diff -Nru rtmpdump-2.4+20151223.gitfa8646d/debian/changelog rtmpdump-2.4+20151223.gitfa8646d/debian/changelog
--- rtmpdump-2.4+20151223.gitfa8646d/debian/changelog 2016-02-17 22:27:27.000000000 +0000
+++ rtmpdump-2.4+20151223.gitfa8646d/debian/changelog 2017-05-05 12:00:14.000000000 +0000
@@ -1,3 +1,22 @@
+rtmpdump (2.4+20151223.gitfa8646d-1ubuntu0.1) xenial-security; urgency=medium
+
+ * SECURITY UPDATE: denial of service in AMF3ReadString function
+ - debian/patches/CVE-2015-8270.patch: init str on unsupported
+ references in librtmp/amf.c.
+ - CVE-2015-8270
+ * SECURITY UPDATE: arbitrary code execution in AMF3CD_AddProp function
+ - debian/patches/CVE-2015-8271-1.patch: check for input buffer underrun
+ in librtmp/amf.c.
+ - debian/patches/CVE-2015-8271-2.patch: more input buffer checks in
+ librtmp/amf.c.
+ - CVE-2015-8271
+ * SECURITY UPDATE: denial of service via null pointer dereference
+ - debian/patches/CVE-2015-8272.patch: ignore requests without playpath
+ in rtmpsrv.c.
+ - CVE-2015-8272
+
+ -- Marc Deslauriers Fri, 05 May 2017 07:55:16 -0400
+
 rtmpdump (2.4+20151223.gitfa8646d-1build1) xenial; urgency=medium
 
 * No-change rebuild for gnutls transition.
diff -Nru rtmpdump-2.4+20151223.gitfa8646d/debian/control rtmpdump-2.4+20151223.gitfa8646d/debian/control
--- rtmpdump-2.4+20151223.gitfa8646d/debian/control 2016-01-18 20:39:42.000000000 +0000
+++ rtmpdump-2.4+20151223.gitfa8646d/debian/control 2017-05-05 12:00:38.000000000 +0000
@@ -1,6 +1,7 @@
 Source: rtmpdump
 Priority: optional
-Maintainer: Debian Multimedia Maintainers
+Maintainer: Ubuntu Developers
+XSBC-Original-Maintainer: Debian Multimedia Maintainers
 Uploaders: Reinhard Tartler ,
 Sebastian Dröge ,
 Sebastian Ramacher
diff -Nru rtmpdump-2.4+20151223.gitfa8646d/debian/patches/CVE-2015-8270.patch rtmpdump-2.4+20151223.gitfa8646d/debian/patches/CVE-2015-8270.patch
--- rtmpdump-2.4+20151223.gitfa8646d/debian/patches/CVE-2015-8270.patch 1970-01-01 00:00:00.000000000 +0000
+++ rtmpdump-2.4+20151223.gitfa8646d/debian/patches/CVE-2015-8270.patch 2017-05-05 11:55:00.000000000 +0000
@@ -0,0 +1,26 @@
+From 10b580aabcec1621b25518271ba1ab2b018be88e Mon Sep 17 00:00:00 2001
+From: Howard Chu
+Date: Mon, 14 Dec 2015 17:49:19 +0000
+Subject: [PATCH] Fix AMF3ReadString
+
+Init str on unsupported references
+---
+ librtmp/amf.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/librtmp/amf.c b/librtmp/amf.c
+index 73d1486..9261217 100644
+--- a/librtmp/amf.c
++++ b/librtmp/amf.c
+@@ -471,6 +471,8 @@ AMF3ReadString(const char *data, AVal *str)
+ RTMP_Log(RTMP_LOGDEBUG,
+ "%s, string reference, index: %d, not supported, ignoring!",
+ __FUNCTION__, refIndex);
++ str->av_val = NULL;
++ str->av_len = 0;
+ return len;
+ }
+ else
+--
+1.9.1
+
diff -Nru rtmpdump-2.4+20151223.gitfa8646d/debian/patches/CVE-2015-8271-1.patch rtmpdump-2.4+20151223.gitfa8646d/debian/patches/CVE-2015-8271-1.patch
--- rtmpdump-2.4+20151223.gitfa8646d/debian/patches/CVE-2015-8271-1.patch 1970-01-01 00:00:00.000000000 +0000
+++ rtmpdump-2.4+20151223.gitfa8646d/debian/patches/CVE-2015-8271-1.patch 2017-05-05 11:55:04.000000000 +0000
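Review bot: With the change in CVE-2015-8270.patch the unsupported-reference branch of AMF3ReadString returns an AVal whose `av_val` is NULL, and the class-member loop shown in the CVE-2015-8271 patches on this page passes `memberName.av_val` straight to a `%s` log format, which is undefined for a null pointer. The two added assignments would benefit from a comment stating that contract, for example `/* references are not resolved: return an empty AVal, callers must cope with av_val == NULL */`. The function body starts and ends outside the hunk, so whether the returned `len` is right for this branch cannot be checked here.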
@@ -0,0 +1,73 @@
+From 39ec7eda489717d503bc4cbfaa591c93205695b6 Mon Sep 17 00:00:00 2001
+From: Howard Chu
+Date: Mon, 14 Dec 2015 18:31:18 +0000
+Subject: [PATCH] Fix AMF3_Decode
+
+check for input buffer underrun
+---
+ librtmp/amf.c | 17 ++++++++++++++---
+ 1 file changed, 14 insertions(+), 3 deletions(-)
+
+diff --git a/librtmp/amf.c b/librtmp/amf.c
+index 9261217..d315145 100644
+--- a/librtmp/amf.c
++++ b/librtmp/amf.c
+@@ -1055,12 +1055,12 @@ AMF3_Decode(AMFObject *obj, const char *pBuffer, int nSize, int bAMFData)
+ else
+ {
+ int32_t classExtRef = (classRef >> 1);
+- int i;
++ int i, cdnum;
+
+ cd.cd_externalizable = (classExtRef & 0x1) == 1;
+ cd.cd_dynamic = ((classExtRef >> 1) & 0x1) == 1;
+
+- cd.cd_num = classExtRef >> 2;
++ cdnum = classExtRef >> 2;
+
+ /* class name */
+
+@@ -1075,7 +1075,7 @@ AMF3_Decode(AMFObject *obj, const char *pBuffer, int nSize, int bAMFData)
+ cd.cd_name.av_val, cd.cd_externalizable, cd.cd_dynamic,
+ cd.cd_num);
+
+- for (i = 0; i < cd.cd_num; i++)
++ for (i = 0; i < cdnum; i++)
+ {
+ AVal memberName;
+ len = AMF3ReadString(pBuffer, &memberName);
+@@ -1083,6 +1083,13 @@ AMF3_Decode(AMFObject *obj, const char *pBuffer, int nSize, int bAMFData)
+ AMF3CD_AddProp(&cd, &memberName);
+ nSize -= len;
+ pBuffer += len;
++ if (nSize <=0)
++ {
++invalid:
++ RTMP_Log(RTMP_LOGDEBUG, "%s, invalid class encoding!",
++ __FUNCTION__);
++ return nOriginalSize;
++ }
+ }
+ }
+
+@@ -1123,6 +1130,8 @@ AMF3_Decode(AMFObject *obj, const char *pBuffer, int nSize, int bAMFData)
+
+ pBuffer += nRes;
+ nSize -= nRes;
++ if (nSize <=0)
++ goto invalid;
+ }
+ if (cd.cd_dynamic)
+ {
+@@ -1135,6 +1144,8 @@ AMF3_Decode(AMFObject *obj, const char *pBuffer, int nSize, int bAMFData)
+
+ pBuffer += nRes;
+ nSize -= nRes;
++ if (nSize <=0)
++ goto invalid;
+
+ len = prop.p_name.av_len;
+ }
+--
+1.9.1
+
diff -Nru rtmpdump-2.4+20151223.gitfa8646d/debian/patches/CVE-2015-8271-2.patch rtmpdump-2.4+20151223.gitfa8646d/debian/patches/CVE-2015-8271-2.patch
---
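Review bot: In the third hunk of CVE-2015-8271-1.patch the new `nSize <=0` test runs only after `AMF3CD_AddProp(&cd, &memberName)`, and the `len` returned by AMF3ReadString is never compared with `nSize`, so a member name whose encoded length exceeds the remaining input is still registered before the decoder bails out. AMF3ReadString receives no buffer length (its signature is visible in the CVE-2015-8270 hunk), so the caller is the only place this can be bounded; a check such as `if (len > nSize) goto invalid;` directly after the call would cover it. The follow-up patch on this page moves the `nSize` test ahead of the read but does not add that comparison. Separately, the debug message kept as context in the second hunk still prints `cd.cd_num`, which this patch no longer assigns from `classExtRef >> 2`; `cdnum` is presumably the value meant there.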
rtmpdump-2.4+20151223.gitfa8646d/debian/patches/CVE-2015-8271-2.patch 1970-01-01 00:00:00.000000000 +0000
+++ rtmpdump-2.4+20151223.gitfa8646d/debian/patches/CVE-2015-8271-2.patch 2017-05-05 11:55:08.000000000 +0000
@@ -0,0 +1,76 @@
+From 530f9bb2a02a78c1198fb2bf0293a12d225e4691 Mon Sep 17 00:00:00 2001
+From: Howard Chu
+Date: Mon, 14 Dec 2015 20:59:16 +0000
+Subject: [PATCH] More for input buffer checks
+
+Fix 39ec7eda489717d503bc4cbfaa591c93205695b6
+move the check to allow valid loop termination
+---
+ librtmp/amf.c | 18 +++++++++---------
+ 1 file changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/librtmp/amf.c b/librtmp/amf.c
+index d315145..1c5f99f 100644
+--- a/librtmp/amf.c
++++ b/librtmp/amf.c
+@@ -1078,11 +1078,6 @@ AMF3_Decode(AMFObject *obj, const char *pBuffer, int nSize, int bAMFData)
+ for (i = 0; i < cdnum; i++)
+ {
+ AVal memberName;
+- len = AMF3ReadString(pBuffer, &memberName);
+- RTMP_Log(RTMP_LOGDEBUG, "Member: %s", memberName.av_val);
+- AMF3CD_AddProp(&cd, &memberName);
+- nSize -= len;
+- pBuffer += len;
+ if (nSize <=0)
+ {
+ invalid:
+@@ -1090,6 +1085,11 @@ invalid:
+ __FUNCTION__);
+ return nOriginalSize;
+ }
++ len = AMF3ReadString(pBuffer, &memberName);
++ RTMP_Log(RTMP_LOGDEBUG, "Member: %s", memberName.av_val);
++ AMF3CD_AddProp(&cd, &memberName);
++ nSize -= len;
++ pBuffer += len;
+ }
+ }
+
+@@ -1120,6 +1120,8 @@ invalid:
+ int nRes, i;
+ for (i = 0; i < cd.cd_num; i++) /* non-dynamic */
+ {
++ if (nSize <=0)
++ goto invalid;
+ nRes = AMF3Prop_Decode(&prop, pBuffer, nSize, FALSE);
+ if (nRes == -1)
+ RTMP_Log(RTMP_LOGDEBUG, "%s, failed to decode AMF3 property!",
+@@ -1130,8 +1132,6 @@ invalid:
+
+ pBuffer += nRes;
+ nSize -= nRes;
+- if (nSize <=0)
+- goto invalid;
+ }
+ if (cd.cd_dynamic)
+ {
+@@ -1139,13 +1139,13 @@ invalid:
+
+ do
+ {
++ if (nSize <=0)
++ goto invalid;
+ nRes = AMF3Prop_Decode(&prop, pBuffer, nSize, TRUE);
+ AMF_AddProp(obj, &prop);
+
+ pBuffer += nRes;
+ nSize -= nRes;
+- if (nSize <=0)
+- goto invalid;
+
+ len = prop.p_name.av_len;
+ }
+--
+1.9.1
+
diff -Nru rtmpdump-2.4+20151223.gitfa8646d/debian/patches/CVE-2015-8272.patch rtmpdump-2.4+20151223.gitfa8646d/debian/patches/CVE-2015-8272.patch
---
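Review bot: In the last hunk of CVE-2015-8271-2.patch the dynamic-property loop never checks `nRes`: `AMF_AddProp(obj, &prop)` runs and `pBuffer`/`nSize` are adjusted whatever AMF3Prop_Decode returned. The non-dynamic loop in the hunk above shows that -1 is a failure value, and there it is only logged (the lines between that log call and the pointer update are outside the hunk). With `nRes == -1` the pointer steps back one byte and `nSize` grows, so the relocated `nSize <=0` guard does not trip. Adding `if (nRes < 0) goto invalid;` before `AMF_AddProp` would stop the loop on a decode failure; the loop condition itself lies outside the hunk.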
rtmpdump-2.4+20151223.gitfa8646d/debian/patches/CVE-2015-8272.patch 1970-01-01 00:00:00.000000000 +0000
+++ rtmpdump-2.4+20151223.gitfa8646d/debian/patches/CVE-2015-8272.patch 2017-05-05 11:55:12.000000000 +0000
@@ -0,0 +1,38 @@
+From 4312322107a94c81d3ec5b98f91bc6b923551dc5 Mon Sep 17 00:00:00 2001
+From: Howard Chu
+Date: Mon, 14 Dec 2015 18:43:14 +0000
+Subject: [PATCH] Ignore requests without playpath
+
+---
+ rtmpsrv.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/rtmpsrv.c b/rtmpsrv.c
+index a9e9045..5df4d3a 100644
+--- a/rtmpsrv.c
++++ b/rtmpsrv.c
+@@ -404,10 +404,10 @@ countAMF(AMFObject *obj, int *argc)
+ static char *
+ dumpAMF(AMFObject *obj, char *ptr, AVal *argv, int *argc)
+ {
+- int i, len, ac = *argc;
++ int i, ac = *argc;
+ const char opt[] = "NBSO Z";
+
+- for (i=0, len=0; i < obj->o_num; i++)
++ for (i=0; i < obj->o_num; i++)
+ {
+ AMFObjectProperty *p = &obj->o_props[i];
+ argv[ac].av_val = ptr+1;
+@@ -595,6 +595,8 @@ ServeInvoke(STREAMING_SERVER *server, RTMP * r, RTMPPacket *packet, unsigned int
+ uint32_t now;
+ RTMPPacket pc = {0};
+ AMFProp_GetString(AMF_GetProp(&obj, NULL, 3), &r->Link.playpath);
++ if (!r->Link.playpath.av_len)
++ return 0;
+ /*
+ r->Link.seekTime = AMFProp_GetNumber(AMF_GetProp(&obj, NULL, 4));
+ if (obj.o_num > 5)
+--
+1.9.1
+
diff -Nru rtmpdump-2.4+20151223.gitfa8646d/debian/patches/series rtmpdump-2.4+20151223.gitfa8646d/debian/patches/series
--- rtmpdump-2.4+20151223.gitfa8646d/debian/patches/series 2015-03-29 13:38:53.000000000 +0000
+++ rtmpdump-2.4+20151223.gitfa8646d/debian/patches/series 2017-05-05 11:55:12.000000000 +0000
@@ -1,3 +1,7 @@
 01_unbreak_makefile.diff
 02_gnutls_requires.private.diff
 03_suppress_warning.diff
+CVE-2015-8270.patch
+CVE-2015-8271-1.patch
+CVE-2015-8271-2.patch
+CVE-2015-8272.patch
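Review bot: The new early `return 0` in the ServeInvoke hunk of CVE-2015-8272.patch drops a request without a playpath silently and leaves the function before any cleanup that may follow; the function continues outside the hunk, so whether `obj` is released later (and is skipped on this path) should be confirmed. A log line before the return, such as `RTMP_Log(RTMP_LOGWARNING, "%s, request without playpath, ignoring", __FUNCTION__);`, would make malformed requests visible to whoever operates the server. The test also relies on AMFProp_GetString leaving `av_len` at 0 when property 3 is absent or not a string, which cannot be confirmed from this hunk.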