diff -Nru proftpd-dfsg-1.3.4a/debian/changelog proftpd-dfsg-1.3.4a/debian/changelog
--- proftpd-dfsg-1.3.4a/debian/changelog 2011-11-21 12:30:16.000000000 +0000
+++ proftpd-dfsg-1.3.4a/debian/changelog 2016-12-08 00:24:13.000000000 +0000
@@ -1,3 +1,14 @@
+proftpd-dfsg (1.3.4a-1ubuntu0.1) precise-security; urgency=low
+
+ * SECURITY UPDATE: The mod_copy module in ProFTPD 1.3.4a allows remote
+ attackers to read and write to arbitrary files via the site cpfr and
+ site cpto commands. (LP: #1462311)
+ - debian/patches/CVE-2015-3306.patch: adjust contrib/mod_copy.c to
+ check authentication status. Based on upstream patch.
+ - CVE-2015-3306
+
+ -- Brian Morton Sat, 4 Dec 2016 15:16:02 -0500
+
 proftpd-dfsg (1.3.4a-1) unstable; urgency=low
 
  * New upstream release.
diff -Nru proftpd-dfsg-1.3.4a/debian/control proftpd-dfsg-1.3.4a/debian/control
--- proftpd-dfsg-1.3.4a/debian/control 2011-11-21 12:42:03.000000000 +0000
+++ proftpd-dfsg-1.3.4a/debian/control 2016-12-08 00:24:59.000000000 +0000
@@ -1,7 +1,8 @@
 Source: proftpd-dfsg
 Section: net
 Priority: optional
-Maintainer: ProFTPD Maintainance Team
+Maintainer: Ubuntu Developers
+XSBC-Original-Maintainer: ProFTPD Maintainance Team
 Uploaders: Francesco Paolo Lovergine
 Standards-Version: 3.9.2
 Build-Depends: libmysqlclient-dev, libpam-dev, debhelper (>= 7), zlib1g-dev,
diff -Nru proftpd-dfsg-1.3.4a/debian/control.in proftpd-dfsg-1.3.4a/debian/control.in
--- proftpd-dfsg-1.3.4a/debian/control.in 2011-11-21 12:30:16.000000000 +0000
+++ proftpd-dfsg-1.3.4a/debian/control.in 2016-12-08 00:24:22.000000000 +0000
@@ -1,7 +1,8 @@
 Source: proftpd-dfsg
 Section: net
 Priority: optional
-Maintainer: ProFTPD Maintainance Team
+Maintainer: Ubuntu Developers
+XSBC-Original-Maintainer: ProFTPD Maintainance Team
 Uploaders: Francesco Paolo Lovergine
 Standards-Version: 3.9.2
 Build-Depends: libmysqlclient-dev, libpam-dev, debhelper (>= 7), zlib1g-dev,
diff -Nru proftpd-dfsg-1.3.4a/debian/patches/CVE-2015-3306 proftpd-dfsg-1.3.4a/debian/patches/CVE-2015-3306
--- proftpd-dfsg-1.3.4a/debian/patches/CVE-2015-3306 1970-01-01 00:00:00.000000000 +0000
+++ proftpd-dfsg-1.3.4a/debian/patches/CVE-2015-3306 2016-12-08 00:22:54.000000000 +0000
@@ -0,0 +1,59 @@
+Description: Fix unauthenticated read/write of files with mod_copy
+ CVE-2015-3306: The mod_copy module in ProFTPD 1.3.4a allows remote
+ attackers to read and write to arbitrary files via the site cpfr
+ and site cpto commands.
+Origin: upstream, http://bugs.proftpd.org/show_bug.cgi?id=4169
+Bug: http://bugs.proftpd.org/show_bug.cgi?id=4169
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/proftpd-dfsg/+bug/1462311
+Forwarded: not-needed
+Author: Brian Morton
+Last-Update: 2016-12-04
+
+--- proftpd-dfsg-1.3.4a.orig/contrib/mod_copy.c
++++ proftpd-dfsg-1.3.4a/contrib/mod_copy.c
+@@ -535,12 +535,22 @@ MODRET copy_cpfr(cmd_rec *cmd) {
+ register unsigned int i;
+ int res;
+ char *path = "";
++ unsigned char *authenticated = NULL;
+
+ if (cmd->argc < 3 ||
+ strncasecmp(cmd->argv[1], "CPFR", 5) != 0) {
+ return PR_DECLINED(cmd);
+ }
+
++ authenticated = get_param_ptr(cmd->server->conf, "authenticated", FALSE);
++ if (authenticated == NULL ||
++ *authenticated == FALSE) {
++ pr_response_add_err(R_530, _("Please login with USER and PASS"));
++
++ errno = EPERM;
++ return PR_ERROR(cmd);
++ }
++
+ CHECK_CMD_MIN_ARGS(cmd, 3);
+
+ /* Construct the target file name by concatenating all the parameters after
+@@ -590,12 +600,22 @@ MODRET copy_cpfr(cmd_rec *cmd) {
+ MODRET copy_cpto(cmd_rec *cmd) {
+ register unsigned int i;
+ char *from, *to = "";
++ unsigned char *authenticated = NULL;
+
+ if (cmd->argc < 3 ||
+ strncasecmp(cmd->argv[1], "CPTO", 5) != 0) {
+ return PR_DECLINED(cmd);
+ }
+
++ authenticated = get_param_ptr(cmd->server->conf, "authenticated", FALSE);
++ if (authenticated == NULL ||
++ *authenticated == FALSE) {
++ pr_response_add_err(R_530, _("Please login with USER and PASS"));
++
++ errno = EPERM;
++ return PR_ERROR(cmd);
++ }
++
+ CHECK_CMD_MIN_ARGS(cmd, 3);
+
+ from = pr_table_get(session.notes, "mod_copy.cpfr-path", NULL);
diff -Nru proftpd-dfsg-1.3.4a/debian/patches/series proftpd-dfsg-1.3.4a/debian/patches/series
--- 
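Review bot: The gate added at the top of copy_cpfr and copy_cpto rejects only sessions whose "authenticated" flag is unset, which an anonymous login would presumably satisfy as well, and nothing in the hunk constrains the source or destination path; whether the rest of copy_cpto (it continues past the hunk) applies the same `<Limit>`/directory checks a STOR would get is not visible here and should be confirmed before this is treated as closing the arbitrary-write. The same check is pasted verbatim into both handlers; hoisting it into a `static int copy_check_authenticated(cmd_rec *cmd)` helper, as sketched below, keeps the two error paths identical if the backport is touched again. The DEP-3 header reads `Origin: upstream` while the changelog for this upload calls the patch "based on upstream patch" with a local Author; if the upstream commit was altered for 1.3.4a, DEP-3 wants `Origin: backport, http://bugs.proftpd.org/show_bug.cgi?id=4169` so the deviation is recorded. Both enclosing functions start inside the hunk but end outside it.
```c
/* Reject SITE CPFR/CPTO before any path handling when the session has not
 * completed USER/PASS. Returns 0 when the "authenticated" flag is set;
 * otherwise queues a 530 reply, sets errno to EPERM and returns -1. */
static int copy_check_authenticated(cmd_rec *cmd) {
  unsigned char *authenticated;

  authenticated = get_param_ptr(cmd->server->conf, "authenticated", FALSE);
  if (authenticated == NULL ||
      *authenticated == FALSE) {
    pr_response_add_err(R_530, _("Please login with USER and PASS"));
    errno = EPERM;
    return -1;
  }

  return 0;
}

MODRET copy_cpfr(cmd_rec *cmd) {
  /* … unchanged: locals and the argc/"CPFR" match … */
  if (copy_check_authenticated(cmd) < 0) {
    return PR_ERROR(cmd);
  }
  /* … unchanged: CHECK_CMD_MIN_ARGS and path construction … */

MODRET copy_cpto(cmd_rec *cmd) {
  /* … unchanged: locals and the argc/"CPTO" match … */
  if (copy_check_authenticated(cmd) < 0) {
    return PR_ERROR(cmd);
  }
  /* … unchanged: CHECK_CMD_MIN_ARGS and cpfr-path lookup … */
```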
proftpd-dfsg-1.3.4a/debian/patches/series 2011-11-21 12:30:16.000000000 +0000
+++ proftpd-dfsg-1.3.4a/debian/patches/series 2016-12-08 00:22:54.000000000 +0000
@@ -10,3 +10,4 @@
 odbc
 silent
 use_hypen_in_manpage
+CVE-2015-3306
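Review bot: The entry `CVE-2015-3306` added here matches the file created at debian/patches/CVE-2015-3306, but the changelog in the same upload refers to it as `debian/patches/CVE-2015-3306.patch`; either rename the patch to carry the `.patch` suffix (updating this series line) or correct the changelog so it names a file that exists. Anyone later grepping for the name the changelog gives will otherwise find nothing.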