diff --git a/debian/changelog b/debian/changelog
index 50b9285f..528fa686 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -4,14 +4,14 @@ shadow (1:4.1.5-1) unstable; urgency=low
 
   [ Nicolas FRANCOIS (Nekral) ]
   * New upstream release:
+    - su: Fix possible tty hijacking by dropping the controlling terminal when
+      executing a command (CVE-2005-4890). Closes: #628843
     - userdel: Check the existence of the user's mail spool before trying to
       remove it. If it does not exist, a warning is issued, but no failure.
       Closes: #617295
     - userdel: Do not remove a group with the same name as the user
       (usergroup) if this group isn't the user's primary group.
       Closes: #584868
-    - su: Fix possible tty hijacking by dropping the controlling terminal when
-      executing a command. Closes: #628843
     - su: Close the PAM session as root (fix issues with pam_mount and
       pam_systemd). Closes: #580434
     - Fix several typos in manpages. Thanks to Simon Brandmair.
diff --git a/debian/patches/401_cppw_src.dpatch b/debian/patches/401_cppw_src.dpatch
index 501545c1..687f9e92 100755
--- a/debian/patches/401_cppw_src.dpatch
+++ b/debian/patches/401_cppw_src.dpatch
@@ -266,7 +266,7 @@
  groupdel_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX)
 --- a/po/POTFILES.in
 +++ b/po/POTFILES.in
-@@ -83,6 +83,7 @@
+@@ -85,6 +85,7 @@
  src/chgpasswd.c
  src/chpasswd.c
  src/chsh.c
diff --git a/debian/patches/501_commonio_group_shadow b/debian/patches/501_commonio_group_shadow
index a52f09f6..436d48f8 100644
--- a/debian/patches/501_commonio_group_shadow
+++ b/debian/patches/501_commonio_group_shadow
@@ -10,9 +10,9 @@ Fixes: #166793
  #include <signal.h>
 +#include <grp.h>
  #include "nscd.h"
- #ifdef WITH_SELINUX
- #include <selinux/selinux.h>
-@@ -988,13 +989,20 @@
+ #ifdef WITH_TCB
+ #include <tcb.h>
+@@ -966,13 +967,20 @@
  			goto fail;
  		}
  	} else {
diff --git a/debian/patches/506_relaxed_usernames b/debian/patches/506_relaxed_usernames
index 3a80e31b..bdf39615 100755
--- a/debian/patches/506_relaxed_usernames
+++ b/debian/patches/506_relaxed_usernames
@@ -54,7 +54,7 @@ Details:
  }
 --- a/man/useradd.8.xml
 +++ b/man/useradd.8.xml
-@@ -631,12 +631,20 @@
+@@ -635,12 +635,20 @@
      </para>
  
      <para>
@@ -78,7 +78,7 @@ Details:
    </refsect1>
 --- a/man/groupadd.8.xml
 +++ b/man/groupadd.8.xml
-@@ -237,12 +237,18 @@
+@@ -240,12 +240,18 @@
     <refsect1 id='caveats'>
       <title>CAVEATS</title>
       <para>
diff --git a/debian/patches/542_useradd-O_option b/debian/patches/542_useradd-O_option
index e607f245..506352f1 100644
--- a/debian/patches/542_useradd-O_option
+++ b/debian/patches/542_useradd-O_option
@@ -21,19 +21,19 @@ Status wrt upstream: not included as this is just specific
        <varlistentry>
 --- a/src/useradd.c
 +++ b/src/useradd.c
-@@ -1009,9 +1009,9 @@
+@@ -1011,9 +1011,9 @@
  		};
  		while ((c = getopt_long (argc, argv,
  #ifdef WITH_SELINUX
 -		                         "b:c:d:De:f:g:G:hk:K:lmMNop:rR:s:u:UZ:",
 +		                         "b:c:d:De:f:g:G:hk:O:K:lmMNop:rR:s:u:UZ:",
- #else
+ #else				/* !WITH_SELINUX */
 -		                         "b:c:d:De:f:g:G:hk:K:lmMNop:rR:s:u:U",
 +		                         "b:c:d:De:f:g:G:hk:O:K:lmMNop:rR:s:u:U",
- #endif
+ #endif				/* !WITH_SELINUX */
  		                         long_options, NULL)) != -1) {
  			switch (c) {
-@@ -1134,6 +1134,7 @@
+@@ -1136,6 +1136,7 @@
  				kflg = true;
  				break;
  			case 'K':