Oh, and to reply to Anders' comments, the patch was added to dkms.conf.in. It's at the very top of the debdiff, and is easy to miss. And I can't use PATCH_MATCH in this particular fix, because PATCH_MATCH matches on `uname -r`, which could be anything, since the fix for this CVE hit a bunch of stable releases.
Oh, and to reply to Anders' comments, the patch was added to dkms.conf.in. It's at the very top of the debdiff, and is easy to miss. And I can't use PATCH_MATCH in this particular fix, because PATCH_MATCH matches on `uname -r`, which could be anything, since the fix for this CVE hit a bunch of stable releases.