diff -Nru tomcat8-8.0.32/debian/changelog tomcat8-8.0.32/debian/changelog
--- tomcat8-8.0.32/debian/changelog 2016-02-19 08:13:36.000000000 +0000
+++ tomcat8-8.0.32/debian/changelog 2016-09-16 13:12:05.000000000 +0000
@@ -1,3 +1,21 @@
+tomcat8 (8.0.32-1ubuntu1.2) xenial-security; urgency=medium
+
+ * SECURITY UPDATE: privilege escalation via insecure init script
+ - debian/tomcat8.init: don't follow symlinks when handling the
+ catalina.out file.
+ - CVE-2016-1240
+
+ -- Marc Deslauriers Fri, 16 Sep 2016 09:11:41 -0400
+
+tomcat8 (8.0.32-1ubuntu1.1) xenial-security; urgency=medium
+
+ * SECURITY UPDATE: denial of service in FileUpload
+ - debian/patches/CVE-2016-3092.patch: properly handle size in
+ java/org/apache/tomcat/util/http/fileupload/MultipartStream.java.
+ - CVE-2016-3092
+
+ -- Marc Deslauriers Wed, 06 Jul 2016 07:49:29 -0400
+
 tomcat8 (8.0.32-1ubuntu1) xenial; urgency=medium

 * Prepare to promote tomcat8 to main (LP: #1539903).
diff -Nru tomcat8-8.0.32/debian/patches/CVE-2016-3092.patch tomcat8-8.0.32/debian/patches/CVE-2016-3092.patch
--- tomcat8-8.0.32/debian/patches/CVE-2016-3092.patch 1970-01-01 00:00:00.000000000 +0000
+++ tomcat8-8.0.32/debian/patches/CVE-2016-3092.patch 2016-07-06 11:49:23.000000000 +0000
@@ -0,0 +1,29 @@
+Description: Fixes CVE-2016-3092: Denial-of-Service vulnerability
+Origin: backport, https://svn.apache.org/r1743480
+--- a/java/org/apache/tomcat/util/http/fileupload/MultipartStream.java
++++ b/java/org/apache/tomcat/util/http/fileupload/MultipartStream.java
+@@ -289,11 +289,6 @@
+ throw new IllegalArgumentException("boundary may not be null");
+ }
+
+- this.input = input;
+- this.bufSize = bufSize;
+- this.buffer = new byte[bufSize];
+- this.notifier = pNotifier;
+-
+ // We prepend CR/LF to the boundary to chop trailing CR/LF from
+ // body-data tokens.
+ this.boundaryLength = boundary.length + BOUNDARY_PREFIX.length;
+@@ -301,6 +296,12 @@
+ throw new IllegalArgumentException(
+ "The buffer size specified for the MultipartStream is too small");
+ }
++
++ this.input = input;
++ this.bufSize = Math.max(bufSize, boundaryLength*2);
++ this.buffer = new byte[this.bufSize];
++ this.notifier = pNotifier;
++
+ this.boundary = new byte[this.boundaryLength];
+ this.keepRegion = this.boundary.length;
+
diff -Nru tomcat8-8.0.32/debian/patches/series tomcat8-8.0.32/debian/patches/series
--- tomcat8-8.0.32/debian/patches/series 2016-02-19 08:12:43.000000000 +0000
+++ tomcat8-8.0.32/debian/patches/series 2016-07-06 11:49:23.000000000 +0000
@@ -13,3 +13,4 @@
 0019-add-distribution-to-error-page.patch
 #0020-disable-java8-support-with-jdtcompiler.patch
 0021-ubuntu-mainize-build-xml.patch
+CVE-2016-3092.patch
diff -Nru tomcat8-8.0.32/debian/tomcat8.init tomcat8-8.0.32/debian/tomcat8.init
--- tomcat8-8.0.32/debian/tomcat8.init 2016-02-10 15:08:36.000000000 +0000
+++ tomcat8-8.0.32/debian/tomcat8.init 2016-09-16 13:12:32.000000000 +0000
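Review bot: In the second hunk of the embedded MultipartStream.java patch, `this.bufSize = Math.max(bufSize, boundaryLength*2);` silently enlarges the buffer the caller asked for, and nothing in the code says why, so a later cleanup back to `this.bufSize = bufSize;` could reopen CVE-2016-3092 unnoticed. I would put a comment above it, for example `// Keep the buffer at least twice the boundary length; a boundary nearly as long as the buffer makes each refill advance only a few bytes (CVE-2016-3092).` The boundary is taken from the request, so the allocation now scales with client-supplied data; that is presumably capped by the connector's header size limit, which is worth confirming for this backport. The constructor starts and ends outside both hunks, and the condition guarding the "too small" exception is not visible here.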
@@ -171,8 +171,10 @@

 # Run the catalina.sh script as a daemon
 set +e
- touch "$CATALINA_PID" "$CATALINA_BASE"/logs/catalina.out
- chown $TOMCAT8_USER "$CATALINA_PID" "$CATALINA_BASE"/logs/catalina.out
+ if [ ! -f "$CATALINA_BASE"/logs/catalina.out ]; then
+ install -o $TOMCAT8_USER -g adm -m 644 /dev/null "$CATALINA_BASE"/logs/catalina.out
+ fi
+ install -o $TOMCAT8_USER -g adm -m 644 /dev/null "$CATALINA_PID"
 start-stop-daemon --start -b -u "$TOMCAT8_USER" -g "$TOMCAT8_GROUP" \
 -c "$TOMCAT8_USER" -d "$CATALINA_TMPDIR" -p "$CATALINA_PID" \
 -x /bin/bash -- -c "$AUTHBIND_COMMAND $TOMCAT_SH"
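Review bot: The added `[ ! -f "$CATALINA_BASE"/logs/catalina.out ]` test follows symlinks and both `install` calls omit `-T`, so root still acts on whatever object sits at that path; when the destination resolves to a directory, `install` treats it as a target directory instead of replacing it. The log directory is presumably writable by `$TOMCAT8_USER`, so I would write the call as `install -T -o "$TOMCAT8_USER" -g adm -m 644 /dev/null "$CATALINA_BASE"/logs/catalina.out` (this also quotes the user name), do the same for the `$CATALINA_PID` call, and consider creating the log file as the service user rather than as root. The block runs after `set +e`, so a failed `install` goes unnoticed before `start-stop-daemon` runs; the enclosing function starts and ends outside the hunk.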