diff -Nru firewalld-0.4.0/debian/changelog firewalld-0.4.0/debian/changelog
--- firewalld-0.4.0/debian/changelog 2016-02-07 16:42:27.000000000 -0500
+++ firewalld-0.4.0/debian/changelog 2017-10-25 21:05:13.000000000 -0400
@@ -1,3 +1,13 @@
+firewalld (0.4.0-2) xenial; urgency=medium
+
+ * SECURITY UPDATE: Any logged in user could modify passthrough rules
+ and set ipset entries (LP: #1617617)
+ - debian/patches/CVE-2016-5410.patch: Enforce appropriate PolicyKit
+ authentication requirements, based on upstream 0.4.3.3 commit
+ - CVE-2016-5410
+
+ -- Lucas Kocia Wed, 25 Oct 2017 21:03:52 -0400
+
 firewalld (0.4.0-1) unstable; urgency=medium
 
 * Team upload.
diff -Nru firewalld-0.4.0/debian/patches/06-CVE-2016-5410.patch firewalld-0.4.0/debian/patches/06-CVE-2016-5410.patch
--- firewalld-0.4.0/debian/patches/06-CVE-2016-5410.patch 1969-12-31 19:00:00.000000000 -0500
+++ firewalld-0.4.0/debian/patches/06-CVE-2016-5410.patch 2017-10-25 21:03:05.000000000 -0400
@@ -0,0 +1,45 @@
+--- firewalld-0.4.0/src/firewall/server/firewalld.py 2016-01-29 04:48:39.000000000 -0500
++++ myfirewalld-0.4.0/src/firewall/server/firewalld.py 2017-10-25 20:39:22.800301452 -0400
+@@ -55,8 +55,8 @@ class FirewallD(slip.dbus.service.Object
+
+ persistent = True
+ """ Make FirewallD persistent. """
+- default_polkit_auth_required = PK_ACTION_INFO
+- """ Use PK_ACTION_INFO as a default """
++ default_polkit_auth_required = PK_ACTION_CONFIG
++ """ Use PK_ACTION_CONFIG as a default """
+
+ @handle_exceptions
+ def __init__(self, *args, **kwargs):
+@@ -1908,6 +1908,7 @@ class FirewallD(slip.dbus.service.Object
+
+ # DIRECT PASSTHROUGH (tracked)
+
++ @slip.dbus.polkit.require_auth(PK_ACTION_DIRECT)
+ @dbus_service_method(DBUS_INTERFACE_DIRECT, in_signature='sas',
+ out_signature='')
+ @dbus_handle_exceptions
+@@ -1921,6 +1922,7 @@ class FirewallD(slip.dbus.service.Object
+ self.fw.direct.add_passthrough(ipv, args)
+ self.PassthroughAdded(ipv, args)
+
++ @slip.dbus.polkit.require_auth(PK_ACTION_DIRECT)
+ @dbus_service_method(DBUS_INTERFACE_DIRECT, in_signature='sas',
+ out_signature='')
+ @dbus_handle_exceptions
+@@ -2035,6 +2037,7 @@ class FirewallD(slip.dbus.service.Object
+
+ # set entries # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
+
++ @slip.dbus.polkit.require_auth(PK_ACTION_CONFIG)
+ @dbus_service_method(DBUS_INTERFACE_IPSET, in_signature='ss',
+ out_signature='')
+ @dbus_handle_exceptions
+@@ -2047,6 +2050,7 @@ class FirewallD(slip.dbus.service.Object
+ self.fw.ipset.add_entry(ipset, entry)
+ self.EntryAdded(ipset, entry)
+
++ @slip.dbus.polkit.require_auth(PK_ACTION_CONFIG)
+ @dbus_service_method(DBUS_INTERFACE_IPSET, in_signature='ss',
+ out_signature='')
+ @dbus_handle_exceptions
diff -Nru firewalld-0.4.0/debian/patches/series firewalld-0.4.0/debian/patches/series
--- firewalld-0.4.0/debian/patches/series 2016-02-07 16:11:50.000000000 -0500
+++ firewalld-0.4.0/debian/patches/series 2017-10-25 21:03:43.000000000 -0400
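Review bot: The switch of `default_polkit_auth_required` to `PK_ACTION_CONFIG` in the first inner hunk changes the authorization level of every exported method that has no explicit `require_auth`, not only the four decorated further down, and the patch alone does not show which methods those four are because each decorated `def` line falls outside the hunk context. A fail-closed default is the right direction, but the scope should be recorded in a DEP-3 header (the new file starts directly at `---`) so it can be audited against the CVE: `Description: require PolicyKit authorization for tracked passthrough and ipset entry methods; default to PK_ACTION_CONFIG`, `Origin: backport, <upstream commit URL>`, `Bug-Ubuntu: https://bugs.launchpad.net/bugs/1617617`. It is also worth confirming that no read-only method relied on the old `PK_ACTION_INFO` default, since unprivileged callers of such a method would presumably now be asked for configuration-level authorization. Separately, the changelog entry names `debian/patches/CVE-2016-5410.patch` while the file added here and listed in `series` is `06-CVE-2016-5410.patch`.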
@@ -1,2 +1,3 @@
 01-no-sysconfig.patch
 04-python3.patch
+06-CVE-2016-5410.patch