diff -Nru znc-1.6.3/debian/changelog znc-1.6.3/debian/changelog
--- znc-1.6.3/debian/changelog 2016-02-25 19:54:13.000000000 +1030
+++ znc-1.6.3/debian/changelog 2018-07-26 14:44:13.000000000 +0930
@@ -1,3 +1,20 @@
+znc (1.6.3-1ubuntu0.1) xenial-security; urgency=medium
+
+ * SECURITY UPDATE: Privilege escalation for non-admin users (LP: #1781925)
+ - debian/patches/CVE-2018-14055-1.patch: Remove newlines from incoming
+ network configuration change directives. Based on upstream patch.
+ - debian/patches/CVE-2018-14055-2.patch: Remove extra newlines when
+ writing out configuration file. Based on upstream patch.
+ - CVE-2018-14055
+ * SECURITY UPDATE: Path traversal flaw allows access to files outside of
+ skins (LP: #1781925)
+ - debian/patches/CVE-2018-14056.patch: Replace path traversal components
+ in skin names to ensure path traversal is not possible. Based on
+ upstream patch.
+ - CVE-2018-14056
+
+ -- Alex Murray Wed, 25 Jul 2018 16:08:05 +0930
+
 znc (1.6.3-1) unstable; urgency=medium
 
 * New upstream release.
diff -Nru znc-1.6.3/debian/control znc-1.6.3/debian/control
--- znc-1.6.3/debian/control 2016-02-25 19:54:13.000000000 +1030
+++ znc-1.6.3/debian/control 2018-07-25 16:25:14.000000000 +0930
@@ -10,7 +10,8 @@
 libsasl2-dev,
 swig3.0,
 python3-dev
-Maintainer: Patrick Matthäi
+Maintainer: Ubuntu Developers
+XSBC-Original-Maintainer: Patrick Matthäi
 Standards-Version: 3.9.7
 Homepage: http://znc.sourceforge.net/
diff -Nru znc-1.6.3/debian/patches/CVE-2018-14055-1.patch znc-1.6.3/debian/patches/CVE-2018-14055-1.patch
--- znc-1.6.3/debian/patches/CVE-2018-14055-1.patch 1970-01-01 09:30:00.000000000 +0930
+++ znc-1.6.3/debian/patches/CVE-2018-14055-1.patch 2018-07-25 16:17:47.000000000 +0930
@@ -0,0 +1,39 @@
+From d22fef8620cdd87490754f607e7153979731c69d Mon Sep 17 00:00:00 2001
+From: Alexey Sokolov
+Date: Fri, 13 Jul 2018 22:50:47 +0100
+Subject: [PATCH] Better cleanup lines coming from network.
+
+Thanks for Jeriko One for finding and reporting this.
+---
+ src/Client.cpp | 3 ++-
+ src/IRCSock.cpp | 3 ++-
+ 2 files changed, 4 insertions(+), 2 deletions(-)
+
+Index: znc-1.6.3/src/Client.cpp
+===================================================================
+--- znc-1.6.3.orig/src/Client.cpp
++++ znc-1.6.3/src/Client.cpp
+@@ -91,7 +91,8 @@ void CClient::SendRequiredPasswordNotice
+ void CClient::ReadLine(const CString& sData) {
+ CString sLine = sData;
+
+- sLine.TrimRight("\n\r");
++ sLine.Replace("\n", "");
++ sLine.Replace("\r", "");
+
+ DEBUG("(" << GetFullName() << ") CLI -> ZNC [" << sLine << "]");
+
+Index: znc-1.6.3/src/IRCSock.cpp
+===================================================================
+--- znc-1.6.3.orig/src/IRCSock.cpp
++++ znc-1.6.3/src/IRCSock.cpp
+@@ -132,7 +132,8 @@ void CIRCSock::Quit(const CString& sQuit
+ void CIRCSock::ReadLine(const CString& sData) {
+ CString sLine = sData;
+
+- sLine.TrimRight("\n\r");
++ sLine.Replace("\n", "");
++ sLine.Replace("\r", "");
+
+ DEBUG("(" << m_pNetwork->GetUser()->GetUserName() << "/" << m_pNetwork->GetName() << ") IRC -> ZNC [" << sLine << "]");
+
diff -Nru znc-1.6.3/debian/patches/CVE-2018-14055-2.patch znc-1.6.3/debian/patches/CVE-2018-14055-2.patch
--- znc-1.6.3/debian/patches/CVE-2018-14055-2.patch 1970-01-01 09:30:00.000000000 +0930
+++ znc-1.6.3/debian/patches/CVE-2018-14055-2.patch 2018-07-25 16:21:47.000000000 +0930
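Review bot: The switch from `TrimRight("\n\r")` to two `Replace` calls in both `ReadLine` bodies needs a comment, because a later reader will take it for a gratuitous change: the trailing-only trim left a CR or LF embedded mid-line, and a value lifted from that line (a network name, say) would then land in znc.conf as two lines. Suggest above the first `Replace` in each file: `// Strip CR/LF anywhere in the line, not just at the end: an embedded newline can otherwise reach znc.conf as a second directive (CVE-2018-14055).` Note this silently rewrites rather than rejects a malformed IRC line, which is upstream's choice; the companion Config.cpp patch in this upload is the guard for every other path into the config file. Both `ReadLine` bodies continue past the hunk.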
@@ -0,0 +1,44 @@
+From a7bfbd93812950b7444841431e8e297e62cb524e Mon Sep 17 00:00:00 2001
+From: Alexey Sokolov
+Date: Fri, 13 Jul 2018 23:26:44 +0100
+Subject: [PATCH] Don't let attackers inject rogue values into znc.conf
+
+Because of this vulnerability, existing ZNC users could get Admin
+permissions.
+
+Thanks for Jeriko One for finding and reporting this.
+---
+ src/Config.cpp | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+Index: znc-1.6.3/src/Config.cpp
+===================================================================
+--- znc-1.6.3.orig/src/Config.cpp
++++ znc-1.6.3/src/Config.cpp
+@@ -183,9 +183,13 @@ bool CConfig::Parse(CFile& file, CString
+ void CConfig::Write(CFile& File, unsigned int iIndentation) {
+ CString sIndentation = CString(iIndentation, '\t');
+
++ auto SingleLine = [](const CString& s) {
++ return s.Replace_n("\r", "").Replace_n("\n", "");
++ };
++
+ for (EntryMapIterator it = m_ConfigEntries.begin(); it != m_ConfigEntries.end(); ++it) {
+ for (VCString::const_iterator it2 = it->second.begin(); it2 != it->second.end(); ++it2) {
+- File.Write(sIndentation + it->first + " = " + *it2 + "\n");
++ File.Write(SingleLine(sIndentation + it->first + " = " + *it2) + "\n");
+ }
+ }
+
+@@ -193,9 +197,9 @@ void CConfig::Write(CFile& File, unsigne
+ for (SubConfig::const_iterator it2 = it->second.begin(); it2 != it->second.end(); ++it2) {
+ File.Write("\n");
+
+- File.Write(sIndentation + "<" + it->first + " " + it2->first + ">\n");
++ File.Write(SingleLine(sIndentation + "<" + it->first + " " + it2->first + ">") + "\n");
+ it2->second.m_pSubConfig->Write(File, iIndentation + 1);
+- File.Write(sIndentation + "first + ">\n");
++ File.Write(SingleLine(sIndentation + "first + ">") + "\n");
+ }
+ }
+ }
diff -Nru znc-1.6.3/debian/patches/CVE-2018-14056.patch znc-1.6.3/debian/patches/CVE-2018-14056.patch
--- znc-1.6.3/debian/patches/CVE-2018-14056.patch 1970-01-01 09:30:00.000000000 +0930
+++
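Review bot: The new `SingleLine` lambda strips CR/LF from every written line but nothing says why, and the reason is the entire security fix, so a comment above it is warranted: `// Keys, sub-config names and values can be attacker-influenced (e.g. a network name set over IRC); collapsing CR/LF keeps each entry on one line so it cannot smuggle extra directives into znc.conf (CVE-2018-14055).` CR and LF are the only characters removed; whether a sub-config name carrying `<` or `>` can still confuse `CConfig::Parse` when the `<Tag name>` line is re-read is not visible here and is worth checking against Parse. The closing-tag write in the second hunk reads `"first + ">\n"` on this page, which looks like a rendering loss of `"</" + it->`; verify against upstream commit a7bfbd9 before relying on this listing. The outer `for (SubConfig...)` header falls in the gap between the two hunks.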
znc-1.6.3/debian/patches/CVE-2018-14056.patch 2018-07-25 16:24:03.000000000 +0930
@@ -0,0 +1,34 @@
+From a4a5aeeb17d32937d8c7d743dae9a4cc755ce773 Mon Sep 17 00:00:00 2001
+From: Alexey Sokolov
+Date: Sat, 14 Jul 2018 00:12:28 +0100
+Subject: [PATCH] Don't let web skin name ../../../../ access files outside of
+ usual skins directories.
+
+Thanks for Jeriko One for finding and reporting this.
+---
+ src/WebModules.cpp | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+Index: znc-1.6.3/src/WebModules.cpp
+===================================================================
+--- znc-1.6.3.orig/src/WebModules.cpp
++++ znc-1.6.3/src/WebModules.cpp
+@@ -521,13 +521,15 @@ CWebSock::EPageReqResult CWebSock::Print
+ }
+
+ CString CWebSock::GetSkinPath(const CString& sSkinName) {
+- CString sRet = CZNC::Get().GetZNCPath() + "/webskins/" + sSkinName;
++ const CString sSkin = sSkinName.Replace_n("/", "_").Replace_n(".", "_");
++
++ CString sRet = CZNC::Get().GetZNCPath() + "/webskins/" + sSkin;
+
+ if (!CFile::IsDir(sRet)) {
+- sRet = CZNC::Get().GetCurPath() + "/webskins/" + sSkinName;
++ sRet = CZNC::Get().GetCurPath() + "/webskins/" + sSkin;
+
+ if (!CFile::IsDir(sRet)) {
+- sRet = CString(_SKINDIR_) + "/" + sSkinName;
++ sRet = CString(_SKINDIR_) + "/" + sSkin;
+ }
+ }
+
diff -Nru znc-1.6.3/debian/patches/series znc-1.6.3/debian/patches/series
--- znc-1.6.3/debian/patches/series 1970-01-01 09:30:00.000000000 +0930
+++ znc-1.6.3/debian/patches/series 2018-07-25 16:22:08.000000000 +0930
@@ -0,0 +1,3 @@
+CVE-2018-14055-1.patch
+CVE-2018-14055-2.patch
+CVE-2018-14056.patch
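Review bot: Rewriting `/` and `.` to `_` in `sSkin` blocks traversal but also silently changes which skins resolve: a legitimate skin directory whose name contains a dot can no longer be found and falls through to the `_SKINDIR_` default with nothing logged. If that is acceptable it should be stated, e.g. above the `const CString sSkin` line: `// Skin names come from user-editable settings; map every '/' and '.' to '_' so "../" cannot escape the webskins directories (CVE-2018-14056). Skins with '.' in the name are therefore unreachable.` An allowlist check that rejects anything outside `[A-Za-z0-9_-]` and returns the default skin path would make the intent clearer than character rewriting, though that is a larger change than this backport wants. `GetSkinPath`'s return statement is outside the hunk.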