diff -Nru cacti-0.8.8h+ds1/debian/changelog cacti-0.8.8h+ds1/debian/changelog
--- cacti-0.8.8h+ds1/debian/changelog 2016-06-16 20:12:09.000000000 +0000
+++ cacti-0.8.8h+ds1/debian/changelog 2016-09-05 19:10:12.000000000 +0000
@@ -1,3 +1,15 @@
+cacti (0.8.8h+ds1-5) unstable; urgency=medium
+
+ [ Emilio Pozuelo Monfort ]
+ * CVE-2016-2313-guest-auth.patch:
+ + Fix regression in the fix for CVE-2016-2313 that broke guest user
+ logins. Thanks to Matus Uhlar for the report. (Closes: #833420)
+
+ [ Paul Gevers ]
+ * Recommend default-mysql-server instead of MariaDB and MySQL
+
+ -- Paul Gevers Mon, 05 Sep 2016 21:10:12 +0200
+
 cacti (0.8.8h+ds1-4) unstable; urgency=medium
 
 * Improve autopkgtest situation and avoid failure when it is not needed
diff -Nru cacti-0.8.8h+ds1/debian/control cacti-0.8.8h+ds1/debian/control
--- cacti-0.8.8h+ds1/debian/control 2016-06-16 20:06:27.000000000 +0000
+++ cacti-0.8.8h+ds1/debian/control 2016-09-05 19:10:12.000000000 +0000
@@ -33,7 +33,7 @@
 Recommends: apache2 | lighttpd | nginx | httpd,
 inetutils-ping | iputils-ping,
 logrotate,
- mariadb-server | mysql-server | virtual-mysql-server,
+ default-mysql-server | virtual-mysql-server,
 Suggests: php-ldap,
 moreutils,
 Description: web interface for graphing of monitoring systems
diff -Nru cacti-0.8.8h+ds1/debian/patches/CVE-2016-2313-guest-auth.patch cacti-0.8.8h+ds1/debian/patches/CVE-2016-2313-guest-auth.patch
--- cacti-0.8.8h+ds1/debian/patches/CVE-2016-2313-guest-auth.patch 1970-01-01 00:00:00.000000000 +0000
+++ cacti-0.8.8h+ds1/debian/patches/CVE-2016-2313-guest-auth.patch 2016-09-05 19:02:57.000000000 +0000
@@ -0,0 +1,27 @@
+From 69983495cd41bf0903fe02baeef84b1fa85f2846 Mon Sep 17 00:00:00 2001
+From: cigamit
+Date: Sun, 14 Aug 2016 14:21:11 -0500
+Subject: [PATCH] fixing bug #2697
+
+web basic for guest accounts
+---
+ auth_login.php | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/auth_login.php
++++ b/auth_login.php
+@@ -86,10 +86,11 @@
+ /* Locate user in database */
+ $user = db_fetch_row("SELECT * FROM user_auth WHERE username = " . $cnn_id->qstr($username) . " AND realm = 2");
+
+- if (!$user && read_config_option('user_template') == '0') {
+- cacti_log("ERROR: User '" . $username . "' authenticated by Web Server, but a Template User is not defined in Cacti. Exiting.", false, 'AUTH');
++ if (!$user && read_config_option('user_template') == '0' && read_config_option('guest_user') == '0') {
++ cacti_log("ERROR: User '" . $username . "' authenticated by Web Server, but both Template and Guest Users are not defined in Cacti. Exiting.", false, 'AUTH');
++
+ $username = htmlspecialchars($username);
+- auth_display_custom_error_message("$username authenticated by Web Server, but a Template User is not defined in Cacti.");
++ auth_display_custom_error_message("$username authenticated by Web Server, but a Template User and a Guest User are not defined in Cacti.");
+ exit;
+ }
+
diff -Nru cacti-0.8.8h+ds1/debian/patches/series cacti-0.8.8h+ds1/debian/patches/series
--- cacti-0.8.8h+ds1/debian/patches/series 2016-06-10 18:19:08.000000000 +0000
+++ cacti-0.8.8h+ds1/debian/patches/series 2016-09-05 19:04:27.000000000 +0000
@@ -11,3 +11,4 @@
 add_rrdtool-1.5_to_utilities.php.patch
 11_1571432_mysqli.patch
 make_cacti_sql_mode-strict_compatible.patch
+CVE-2016-2313-guest-auth.patch
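Review bot: In the auth_login.php hunk carried by CVE-2016-2313-guest-auth.patch, the relaxed guard lets a web-server-authenticated user with no `user_auth` row continue whenever `guest_user` is set, so the CVE-2016-2313 protection now rests on the code after this `if` block, which lies outside the hunk, mapping that user to the guest account and nothing broader; that path should be checked against the new condition. Both options are compared with a loose `== '0'`, so if `read_config_option()` can return an empty or null value for an unset option (not visible here), the deny branch would be skipped, which is worth confirming. I would add a comment above the `if`, such as `/* No matching user: deny unless a template or guest account exists for the fallback below */`. The `cacti_log()` call also writes `$username` to the log unescaped while the displayed message escapes it, so control characters should be stripped before logging.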