diff -Nru viewvc-1.1.22/debian/changelog viewvc-1.1.22/debian/changelog --- viewvc-1.1.22/debian/changelog 2014-07-10 19:43:18.000000000 +0000 +++ viewvc-1.1.22/debian/changelog 2017-02-10 17:35:27.000000000 +0000 @@ -1,3 +1,16 @@ +viewvc (1.1.22-1+deb8u1build0.16.04.1) xenial-security; urgency=medium + + * fake sync from Debian + + -- Tyler Hicks Fri, 10 Feb 2017 17:35:27 +0000 + +viewvc (1.1.22-1+deb8u1) jessie-security; urgency=high + + * Non-maintainer upload + * [SECURITY] Fix "CVE-2017-5938" (escape nav_data name to avoid XSS attack) + + -- Lev Lamberov Wed, 08 Feb 2017 23:07:54 +0500 + viewvc (1.1.22-1) unstable; urgency=medium * New upstream release (closes: #614509). Main changes since last release @@ -827,4 +840,3 @@ * Initial Release. -- Takuo KITAME Wed, 10 May 2000 05:42:29 +0900 - diff -Nru viewvc-1.1.22/debian/patches/escape_nav_data.patch viewvc-1.1.22/debian/patches/escape_nav_data.patch --- viewvc-1.1.22/debian/patches/escape_nav_data.patch 1970-01-01 00:00:00.000000000 +0000 +++ viewvc-1.1.22/debian/patches/escape_nav_data.patch 2017-02-08 18:07:54.000000000 +0000 
@@ -0,0 +1,21 @@
+From: Lev Lamberov
+Subject: Apply upstream patch to avoid XSS attack
+
+Escape the 'name' property of navigation path components
+the same way we escape that of the 'root' path component.
+
+Fix for CVE-2017-5938.
+
+Reported upstream by: Thomas Gerbet
+
+--- a/lib/viewvc.py
++++ b/lib/viewvc.py
+@@ -970,7 +970,7 @@ def nav_path(request):
+ path_parts.append(part)
+ is_last = len(path_parts) == len(request.path_parts)
+
+- item = _item(name=part, href=None)
++ item = _item(name=request.server.escape(part), href=None)
+
+ if not is_last or (is_dir and request.view_func is not view_directory):
+ item.href = request.get_url(view_func=view_directory,
diff -Nru viewvc-1.1.22/debian/patches/series viewvc-1.1.22/debian/patches/series
--- viewvc-1.1.22/debian/patches/series 2014-06-09 08:15:14.000000000 +0000
+++ viewvc-1.1.22/debian/patches/series 2017-02-08 17:52:53.000000000 +0000
@@ -3,3 +3,4 @@
 viewvc.conf-debian-custom.patch
 no_strings_in_raise.patch
 shebang_wsgi_scripts.patch
+escape_nav_data.patch
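Review bot: The new `item = _item(name=request.server.escape(part), href=None)` line escapes only the displayed name, while the same attacker-controlled `part` still flows unescaped into the `request.get_url(view_func=view_directory, ...)` call that fills `item.href` on the lines right after it; whether that helper URL- and HTML-encodes path components is not visible in this hunk, so it should be confirmed before treating CVE-2017-5938 as fully closed on this code path. Escaping at construction time also means the template that renders `nav_data` must emit `name` raw — if it applies its own escaping, a directory named `<b>x</b>` will now display the literal text `&lt;b&gt;x&lt;/b&gt;` — so a quick check with such a path would verify both the fix and the absence of double-escaping. The DEP-3 header says "Apply upstream patch" but carries no `Origin:` line naming the upstream revision and no `Bug-Debian:` line, which are what a future maintainer needs to verify that this backport matches upstream. `nav_path` begins and ends outside this hunk.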