diff -Nru tomcat7-7.0.68/debian/changelog tomcat7-7.0.68/debian/changelog
--- tomcat7-7.0.68/debian/changelog 2016-02-18 21:28:39.000000000 +0000
+++ tomcat7-7.0.68/debian/changelog 2017-03-31 16:37:27.000000000 +0000
@@ -1,3 +1,21 @@
+tomcat7 (7.0.68-1ubuntu0.2) xenial; urgency=medium
+
+ * Fix an upgrade error when JAVA_OPTS in /etc/default/tomcat7 contains
+ the '%' character (LP: #1666570).
+ * Fix javax.servlet.jsp POM to use servlet-api version 3.0 instead of
+ 2.2 (LP: #1664179).
+
+ -- Joshua Powers Tue, 28 Mar 2017 16:15:05 -0700
+
+tomcat7 (7.0.68-1ubuntu0.1) xenial-security; urgency=medium
+
+ * SECURITY UPDATE: denial of service in FileUpload
+ - debian/patches/CVE-2016-3092.patch: properly handle size in
+ java/org/apache/tomcat/util/http/fileupload/MultipartStream.java.
+ - CVE-2016-3092
+
+ -- Marc Deslauriers Mon, 27 Jun 2016 14:13:17 -0400
+
 tomcat7 (7.0.68-1) unstable; urgency=medium
 
 * Team upload.
diff -Nru tomcat7-7.0.68/debian/control tomcat7-7.0.68/debian/control
--- tomcat7-7.0.68/debian/control 2016-02-18 09:23:48.000000000 +0000
+++ tomcat7-7.0.68/debian/control 2017-03-31 16:37:27.000000000 +0000
@@ -1,7 +1,8 @@
 Source: tomcat7
 Section: java
 Priority: optional
-Maintainer: Debian Java Maintainers
+Maintainer: Ubuntu Developers
+XSBC-Original-Maintainer: Debian Java Maintainers
 Uploaders: James Page ,
 Miguel Landaeta ,
 tony mancill ,
diff -Nru tomcat7-7.0.68/debian/javaxpoms/jsp-api.pom tomcat7-7.0.68/debian/javaxpoms/jsp-api.pom
--- tomcat7-7.0.68/debian/javaxpoms/jsp-api.pom 2016-02-18 09:23:48.000000000 +0000
+++ tomcat7-7.0.68/debian/javaxpoms/jsp-api.pom 2017-03-31 16:36:25.000000000 +0000
@@ -49,7 +49,7 @@
 javax.servlet
 servlet-api
- @MAVEN.DEPLOY.VERSION@
+ 3.0
 compile
diff -Nru tomcat7-7.0.68/debian/patches/CVE-2016-3092.patch tomcat7-7.0.68/debian/patches/CVE-2016-3092.patch
--- tomcat7-7.0.68/debian/patches/CVE-2016-3092.patch 1970-01-01 00:00:00.000000000 +0000
+++ tomcat7-7.0.68/debian/patches/CVE-2016-3092.patch 2017-03-31 16:36:25.000000000 +0000
@@ -0,0 +1,50 @@
+From: Markus Koschany
+Date: Sun, 26 Jun 2016 19:14:54 +0200
+Subject: CVE-2016-3092
+
+A denial of service vulnerability was identified in Commons FileUpload that
+occurred when the length of the multipart boundary was just below the size of
+the buffer (4096 bytes) used to read the uploaded file. This caused the file
+upload process to take several orders of magnitude longer than if the boundary
+was the typical tens of bytes long.
+
+Upstream advisory:
+http://markmail.org/message/oyxfv73jb2g7rjg3
+
+Origin: https://svn.apache.org/r1743480
+Origin: https://svn.apache.org/viewvc?view=revision&revision=1743742
+---
+ .../apache/tomcat/util/http/fileupload/MultipartStream.java | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+Index: tomcat7-7.0.68/java/org/apache/tomcat/util/http/fileupload/MultipartStream.java
+===================================================================
+--- tomcat7-7.0.68.orig/java/org/apache/tomcat/util/http/fileupload/MultipartStream.java 2016-06-27 14:12:36.278176085 -0400
++++ tomcat7-7.0.68/java/org/apache/tomcat/util/http/fileupload/MultipartStream.java 2016-06-27 14:12:36.274176038 -0400
+@@ -282,11 +282,10 @@
+ byte[] boundary,
+ int bufSize,
+ ProgressNotifier pNotifier) {
+- this.input = input;
+- this.bufSize = bufSize;
+- this.buffer = new byte[bufSize];
+- this.notifier = pNotifier;
+
++ if (boundary == null) {
++ throw new IllegalArgumentException("boundary may not be null");
++ }
+ // We prepend CR/LF to the boundary to chop trailing CR/LF from
+ // body-data tokens.
+ this.boundaryLength = boundary.length + BOUNDARY_PREFIX.length;
+@@ -294,6 +293,11 @@
+ throw new IllegalArgumentException(
+ "The buffer size specified for the MultipartStream is too small");
+ }
++ this.input = input;
++ this.bufSize = Math.max(bufSize, boundaryLength*2);
++ this.buffer = new byte[this.bufSize];
++ this.notifier = pNotifier;
++
+ this.boundary = new byte[this.boundaryLength];
+ this.keepRegion = this.boundary.length;
+
diff -Nru tomcat7-7.0.68/debian/patches/series tomcat7-7.0.68/debian/patches/series
--- tomcat7-7.0.68/debian/patches/series 2016-02-18 11:24:35.000000000 +0000
+++ tomcat7-7.0.68/debian/patches/series 2017-03-31 16:37:27.000000000 +0000
@@ -17,3 +17,4 @@
 0024-disable-unit-tests-depending-on-network-access.path
 0025-standard-taglibs-compatibility.patch
 0026-add-asm-to-test-classpath.patch
+CVE-2016-3092.patch
diff -Nru tomcat7-7.0.68/debian/tomcat7.postinst tomcat7-7.0.68/debian/tomcat7.postinst
--- tomcat7-7.0.68/debian/tomcat7.postinst 2016-02-18 09:23:48.000000000 +0000
+++ tomcat7-7.0.68/debian/tomcat7.postinst 2017-03-31 16:37:27.000000000 +0000
@@ -19,10 +19,11 @@
 tmpfile=`mktemp /tmp/tomcat7.XXXXXXXXXX`
 chmod 644 $tmpfile
+ DELIM=$(printf '\001')
 cat $TEMPLATE \
 | sed "s%^TOMCAT7_USER=.*$%TOMCAT7_USER=$TOMCAT7_USER%" \
 | sed "s%^TOMCAT7_GROUP=.*$%TOMCAT7_GROUP=$TOMCAT7_GROUP%" \
- | sed "s%^JAVA_OPTS=.*$%JAVA_OPTS=\"$JAVA_OPTS\"%" \
+ | sed "s${DELIM}^JAVA_OPTS=.*\$${DELIM}JAVA_OPTS=\"$JAVA_OPTS\"${DELIM}" \
 >> $tmpfile
 ucf --debconf-ok --sum-file /usr/share/tomcat7/defaults.md5sum $tmpfile $CONFFILE
 rm -f $tmpfile
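Review bot: The added `this.bufSize = Math.max(bufSize, boundaryLength*2);` in the second inner hunk of CVE-2016-3092.patch carries no comment on why the factor is two, although that line is the actual fix for the slowdown the patch header describes (boundary just below the 4096-byte buffer, orders of magnitude slower); a comment such as `// Keep the buffer at least twice the boundary length so a boundary close to bufSize cannot starve progress per refill (CVE-2016-3092)` would spare the next backporter re-deriving it — the exact mechanism (keepRegion, set to the boundary length just below, leaving almost nothing to consume per fill) is inferred and worth confirming against readBodyData outside the hunk. Because the field assignments were moved below the "buffer size ... too small" throw, that check (its condition lies outside the hunk) still judges the caller's bufSize argument while the fields `bufSize` and `buffer` may now be larger than what the caller passed; the constructor's Javadoc should state that the supplied size is a minimum, not the exact allocation. The constructor's signature and the rest of its body are outside the hunk.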
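Review bot: The new sed line in tomcat7.postinst still splices `$JAVA_OPTS` verbatim into the replacement side of the expression, so switching the delimiter to \001 only covers `%`: an `&` in JAVA_OPTS is expanded by sed to the matched `JAVA_OPTS=...` text and a backslash starts a sed escape, so those values still produce a corrupted /etc/default/tomcat7 or a sed error on upgrade. Escaping the value before substitution closes that gap, e.g. `JAVA_OPTS_ESC=$(printf '%s' "$JAVA_OPTS" | sed 's/[\&]/\\&/g')` and then `JAVA_OPTS=\"$JAVA_OPTS_ESC\"` in the replacement. The two unchanged sed commands above it embed `$TOMCAT7_USER` and `$TOMCAT7_GROUP` with `%` as delimiter and have the same failure mode for those values; using `${DELIM}` there too would make the three pipeline stages consistent. The surrounding function is outside the hunk.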