diff -Nru ubuntu-release-upgrader-0.220.9/debian/changelog ubuntu-release-upgrader-0.220.10/debian/changelog
--- ubuntu-release-upgrader-0.220.9/debian/changelog	2016-11-30 17:54:20.000000000 +0000
+++ ubuntu-release-upgrader-0.220.10/debian/changelog	2018-04-09 14:03:22.000000000 +0000
@@ -1,3 +1,9 @@
+ubuntu-release-upgrader (1:0.220.10) trusty-security; urgency=medium
+
+  * Properly drop permissions when opening a browser. (LP: #1174007)
+
+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Mon, 09 Apr 2018 10:01:24 -0400
+
 ubuntu-release-upgrader (1:0.220.9) trusty-proposed; urgency=medium
 
   * No change rebuild so the dist-upgrader tarball will be signed with the new
diff -Nru ubuntu-release-upgrader-0.220.9/DistUpgrade/ReleaseNotesViewer.py ubuntu-release-upgrader-0.220.10/DistUpgrade/ReleaseNotesViewer.py
--- ubuntu-release-upgrader-0.220.9/DistUpgrade/ReleaseNotesViewer.py	2014-11-13 22:08:13.000000000 +0000
+++ ubuntu-release-upgrader-0.220.10/DistUpgrade/ReleaseNotesViewer.py	2018-04-09 14:03:07.000000000 +0000
@@ -44,6 +44,9 @@
     # Avoid to run the browser as user root
     if os.getuid() == 0 and 'SUDO_USER' in os.environ:
         command = ['sudo', '-u', os.environ['SUDO_USER']] + command
+    elif os.getuid() == 0 and 'PKEXEC_UID' in os.environ:
+        command = ['sudo', '-H', '-u',
+                   '#' + os.environ['PKEXEC_UID']] + command
     subprocess.Popen(command)