diff -Nru barbican-6.0.1/debian/changelog barbican-6.0.1/debian/changelog
--- barbican-6.0.1/debian/changelog 2022-04-26 04:29:49.000000000 +0000
+++ barbican-6.0.1/debian/changelog 2022-10-26 04:32:36.000000000 +0000
@@ -1,8 +1,17 @@
-barbican (1:6.0.1-0ubuntu1.1~cloud0) xenial-queens; urgency=medium
+barbican (1:6.0.1-0ubuntu1.2~cloud0) xenial-queens; urgency=medium
 * New update for the Ubuntu Cloud Archive.
- -- Openstack Ubuntu Testing Bot Tue, 26 Apr 2022 04:29:49 +0000
+ -- Openstack Ubuntu Testing Bot Wed, 26 Oct 2022 04:32:36 +0000
+
+barbican (1:6.0.1-0ubuntu1.2) bionic-security; urgency=medium
+
+ * SECURITY UPDATE: access policy bypass via query string injection
+ - debian/patches/CVE-2022-3100.patch: don't use contents of query
+ string in barbican/api/controllers/__init__.py.
+ - CVE-2022-3100
+
+ -- Marc Deslauriers Wed, 05 Oct 2022 09:35:33 -0400
 barbican (1:6.0.1-0ubuntu1.1) bionic-security; urgency=medium
diff -Nru barbican-6.0.1/debian/patches/CVE-2022-3100.patch barbican-6.0.1/debian/patches/CVE-2022-3100.patch
--- barbican-6.0.1/debian/patches/CVE-2022-3100.patch 1970-01-01 00:00:00.000000000 +0000
+++ barbican-6.0.1/debian/patches/CVE-2022-3100.patch 2022-10-05 13:35:11.000000000 +0000
@@ -0,0 +1,24 @@
+From a61489d9f8f17be78d9c3befb2740208205392fc Mon Sep 17 00:00:00 2001
+From: Douglas Mendizábal
+Date: Tue, 30 Aug 2022 14:58:00 -0500
+Subject: [PATCH] Fix Story 2010258 (CVE-2022-3100)
+
+This patch fixes a security vunlerability where the contents of a
+request query string were mistakenly being used in the RBAC policy
+engine.
+
+(cherry picked from commit 3670a0a8bbe08501d634189ffbf187098fb25fc7)
+
+Change-Id: I5797988e4c63c75fccf85277c52815d9bf684cff
+---
+
+--- a/barbican/api/controllers/__init__.py
++++ b/barbican/api/controllers/__init__.py
+@@ -60,7 +60,6 @@ def _do_enforce_rbac(inst, req, action_n
+ if target_name and target_data:
+ policy_dict['target'] = {target_name: target_data}
+
+- policy_dict.update(kwargs)
+ # Enforce access controls.
+ if ctx.policy_enforcer:
+ ctx.policy_enforcer.enforce(action_name, flatten(policy_dict),
diff -Nru barbican-6.0.1/debian/patches/series barbican-6.0.1/debian/patches/series
--- barbican-6.0.1/debian/patches/series 2022-04-21 13:51:37.000000000 +0000
+++ barbican-6.0.1/debian/patches/series 2022-10-05 13:35:08.000000000 +0000
@@ -2,3 +2,4 @@
 CVE-2022-23451.patch
 CVE-2022-23451-post.patch
 CVE-2022-23452.patch
+CVE-2022-3100.patch
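Review bot: Dropping `policy_dict.update(kwargs)` in the `_do_enforce_rbac` hunk fixes the merge of request-supplied keys into the policy target, but nothing in the patch records why that line must not come back; a one-line comment at the spot, `# Do not merge request kwargs into policy_dict: they are caller-controlled (CVE-2022-3100).`, would keep a future refactor from reintroducing it. If the function's signature (cut off in the hunk header as `action_n`) still accepts `**kwargs`, that parameter appears to have no remaining use inside the visible body and is worth removing or documenting as intentionally ignored. The patch as carried in this package holds only the controller hunk, so no regression test accompanies the backport that asserts a request whose query string carries a policy-relevant key leaves `flatten(policy_dict)` unchanged. The `_do_enforce_rbac` body starts before the hunk and continues past it (the `enforce(...)` call's remaining arguments are outside the view).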