diff -Nru nagios3-3.5.1.dfsg/debian/changelog nagios3-3.5.1.dfsg/debian/changelog
--- nagios3-3.5.1.dfsg/debian/changelog 2017-03-31 20:27:41.000000000 +0100
+++ nagios3-3.5.1.dfsg/debian/changelog 2017-05-12 16:07:04.000000000 +0100
@@ -1,3 +1,11 @@
+nagios3 (3.5.1.dfsg-2.1ubuntu3.2) yakkety; urgency=medium
+
+ * debian/patches/fix_permissions_for_hostgroups_reports.patch: Fix
+ permissions for hostgroups reports. Thanks to John C. Frickson
+ . Closes LP: #1686768.
+
+ -- Aaron B. Russell Fri, 12 May 2017 16:06:50 +0100
+
 nagios3 (3.5.1.dfsg-2.1ubuntu3.1) yakkety-security; urgency=medium
 * SECURITY UPDATE: off-by-one errors leading to DoS or info disclosure
diff -Nru nagios3-3.5.1.dfsg/debian/patches/fix_permissions_for_hostgroups_reports.patch nagios3-3.5.1.dfsg/debian/patches/fix_permissions_for_hostgroups_reports.patch
--- nagios3-3.5.1.dfsg/debian/patches/fix_permissions_for_hostgroups_reports.patch 1970-01-01 01:00:00.000000000 +0100
+++ nagios3-3.5.1.dfsg/debian/patches/fix_permissions_for_hostgroups_reports.patch 2017-05-12 16:06:32.000000000 +0100 
@@ -0,0 +1,57 @@
+Description: Fix permissions for hostgroups reports
+ .
+ Fixes a bug where users could view other servers in the hostgroup
+ even if those servers were not associated to the user's contactgroup.
+ http://tracker.nagios.org/view.php?id=619 (LP: #1686768).
+ .
+Author: John C. Frickson
+Origin: upstream, https://github.com/NagiosEnterprises/nagioscore/commit/d1b3a07f
+Bug: http://tracker.nagios.org/view.php?id=619
+Bug-Ubuntu: https://launchpad.net/bugs/1686768
+
+--- nagios3-3.5.1.dfsg.orig/cgi/status.c
++++ nagios3-3.5.1.dfsg/cgi/status.c
+@@ -3606,6 +3606,10 @@ void show_hostgroup_overview(hostgroup *
+ if(temp_host == NULL)
+ continue;
+
++ /* make sure user has rights to view this host */
++ if(is_authorized_for_host(temp_host, ¤t_authdata) == FALSE)
++ continue;
++
+ /* find the host status */
+ temp_hoststatus = find_hoststatus(temp_host->name);
+ if(temp_hoststatus == NULL)
+@@ -3989,6 +3993,10 @@ void show_hostgroup_host_totals_summary(
+ if(temp_host == NULL)
+ continue;
+
++ /* make sure user has rights to view this host */
++ if(is_authorized_for_host(temp_host, ¤t_authdata) == FALSE)
++ continue;
++
+ /* find the host status */
+ temp_hoststatus = find_hoststatus(temp_host->name);
+ if(temp_hoststatus == NULL)
+@@ -4160,6 +4168,10 @@ void show_hostgroup_service_totals_summa
+ if(temp_host == NULL)
+ continue;
+
++ /* make sure user has rights to view this host */
++ if(is_authorized_for_host(temp_host, ¤t_authdata) == FALSE)
++ continue;
++
+ /* see if this service is associated with a host in the specified hostgroup */
+ if(is_host_member_of_hostgroup(temp_hostgroup, temp_host) == FALSE)
+ continue;
+@@ -4515,6 +4527,10 @@ void show_hostgroup_grid(hostgroup *temp
+ if(temp_host == NULL)
+ continue;
+
++ /* make sure user has rights to view this host */
++ if(is_authorized_for_host(temp_host, ¤t_authdata) == FALSE)
++ continue;
++
+ /* grab macros */
+ grab_host_macros_r(mac, temp_host);
+
diff -Nru 
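Review bot: The host-level gate added in the `+@@ -4160,6 +4168,10 @@` hunk of show_hostgroup_service_totals_summary sits in a loop over services (the following context line asks whether "this service" belongs to a host in the group), and authorizing by host alone does not match how Nagios authorizes services elsewhere. In the CGI auth model a user may be granted a service as a service contact or via authorized_for_all_services without being authorized for its host, and is_authorized_for_service() already treats host authorization as sufficient, so this check undercounts for such users and disagrees with what the service detail view shows them. If the loop resolves the service object further down (outside this hunk; upstream names it temp_service), the consistent gate is `if(is_authorized_for_service(temp_service, &current_authdata) == FALSE) continue;` placed after that lookup; otherwise the patch header should state that service totals are intentionally limited to hosts the user may view. The other three hunks filter host loops, where is_authorized_for_host() is the right check; all four enclosing functions begin and end outside the hunk. The `¤t_authdata` spelling is presumably this copy's HTML-entity rendering of `&current_authdata` rather than what the patch applies.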
nagios3-3.5.1.dfsg/debian/patches/series nagios3-3.5.1.dfsg/debian/patches/series
--- nagios3-3.5.1.dfsg/debian/patches/series 2017-03-31 20:27:37.000000000 +0100
+++ nagios3-3.5.1.dfsg/debian/patches/series 2017-05-12 16:06:20.000000000 +0100
@@ -12,3 +12,4 @@
 CVE-2013-7xxx.patch
 CVE-2014-1878.patch
 CVE-2016-9566.patch
+fix_permissions_for_hostgroups_reports.patch