diff -Nru jinja2-2.10/debian/changelog jinja2-2.10/debian/changelog
--- jinja2-2.10/debian/changelog	2017-11-30 09:54:37.000000000 +0000
+++ jinja2-2.10/debian/changelog	2019-05-14 17:28:19.000000000 +0000
@@ -1,3 +1,12 @@
+jinja2 (2.10-1ubuntu0.18.04.1) bionic-security; urgency=medium
+
+  * SECURITY UPDATE: sandbox escape via str.format_map
+    - debian/patches/CVE-2019-10906.patch: properly sandbox format_map in
+      jinja2/sandbox.py, tests/test_security.py.
+    - CVE-2019-10906
+
+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Tue, 14 May 2019 13:28:19 -0400
+
 jinja2 (2.10-1) unstable; urgency=medium
 
   * New upstream release
diff -Nru jinja2-2.10/debian/control jinja2-2.10/debian/control
--- jinja2-2.10/debian/control	2017-11-30 09:54:37.000000000 +0000
+++ jinja2-2.10/debian/control	2019-05-14 17:28:19.000000000 +0000
@@ -1,7 +1,8 @@
 Source: jinja2
 Section: python
 Priority: optional
-Maintainer: Piotr Ożarowski <piotr@debian.org>
+Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
+XSBC-Original-Maintainer: Piotr Ożarowski <piotr@debian.org>
 Uploaders: Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>
 Build-Depends: debhelper (>= 9), dh-python,
  python-all (>= 2.6.6-3), python3-all,
diff -Nru jinja2-2.10/debian/patches/CVE-2019-10906.patch jinja2-2.10/debian/patches/CVE-2019-10906.patch
--- jinja2-2.10/debian/patches/CVE-2019-10906.patch	1970-01-01 00:00:00.000000000 +0000
+++ jinja2-2.10/debian/patches/CVE-2019-10906.patch	2019-05-14 17:28:10.000000000 +0000
@@ -0,0 +1,86 @@
+From a2a6c930bcca591a25d2b316fcfd2d6793897b26 Mon Sep 17 00:00:00 2001
+From: Armin Ronacher <armin.ronacher@active-4.com>
+Date: Sat, 6 Apr 2019 10:50:47 -0700
+Subject: [PATCH] sandbox str.format_map
+
+---
+ jinja2/sandbox.py      | 17 ++++++++++++++---
+ tests/test_security.py | 19 +++++++++++++++++++
+ 2 files changed, 33 insertions(+), 3 deletions(-)
+
+diff --git a/jinja2/sandbox.py b/jinja2/sandbox.py
+index 93fb9d45..752e8128 100644
+--- a/jinja2/sandbox.py
++++ b/jinja2/sandbox.py
+@@ -137,7 +137,7 @@ def __len__(self):
+ def inspect_format_method(callable):
+     if not isinstance(callable, (types.MethodType,
+                                  types.BuiltinMethodType)) or \
+-       callable.__name__ != 'format':
++       callable.__name__ not in ('format', 'format_map'):
+         return None
+     obj = callable.__self__
+     if isinstance(obj, string_types):
+@@ -402,7 +402,7 @@ def unsafe_undefined(self, obj, attribute):
+             obj.__class__.__name__
+         ), name=attribute, obj=obj, exc=SecurityError)
+ 
+-    def format_string(self, s, args, kwargs):
++    def format_string(self, s, args, kwargs, format_func=None):
+         """If a format call is detected, then this is routed through this
+         method so that our safety sandbox can be used for it.
+         """
+@@ -410,6 +410,17 @@ def format_string(self, s, args, kwargs):
+             formatter = SandboxedEscapeFormatter(self, s.escape)
+         else:
+             formatter = SandboxedFormatter(self)
++
++        if format_func is not None and format_func.__name__ == 'format_map':
++            if len(args) != 1 or kwargs:
++                raise TypeError(
++                    'format_map() takes exactly one argument %d given'
++                    % (len(args) + (kwargs is not None))
++                )
++
++            kwargs = args[0]
++            args = None
++
+         kwargs = _MagicFormatMapping(args, kwargs)
+         rv = formatter.vformat(s, args, kwargs)
+         return type(s)(rv)
+@@ -418,7 +429,7 @@ def call(__self, __context, __obj, *args, **kwargs):
+         """Call an object from sandboxed code."""
+         fmt = inspect_format_method(__obj)
+         if fmt is not None:
+-            return __self.format_string(fmt, args, kwargs)
++            return __self.format_string(fmt, args, kwargs, __obj)
+ 
+         # the double prefixes are to avoid double keyword argument
+         # errors when proxying the call.
+diff --git a/tests/test_security.py b/tests/test_security.py
+index 8e4222e5..5c8639c4 100644
+--- a/tests/test_security.py
++++ b/tests/test_security.py
+@@ -187,3 +187,22 @@ def test_safe_format_all_okay(self):
+         env = SandboxedEnvironment()
+         t = env.from_string('{{ ("a{0.foo}b{1}"|safe).format({"foo": 42}, "<foo>") }}')
+         assert t.render() == 'a42b&lt;foo&gt;'
++
++
++@pytest.mark.sandbox
++@pytest.mark.skipif(not hasattr(str, 'format_map'), reason='requires str.format_map method')
++class TestStringFormatMap(object):
++    def test_basic_format_safety(self):
++        env = SandboxedEnvironment()
++        t = env.from_string('{{ "a{x.__class__}b".format_map({"x":42}) }}')
++        assert t.render() == 'ab'
++
++    def test_basic_format_all_okay(self):
++        env = SandboxedEnvironment()
++        t = env.from_string('{{ "a{x.foo}b".format_map({"x":{"foo": 42}}) }}')
++        assert t.render() == 'a42b'
++
++    def test_safe_format_all_okay(self):
++        env = SandboxedEnvironment()
++        t = env.from_string('{{ ("a{x.foo}b{y}"|safe).format_map({"x":{"foo": 42}, "y":"<foo>"}) }}')
++        assert t.render() == 'a42b&lt;foo&gt;'
diff -Nru jinja2-2.10/debian/patches/series jinja2-2.10/debian/patches/series
--- jinja2-2.10/debian/patches/series	1970-01-01 00:00:00.000000000 +0000
+++ jinja2-2.10/debian/patches/series	2019-05-14 17:28:10.000000000 +0000
@@ -0,0 +1 @@
+CVE-2019-10906.patch