diff -Nru ruby-loofah-2.0.3/debian/changelog ruby-loofah-2.0.3/debian/changelog
--- ruby-loofah-2.0.3/debian/changelog 2016-01-07 13:22:29.000000000 +0000
+++ ruby-loofah-2.0.3/debian/changelog 2020-09-14 18:24:39.000000000 +0000
@@ -1,3 +1,37 @@
+ruby-loofah (2.0.3-2+deb9u3build0.16.04.1) xenial-security; urgency=medium
+
+ * fake sync from Debian
+
+ -- Eduardo Barretto Mon, 14 Sep 2020 15:24:39 -0300
+
+ruby-loofah (2.0.3-2+deb9u3) oldstable-security; urgency=high
+
+ * Team upload
+
+ * debian/patches
+ - add 0005-Fix-CVE-2019-15587.patch (Closes: #942894)
+ (CVE-2019-15587)
+
+ -- Hideki Yamane Wed, 23 Oct 2019 16:22:51 +0900
+
+ruby-loofah (2.0.3-2+deb9u2) stretch-security; urgency=medium
+
+ * Team upload
+
+ * debian/patches
+ - add 0004-fix-CVE-2018-16468.patch: taken security fix from upstream
+ (Closes: #912398) (CVE-2018-16468)
+
+ -- Hideki Yamane Mon, 31 Dec 2018 16:38:27 +0900
+
+ruby-loofah (2.0.3-2+deb9u1) stretch-security; urgency=high
+
+ * Introduce upstream patch to address a potential cross-site scripting
+ vulnerability caused by libxml2 >= 2.9.2. (Closes: #893596)
+ (CVE-2018-8048)
+
+ -- Georg Faerber Sat, 24 Mar 2018 16:13:55 +0100
+
 ruby-loofah (2.0.3-2) unstable; urgency=medium
 
 * fix-tests-assert.patch: Patch to fix test failures (Closes: #808449)
diff -Nru ruby-loofah-2.0.3/debian/patches/0004-fix-CVE-2018-16468.patch ruby-loofah-2.0.3/debian/patches/0004-fix-CVE-2018-16468.patch
--- ruby-loofah-2.0.3/debian/patches/0004-fix-CVE-2018-16468.patch 1970-01-01 00:00:00.000000000 +0000
+++ ruby-loofah-2.0.3/debian/patches/0004-fix-CVE-2018-16468.patch 2019-10-23 07:22:51.000000000 +0000
@@ -0,0 +1,45 @@
+From: Hideki Yamane
+Date: Mon, 31 Dec 2018 16:32:19 +0900
+Subject: fix CVE-2018-16468
+
+Taken patch from upstream commit
+See https://github.com/flavorjones/loofah/commit/be0fd3ac0fad452730f10e318fa31706257fd081
+and https://github.com/flavorjones/loofah/issues/154
+---
+ lib/loofah/html5/whitelist.rb | 2 +-
+ test/integration/test_ad_hoc.rb | 11 +++++++++++
+ 2 files changed, 12 insertions(+), 1 deletion(-)
+
+diff --git a/lib/loofah/html5/whitelist.rb b/lib/loofah/html5/whitelist.rb
+index 85ffe6a..0a25652 100644
+--- a/lib/loofah/html5/whitelist.rb
++++ b/lib/loofah/html5/whitelist.rb
+@@ -92,7 +92,7 @@ module Loofah
+ color-interpolation-filters color-rendering content cx cy d dx
+ dy descent display dur end fill fill-opacity fill-rule
+ filterRes filterUnits font-family
+- font-size font-stretch font-style font-variant font-weight from fx fy g1
++ font-size font-stretch font-style font-variant font-weight fx fy g1
+ g2 glyph-name gradientUnits hanging height horiz-adv-x horiz-origin-x id
+ ideographic k keyPoints keySplines keyTimes lang marker-end
+ marker-mid marker-start markerHeight markerUnits markerWidth
+diff --git a/test/integration/test_ad_hoc.rb b/test/integration/test_ad_hoc.rb
+index ab10581..49c04d8 100644
+--- a/test/integration/test_ad_hoc.rb
++++ b/test/integration/test_ad_hoc.rb
+@@ -199,4 +199,15 @@ mso-bidi-language:#0400;}
+ end
+ end
+ end
++
++ # see:
++ # - https://github.com/flavorjones/loofah/issues/154
++ # - https://hackerone.com/reports/429267
++ context "xss protection from svg xmlns:xlink animate attribute" do
++ it "sanitizes appropriate attributes" do
++ html = %Q{}
++ sanitized = Loofah.scrub_fragment(html, :escape)
++ assert_nil sanitized.at_css("animate")["from"]
++ end
++ end
+ end
diff -Nru ruby-loofah-2.0.3/debian/patches/0005-Fix-CVE-2019-15587.patch ruby-loofah-2.0.3/debian/patches/0005-Fix-CVE-2019-15587.patch
--- ruby-loofah-2.0.3/debian/patches/0005-Fix-CVE-2019-15587.patch 1970-01-01 00:00:00.000000000 +0000
+++ ruby-loofah-2.0.3/debian/patches/0005-Fix-CVE-2019-15587.patch 2019-10-23 07:22:51.000000000 +0000
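Review bot: The new test dereferences `sanitized.at_css("animate")["from"]` without first checking that `at_css` found an element, so if the `animate` element is ever absent from the scrubbed output (for example if a later whitelist change drops the element itself) the test raises NoMethodError on nil instead of failing with a readable assertion. On this page the `%Q{}` literal reads as empty, presumably a rendering artifact of the markup inside it; if it really were empty the test would error for exactly that reason. I would add `animate = sanitized.at_css("animate")` followed by `refute_nil animate` before the attribute assertion. The enclosing test file continues outside the hunk.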
@@ -0,0 +1,79 @@
+From: Hideki Yamane
+Date: Wed, 23 Oct 2019 15:06:50 +0900
+Subject: Fix CVE-2019-15587
+
+taken patch for test (test/integration/test_ad_hoc.rb) and modified
+lib/loofah/html5/whitelist.rb manually.
+---
+ lib/loofah/html5/whitelist.rb | 6 +++---
+ test/integration/test_ad_hoc.rb | 30 ++++++++++++++++++++++++------
+ 2 files changed, 27 insertions(+), 9 deletions(-)
+
+Index: ruby-loofah/lib/loofah/html5/whitelist.rb
+===================================================================
+--- ruby-loofah.orig/lib/loofah/html5/whitelist.rb
++++ ruby-loofah/lib/loofah/html5/whitelist.rb
+@@ -88,7 +88,7 @@ module Loofah
+
+ SVG_ATTRIBUTES = Set.new %w[accent-height accumulate additive alphabetic
+ arabic-form ascent attributeName attributeType baseProfile bbox begin
+- by calcMode cap-height class clip-path clip-rule color
++ calcMode cap-height class clip-path clip-rule color
+ color-interpolation-filters color-rendering content cx cy d dx
+ dy descent display dur end fill fill-opacity fill-rule
+ filterRes filterUnits font-family
+@@ -105,9 +105,9 @@ module Loofah
+ stemv stop-color stop-opacity strikethrough-position
+ strikethrough-thickness stroke stroke-dasharray stroke-dashoffset
+ stroke-linecap stroke-linejoin stroke-miterlimit stroke-opacity
+- stroke-width systemLanguage target text-anchor to transform type u1
++ stroke-width systemLanguage target text-anchor transform type u1
+ u2 underline-position underline-thickness unicode unicode-range
+- units-per-em values version viewBox visibility width widths x
++ units-per-em version viewBox visibility width widths x
+ x-height x1 x2 xlink:actuate xlink:arcrole xlink:href xlink:role
+ xlink:show xlink:title xlink:type xml:base xml:lang xml:space xmlns
+ xmlns:xlink y y1 y2 zoomAndPan]
+Index: ruby-loofah/test/integration/test_ad_hoc.rb
+===================================================================
+--- ruby-loofah.orig/test/integration/test_ad_hoc.rb
++++ ruby-loofah/test/integration/test_ad_hoc.rb
+@@ -200,14 +200,32 @@ mso-bidi-language:#0400;}
+ end
+ end
+
+- # see:
+- # - https://github.com/flavorjones/loofah/issues/154
+- # - https://hackerone.com/reports/429267
+- context "xss protection from svg xmlns:xlink animate attribute" do
+- it "sanitizes appropriate attributes" do
+- html = %Q{}
++ context "xss protection from svg animate attributes" do
++ # see recommendation from https://html5sec.org/#137
++ # to sanitize "to", "from", "values", and "by" attributes
++
++ it "sanitizes 'from', 'to', and 'by' attributes" do
++ # for CVE-2018-16468
++ # see:
++ # - https://github.com/flavorjones/loofah/issues/154
++ # - https://hackerone.com/reports/429267
++ html = %Q{}
++
+ sanitized = Loofah.scrub_fragment(html, :escape)
+ assert_nil sanitized.at_css("animate")["from"]
++ assert_nil sanitized.at_css("animate")["to"]
++ assert_nil sanitized.at_css("animate")["by"]
++ end
++
++ it "sanitizes 'values' attribute" do
++ # for CVE-2019-15587
++ # see:
++ # - https://github.com/flavorjones/loofah/issues/171
++ # - https://hackerone.com/reports/709009
++ html = %Q{ }
++
++ sanitized = Loofah.scrub_fragment(html, :escape)
++ assert_nil sanitized.at_css("animate")["values"]
+ end
+ end
+ end
diff -Nru ruby-loofah-2.0.3/debian/patches/CVE-2018-8048.patch ruby-loofah-2.0.3/debian/patches/CVE-2018-8048.patch
--- ruby-loofah-2.0.3/debian/patches/CVE-2018-8048.patch 1970-01-01 00:00:00.000000000 +0000
+++ ruby-loofah-2.0.3/debian/patches/CVE-2018-8048.patch 2019-10-23 07:22:51.000000000 +0000
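Review bot: The patch header says whitelist.rb was "modified manually" but, unlike the 0004 patch, cites no upstream commit, so a reviewer cannot check that removing `by`, `to` and `values` from SVG_ATTRIBUTES is the complete upstream attribute set for CVE-2019-15587 rather than a partial transcription. I would add an `Origin:` line pointing at the upstream loofah commit (or the issue 171 / HackerOne 709009 links the test already carries) to the DEP-3 header. The header should also state that after this patch `from`, `to`, `by` and `values` are stripped from benign `<animate>` elements as well, since that is a visible behaviour change for users of the stable package, not just a security fix; a one-line note such as `SVG animation attributes that can carry URLs into xlink:href are dropped; legitimate <animate> markup loses them too` would do. The `%Q{}` and `%Q{ }` literals in the tests read as empty on this page, presumably a rendering artifact of the markup inside them; if they really were empty, `at_css("animate")` would return nil and the assertions would raise rather than fail.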
@@ -0,0 +1,99 @@
+Description: Patch to address potential XSS vuln (CVE-2018-8048)
+ libxml2 >= 2.9.2 fails to escape comments within some attributes. It
+ wants to ensure these comments can be treated as "server-side
+ includes", but as a result fails to ensure that serialization is
+ well-formed, resulting in an opportunity for XSS injection of code
+ into a final re-parsed document (presumably in a browser).
+Origin: upstream
+Debian-Bug: #893596
+Applied-Upstream: https://github.com/flavorjones/loofah/commit/4a08c25a603654f2fc505a7d2bf0c35a39870ad7
+Last-Update: 2018-03-25
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/lib/loofah.rb
++++ b/lib/loofah.rb
+@@ -6,6 +6,7 @@
+ require 'loofah/elements'
+
+ require 'loofah/html5/whitelist'
++require 'loofah/html5/libxml2_workarounds'
+ require 'loofah/html5/scrub'
+
+ require 'loofah/scrubber'
+--- /dev/null
++++ b/lib/loofah/html5/libxml2_workarounds.rb
+@@ -0,0 +1,12 @@
++require 'set'
++module Loofah
++ module LibxmlWorkarounds
++ BROKEN_ESCAPING_ATTRIBUTES = Set.new %w[
++ href
++ action
++ src
++ name
++ ]
++ BROKEN_ESCAPING_ATTRIBUTES_QUALIFYING_TAG = {"name" => "a"}
++ end
++end
+--- a/lib/loofah/html5/scrub.rb
++++ b/lib/loofah/html5/scrub.rb
+@@ -54,6 +54,7 @@
+ node.attribute_nodes.each do |attr_node|
+ node.remove_attribute(attr_node.name) if attr_node.value !~ /[^[:space:]]/
+ end
++ force_correct_attribute_escaping! node
+ end
+
+ def scrub_css_attribute node
+@@ -89,6 +90,18 @@
+ style = clean.join(' ')
+ end
+
++ def force_correct_attribute_escaping! node
++ return unless Nokogiri::VersionInfo.instance.libxml2?
++ node.attribute_nodes.each do |attr_node|
++ next unless LibxmlWorkarounds::BROKEN_ESCAPING_ATTRIBUTES.include?(attr_node.name)
++ tag_name = LibxmlWorkarounds::BROKEN_ESCAPING_ATTRIBUTES_QUALIFYING_TAG[attr_node.name]
++ next unless tag_name.nil? || tag_name == node.name
++ encoding = attr_node.value.encoding
++ attr_node.value = attr_node.value.gsub(/[ "]/) do |m|
++ '%' + m.unpack('H2' * m.bytesize).join('%').upcase
++ end.force_encoding(encoding)
++ end
++ end
+ end
+
+ end
+--- a/test/integration/test_ad_hoc.rb
++++ b/test/integration/test_ad_hoc.rb
+@@ -173,4 +173,30 @@
+ html = "

Foo

\n

Bar

" + assert_equal "Foo\nBar", Loofah.scrub_document(html, :prune).text + end ++ [ ++ {tag: "a", attr: "href"}, ++ {tag: "div", attr: "href"}, ++ {tag: "a", attr: "action"}, ++ {tag: "div", attr: "action"}, ++ {tag: "a", attr: "src"}, ++ {tag: "div", attr: "src"}, ++ {tag: "a", attr: "name"}, ++ {tag: "div", attr: "name", unescaped: true}, ++ ].each do |config| ++ define_method "test_uri_escaping_of_#{config[:attr]}_attr_in_#{config[:tag]}_tag" do ++ html = %{<#{config[:tag]} #{config[:attr]}='example.com'>test} ++ reparsed = Loofah.fragment(Loofah.fragment(html).scrub!(:prune).to_html) ++ attributes = reparsed.at_css(config[:tag]).attribute_nodes ++ assert_equal [config[:attr]], attributes.collect(&:name) ++ if Nokogiri::VersionInfo.new.libxml2? ++ if config[:unescaped] ++ assert_equal %{example.com}, attributes.first.value ++ else ++ assert_equal %{example.com}, attributes.first.value ++ end ++ else ++ assert_equal %{example.com}, attributes.first.value ++ end ++ end ++ end + end diff -Nru ruby-loofah-2.0.3/debian/patches/series ruby-loofah-2.0.3/debian/patches/series --- ruby-loofah-2.0.3/debian/patches/series 2016-01-07 13:18:08.000000000 +0000 +++ ruby-loofah-2.0.3/debian/patches/series 2019-10-23 07:22:51.000000000 +0000 @@ -1,2 +1,5 @@ +CVE-2018-8048.patch fix-tests-assert.patch dont_require_lib_files.patch +0004-fix-CVE-2018-16468.patch +0005-Fix-CVE-2019-15587.patch