diff --git a/debian/changelog b/debian/changelog
index 296224ac9..c83eab44e 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,12 +1,14 @@
-horizon (3:10.0.1-1) UNRELEASED; urgency=medium
-
- [ Ondřej Nový ]
- * Bumped debhelper compat version to 10
+horizon (3:10.0.1-1) unstable; urgency=high
 [ Ivan Udovichenko ]
 * Sync to the latest version from stable/newton.
- -- Ivan Udovichenko Fri, 30 Dec 2016 17:07:41 +0200
+ [ Thomas Goirand ]
+ * CVE-2017-7400: XSS in federation mappings UI. Applied upstream patch:
+ Remove dangerous safestring declaration (Closes: #859559).
+ * Updated Italian translation of debconf messages (Closes: #846931).
+
+ -- Thomas Goirand Tue, 04 Apr 2017 23:47:20 +0200
 horizon (3:10.0.0-2) unstable; urgency=medium
diff --git a/debian/compat b/debian/compat
index f599e28b8..ec635144f 100644
--- a/debian/compat
+++ b/debian/compat
@@ -1 +1 @@
-10
+9
diff --git a/debian/control b/debian/control
index 052c7ee43..74f25b1b5 100644
--- a/debian/control
+++ b/debian/control
@@ -4,7 +4,7 @@ Priority: extra
 Maintainer: PKG OpenStack
 Uploaders: Thomas Goirand ,
 Ivan Udovichenko ,
-Build-Depends: debhelper (>= 10),
+Build-Depends: debhelper (>= 9),
 dh-python,
 openstack-pkg-tools,
 po-debconf,
diff --git a/debian/patches/CVE-2017-7400_Remove_dangerous_safestring_declaration.patch b/debian/patches/CVE-2017-7400_Remove_dangerous_safestring_declaration.patch
new file mode 100644
index 000000000..95b33b6bc
--- /dev/null
+++ b/debian/patches/CVE-2017-7400_Remove_dangerous_safestring_declaration.patch
@@ -0,0 +1,34 @@
+Description: CVE-2017-7400: Remove dangerous safestring declaration
+From: Richard Jones
+Date: Tue, 7 Mar 2017 05:55:39 +0000 (+1100)
+X-Git-Tag: 10.0.3^2
+X-Git-Url: https://review.openstack.org/gitweb?p=openstack%2Fhorizon.git;a=commitdiff_plain;h=511b325b45b6bd7a88bb6df1a4639b80d0121277
+ This declaration allows XSS content through the JSON and
+ is unnecessary for correct rendering of the content anyway.
+Change-Id: I82355b37108609ae573237424e528aab86a24efc
+Bug-Ubuntu: https://bugs.launchpad.net/horizon/+bug/1667086
+Bug-Debian: https://bugs.debian.org/859559
+Origin: https://review.openstack.org/#/c/442454/
+Last-Update: 2017-04-04
+
+diff --git a/openstack_dashboard/dashboards/identity/mappings/tables.py b/openstack_dashboard/dashboards/identity/mappings/tables.py
+index df6e8f3..9c22285 100644
+--- a/openstack_dashboard/dashboards/identity/mappings/tables.py
++++ b/openstack_dashboard/dashboards/identity/mappings/tables.py
+@@ -14,7 +14,6 @@
+
+ import json
+
+-from django.utils import safestring
+ from django.utils.translation import ugettext_lazy as _
+ from django.utils.translation import ungettext_lazy
+
+@@ -75,7 +74,7 @@ def get_rules_as_json(mapping):
+ rules = getattr(mapping, 'rules', None)
+ if rules:
+ rules = json.dumps(rules, indent=4)
+- return safestring.mark_safe(rules)
++ return rules
+
+
+ class MappingsTable(tables.DataTable):
diff --git a/debian/patches/series b/debian/patches/series
index f7b41cbc1..d95250455 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -2,3 +2,4 @@ fix-dashboard-django-wsgi.patch
 fix-dashboard-manage.patch
 fixed-horizon-MANIFEST.in.patch
 stores-SECRET_KEY-in-tmp-folder-for-tests.patch
+CVE-2017-7400_Remove_dangerous_safestring_declaration.patch
diff --git a/debian/po/it.po b/debian/po/it.po
index 63a0b6549..127be56c6 100644
--- a/debian/po/it.po
+++ b/debian/po/it.po
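Review bot: The patch header's statement that the safestring declaration "is unnecessary for correct rendering" leaves unsaid why `++ return rules` is now safe: the JSON string is presumably HTML-escaped by the template layer that renders the column, and nothing in the hunk records that dependency. A line in the Description such as `The rules JSON is now escaped by the template layer when rendered; it must not be marked safe again.` would keep a later column or template change from quietly reintroducing the issue. The hunk carries no regression test for a mapping whose rules contain HTML markup, so the escaping behaviour is not exercised in the package build. `get_rules_as_json` appears only in the `@@ -75,7 +74,7 @@` hunk header; its `def` line and any docstring lie outside the hunk. Minor DEP-3 style point: `Origin: upstream, https://review.openstack.org/#/c/442454/` would make the provenance category explicit, consistent with the commit already referenced by X-Git-Url.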
@@ -1,13 +1,13 @@
 # Italian translation of horizon's debconf messages.
-# Copyright (C) 2013, horizon package copyright holder
+# Copyright (C) 2016, horizon package copyright holder
 # This file is distributed under the same license as the horizon package.
-# Beatrice Torracca , 2013.
+# Beatrice Torracca , 2013, 2016.
 msgid ""
 msgstr ""
 "Project-Id-Version: horizon\n"
 "Report-Msgid-Bugs-To: horizon@packages.debian.org\n"
 "POT-Creation-Date: 2015-09-22 13:31+0000\n"
-"PO-Revision-Date: 2013-10-19 18:48+0200\n"
+"PO-Revision-Date: 2016-08-01 17:05+0200\n"
 "Last-Translator: Beatrice Torracca \n"
 "Language-Team: Italian \n"
 "Language: it\n"
@@ -40,6 +40,8 @@ msgid ""
 "If this option is not selected, Horizon will be installed using /horizon "
 "instead of the webroot."
 msgstr ""
+"Se questa opzione non viene selezionata Horizon verrà installato usando /"
+"horizon invece di webroot."
 #. Type: boolean
 #. Description