diff -Nru apport-2.20.11/data/apport apport-2.20.11/data/apport --- apport-2.20.11/data/apport 2020-02-22 04:18:25.000000000 +1030 +++ apport-2.20.11/data/apport 2020-02-27 11:45:57.000000000 +1030 @@ -32,15 +32,10 @@ This avoids bringing down the system to its knees if there is a series of crashes.''' - # create lock file directory - try: - os.mkdir("/var/lock/apport", mode=0o744) - except FileExistsError: - pass - # create a lock file try: - fd = os.open("/var/lock/apport/lock", os.O_WRONLY | os.O_CREAT | os.O_NOFOLLOW) + fd = os.open("/var/run/apport.lock", + os.O_WRONLY | os.O_CREAT | os.O_NOFOLLOW, mode=0o400) except OSError as e: error_log('cannot create lock file (uid %i): %s' % (os.getuid(), str(e))) sys.exit(1) @@ -704,15 +699,16 @@ mode = 0o640 else: mode = 0 - reportfile = os.fdopen(os.open(report, os.O_RDWR | os.O_CREAT | os.O_EXCL, mode), 'w+b') + fd = os.open(report, os.O_RDWR | os.O_CREAT | os.O_EXCL, mode) + reportfile = os.fdopen(fd, 'w+b') assert reportfile.fileno() > sys.stderr.fileno() # Make sure the crash reporting daemon can read this report try: gid = pwd.getpwnam('whoopsie').pw_gid - os.chown(report, pidstat.st_uid, gid) + os.fchown(fd, pidstat.st_uid, gid) except (OSError, KeyError): - os.chown(report, pidstat.st_uid, pidstat.st_gid) + os.fchown(fd, pidstat.st_uid, pidstat.st_gid) except (OSError, IOError) as e: error_log('Could not create report file: %s' % str(e)) sys.exit(1) diff -Nru apport-2.20.11/debian/changelog apport-2.20.11/debian/changelog --- apport-2.20.11/debian/changelog 2020-02-23 01:26:37.000000000 +1030 +++ apport-2.20.11/debian/changelog 2020-02-27 11:46:41.000000000 +1030 
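Review bot: The new `os.open("/var/run/apport.lock", ...)` call is only safe because `/var/run` is not writable by unprivileged users, and nothing in the code records that assumption; `os.O_NOFOLLOW` protects just the final path component. A comment above the call such as `# lock file must live in a root-only directory so users cannot pre-create or symlink it (CVE-2020-8831)` would keep the path from drifting back to a shared location. Note also that `mode=0o400` takes effect only when this call creates the file, so an already existing lock file keeps whatever owner and permissions it has. The enclosing function starts before the hunk and appears to continue after it.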
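Review bot: The two `os.fchown(fd, ...)` calls carry no comment explaining why the descriptor is used instead of `report`, so a later cleanup could restore the path-based call without noticing the race. I would add above the `try:` something like `# use the fd, not the path: the path could be replaced by a symlink between creation and chown (CVE-2020-8833)`. The function continues outside the hunk; if code further down still changes mode or ownership through the `report` path, it should move to `os.fchmod(fd, ...)` / `os.fchown(fd, ...)` for the same reason. Separately, the `assert reportfile.fileno() > sys.stderr.fileno()` kept after the new `os.fdopen(fd, 'w+b')` is stripped when Python runs with `-O`; an explicit `if` that calls `error_log(...)` and `sys.exit(1)` would keep the check in place.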
@@ -1,3 +1,18 @@ +apport (2.20.11-0ubuntu19) focal; urgency=medium + + * SECURITY UPDATE: World writable lock file created in word writable + location (LP: #1862348) + - data/apport: Change location of lock file to be directly under /var/run so + that regular users can not directly access it or perform symlink attacks. + - CVE-2020-8831 + * SECURITY UPDATE: Race condition betwee report creation and ownership + (LP: #1862933) + - data/apport: When setting owner of report file use a file-descriptor to the + report file instead of it's path name to ensure that users can not cause + Apport to change the ownership of other files via a symlink attack. + - CVE-2020-8833 + -- Alex Murray Thu, 27 Feb 2020 11:46:41 +1030 + apport (2.20.11-0ubuntu18) focal; urgency=medium * data/whoopsie-upload-all: append to the crash report using fdopen and open