diff -Nru connman-1.21/debian/changelog connman-1.21/debian/changelog
--- connman-1.21/debian/changelog 2016-02-22 07:06:46.000000000 +0000
+++ connman-1.21/debian/changelog 2017-08-29 20:59:55.000000000 +0000
@@ -1,14 +1,15 @@
-connman (1.21-1.2build2) xenial; urgency=medium
+connman (1.21-1.2+deb8u1build0.16.04.1) xenial-security; urgency=medium
- * No-change rebuild for iptables transition.
+ * fake sync from Debian
- -- Matthias Klose Mon, 22 Feb 2016 08:06:18 +0100
+ -- Steve Beattie Tue, 29 Aug 2017 13:59:55 -0700
-connman (1.21-1.2build1) xenial; urgency=medium
+connman (1.21-1.2+deb8u1) jessie-security; urgency=high
- * No-change rebuild for gnutls transition.
+ * Non-maintainer upload by the Security Team.
+ * CVE-2017-12865: Fix crash on malformed DNS response (Closes: #872844)
- -- Matthias Klose Wed, 17 Feb 2016 22:23:54 +0000
+ -- Luciano Bello Wed, 23 Aug 2017 10:29:30 -0400
 connman (1.21-1.2) unstable; urgency=medium
diff -Nru connman-1.21/debian/patches/CVE-2017-12865.patch connman-1.21/debian/patches/CVE-2017-12865.patch
--- connman-1.21/debian/patches/CVE-2017-12865.patch 1970-01-01 00:00:00.000000000 +0000
+++ connman-1.21/debian/patches/CVE-2017-12865.patch 2017-08-23 14:27:08.000000000 +0000
@@ -0,0 +1,80 @@
+From: Jukka Rissanen
+Date: Wed, 9 Aug 2017 10:16:46 +0300
+Subject: dnsproxy: Fix crash on malformed DNS response
+
+If the response query string is malformed, we might access memory
+pass the end of "name" variable in parse_response().
+
+Origin: upstream, https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=5c281d182ecdd0a424b64f7698f32467f8f67b71
+X-CVE: CVE-2017-12865
+Bug-Debian: http://bugs.debian.org/872844
+---
+ src/dnsproxy.c | 16 ++++++++++------
+ 1 file changed, 10 insertions(+), 6 deletions(-)
+
+--- a/src/dnsproxy.c
++++ b/src/dnsproxy.c
+@@ -834,7 +834,7 @@ static struct cache_entry *cache_check(g
+ static int get_name(int counter,
+ unsigned char *pkt, unsigned char *start, unsigned char *max,
+ unsigned char *output, int output_max, int *output_len,
+- unsigned char **end, char *name, int *name_len)
++ unsigned char **end, char *name, size_t max_name, int *name_len)
+ {
+ unsigned char *p;
+
+@@ -855,7 +855,7 @@ static int get_name(int counter,
+
+ return get_name(counter + 1, pkt, pkt + offset, max,
+ output, output_max, output_len, end,
+- name, name_len);
++ name, max_name, name_len);
+ } else {
+ unsigned label_len = *p;
+
+@@ -865,6 +865,9 @@ static int get_name(int counter,
+ if (*output_len > output_max)
+ return -ENOBUFS;
+
++ if ((*name_len + 1 + label_len + 1) > max_name)
++ return -ENOBUFS;
++
+ /*
+ * We need the original name in order to check
+ * if this answer is the correct one.
+@@ -896,14 +899,14 @@ static int parse_rr(unsigned char *buf,
+ unsigned char *response, unsigned int *response_size,
+ uint16_t *type, uint16_t *class, int *ttl, int *rdlen,
+ unsigned char **end,
+- char *name)
++ char *name, size_t max_name)
+ {
+ struct domain_rr *rr;
+ int err, offset;
+ int name_len = 0, output_len = 0, max_rsp = *response_size;
+
+ err = get_name(0, buf, start, max, response, max_rsp,
+- &output_len, end, name, &name_len);
++ &output_len, end, name, max_name, &name_len);
+ if (err < 0)
+ return err;
+
+@@ -1029,7 +1032,8 @@ static int parse_response(unsigned char
+ memset(rsp, 0, sizeof(rsp));
+
+ ret = parse_rr(buf, ptr, buf + buflen, rsp, &rsp_len,
+- type, class, ttl, &rdlen, &next, name);
++ type, class, ttl, &rdlen, &next, name,
++ sizeof(name) - 1);
+ if (ret != 0) {
+ err = ret;
+ goto out;
+@@ -1095,7 +1099,7 @@ static int parse_response(unsigned char
+ */
+ ret = get_name(0, buf, next - rdlen, buf + buflen,
+ rsp, rsp_len, &output_len, &end,
+- name, &name_len);
++ name, sizeof(name) - 1, &name_len);
+ if (ret != 0) {
+ /* just ignore the error at this point */
+ ptr = next;
diff -Nru connman-1.21/debian/patches/series connman-1.21/debian/patches/series
--- connman-1.21/debian/patches/series 2014-02-12 03:11:26.000000000 +0000
+++ connman-1.21/debian/patches/series 2017-08-23 14:11:16.000000000 +0000
@@ -1,3 +1,4 @@
 01-init-script-lsb-headers.patch
 02-test-pbkdf2-sha1-maximum-salt-len-should-be-32-instead.patch
 0001-remove-After-syslog.target-obsolete.patch
+CVE-2017-12865.patch
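Review bot: The `max_name` parameter added to get_name() and parse_rr() in debian/patches/CVE-2017-12865.patch has no documented contract, and both parse_response() call sites pass `sizeof(name) - 1`, which is a valid bound only while `name` is an array in that scope; its declaration is outside the hunks, so that is worth confirming. The check in the `@@ -865,6 +865,9 @@` hunk appears to count the length byte, the label and one trailing byte against that value, so I would state the unit on get_name(): `/* max_name: bytes available in name, not counting the final NUL; -ENOBUFS if the next label would not fit */`. The comparison also mixes `int` (`*name_len`), `unsigned` (`label_len`) and `size_t` (`max_name`), which holds only while `*name_len` is non-negative; parse_rr() visibly starts it at 0, but the initialisation at the second parse_response() call site is not shown. All three function bodies start or end outside the hunks.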