diff -Nru network-manager-vpnc-1.1.93/debian/changelog network-manager-vpnc-1.1.93/debian/changelog
--- network-manager-vpnc-1.1.93/debian/changelog 2016-04-05 23:32:57.000000000 +0000
+++ network-manager-vpnc-1.1.93/debian/changelog 2018-07-26 22:28:45.000000000 +0000
@@ -1,3 +1,13 @@
+network-manager-vpnc (1.1.93-1ubuntu0.1) xenial-security; urgency=medium
+
+ * SECURITY UPDATE: Privilege escalation attack
+ - debian/patches/CVE-2018-10900.patch: Disallow newlines in configuration
+ values. If we didn't it would allow the user to inject arbitrary
+ configuration directives with potential security implications.
+ - CVE-2018-10900
+
+ -- Mike Salvatore Thu, 26 Jul 2018 18:28:45 -0400
+
 network-manager-vpnc (1.1.93-1) unstable; urgency=medium
 
 * New upstream release (1.2 rc1).
diff -Nru network-manager-vpnc-1.1.93/debian/control network-manager-vpnc-1.1.93/debian/control
--- network-manager-vpnc-1.1.93/debian/control 2016-04-05 23:32:57.000000000 +0000
+++ network-manager-vpnc-1.1.93/debian/control 2018-07-26 22:29:04.000000000 +0000
@@ -1,7 +1,8 @@
 Source: network-manager-vpnc
 Section: net
 Priority: optional
-Maintainer: Utopia Maintenance Team
+Maintainer: Ubuntu Developers
+XSBC-Original-Maintainer: Utopia Maintenance Team
 Uploaders: Michael Biebl
 Build-Depends: debhelper (>= 9),
 dh-autoreconf,
diff -Nru network-manager-vpnc-1.1.93/debian/patches/CVE-2018-10900.patch network-manager-vpnc-1.1.93/debian/patches/CVE-2018-10900.patch
--- network-manager-vpnc-1.1.93/debian/patches/CVE-2018-10900.patch 1970-01-01 00:00:00.000000000 +0000
+++ network-manager-vpnc-1.1.93/debian/patches/CVE-2018-10900.patch 2018-07-27 13:12:18.000000000 +0000
@@ -0,0 +1,43 @@
+Backport of:
+
+From 07ac18a32b4e361a27ef48ac757d36cbb46e8e12 Mon Sep 17 00:00:00 2001
+From: Lubomir Rintel
+Date: Fri, 13 Jul 2018 18:51:04 +0200
+Subject: [PATCH] service: disallow newlinies in configuration values
+ (CVE-2018-10900)
+
+The vpnc configuration format doesn't allow those. vpnc(8):
+
+ The values start exactly one space after the keywords, and run to the end
+ of line. This lets you put any kind of weird character (except CR, LF and
+ NUL) in your strings
+
+We have no choice but to reject them. If we didn't it would allow the
+user to inject arbitrary configuration directives with potential
+security implications.
+
+https://pulsesecurity.co.nz/advisories/NM-VPNC-Privesc
+
+Reported by: Denis Andzakovic
+---
+ src/nm-vpnc-service.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/src/nm-vpnc-service.c
++++ b/src/nm-vpnc-service.c
+@@ -180,7 +180,14 @@ validate_one_property (const char *key,
+ case ITEM_TYPE_IGNORED:
+ break; /* technically valid, but unused */
+ case ITEM_TYPE_STRING:
+- break; /* valid */
++ if (strchr (value, '\n') || strchr (value, '\r')) {
++ g_set_error (info->error,
++ NM_VPN_PLUGIN_ERROR,
++ NM_VPN_PLUGIN_ERROR_BAD_ARGUMENTS,
++ _("property '%s' contains a newline character"),
++ key);
++ }
++ break;
+ case ITEM_TYPE_PATH:
+ if ( !value
+ || !strlen (value)
diff -Nru network-manager-vpnc-1.1.93/debian/patches/series network-manager-vpnc-1.1.93/debian/patches/series
--- network-manager-vpnc-1.1.93/debian/patches/series 2016-04-05 23:32:57.000000000 +0000
+++ network-manager-vpnc-1.1.93/debian/patches/series 2018-07-26 22:27:45.000000000 +0000
@@ -1 +1,2 @@
 # Debian patches for network-manager-vpnc
+CVE-2018-10900.patch
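Review bot: In the `src/nm-vpnc-service.c` change carried by `debian/patches/CVE-2018-10900.patch`, the CR/LF rejection is added only under `case ITEM_TYPE_STRING:`. The `ITEM_TYPE_PATH` case that follows begins `!value || !strlen (value)` and continues past the end of the hunk, so it is not visible whether path values are also refused when they contain a line break. If path values are written into the same line-oriented vpnc configuration they need the same test, since a file name can itself contain a newline. Separately, the new `strchr (value, ...)` calls dereference `value` without the `!value` guard the PATH case uses; `if (value && (strchr (value, '\n') || strchr (value, '\r'))) {` would make the two cases consistent. A comment such as `/* vpnc values run to end of line; CR/LF would start a new directive */` above the check would keep the reason next to the code.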