diff -Nru tomcat7-7.0.52/debian/changelog tomcat7-7.0.52/debian/changelog
--- tomcat7-7.0.52/debian/changelog 2016-06-29 16:51:02.000000000 +0000
+++ tomcat7-7.0.52/debian/changelog 2016-09-16 13:28:12.000000000 +0000
@@ -1,3 +1,22 @@
+tomcat7 (7.0.52-1ubuntu0.7) trusty-security; urgency=medium
+
+ * SECURITY UPDATE: privilege escalation via insecure init script
+ - debian/tomcat7.init: don't follow symlinks when handling the
+ catalina.out file.
+ - CVE-2016-1240
+ * SECURITY REGRESSION: change in behaviour after security update
+ (LP: #1609819)
+ - debian/patches/CVE-2015-5345-2.patch: fix using the new
+ mapperContextRootRedirectEnabled option in
+ java/org/apache/catalina/connector/MapperListener.java, change
+ mapperContextRootRedirectEnabled default to true in
+ java/org/apache/catalina/core/StandardContext.java,
+ webapps/docs/config/context.xml. This reverts the change in behaviour
+ following the CVE-2015-5345 security update and was also done
+ upstream in later releases.
+
+ -- Marc Deslauriers Fri, 16 Sep 2016 09:19:37 -0400
+
 tomcat7 (7.0.52-1ubuntu0.6) trusty-security; urgency=medium
 * SECURITY UPDATE: directory traversal vulnerability in RequestUtil.java
diff -Nru tomcat7-7.0.52/debian/patches/CVE-2015-5345-2.patch tomcat7-7.0.52/debian/patches/CVE-2015-5345-2.patch
--- tomcat7-7.0.52/debian/patches/CVE-2015-5345-2.patch 1970-01-01 00:00:00.000000000 +0000
+++ tomcat7-7.0.52/debian/patches/CVE-2015-5345-2.patch 2016-09-16 13:29:04.000000000 +0000
@@ -0,0 +1,48 @@
+Description: revert change in behaviour after security update
+Origin: backport, http://svn.apache.org/viewvc?view=revision&revision=1716860
+Origin: backport, https://svn.apache.org/viewvc?view=revision&revision=1721883
+Bug: https://bz.apache.org/bugzilla/show_bug.cgi?id=58660
+Bug: https://bz.apache.org/bugzilla/show_bug.cgi?id=58765
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/tomcat7/+bug/1609819
+
+Index: tomcat7-7.0.52/java/org/apache/catalina/connector/MapperListener.java
+===================================================================
+--- tomcat7-7.0.52.orig/java/org/apache/catalina/connector/MapperListener.java 2014-01-27 09:53:14.000000000 -0500
++++ tomcat7-7.0.52/java/org/apache/catalina/connector/MapperListener.java 2016-09-16 09:23:55.401566399 -0400
+@@ -360,7 +360,9 @@
+ String[] welcomeFiles = context.findWelcomeFiles();
+
+ mapper.addContextVersion(host.getName(), host, contextPath,
+- context.getWebappVersion(), context, welcomeFiles, resources);
++ context.getWebappVersion(), context, welcomeFiles, resources,
++ context.getMapperContextRootRedirectEnabled(),
++ context.getMapperDirectoryRedirectEnabled());
+
+ for (Container container : context.findChildren()) {
+ registerWrapper((Wrapper) container);
+Index: tomcat7-7.0.52/java/org/apache/catalina/core/StandardContext.java
+===================================================================
+--- tomcat7-7.0.52.orig/java/org/apache/catalina/core/StandardContext.java 2016-09-16 08:14:53.000000000 -0400
++++ tomcat7-7.0.52/java/org/apache/catalina/core/StandardContext.java 2016-09-16 09:25:34.818766485 -0400
+@@ -894,7 +894,7 @@
+ private String containerSciFilter;
+
+
+- boolean mapperContextRootRedirectEnabled = false;
++ boolean mapperContextRootRedirectEnabled = true;
+
+ boolean mapperDirectoryRedirectEnabled = false;
+
+Index: tomcat7-7.0.52/webapps/docs/config/context.xml
+===================================================================
+---
tomcat7-7.0.52.orig/webapps/docs/config/context.xml 2016-09-16 08:14:53.000000000 -0400
++++ tomcat7-7.0.52/webapps/docs/config/context.xml 2016-09-16 09:25:07.282434088 -0400
+@@ -357,7 +357,7 @@
+ redirected (adding a trailing slash) if necessary by the Mapper rather
+ than the default Servlet. This is more efficient but has the side effect
+ of confirming that the context path exists. If not specified, the
+- default value of false is used.

++ default value of true is used.

+
+
+
diff -Nru tomcat7-7.0.52/debian/patches/series tomcat7-7.0.52/debian/patches/series
--- tomcat7-7.0.52/debian/patches/series 2016-06-27 18:17:55.000000000 +0000
+++ tomcat7-7.0.52/debian/patches/series 2016-09-16 13:22:34.000000000 +0000
@@ -31,3 +31,4 @@
 CVE-2016-0763.patch
 fix_cookie_names_in_tests.patch
 CVE-2016-3092.patch
+CVE-2015-5345-2.patch
diff -Nru tomcat7-7.0.52/debian/tomcat7.init tomcat7-7.0.52/debian/tomcat7.init
--- tomcat7-7.0.52/debian/tomcat7.init 2014-02-21 06:11:51.000000000 +0000
+++ tomcat7-7.0.52/debian/tomcat7.init 2016-09-16 13:20:03.000000000 +0000
@@ -170,8 +170,10 @@
 # Run the catalina.sh script as a daemon
 set +e
- touch "$CATALINA_PID" "$CATALINA_BASE"/logs/catalina.out
- chown $TOMCAT7_USER "$CATALINA_PID" "$CATALINA_BASE"/logs/catalina.out
+ if [ ! -f "$CATALINA_BASE"/logs/catalina.out ]; then
+ install -o $TOMCAT7_USER -g adm -m 644 /dev/null "$CATALINA_BASE"/logs/catalina.out
+ fi
+ install -o $TOMCAT7_USER -g adm -m 644 /dev/null "$CATALINA_PID"
 start-stop-daemon --start -b -u "$TOMCAT7_USER" -g "$TOMCAT7_GROUP" \
 -c "$TOMCAT7_USER" -d "$CATALINA_TMPDIR" -p "$CATALINA_PID" \
 -x /bin/bash -- -c "$AUTHBIND_COMMAND $TOMCAT_SH"
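Review bot: The flipped default in StandardContext.java, `boolean mapperContextRootRedirectEnabled = true;`, carries no comment recording that it deliberately relaxes part of the CVE-2015-5345 hardening; the context.xml text in this same patch says that Mapper-level redirects have the side effect of confirming that the context path exists. I would add a comment above the field such as `// true by default for compatibility (LP: #1609819); a Mapper redirect confirms the context path exists, set false to keep the CVE-2015-5345 behaviour`. Deployments that relied on the behaviour of the previous security update have to set mapperContextRootRedirectEnabled to false explicitly after this one, which the changelog entry could state. In MapperListener.java the call to `mapper.addContextVersion` gains two arguments; the matching overload is not visible in this diff and presumably comes from the earlier CVE-2015-5345 patch.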
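Review bot: The two added `install` calls run with the init script's privileges against a destination that is not forced to be a plain file: `[ ! -f ... ]` is also true when catalina.out exists but is not a regular file, and without `-T` install treats a destination that resolves to a directory as a directory and creates the file inside it. I would write `install -T -o "$TOMCAT7_USER" -g adm -m 644 /dev/null "$CATALINA_BASE"/logs/catalina.out` (and the same for `"$CATALINA_PID"`), which also quotes `$TOMCAT7_USER` the way the start-stop-daemon line below already does. Because `set +e` is in effect just above, a failing install is ignored, so checking its exit status before start-stop-daemon would make the failure visible. The logs directory is presumably still writable by the service account, so its ownership is worth confirming elsewhere in the script; the enclosing start branch begins and ends outside this hunk.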