diff -Nru kopete-16.12.1/debian/changelog kopete-16.12.1/debian/changelog
--- kopete-16.12.1/debian/changelog 2017-02-08 14:45:05.000000000 -0600
+++ kopete-16.12.1/debian/changelog 2017-02-11 18:19:49.000000000 -0600
@@ -1,3 +1,12 @@
+kopete (4:16.12.1-0ubuntu3) zesty-security; urgency=medium
+
+ * SECURITY UPDATE: User Impersonation Vulnerability in Jabber protocol
+ (LP: #1663950)
+ - CVE-2017-5593-User-Impersonation-Vulnerability-in-Jabber-protocol.patch
+ - CVE-2017-5593
+
+ -- Simon Quigley Sat, 11 Feb 2017 18:19:49 -0600
+
 kopete (4:16.12.1-0ubuntu2) zesty; urgency=medium
 
 * Removal of libjasper as per Debian lead. This removes
diff -Nru kopete-16.12.1/debian/patches/CVE-2017-5593-User-Impersonation-Vulnerability-in-Jabber-protocol.patch kopete-16.12.1/debian/patches/CVE-2017-5593-User-Impersonation-Vulnerability-in-Jabber-protocol.patch
--- kopete-16.12.1/debian/patches/CVE-2017-5593-User-Impersonation-Vulnerability-in-Jabber-protocol.patch 1969-12-31 18:00:00.000000000 -0600
+++ kopete-16.12.1/debian/patches/CVE-2017-5593-User-Impersonation-Vulnerability-in-Jabber-protocol.patch 2017-02-11 18:18:01.000000000 -0600
@@ -0,0 +1,119 @@
+Description: User Impersonation Vulnerability in Jabber protocol
+ An incorrect implementation of "XEP-0280: Message Carbons" in multiple XMPP
+ clients allows a remote attacker to impersonate any user, including contacts,
+ in the vulnerable application's display. This allows for various kinds of
+ social engineering attacks.
+ .
+ This patch can be removed in kopete 16.12.3 and on.
+Author: Pali Rohár
+Origin: upstream
+Bug: https://bugs.kde.org/show_bug.cgi?id=376348
+Applied-Upstream: 6243764c4fd0985320d4a10b48051cc418d584ad
+Last-Update: 2017-02-11
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- /dev/null
++++ b/protocols/jabber/libiris/patches/01_cve_2017-5593.patch
+@@ -0,0 +1,52 @@
++diff --git a/src/xmpp/xmpp-im/xmpp_tasks.cpp b/src/xmpp/xmpp-im/xmpp_tasks.cpp
++index 0e74b71..0837548 100644
++--- a/src/xmpp/xmpp-im/xmpp_tasks.cpp
+++++ b/src/xmpp/xmpp-im/xmpp_tasks.cpp
++@@ -888,14 +888,18 @@ bool JT_PushMessage::take(const QDomElement &e)
++ QDomElement forward;
++ Message::CarbonDir cd = Message::NoCarbon;
++
+++ Jid fromJid = Jid(e1.attribute(QLatin1String("from")));
++ // Check for Carbon
++ QDomNodeList list = e1.childNodes();
++ for (int i = 0; i < list.size(); ++i) {
++ QDomElement el = list.at(i).toElement();
++
++- if (el.attribute("xmlns") == QLatin1String("urn:xmpp:carbons:2") && (el.tagName() == QLatin1String("received") || el.tagName() == QLatin1String("sent"))) {
+++ if (el.attribute("xmlns") == QLatin1String("urn:xmpp:carbons:2")
+++ && (el.tagName() == QLatin1String("received") || el.tagName() == QLatin1String("sent"))
+++ && fromJid.compare(Jid(e1.attribute(QLatin1String("to"))), false)) {
++ QDomElement el1 = el.firstChildElement();
++- if (el1.tagName() == QLatin1String("forwarded") && el1.attribute(QLatin1String("xmlns")) == QLatin1String("urn:xmpp:forward:0")) {
+++ if (el1.tagName() == QLatin1String("forwarded")
+++ && el1.attribute(QLatin1String("xmlns")) == 
QLatin1String("urn:xmpp:forward:0")) {
++ QDomElement el2 = el1.firstChildElement(QLatin1String("message"));
++ if (!el2.isNull()) {
++ forward = el2;
++@@ -904,7 +908,8 @@ bool JT_PushMessage::take(const QDomElement &e)
++ }
++ }
++ }
++- else if (el.tagName() == QLatin1String("forwarded") && el.attribute(QLatin1String("xmlns")) == QLatin1String("urn:xmpp:forward:0")) {
+++ else if (el.tagName() == QLatin1String("forwarded")
+++ && el.attribute(QLatin1String("xmlns")) == QLatin1String("urn:xmpp:forward:0")) {
++ forward = el.firstChildElement(QLatin1String("message")); // currently only messages are supportted
++ // TODO element support
++ if (!forward.isNull()) {
++@@ -913,7 +918,6 @@ bool JT_PushMessage::take(const QDomElement &e)
++ }
++ }
++
++- QString from = e1.attribute(QLatin1String("from"));
++ Stanza s = client()->stream().createStanza(addCorrectNS(forward.isNull()? e1 : forward));
++ if(s.isNull()) {
++ //printf("take: bad stanza??\n");
++@@ -926,7 +930,7 @@ bool JT_PushMessage::take(const QDomElement &e)
++ return false;
++ }
++ if (!forward.isNull()) {
++- m.setForwardedFrom(Jid(from));
+++ m.setForwardedFrom(fromJid);
++ m.setCarbonDirection(cd);
++ }
++
+--- a/protocols/jabber/libiris/src/xmpp/xmpp-im/xmpp_tasks.cpp
++++ b/protocols/jabber/libiris/src/xmpp/xmpp-im/xmpp_tasks.cpp
+@@ -888,14 +888,18 @@ bool JT_PushMessage::take(const QDomElem
+ QDomElement forward;
+ Message::CarbonDir cd = Message::NoCarbon;
+
++ Jid fromJid = Jid(e1.attribute(QLatin1String("from")));
+ // Check for Carbon
+ QDomNodeList list = e1.childNodes();
+ for (int i = 0; i < list.size(); ++i) {
+ QDomElement el = list.at(i).toElement();
+
+- if (el.attribute("xmlns") == QLatin1String("urn:xmpp:carbons:2") && (el.tagName() == QLatin1String("received") || el.tagName() == QLatin1String("sent"))) {
++ if (el.attribute("xmlns") == QLatin1String("urn:xmpp:carbons:2")
++ && (el.tagName() == QLatin1String("received") || el.tagName() == QLatin1String("sent"))
++ && 
fromJid.compare(Jid(e1.attribute(QLatin1String("to"))), false)) {
+ QDomElement el1 = el.firstChildElement();
+- if (el1.tagName() == QLatin1String("forwarded") && el1.attribute(QLatin1String("xmlns")) == QLatin1String("urn:xmpp:forward:0")) {
++ if (el1.tagName() == QLatin1String("forwarded")
++ && el1.attribute(QLatin1String("xmlns")) == QLatin1String("urn:xmpp:forward:0")) {
+ QDomElement el2 = el1.firstChildElement(QLatin1String("message"));
+ if (!el2.isNull()) {
+ forward = el2;
+@@ -904,7 +908,8 @@ bool JT_PushMessage::take(const QDomElem
+ }
+ }
+ }
+- else if (el.tagName() == QLatin1String("forwarded") && el.attribute(QLatin1String("xmlns")) == QLatin1String("urn:xmpp:forward:0")) {
++ else if (el.tagName() == QLatin1String("forwarded")
++ && el.attribute(QLatin1String("xmlns")) == QLatin1String("urn:xmpp:forward:0")) {
+ forward = el.firstChildElement(QLatin1String("message")); // currently only messages are supportted
+ // TODO element support
+ if (!forward.isNull()) {
+@@ -913,7 +918,6 @@ bool JT_PushMessage::take(const QDomElem
+ }
+ }
+
+- QString from = e1.attribute(QLatin1String("from"));
+ Stanza s = client()->stream().createStanza(addCorrectNS(forward.isNull()? e1 : forward));
+ if(s.isNull()) {
+ //printf("take: bad stanza??\n");
+@@ -926,7 +930,7 @@ bool JT_PushMessage::take(const QDomElem
+ return false;
+ }
+ if (!forward.isNull()) {
+- m.setForwardedFrom(Jid(from));
++ m.setForwardedFrom(fromJid);
+ m.setCarbonDirection(cd);
+ }
+
diff -Nru kopete-16.12.1/debian/patches/series kopete-16.12.1/debian/patches/series
--- kopete-16.12.1/debian/patches/series 2017-02-08 14:45:05.000000000 -0600
+++ kopete-16.12.1/debian/patches/series 2017-02-11 18:02:19.000000000 -0600
@@ -1 +1,2 @@
 disable_failing_test.diff
+CVE-2017-5593-User-Impersonation-Vulnerability-in-Jabber-protocol.patch
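Review bot: The `else if` branch in JT_PushMessage::take that accepts a bare `forwarded` element (urn:xmpp:forward:0) is only re-wrapped by this patch, so it still substitutes the inner message for the outer stanza from any sender; the new `fromJid.compare(Jid(e1.attribute(QLatin1String("to"))), false)` guard protects the carbons wrapper alone. Because `createStanza(addCorrectNS(forward.isNull()? e1 : forward))` then parses the inner element, correct attribution of such a message rests on every consumer honouring `m.setForwardedFrom(fromJid)`, which is outside these hunks and worth confirming in the Kopete display code. The carbons guard also compares two attributes of the same received stanza; comparing `fromJid` with the session's own account JID would follow XEP-0280 more directly and would not depend on how `Jid::compare` treats a missing `to`, a case I have not checked. A comment above the condition, such as `// XEP-0280: trust carbons only when the outer 'from' is our own bare JID`, would record why the check exists. The same four hunks appear twice (in libiris/patches/01_cve_2017-5593.patch and applied to the libiris source), and take() starts and ends outside them.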