diff -Nru bash-4.3/debian/changelog bash-4.3/debian/changelog
--- bash-4.3/debian/changelog 2019-05-03 13:57:15.000000000 +0000
+++ bash-4.3/debian/changelog 2019-07-12 18:27:11.000000000 +0000
@@ -1,3 +1,13 @@
+bash (4.3-14ubuntu1.4) xenial-security; urgency=medium
+
+ * SECURITY UPDATE: rbash restriction bypass (LP: #1803441)
+ - debian/patches/CVE-2019-9924.patch: if the shell is restricted,
+ reject attempts to add pathnames containing slashes to the hash table
+ in variables.c.
+ - CVE-2019-9924
+
+ -- Marc Deslauriers Fri, 12 Jul 2019 14:25:28 -0400
+
 bash (4.3-14ubuntu1.3) xenial; urgency=medium
 
 * Resurrect "Set the default path to comply with Debian policy" in
diff -Nru bash-4.3/debian/patches/CVE-2019-9924.patch bash-4.3/debian/patches/CVE-2019-9924.patch
--- bash-4.3/debian/patches/CVE-2019-9924.patch 1970-01-01 00:00:00.000000000 +0000
+++ bash-4.3/debian/patches/CVE-2019-9924.patch 2019-07-12 18:28:03.000000000 +0000
@@ -0,0 +1,24 @@
+Description: if the shell is restricted, reject attempts to add pathnames
+ containing slashes to the hash table
+Origin: backport, http://git.savannah.gnu.org/cgit/bash.git/commit/?h=bash-4.4-testing&id=a4eef1991c25c9d1c55f777952cd522c762c6fc3
+Bug: https://savannah.gnu.org/support/?108969
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/bash/+bug/1803441
+
+Index: bash-4.3/variables.c
+===================================================================
+--- bash-4.3.orig/variables.c 2019-07-12 14:12:19.000000000 -0400
++++ bash-4.3/variables.c 2019-07-12 14:24:58.364792719 -0400
+@@ -1601,6 +1601,13 @@ assign_hashcmd (self, value, ind, key)
+ arrayind_t ind;
+ char *key;
+ {
++#if defined (RESTRICTED_SHELL)
++ if (restricted && strchr (value, '/'))
++ {
++ sh_restricted (value);
++ return (SHELL_VAR *)NULL;
++ }
++#endif
+ phash_insert (key, value, 0, 0);
+ return (build_hashcmd (self));
+ }
diff -Nru bash-4.3/debian/patches/series bash-4.3/debian/patches/series
--- bash-4.3/debian/patches/series 2017-05-16 11:52:03.000000000 +0000
+++ bash-4.3/debian/patches/series 2019-07-12 18:24:18.000000000 +0000
@@ -68,3 +68,4 @@
 bash43-047.diff
 bash43-048.diff
 bash44-006.diff
+CVE-2019-9924.patch
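Review bot: The guard added at the top of assign_hashcmd in the variables.c patch rejects only values containing '/', so a slash-free `value` still reaches `phash_insert (key, value, 0, 0)` with no check that it names a command a $PATH lookup would find; if the restricted-shell policy is meant to be "only commands reachable through PATH", consider verifying that here as well and comparing with current upstream variables.c before treating the backport as complete. `strchr (value, '/')` also assumes `value` is never NULL, which the hunk does not show. The new block carries no comment; something like `/* restricted shells may not hash a pathname containing a slash */` above the `if` would record why the early `return (SHELL_VAR *)NULL;` exists. The function's signature and first parameter declarations start outside the hunk, so how callers handle the NULL return cannot be confirmed from here.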