ']');
+ 
+ 			if (is_arr_upload) {
+-				array_len = (int)strlen(start_arr);
++				array_len = strlen(start_arr);
+ 				if (array_index) {
+ 					efree(array_index);
+ 				}
diff --git a/debian/patches/series b/debian/patches/series
index 1784689..4d4e247 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -38,3 +38,4 @@
 0038-Really-expand-libdir-datadir-into-EXPANDED_LIBDIR-DA.patch
 0039-Fix-ext-date-lib-parse_tz-PATH_MAX-HURD-FTBFS.patch
 0040-Amend-C-11-for-intl-compilation-on-older-distributio.patch
+CVE-2019-11048.patch