=== modified file 'debian/changelog'
--- debian/changelog	2017-04-26 18:00:41 +0000
+++ debian/changelog	2017-04-26 18:15:06 +0000
@@ -1,3 +1,14 @@
+weechat (1.5-1ubuntu1) yakkety-security; urgency=medium
+
+  * SECURITY UPDATE: remote buffer overflow crash by sending a filename
+    via DCC to the IRC plugin (LP: #1686478)
+    - debian/patches/03_fix_CVE-2017-8073.patch: Fix quote removal in
+      irc_ctcp_dcc_filename_without_quotes function in
+      src/plugins/irc/irc-ctcp.c. Patch from 1.7.1 via Debian.
+    - CVE-2017-8073
+
+ -- Jeremy Bicha <jbicha@ubuntu.com>  Wed, 26 Apr 2017 14:10:49 -0400
+
 weechat (1.5-1) unstable; urgency=medium
 
   * New upstream release

=== added directory 'debian/patches'
=== added file 'debian/patches/03_fix_CVE-2017-8073.patch'
--- debian/patches/03_fix_CVE-2017-8073.patch	1970-01-01 00:00:00 +0000
+++ debian/patches/03_fix_CVE-2017-8073.patch	2017-04-26 18:13:39 +0000
@@ -0,0 +1,20 @@
+Description: Fix CVE-2017-8073 which allows a remote crash by sending a
+    filename via DCC to the IRC plugin
+Author: Tobias Stoeckmann <tobias@stoeckmann.org>
+Origin: https://github.com/weechat/weechat/commit/2fb346f25f79e412cf0ed314fdf791763c19b70b
+Bug-Debian: https://bugs.debian.org/861121
+Bug-Ubuntu: https://launchpad.net/bugs/1686478
+Last-Update: 2017-04-25
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/src/plugins/irc/irc-ctcp.c
++++ b/src/plugins/irc/irc-ctcp.c
+@@ -512,7 +512,7 @@
+     int length;
+ 
+     length = strlen (filename);
+-    if (length > 0)
++    if (length > 1)
+     {
+         if ((filename[0] == '\"') && (filename[length - 1] == '\"'))
+             return weechat_strndup (filename + 1, length - 2);

=== added file 'debian/patches/series'
--- debian/patches/series	1970-01-01 00:00:00 +0000
+++ debian/patches/series	2017-04-26 18:14:29 +0000
@@ -0,0 +1,1 @@
+03_fix_CVE-2017-8073.patch