diff -Nru jython-2.5.3/debian/changelog jython-2.5.3/debian/changelog
--- jython-2.5.3/debian/changelog 2017-02-22 10:52:18.000000000 +0000
+++ jython-2.5.3/debian/changelog 2017-09-03 02:20:03.000000000 +0000
@@ -1,3 +1,22 @@
+jython (2.5.3-15ubuntu0.1) zesty-security; urgency=high
+
+ [ Simon Quigley ]
+ * SECURITY UPDATE: Creates executables class files with wrong permissions
+ (LP: #1714728)
+ - CVE-2013-2027
+ - 1-CVE-2013-2027.patch
+ - 2-CVE-2013-2027.patch
+ - 3-CVE-2013-2027.patch
+ - Thanks to Lubomir Rintel for the patches!
+
+ [ Markus Koschany ]
+ * SECURITY UPDATE: Unsafe deserialization may lead to arbitrary code
+ execution
+ - CVE-2016-4000
+ - CVE-2016-4000.patch
+
+ -- Simon Quigley Mon, 18 Sep 2017 00:43:55 -0500
+
 jython (2.5.3-15) unstable; urgency=medium
 
 * Set 'Class-Path' into jython.jar's manifest (closes: #855689)
diff -Nru jython-2.5.3/debian/control jython-2.5.3/debian/control
--- jython-2.5.3/debian/control 2017-02-21 18:17:02.000000000 +0000
+++ jython-2.5.3/debian/control 2017-09-03 02:20:03.000000000 +0000
@@ -1,7 +1,8 @@
 Source: jython
 Section: python
 Priority: optional
-Maintainer: Debian Java Maintainers
+Maintainer: Ubuntu Developers
+XSBC-Original-Maintainer: Debian Java Maintainers
 Uploaders: Jakub Adam
 Build-Depends: debhelper (>= 10), dh-exec, ant, gawk, maven-repo-helper, python
 Build-Depends-Indep: default-jdk,
diff -Nru jython-2.5.3/debian/patches/1-CVE-2013-2027.patch jython-2.5.3/debian/patches/1-CVE-2013-2027.patch
--- jython-2.5.3/debian/patches/1-CVE-2013-2027.patch 1970-01-01 00:00:00.000000000 +0000
+++ jython-2.5.3/debian/patches/1-CVE-2013-2027.patch 2017-09-03 02:20:01.000000000 +0000
@@ -0,0 +1,24 @@
+Description: Make cache not accessible by anyone else
+ Sensitive information might be being cached or umask can be too relaxed, allowing writes.
+ .
+ This is patch 1/3 fixing CVE-2013-2027.
+Author: Lubomir Rintel
+Origin: https://build.opensuse.org/request/show/284056
+Bug-SUSE: https://bugzilla.suse.com/show_bug.cgi?id=916224
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1714728
+Last-Update: 2017-09-02
+--- a/src/org/python/core/packagecache/CachedJarsPackageManager.java
++++ b/src/org/python/core/packagecache/CachedJarsPackageManager.java
+@@ -672,6 +672,12 @@ public abstract class CachedJarsPackageM
+ return false;
+ }
+
++ aCachedir1.setReadable(false, false);
++ aCachedir1.setWritable(false, false);
++ aCachedir1.setExecutable(false, false);
++ aCachedir1.setReadable(true, true);
++ aCachedir1.setWritable(true, true);
++ aCachedir1.setExecutable(true, true);
+ this.cachedir = aCachedir1;
+
+ return true;
diff -Nru jython-2.5.3/debian/patches/2-CVE-2013-2027.patch jython-2.5.3/debian/patches/2-CVE-2013-2027.patch
--- jython-2.5.3/debian/patches/2-CVE-2013-2027.patch 1970-01-01 00:00:00.000000000 +0000
+++ jython-2.5.3/debian/patches/2-CVE-2013-2027.patch 2017-09-03 02:20:01.000000000 +0000
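Review bot: The six `setReadable`/`setWritable`/`setExecutable` calls added before `this.cachedir = aCachedir1;` discard their boolean results, so on a filesystem or platform that cannot apply the restriction the directory is still accepted as the cache with its original, possibly world-accessible, mode — the very condition the patch description says it guards against. The method already reports an unusable directory with `return false;`, so at least the owner-restoring calls should feed that decision, e.g. `if (!aCachedir1.setReadable(true, true) || !aCachedir1.setWritable(true, true) || !aCachedir1.setExecutable(true, true)) { return false; }`, and a `false` from any of the `(false, false)` calls is worth logging so an operator can tell the cache is not private (failing hard on those would presumably break platforms where removing others' access is unsupported). These calls also only change the directory itself; files already present in a pre-existing cache keep their old modes, so re-checking or purging them here seems warranted. The enclosing method starts outside the hunk.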
@@ -0,0 +1,27 @@
+Description: Avoid code duplication with makeCompiledFilename()
+ This is patch 2/3 fixing CVE-2013-2027.
+Author: Lubomir Rintel
+Origin: https://build.opensuse.org/request/show/284056
+Bug-SUSE: https://bugzilla.suse.com/show_bug.cgi?id=916224
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1714728
+Last-Update: 2017-09-02
+--- a/src/org/python/core/imp.java
++++ b/src/org/python/core/imp.java
+@@ -526,7 +526,7 @@ public class imp {
+ static PyObject loadFromSource(PySystemState sys, String name, String modName, String entry) {
+ String dirName = sys.getPath(entry);
+ String sourceName = "__init__.py";
+- String compiledName = "__init__$py.class";
++ String compiledName = makeCompiledFilename(sourceName);
+ // display names are for identification purposes (e.g. __file__): when entry is
+ // null it forces java.io.File to be a relative path (e.g. foo/bar.py instead of
+ // /tmp/foo/bar.py)
+@@ -551,7 +551,7 @@ public class imp {
+ if (!pkg) {
+ Py.writeDebug(IMPORT_LOG, "trying source " + dir.getPath());
+ sourceName = name + ".py";
+- compiledName = name + "$py.class";
++ compiledName = makeCompiledFilename(sourceName);
+ displaySourceName = new File(displayDirName, sourceName).getPath();
+ displayCompiledName = new File(displayDirName, compiledName).getPath();
+ sourceFile = new File(dirName, sourceName);
diff -Nru jython-2.5.3/debian/patches/3-CVE-2013-2027.patch jython-2.5.3/debian/patches/3-CVE-2013-2027.patch
--- jython-2.5.3/debian/patches/3-CVE-2013-2027.patch 1970-01-01 00:00:00.000000000 +0000
+++ jython-2.5.3/debian/patches/3-CVE-2013-2027.patch 2017-09-03 02:20:03.000000000 +0000
@@ -0,0 +1,58 @@
+Description: Use cache dir for classes too
+ Instead of attempting to write them next to source files.
+ Java 6 API does not allow for setting sane permissions (i.e. same as
+ those of a source file) and relying on defaults is a security hazard
+ which can lead to information disclosure, or, in case of a too relaxed
+ umask, arbitrary code execution.
+ .
+ Also, this will likely improve performance for non-privileged users
+ which can not write to their distribution's packaged jython tree.
+ .
+ This is patch 3/3 fixing CVE-2013-2027.
+Author: Lubomir Rintel
+Origin: https://build.opensuse.org/request/show/284056
+Bug-SUSE: https://bugzilla.suse.com/show_bug.cgi?id=916224
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1714728
+Last-Update: 2017-09-02
+--- a/src/org/python/core/PySystemState.java
++++ b/src/org/python/core/PySystemState.java
+@@ -952,6 +952,12 @@ public class PySystemState extends PyObj
+ Py.newString(Version.getHGVersion()));
+ }
+
++ public static File classCache() {
++ if (cachedir == null)
++ return null;
++ return new File(cachedir, "classes");
++ }
++
+ public static boolean isPackageCacheEnabled() {
+ return cachedir != null;
+ }
+--- a/src/org/python/core/imp.java
++++ b/src/org/python/core/imp.java
+@@ -253,7 +253,15 @@ public class imp {
+ }
+
+ public static String makeCompiledFilename(String filename) {
+- return filename.substring(0, filename.length() - 3) + "$py.class";
++ String basename = filename.substring(0, filename.length() - 3)
++ + "$py.class";
++ File cache = Py.getSystemState().classCache();
++
++ if (cache == null) {
++ return basename;
++ } else {
++ return new File(cache, basename).getPath();
++ }
+ }
+
+ /**
+@@ -284,6 +292,7 @@ public class imp {
+ if (man != null) {
+ man.checkWrite(compiledFilename);
+ }
++ new File(compiledFilename).getParentFile().mkdirs();
+ fop = new FileOutputStream(compiledFilename);
+ fop.write(compiledSource);
+ fop.close();
diff -Nru 
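Review bot: `makeCompiledFilename` now keys the class cache on the bare basename: it derives `basename` from `filename` alone and returns `new File(cache, basename).getPath()`, so every package's `__init__.py` on sys.path maps to the same `classes/__init__$py.class` and two same-named modules in different directories overwrite each other's compiled class; with the mtime-based freshness check that presumably still guards the load, one module can end up executing another module's cached bytecode. The cache path should mirror the source's directory (e.g. the source file's absolute path placed under `classCache()`), and the callers rewritten in 2-CVE-2013-2027.patch (`new File(displayDirName, compiledName)` and, presumably, the non-display counterpart) must then stop re-joining the now-absolute result with a directory, since as far as I recall the two-argument `File` constructor concatenates an absolute child onto the parent on Unix. Separately, the `mkdirs()` line in the last hunk dereferences `getParentFile()`, which is null for a bare filename — exactly what the `cache == null` branch returns — so guard it: `File parent = new File(compiledFilename).getParentFile(); if (parent != null) { parent.mkdirs(); }`. The bodies of both `makeCompiledFilename`'s caller and the method around the `mkdirs()` line continue outside the hunk.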
jython-2.5.3/debian/patches/CVE-2016-4000.patch jython-2.5.3/debian/patches/CVE-2016-4000.patch
--- jython-2.5.3/debian/patches/CVE-2016-4000.patch 1970-01-01 00:00:00.000000000 +0000
+++ jython-2.5.3/debian/patches/CVE-2016-4000.patch 2017-09-03 02:20:01.000000000 +0000
@@ -0,0 +1,94 @@
+From: Markus Koschany
+Date: Fri, 16 Jun 2017 21:29:16 +0200
+Subject: CVE-2016-4000
+
+I decided to leave out the changes in test_new.py because they didn't seem
+important to me.
+
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864859
+Bug-Upstream: http://bugs.jython.org/issue2454
+Origin: https://hg.python.org/jython/rev/d06e29d100c0
+---
+ Lib/test/test_java_integration.py | 24 +++++++++++++++++++++---
+ src/org/python/core/PyBytecode.java | 6 ++++++
+ src/org/python/core/PyFunction.java | 4 ++++
+ 3 files changed, 31 insertions(+), 3 deletions(-)
+
+diff --git a/Lib/test/test_java_integration.py b/Lib/test/test_java_integration.py
+index 37f158f..2314470 100644
+--- a/Lib/test/test_java_integration.py
++++ b/Lib/test/test_java_integration.py
+@@ -9,8 +9,9 @@ import re
+ from collections import deque
+ from test import test_support
+
+-from java.lang import (ClassCastException, ExceptionInInitializerError, String, Runnable, System,
+- Runtime, Math, Byte)
++from java.lang import (
++ ClassCastException, ExceptionInInitializerError, UnsupportedOperationException,
++ String, Runnable, System, Runtime, Math, Byte)
+ from java.math import BigDecimal, BigInteger
+ from java.io import (ByteArrayInputStream, ByteArrayOutputStream, File, FileInputStream,
+ FileNotFoundException, FileOutputStream, FileWriter, ObjectInputStream,
+@@ -526,13 +527,30 @@ class SerializationTest(unittest.TestCase):
+ self.assertEqual(date_list, roundtrip_serialization(date_list))
+
+ def test_java_serialization_pycode(self):
+-
+ def universal_answer():
+ return 42
+
+ serialized_code = roundtrip_serialization(universal_answer.func_code)
+ self.assertEqual(eval(serialized_code), universal_answer())
+
++ def test_java_serialization_pyfunction(self):
++ # Not directly supported due to lack of general utility
++ # (globals will usually be in the function object in
++ # func_globals), and problems with unserialization
++ # vulnerabilities. 
Users can always subclass from PyFunction
++ # for specific cases, as seen in PyCascading
++ import new
++ def f():
++ return 6 * 7 + max(0, 1, 2)
++ # However, using the new module, it's possible to create a
++ # function with no globals, which means the globals will come
++ # from the current context
++ g = new.function(f.func_code, {}, "g")
++ # But still forbid Java deserialization of this function
++ # object. Use pickling or other support instead.
++ with self.assertRaises(UnsupportedOperationException):
++ roundtrip_serialization(g)
++
+ def test_builtin_names(self):
+ import __builtin__
+ names = [x for x in dir(__builtin__)]
+diff --git a/src/org/python/core/PyBytecode.java b/src/org/python/core/PyBytecode.java
+index 9418fe8..ba12e4c 100644
+--- a/src/org/python/core/PyBytecode.java
++++ b/src/org/python/core/PyBytecode.java
+@@ -66,6 +66,12 @@ public class PyBytecode extends PyBaseCode {
+
+ debug = defaultDebug;
+
++ if (argcount < 0) {
++ throw Py.ValueError("code: argcount must not be negative");
++ } else if (nlocals < 0) {
++ throw Py.ValueError("code: nlocals must not be negative");
++ }
++
+ co_argcount = nargs = argcount;
+ co_varnames = varnames;
+ co_nlocals = nlocals; // maybe assert = varnames.length;
+diff --git a/src/org/python/core/PyFunction.java b/src/org/python/core/PyFunction.java
+index 18de08d..8042163 100644
+--- a/src/org/python/core/PyFunction.java
++++ b/src/org/python/core/PyFunction.java
+@@ -450,4 +450,8 @@ public class PyFunction extends PyObject implements InvocationHandler {
+
+ @Override
+ public boolean isSequenceType() { return false; }
++
++ private Object readResolve() {
++ throw new UnsupportedOperationException();
++ }
+ }
diff -Nru jython-2.5.3/debian/patches/series jython-2.5.3/debian/patches/series
--- jython-2.5.3/debian/patches/series 2017-02-21 20:02:07.000000000 +0000
+++ jython-2.5.3/debian/patches/series 2017-09-03 02:20:03.000000000 +0000
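Review bot: The `readResolve()` added to `PyFunction` only rejects the instance after `ObjectInputStream` has already reconstructed it and, transitively, every field carried in the stream, so the untrusted object graph is materialised before the refusal; a `private void readObject(ObjectInputStream in) throws IOException` that throws `InvalidObjectException` (or `NotSerializableException`) stops the read at the PyFunction record itself, and an `ObjectStreamException` subtype is also what the serialization contract expects from these hooks, whereas the current `UnsupportedOperationException` escapes `ObjectInputStream.readObject()` as an undeclared runtime exception. Whichever hook is kept, give it a message, e.g. `throw new UnsupportedOperationException("PyFunction does not support Java deserialization");` (constructed wording), since a bare exception from deep inside deserialization is hard to diagnose; the Python test added in the same patch asserts on the exception type and would have to follow any change. In the `PyBytecode` hunk the new checks reject negative `argcount`/`nlocals`, but `nlocals` is still not validated against `varnames.length` even though the `// maybe assert = varnames.length;` comment on the same line flags the gap, which seems worth closing in the same hardening change. The `PyBytecode` constructor and the `PyFunction` class body continue outside the hunk.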
@@ -2,3 +2,7 @@
 02-jnr_refactoring.patch
 03-default-cachedir.patch
 04-runtime-classpath.patch
+1-CVE-2013-2027.patch
+2-CVE-2013-2027.patch
+3-CVE-2013-2027.patch
+CVE-2016-4000.patch