diff -Nru gajim-0.16/debian/changelog gajim-0.16/debian/changelog
--- gajim-0.16/debian/changelog 2014-10-17 17:05:30.000000000 +0200
+++ gajim-0.16/debian/changelog 2016-02-23 12:35:12.000000000 +0100
@@ -1,3 +1,9 @@
+gajim (0.16-1+deb8u1) jessie-security; urgency=high
+
+ * debian/patches/fix-cve-2015-8688.patch: backport a fix for CVE-2015-8688.
+
+ -- Tanguy Ortolo Tue, 23 Feb 2016 12:33:56 +0100
+
 gajim (0.16-1) unstable; urgency=medium
 
 * New upstream release. (Closes: #729042, #757570)
diff -Nru gajim-0.16/debian/patches/fix-cve-2015-8688.patch gajim-0.16/debian/patches/fix-cve-2015-8688.patch
--- gajim-0.16/debian/patches/fix-cve-2015-8688.patch 1970-01-01 01:00:00.000000000 +0100
+++ gajim-0.16/debian/patches/fix-cve-2015-8688.patch 2016-02-23 12:31:15.000000000 +0100
@@ -0,0 +1,37 @@
+Description: Fix security issue CVE-2015-8688
+ This is a backport of a fix for the security issue CVE-2015-8688:
+ Gajim before 0.16.5 allows remote attackers to modify the roster and intercept
+ messages via a crafted roster-push IQ stanza.
+Author: Yann Leboulanger
+Origin: upstream, https://trac.gajim.org/changeset/af78b7c068904d78c5dfb802826aae99f26a8947/
+Bug-Debian: http://bugs.debian.org/809900
+Last-Update: 2016-02-23
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+Index: gajim/src/common/connection_handlers_events.py
+===================================================================
+--- gajim.orig/src/common/connection_handlers_events.py
++++ gajim/src/common/connection_handlers_events.py
+@@ -408,6 +408,10 @@ class RosterSetReceivedEvent(nec.Network
+ base_network_events = []
+
+ def generate(self):
++ frm = helpers.get_jid_from_iq(self.stanza)
++ our_jid = gajim.get_jid_from_account(self.conn.name)
++ if frm and frm != our_jid and frm != gajim.get_server_from_jid(our_jid):
++ return
+ self.version = self.stanza.getTagAttr('query', 'ver')
+ self.items = {}
+ for item in self.stanza.getTag('query').getChildren():
+@@ -424,6 +428,11 @@ class RosterSetReceivedEvent(nec.Network
+ groups.append(group.getData())
+ self.items[jid] = {'name': name, 'sub': sub, 'ask': ask,
+ 'groups': groups}
++ if len(self.items) > 1:
++ reply = nbxmpp.Iq(typ='error', attrs={'id': self.stanza.getID()},
++ to=self.stanza.getFrom(), frm=self.stanza.getTo(), xmlns=None)
++ self.conn.connection.send(reply)
++ return
+ if self.conn.connection and self.conn.connected > 1:
+ reply = nbxmpp.Iq(typ='result', attrs={'id': self.stanza.getID()},
+ to=self.stanza.getFrom(), frm=self.stanza.getTo(), xmlns=None)
diff -Nru gajim-0.16/debian/patches/series gajim-0.16/debian/patches/series
--- gajim-0.16/debian/patches/series 2014-10-17 16:37:58.000000000 +0200
+++ gajim-0.16/debian/patches/series 2016-02-23 12:19:13.000000000 +0100
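Review bot: The new error branch in the second inner hunk calls `self.conn.connection.send(reply)` without the `if self.conn.connection and self.conn.connected > 1:` guard that the result reply directly below it uses, so a multi-item push handled while the connection object is gone would raise instead of being rejected cleanly; I would wrap only the send in that same guard and keep the `return` unconditional. The sender check added at the top of `generate` drops a push from an unexpected `frm` silently, which is the right outcome, but a warning log there (for example `log.warning('Ignoring roster push from unexpected sender %s', frm)`, assuming this module has a `log` logger) would make spoofed pushes visible to whoever reads the client logs. The check also relies on `helpers.get_jid_from_iq` and `gajim.get_jid_from_account` returning JIDs in the same normalised bare form, which cannot be confirmed from these hunks and deserves a one-line comment stating it. `generate` starts before the first inner hunk and continues past the end of the second, so the result branch is only partly visible.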
@@ -1 +1,2 @@
 fix-manpages.patch
+fix-cve-2015-8688.patch