diff --git a/debian/changelog b/debian/changelog
index b9d894dc..ad21ceca 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,22 @@
+shadow (1:4.4-4.1+deb9u1) stretch-security; urgency=high
+
+ * Non-maintainer upload by the LTS Security Team.
+ * CVE-2017-20002: revert adding pts/0 and pts/1 to securetty.
+ Adding pts/* defeats the purpose of securetty. Let containers add it
+ if needed as described in #830255.
+ (cherry-picked from 1:4.5-1)
+ See also #877374 (previous proposed update) and #914957
+ (/etc/securetty will be dropped in bullseye).
+ * CVE-2017-12424: the newusers tool could be made to manipulate internal
+ data structures in ways unintended by the authors. Malformed input may
+ lead to crashes (with a buffer overflow or other memory corruption) or
+ other unspecified behaviors. This crosses a privilege boundary in, for
+ example, certain web-hosting environments in which a Control Panel
+ allows an unprivileged user account to create subaccounts.
+ (Closes: #756630)
+
+ -- Sylvain Beucler Wed, 17 Mar 2021 10:27:01 +0100
+
 shadow (1:4.4-4.1) unstable; urgency=high
 
 * Non-maintainer upload.
diff --git a/debian/patches/CVE-2017-12424.patch b/debian/patches/CVE-2017-12424.patch
new file mode 100644
index 00000000..49338e07
--- /dev/null
+++ b/debian/patches/CVE-2017-12424.patch
@@ -0,0 +1,43 @@
+Origin: https://github.com/shadow-maint/shadow/commit/954e3d2e7113e9ac06632aee3c69b8d818cc8952
+Reviewed-by: Sylvain Beucler
+Last-Update: 2021-03-16
+
+From 954e3d2e7113e9ac06632aee3c69b8d818cc8952 Mon Sep 17 00:00:00 2001
+From: Tomas Mraz
+Date: Fri, 31 Mar 2017 16:25:06 +0200
+Subject: [PATCH] Fix buffer overflow if NULL line is present in db.
+
+If ptr->line == NULL for an entry, the first cycle will exit,
+but the second one will happily write past entries buffer.
+We actually do not want to exit the first cycle prematurely
+on ptr->line == NULL.
+Signed-off-by: Tomas Mraz
+---
+ lib/commonio.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+Index: shadow-4.4/lib/commonio.c
+===================================================================
+--- shadow-4.4.orig/lib/commonio.c
++++ shadow-4.4/lib/commonio.c
+@@ -755,16 +755,16 @@ commonio_sort (struct commonio_db *db, i
+ for (ptr = db->head;
+ (NULL != ptr)
+ #if KEEP_NIS_AT_END
+- && (NULL != ptr->line)
+- && ( ('+' != ptr->line[0])
+- && ('-' != ptr->line[0]))
++ && ((NULL == ptr->line)
++ || (('+' != ptr->line[0])
++ && ('-' != ptr->line[0])))
+ #endif
+ ;
+ ptr = ptr->next) {
+ n++;
+ }
+ #if KEEP_NIS_AT_END
+- if ((NULL != ptr) && (NULL != ptr->line)) {
++ if (NULL != ptr) {
+ nis = ptr;
+ }
+ #endif
diff --git a/debian/patches/series b/debian/patches/series
index d2bff0e2..1cdf3ac0 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -28,3 +28,5 @@
 501_commonio_group_shadow
 # does not apply cleanly, please merge at upstream
 1010_vietnamese_translation
+
+CVE-2017-12424.patch
diff --git a/debian/securetty.linux b/debian/securetty.linux
index f6fb3044..2e346381 100644
--- a/debian/securetty.linux
+++ b/debian/securetty.linux
@@ -164,11 +164,6 @@ ttyM0 ttyM1 #...
-# Unix98 PTY slaves
-pts/0
-pts/1
-#...
-
 # Technology Concepts serial card
 ttyT0
 ttyT1
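Review bot: In debian/patches/CVE-2017-12424.patch, the rewritten loop condition under `#if KEEP_NIS_AT_END` in commonio_sort has no comment recording that this counting loop and the later loop that fills the entries buffer must stop on the same node, which is the invariant whose violation the patch header describes as the overflow. A comment above the condition would protect it from a later edit, for example `/* NULL-line entries are counted too: this loop and the fill loop must both stop at nis, or entries[] is overrun */`. Because entries whose `line` is NULL are now counted and handed on, it is worth confirming that the code sorting them never dereferences `line`; that code is not visible on this page. Both loops belong to a function body that starts and ends outside the hunk.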