diff -u gajim-0.15.1/debian/changelog gajim-0.15.1/debian/changelog
--- gajim-0.15.1/debian/changelog
+++ gajim-0.15.1/debian/changelog
@@ -1,3 +1,9 @@
+gajim (0.15.1-4.1+deb7u1) wheezy-security; urgency=high
+
+ * debian/patches/05_fix-cve-2015-8688.diff: backport a fix for CVE-2015-8688.
+
+ -- Tanguy Ortolo Tue, 23 Feb 2016 15:23:21 +0100
+
 gajim (0.15.1-4.1) stable; urgency=high

 * Non-maintainer upload by the Security Team.
diff -u gajim-0.15.1/debian/patches/00list gajim-0.15.1/debian/patches/00list
--- gajim-0.15.1/debian/patches/00list
+++ gajim-0.15.1/debian/patches/00list
@@ -5,0 +6 @@
+05_fix-cve-2015-8688.diff
only in patch2:
unchanged:
--- gajim-0.15.1.orig/debian/patches/05_fix-cve-2015-8688.diff
+++ gajim-0.15.1/debian/patches/05_fix-cve-2015-8688.diff
@@ -0,0 +1,46 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 05_fix-cve-2015-8688.dpatch by
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Fix security issue CVE-2015-8688
+#
+# Description: Fix security issue CVE-2015-8688
+# This is a backport of a fix for the security issue CVE-2015-8688:
+# Gajim before 0.16.5 allows remote attackers to modify the roster and intercept
+# messages via a crafted roster-push IQ stanza.
+# Author: Yann Leboulanger
+# Origin: upstream, https://trac.gajim.org/changeset/af78b7c068904d78c5dfb802826aae99f26a8947/
+# Bug-Debian: http://bugs.debian.org/809900
+# Last-Update: 2016-02-23
+# ---
+# This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+
+@DPATCH@
+
+Index: gajim/src/common/connection_handlers_events.py
+===================================================================
+--- gajim.orig/src/common/connection_handlers_events.py
++++ gajim/src/common/connection_handlers_events.py
+@@ -408,6 +408,10 @@ class RosterSetReceivedEvent(nec.Network
+ base_network_events = []
+
+ def generate(self):
++ frm = helpers.get_jid_from_iq(self.stanza)
++ our_jid = gajim.get_jid_from_account(self.conn.name)
++ if frm and frm != our_jid and frm != gajim.get_server_from_jid(our_jid):
++ return
+ self.version = self.stanza.getTagAttr('query', 'ver')
+ self.items = {}
+ for item in self.stanza.getTag('query').getChildren():
+@@ -424,6 +428,11 @@ class RosterSetReceivedEvent(nec.Network
+ groups.append(group.getData())
+ self.items[jid] = {'name': name, 'sub': sub, 'ask': ask,
+ 'groups': groups}
++ if len(self.items) > 1:
++ reply = nbxmpp.Iq(typ='error', attrs={'id': self.stanza.getID()},
++ to=self.stanza.getFrom(), frm=self.stanza.getTo(), xmlns=None)
++ self.conn.connection.send(reply)
++ return
+ if self.conn.connection and self.conn.connected > 1:
+ reply = nbxmpp.Iq(typ='result', attrs={'id': self.stanza.getID()},
+ to=self.stanza.getFrom(), frm=self.stanza.getTo(), xmlns=None)
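Review bot: The error reply added in the second inner hunk is sent with a bare `self.conn.connection.send(reply)`, while the `result` reply immediately after it is guarded by `if self.conn.connection and self.conn.connected > 1:`. If the connection is already gone when a multi-item push is processed, the new line would fail on a `None` connection instead of just dropping the stanza. Keeping the `return` unconditional and guarding only the send, as in `if self.conn.connection and self.conn.connected > 1:` followed by `self.conn.connection.send(reply)`, would match the existing pattern. Separately, the sender check added at the top of `generate()` returns without leaving any trace; a warning-level log entry naming `frm` would make rejected roster pushes visible to anyone investigating spoofing attempts. `generate()` starts and ends outside both inner hunks, so how callers treat the bare `return` is not visible here.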