diff -Nru libxstream-java-1.4.8/debian/changelog libxstream-java-1.4.8/debian/changelog
--- libxstream-java-1.4.8/debian/changelog 2015-04-29 16:25:00.000000000 +0000
+++ libxstream-java-1.4.8/debian/changelog 2018-07-11 23:43:10.000000000 +0000
@@ -1,3 +1,11 @@
+libxstream-java (1.4.8-1ubuntu0.1) xenial-security; urgency=medium
+
+ * SECURITY UPDATE: handle void type class (LP: #1780844)
+ - d/p/CVE-2017-7957.patch: Prevent deserialization of void.
+ - CVE-2017-7957
+
+ -- Dan Streetman Mon, 09 Jul 2018 15:21:51 -0400
+
 libxstream-java (1.4.8-1) unstable; urgency=medium
 * New upstream release
diff -Nru libxstream-java-1.4.8/debian/control libxstream-java-1.4.8/debian/control
--- libxstream-java-1.4.8/debian/control 2015-04-29 15:53:25.000000000 +0000
+++ libxstream-java-1.4.8/debian/control 2018-07-11 23:43:15.000000000 +0000
@@ -1,7 +1,8 @@
 Source: libxstream-java
 Section: java
 Priority: optional
-Maintainer: Debian Java Maintainers
+Maintainer: Ubuntu Developers
+XSBC-Original-Maintainer: Debian Java Maintainers
 Uploaders: Torsten Werner ,
 Varun Hiremath ,
 Damien Raude-Morvan ,
diff -Nru libxstream-java-1.4.8/debian/patches/CVE-2017-7957.patch libxstream-java-1.4.8/debian/patches/CVE-2017-7957.patch
--- libxstream-java-1.4.8/debian/patches/CVE-2017-7957.patch 1970-01-01 00:00:00.000000000 +0000
+++ libxstream-java-1.4.8/debian/patches/CVE-2017-7957.patch 2018-07-11 23:43:10.000000000 +0000
@@ -0,0 +1,139 @@
+Origin: backport, https://github.com/x-stream/xstream/commit/b3570be
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1780844
+Author: joehni
+Date: Mon, 3 Apr 2017 14:40:04 +0200
+Subject: [PATCH] Prevent deserialization of void.
+
+---
+ .../SunLimitedUnsafeReflectionProvider.java | 22 ++++++++++-------
+ .../security/PrimitiveTypePermission.java | 8 ++++---
+ .../acceptance/SecurityVulnerabilityTest.java | 24 ++++++++++++++++++-
+ 3 files changed, 41 insertions(+), 13 deletions(-)
+
+--- a/xstream/src/java/com/thoughtworks/xstream/converters/reflection/SunLimitedUnsafeReflectionProvider.java
++++ b/xstream/src/java/com/thoughtworks/xstream/converters/reflection/SunLimitedUnsafeReflectionProvider.java
+@@ -1,6 +1,6 @@
+ /*
+ * Copyright (C) 2004, 2005 Joe Walnes.
+- * Copyright (C) 2006, 2007, 2008, 2011, 2013, 2014 XStream Committers.
++ * Copyright (C) 2006, 2007, 2008, 2011, 2013, 2014, 2016, 2017 XStream Committers.
+ * All rights reserved.
+ *
+ * Created on 08. January 2014 by Joerg Schaible, factored out from SunUnsafeReflectionProvider
+@@ -9,6 +9,8 @@
+
+ import java.lang.reflect.Field;
+
++import com.thoughtworks.xstream.converters.ConversionException;
++
+ import sun.misc.Unsafe;
+
+
+@@ -72,14 +74,18 @@
+ if (exception != null) {
+ throw new ObjectAccessException("Cannot construct " + type.getName(), exception);
+ }
+- try {
+- return unsafe.allocateInstance(type);
+- } catch (SecurityException e) {
+- throw new ObjectAccessException("Cannot construct " + type.getName(), e);
+- } catch (InstantiationException e) {
+- throw new ObjectAccessException("Cannot construct " + type.getName(), e);
+- } catch (IllegalArgumentException e) {
+- throw new ObjectAccessException("Cannot construct " + type.getName(), e);
++ if (type == void.class || type == Void.class) {
++ throw new ConversionException("Type void cannot have an instance");
++ } else {
++ try {
++ return unsafe.allocateInstance(type);
++ } catch (SecurityException e) {
++ throw new ObjectAccessException("Cannot construct " + type.getName(), e);
++ } catch (InstantiationException e) {
++ throw new ObjectAccessException("Cannot construct " + type.getName(), e);
++ } catch (IllegalArgumentException e) {
++ throw new ObjectAccessException("Cannot construct " + type.getName(), e);
++ }
+ }
+ }
+
+--- a/xstream/src/java/com/thoughtworks/xstream/security/PrimitiveTypePermission.java
++++ b/xstream/src/java/com/thoughtworks/xstream/security/PrimitiveTypePermission.java
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (C) 2014 XStream Committers.
++ * Copyright (C) 2014, 2017 XStream Committers.
+ * All rights reserved.
+ *
+ * Created on 09. January 2014 by Joerg Schaible
+@@ -8,8 +8,9 @@
+
+ import com.thoughtworks.xstream.core.util.Primitives;
+
++
+ /**
+- * Permission for any primitive type and its boxed counterpart (incl. void).
++ * Permission for any primitive type and its boxed counterpart (excl. void).
+ *
+ * @author Jörg Schaible
+ * @since 1.4.7
+@@ -21,7 +22,8 @@
+ public static final TypePermission PRIMITIVES = new PrimitiveTypePermission();
+
+ public boolean allows(Class type) {
+- return type != null && type.isPrimitive() || Primitives.isBoxed(type);
++ return type != null && type != void.class && type != Void.class && type.isPrimitive()
++ || Primitives.isBoxed(type);
+ }
+
+ public int hashCode() {
+--- a/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
++++ b/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (C) 2013, 2014 XStream Committers.
++ * Copyright (C) 2013, 2014, 2017 XStream Committers.
+ * All rights reserved.
+ *
+ * The software in this package is published under the terms of the BSD
+@@ -13,9 +13,12 @@
+ import java.beans.EventHandler;
+
+ import com.thoughtworks.xstream.XStreamException;
++import com.thoughtworks.xstream.converters.ConversionException;
+ import com.thoughtworks.xstream.converters.reflection.ReflectionConverter;
++import com.thoughtworks.xstream.security.ForbiddenClassException;
+ import com.thoughtworks.xstream.security.ProxyTypePermission;
+
++
+ /**
+ * @author Jörg Schaible
+ */
+@@ -80,4 +83,23 @@
+ BUFFER.append("Executed!");
+ }
+ }
++
++ public void testDeniedInstanceOfVoid() {
++ try {
++ xstream.fromXML("");
++ fail("Thrown " + ForbiddenClassException.class.getName() + " expected");
++ } catch (final ForbiddenClassException e) {
++ // OK
++ }
++ }
++
++ public void testAllowedInstanceOfVoid() {
++ xstream.allowTypes(void.class, Void.class);
++ try {
++ xstream.fromXML("");
++ fail("Thrown " + ConversionException.class.getName() + " expected");
++ } catch (final ConversionException e) {
++ assertEquals("void", e.get("construction-type"));
++ }
++ }
+ }
diff -Nru libxstream-java-1.4.8/debian/patches/series libxstream-java-1.4.8/debian/patches/series
--- libxstream-java-1.4.8/debian/patches/series 2015-04-29 16:17:57.000000000 +0000
+++ libxstream-java-1.4.8/debian/patches/series 2018-07-11 23:43:10.000000000 +0000
@@ -1 +1,2 @@
 01-java7-compatibility.patch
+CVE-2017-7957.patch
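Review bot: In `PrimitiveTypePermission.allows`, the new `type != Void.class` clause is dead code: it sits in the `&&` chain with `type.isPrimitive()`, which is already false for `Void.class`, and `&&` binds tighter than `||`, so whether `Void` is denied is decided solely by `Primitives.isBoxed(Void.class)` on the following line — a helper this hunk does not show, which means the javadoc's new "(excl. void)" holds only if that helper happens to exclude `Void`. Grouping the right-hand side makes the exclusion unconditional and also stops `Primitives.isBoxed` being reached with a `null` type: `return type != null && type != void.class && type != Void.class` / `&& (type.isPrimitive() || Primitives.isBoxed(type));`. The `testDeniedInstanceOfVoid` test appears to feed only a single XML form (the payload string was lost in extraction), so a `Void`-boxed case would not be caught by it; a second assertion with the boxed name would pin the permission down. Separately, `testAllowedInstanceOfVoid` asserts `e.get("construction-type")` on the `ConversionException`, yet the provider hunk only throws `new ConversionException("Type void cannot have an instance")` with no such key; presumably a caller outside these hunks adds it, which is worth confirming in the 1.4.8 tree this backport targets. The method edited by the `@@ -72,14 +74,18 @@` hunk starts outside the hunk.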