Comment 5 for bug 888358

Thanks for reporting this bug and attaching a series of debdiffs. As these are security uploads, they need to be sponsored by the security team.

The patches look great. Whilst reviewing, I did notice a couple of trivial things:
- debian/control: The Maintainer field update wouldn't normally be appropriate for a stable release update
- debian/changelog:
   - It is convention to wrap at 80 chars.
   - No LP: #888358, which will close these bugs.
   - The CVE numbers should be quoted on a standalone line.
   - "How the bad guys can win" is described, but a high level comment /how/ it is resolved isn't documented.
- debian/patches/*.patch: Great to see use of DEP-5 headers, although it's not clear to me if these patches are actually applied upstream or just submitted (useful to know when they can be dropped).

For an example of changelog formatting for security uploads, please see the template on:
https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Update_the_packaging

Thanks.