diff -Nru twisted-16.0.0/debian/changelog twisted-16.0.0/debian/changelog
--- twisted-16.0.0/debian/changelog 2018-03-01 14:49:08.000000000 +0000
+++ twisted-16.0.0/debian/changelog 2018-03-01 18:31:21.000000000 +0000
@@ -1,11 +1,12 @@
-twisted (16.0.0-1ubuntu0.1) xenial-security; urgency=medium
+twisted (16.0.0-1ubuntu0.2) xenial-security; urgency=medium
* SECURITY UPDATE: HTTProxy issue
- debian/patches/CVE-2016-1000111.patch: fix implementation
- in twisted/web/twcgi.py.
+ in twisted/web/twcgi.py and add some test in
+ twisted/web/test/test_cgi.py.
- CVE-2016-1000111
- -- Leonidas S. Barbosa Thu, 01 Mar 2018 11:47:15 -0300
+ -- Leonidas S. Barbosa Thu, 01 Mar 2018 15:19:01 -0300
twisted (16.0.0-1) unstable; urgency=medium
diff -Nru twisted-16.0.0/debian/patches/CVE-2016-1000111.patch twisted-16.0.0/debian/patches/CVE-2016-1000111.patch
--- twisted-16.0.0/debian/patches/CVE-2016-1000111.patch 2018-03-01 14:47:06.000000000 +0000
+++ twisted-16.0.0/debian/patches/CVE-2016-1000111.patch 2018-03-01 18:18:40.000000000 +0000
@@ -1,17 +1,103 @@
+Backported of:
+
From e155c8c9e3dc72a7a47608e4dbd729577c552de2 Mon Sep 17 00:00:00 2001
From: "Amber Brown (HawkOwl)" Date: Wed, 10 Aug 2016 20:03:11 +0800 Subject: [PATCH] fix the implementation + --- - twisted/web/twcgi.py | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) + twisted/web/test/test_cgi.py | 43 ++++++++++++++++++++++++++++++++++++++-- + twisted/web/topfiles/8623.bugfix | 1 + + twisted/web/twcgi.py | 2 +- + 3 files changed, 43 insertions(+), 3 deletions(-) + create mode 100644 twisted/web/topfiles/8623.bugfix +diff --git a/twisted/web/test/test_cgi.py b/twisted/web/test/test_cgi.py +index 6f803be..3534b89 100755 +--- a/twisted/web/test/test_cgi.py ++++ b/twisted/web/test/test_cgi.py +@@ -5,13 +5,17 @@ + Tests for L{twisted.web.twcgi}. + """ + +-import sys, os ++import sys ++import os ++import json ++ ++from io import BytesIO + + from twisted.trial import unittest + from twisted.internet import reactor, interfaces, error + from twisted.python import util, failure, log + from twisted.web.http import NOT_FOUND, INTERNAL_SERVER_ERROR +-from twisted.web import client, twcgi, server, resource ++from twisted.web import client, twcgi, server, resource, http_headers + from twisted.web.test._util import _render + from twisted.web.test.test_web import DummyRequest + +@@ -73,6 +77,15 @@ print + print "cgi output" + ''' + ++HEADER_OUTPUT_CGI = '''\ ++import json ++import os ++print("") ++print("") ++vals = {x:y for x,y in os.environ.items() if x.startswith("HTTP_")} ++print(json.dumps(vals)) ++''' ++ + class PythonScript(twcgi.FilteredScript): + filter = sys.executable + +@@ -154,6 +167,32 @@ class CGITests(unittest.TestCase): + return factory.deferred + + ++ def test_noProxyPassthrough(self): ++ """ ++ The CGI script is never called with the Proxy header passed through. 
++ """ ++ cgiFilename = self.writeCGI(HEADER_OUTPUT_CGI) ++ ++ portnum = self.startServer(cgiFilename) ++ url = "http://localhost:%d/cgi" % (portnum,) ++ ++ agent = client.Agent(reactor) ++ ++ headers = http_headers.Headers({"Proxy": ["foo"], ++ "X-Innocent-Header": ["bar"]}) ++ d = agent.request("GET", url, headers=headers) ++ ++ def checkResponse(response): ++ headers = json.loads(response) ++ self.assertEqual( ++ set(headers.keys()), ++ {"HTTP_HOST", "HTTP_CONNECTION", "HTTP_X_INNOCENT_HEADER"}) ++ ++ d.addCallback(client.readBody) ++ d.addCallback(checkResponse) ++ return d ++ ++ + def test_duplicateHeaderCGI(self): + """ + If a CGI script emits two instances of the same header, both are sent in +diff --git a/twisted/web/topfiles/8623.bugfix b/twisted/web/topfiles/8623.bugfix +new file mode 100644 +index 0000000..b8aaac6 +--- /dev/null ++++ b/twisted/web/topfiles/8623.bugfix +@@ -0,0 +1 @@ ++twisted.web.twcgi.CGIScript will now not pass the "Proxy" header to CGI scripts, as a mitigation to CVE-2016-1000111. diff --git a/twisted/web/twcgi.py b/twisted/web/twcgi.py -index 7b4c7d9824..e4accfd104 100644 +index 88cdfc0..a98c30a 100644 --- a/twisted/web/twcgi.py +++ b/twisted/web/twcgi.py -@@ -116,7 +116,7 @@ def render(self, request): +@@ -116,7 +116,7 @@ class CGIScript(resource.Resource): # Propagate HTTP headers for title, header in request.getAllHeaders().items(): envname = title.replace('-', '_').upper() @@ -20,3 +106,6 @@ envname = "HTTP_" + envname env[envname] = header # Propagate our environment +-- +2.7.4 +