diff --git a/debian/changelog b/debian/changelog
index ef5a7e10..c36fcc21 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+shadow (1:4.2-3+deb8u4) jessie-security; urgency=high
+
+ * Non-maintainer upload by the Security Team.
+ * Reset pid_child only if waitpid was successful.
+ This is a regression fix for CVE-2017-2616. If su receives a signal like
+ SIGTERM, it is not propagated to the child. (Closes: #862806)
+
+ -- Salvatore Bonaccorso Wed, 17 May 2017 12:58:54 +0200
+
 shadow (1:4.2-3+deb8u3) jessie-security; urgency=high
 
 * Fix integer overflow in getulong.c (CVE-2016-6252) (Closes: #832170)
diff --git a/debian/patches/303-Reset-pid_child-only-if-waitpid-was-successful.patch b/debian/patches/303-Reset-pid_child-only-if-waitpid-was-successful.patch
new file mode 100644
index 00000000..64aeb341
--- /dev/null
+++ b/debian/patches/303-Reset-pid_child-only-if-waitpid-was-successful.patch
@@ -0,0 +1,29 @@
+From 7d82f203eeec881c584b2fa06539b39e82985d97 Mon Sep 17 00:00:00 2001
+From: Tobias Stoeckmann
+Date: Sun, 14 May 2017 17:58:10 +0200
+Subject: [PATCH] Reset pid_child only if waitpid was successful.
+
+Do not reset the pid_child to 0 if the child process is still
+running. This else-condition can be reached with pid being -1,
+therefore explicitly test this condition.
+
+This is a regression fix for CVE-2017-2616. If su receives a
+signal like SIGTERM, it is not propagated to the child.
+
+Reported-by: Radu Duta
+Signed-off-by: Tobias Stoeckmann
+---
+ src/su.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/src/su.c
++++ b/src/su.c
+@@ -363,7 +363,7 @@ static void prepare_pam_close_session (v
+ /* wake child when resumed */
+ kill (pid, SIGCONT);
+ stop = false;
+- } else {
++ } else if ( (pid_t)-1 != pid) {
+ pid_child = 0;
+ }
+ } while (!stop);
diff --git a/debian/patches/series b/debian/patches/series
index 56790820..cf73d5b8 100644
--- a/debian/patches/series
+++ b/debian/patches/series
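Review bot: The new `} else if ( (pid_t)-1 != pid) {` in the embedded src/su.c hunk keeps `pid_child` on every waitpid() failure, not only the interrupted-by-signal (EINTR) case the patch description names, so an ECHILD return would leave `pid_child` holding a PID that may already be gone and later reused; whether ECHILD is reachable here depends on the SIGCHLD disposition and on how `stop` is initialised, both outside the hunk. Distinguishing the cases with errno would make the intent explicit, e.g. `} else if ((pid_t)-1 != pid || errno != EINTR) {`, keeping `pid_child` only while waitpid() was merely interrupted and the child is still known to be running. A why-comment above the branch would also help the next reader, e.g. `/* waitpid() was interrupted: keep pid_child so a caught signal is still forwarded to the child */`. The enclosing `prepare_pam_close_session` starts and ends outside the hunk.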
@@ -6,6 +6,7 @@
 008_login_log_failure_in_FTMP
 301-CVE-2017-2616-su-properly-clear-child-PID.patch
 302-CVE-2016-6252-fix-integer-overflow.patch
+303-Reset-pid_child-only-if-waitpid-was-successful.patch
 429_login_FAILLOG_ENAB
 401_cppw_src.dpatch
 # 402 should be merged in 401, but should be reviewed by SE Linux experts first