diff -Nru ruby-loofah-2.0.3/debian/changelog ruby-loofah-2.0.3/debian/changelog
--- ruby-loofah-2.0.3/debian/changelog 2019-02-04 10:29:53.000000000 +0000
+++ ruby-loofah-2.0.3/debian/changelog 2020-09-14 18:24:39.000000000 +0000
@@ -1,8 +1,18 @@
-ruby-loofah (2.0.3-2+deb9u2build0.16.04.1) xenial-security; urgency=medium
+ruby-loofah (2.0.3-2+deb9u3build0.16.04.1) xenial-security; urgency=medium
 * fake sync from Debian
- -- Mike Salvatore Mon, 04 Feb 2019 05:29:53 -0500
+ -- Eduardo Barretto Mon, 14 Sep 2020 15:24:39 -0300
+
+ruby-loofah (2.0.3-2+deb9u3) oldstable-security; urgency=high
+
+ * Team upload
+
+ * debian/patches
+ - add 0005-Fix-CVE-2019-15587.patch (Closes: #942894)
+ (CVE-2019-15587)
+
+ -- Hideki Yamane Wed, 23 Oct 2019 16:22:51 +0900
 ruby-loofah (2.0.3-2+deb9u2) stretch-security; urgency=medium
diff -Nru ruby-loofah-2.0.3/debian/patches/0005-Fix-CVE-2019-15587.patch ruby-loofah-2.0.3/debian/patches/0005-Fix-CVE-2019-15587.patch
--- ruby-loofah-2.0.3/debian/patches/0005-Fix-CVE-2019-15587.patch 1970-01-01 00:00:00.000000000 +0000
+++ ruby-loofah-2.0.3/debian/patches/0005-Fix-CVE-2019-15587.patch 2019-10-23 07:22:51.000000000 +0000
@@ -0,0 +1,79 @@
+From: Hideki Yamane
+Date: Wed, 23 Oct 2019 15:06:50 +0900
+Subject: Fix CVE-2019-15587
+
+taken patch for test (test/integration/test_ad_hoc.rb) and modified
+lib/loofah/html5/whitelist.rb manually.
+---
+ lib/loofah/html5/whitelist.rb | 6 +++---
+ test/integration/test_ad_hoc.rb | 30 ++++++++++++++++++++++++------
+ 2 files changed, 27 insertions(+), 9 deletions(-)
+
+Index: ruby-loofah/lib/loofah/html5/whitelist.rb
+===================================================================
+--- ruby-loofah.orig/lib/loofah/html5/whitelist.rb
++++ ruby-loofah/lib/loofah/html5/whitelist.rb
+@@ -88,7 +88,7 @@ module Loofah
+
+ SVG_ATTRIBUTES = Set.new %w[accent-height accumulate additive alphabetic
+ arabic-form ascent attributeName attributeType baseProfile bbox begin
+- by calcMode cap-height class clip-path clip-rule color
+ calcMode cap-height class clip-path clip-rule color
+ color-interpolation-filters color-rendering content cx cy d dx
+ dy descent display dur end fill fill-opacity fill-rule
+ filterRes filterUnits font-family
+@@ -105,9 +105,9 @@ module Loofah
+ stemv stop-color stop-opacity strikethrough-position
+ strikethrough-thickness stroke stroke-dasharray stroke-dashoffset
+ stroke-linecap stroke-linejoin stroke-miterlimit stroke-opacity
+- stroke-width systemLanguage target text-anchor to transform type u1
++ stroke-width systemLanguage target text-anchor transform type u1
+ u2 underline-position underline-thickness unicode unicode-range
+- units-per-em values version viewBox visibility width widths x
++ units-per-em version viewBox visibility width widths x
+ x-height x1 x2 xlink:actuate xlink:arcrole xlink:href xlink:role
+ xlink:show xlink:title xlink:type xml:base xml:lang xml:space xmlns
+ xmlns:xlink y y1 y2 zoomAndPan]
+Index: ruby-loofah/test/integration/test_ad_hoc.rb
+===================================================================
+--- ruby-loofah.orig/test/integration/test_ad_hoc.rb
++++ ruby-loofah/test/integration/test_ad_hoc.rb
+@@ -200,14 +200,32 @@ mso-bidi-language:#0400;}
+ end
+ end
+
+- # see:
+- # - https://github.com/flavorjones/loofah/issues/154
+- # - https://hackerone.com/reports/429267
+- context "xss protection from svg xmlns:xlink animate attribute" do
+- it "sanitizes appropriate attributes" do
+- html = %Q{}
++ context "xss protection from svg animate attributes" do
++ # see recommendation from https://html5sec.org/#137
++ # to sanitize "to", "from", "values", and "by" attributes
++
++ it "sanitizes 'from', 'to', and 'by' attributes" do
++ # for CVE-2018-16468
++ # see:
++ # - https://github.com/flavorjones/loofah/issues/154
++ # - https://hackerone.com/reports/429267
++ html = %Q{}
++
+ sanitized = Loofah.scrub_fragment(html, :escape)
+ assert_nil sanitized.at_css("animate")["from"]
++ assert_nil sanitized.at_css("animate")["to"]
++ assert_nil sanitized.at_css("animate")["by"]
++ end
++
++ it "sanitizes 'values' attribute" do
++ # for CVE-2019-15587
++ # see:
++ # - https://github.com/flavorjones/loofah/issues/171
++ # - https://hackerone.com/reports/709009
++ html = %Q{ }
++
++ sanitized = Loofah.scrub_fragment(html, :escape)
++ assert_nil sanitized.at_css("animate")["values"]
+ end
+ end
+ end
diff -Nru ruby-loofah-2.0.3/debian/patches/series ruby-loofah-2.0.3/debian/patches/series
--- ruby-loofah-2.0.3/debian/patches/series 2018-12-31 07:38:27.000000000 +0000
+++ ruby-loofah-2.0.3/debian/patches/series 2019-10-23 07:22:51.000000000 +0000
@@ -2,3 +2,4 @@
 fix-tests-assert.patch
 dont_require_lib_files.patch
 0004-fix-CVE-2018-16468.patch
+0005-Fix-CVE-2019-15587.patch
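Review bot: In the whitelist.rb part of the embedded 0005 patch, `by`, `to` and `values` are dropped from `SVG_ATTRIBUTES` with no comment in the list itself, so a later sync from upstream or another hand edit could reintroduce them unnoticed. A comment above the constant, e.g. `# 'by', 'from', 'to' and 'values' are deliberately absent: XSS via SVG animate attributes (CVE-2018-16468, CVE-2019-15587)`, would record the intent next to the data. The updated test also asserts that `from` is stripped, yet no line in these hunks removes it; presumably 0004-fix-CVE-2018-16468.patch already did, which is worth confirming because the description says the whitelist change was made manually. Both test cases go through `Loofah.scrub_fragment(html, :escape)` on an `animate` element only, so behaviour of the other scrub modes is not demonstrated here. The `SVG_ATTRIBUTES` definition extends beyond both whitelist hunks.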