diff -Nru rsyslog-8.2006.0/debian/changelog rsyslog-8.2006.0/debian/changelog
--- rsyslog-8.2006.0/debian/changelog	2020-06-25 05:54:01.000000000 -0700
+++ rsyslog-8.2006.0/debian/changelog	2020-06-30 10:23:05.000000000 -0700
@@ -1,3 +1,14 @@
+rsyslog (8.2006.0-2ubuntu2) groovy; urgency=medium
+
+  * Make /var/log/dmesg not be world readable (LP: #1884887)
+    - debian/dmesg.service:
+      + add additional ExecStartPost to set permissions so that only
+        root and group adm can read /var/log/dmesg
+      + modify savelog invocation to also adjust permissions on rotated
+        dmesg logs to match.
+
+ -- Steve Beattie <sbeattie@ubuntu.com>  Tue, 30 Jun 2020 10:23:05 -0700
+
 rsyslog (8.2006.0-2ubuntu1) groovy; urgency=medium
 
   [ Christian Ehrhardt ]
diff -Nru rsyslog-8.2006.0/debian/dmesg.service rsyslog-8.2006.0/debian/dmesg.service
--- rsyslog-8.2006.0/debian/dmesg.service	2020-06-25 05:54:01.000000000 -0700
+++ rsyslog-8.2006.0/debian/dmesg.service	2020-06-30 10:22:31.000000000 -0700
@@ -4,9 +4,10 @@
 [Service]
 Type=idle
 StandardOutput=file:/var/log/dmesg
-ExecStartPre=-/usr/bin/savelog -q -p -n -c 5 /var/log/dmesg
+ExecStartPre=-/usr/bin/savelog -m640 -q -p -n -c 5 /var/log/dmesg
 ExecStart=/bin/journalctl --boot 0 --dmesg --output short-monotonic --quiet --no-pager --no-hostname
 ExecStartPost=/bin/chgrp adm /var/log/dmesg
+ExecStartPost=/bin/chmod 640 /var/log/dmesg
 
 [Install]
 WantedBy=multi-user.target