diff -Nru bash-4.3/debian/changelog bash-4.3/debian/changelog
--- bash-4.3/debian/changelog 2016-06-24 07:31:27.000000000 +0000
+++ bash-4.3/debian/changelog 2017-05-16 11:44:56.000000000 +0000
@@ -1,3 +1,19 @@
+bash (4.3-15ubuntu1.1) yakkety-security; urgency=medium
+
+ * SECURITY UPDATE: word expansions on the prompt strings (LP: #1507025)
+ - debian/patches/bash43-047.diff: add quoting to parse.y, y.tab.c.
+ - CVE-2016-0634
+ * SECURITY UPDATE: code execution via crafted SHELLOPTS and PS4
+ (LP: #1689304)
+ - debian/patches/bash43-048.diff: check for root in variables.c.
+ - CVE-2016-7543
+ * SECURITY UPDATE: restricted shell bypass via use-after-free
+ - debian/patches/bash44-006.diff: check for negative offsets in
+ builtins/pushd.def.
+ - CVE-2016-9401
+
+ -- Marc Deslauriers Tue, 16 May 2017 07:44:56 -0400
+
 bash (4.3-15ubuntu1) yakkety; urgency=medium
 * Merge with Debian; remaining changes:
diff -Nru bash-4.3/debian/patches/bash43-047.diff bash-4.3/debian/patches/bash43-047.diff
--- bash-4.3/debian/patches/bash43-047.diff 1970-01-01 00:00:00.000000000 +0000
+++ bash-4.3/debian/patches/bash43-047.diff 2017-05-16 11:44:23.000000000 +0000
@@ -0,0 +1,123 @@
+ BASH PATCH REPORT
+ =================
+
+Bash-Release: 4.3
+Patch-ID: bash43-047
+
+Bug-Reported-by: Bernd Dietzel
+Bug-Reference-ID:
+Bug-Reference-URL: https://bugs.launchpad.net/ubuntu/+source/bash/+bug/1507025
+
+Bug-Description:
+
+Bash performs word expansions on the prompt strings after the special
+escape sequences are expanded. If a malicious user can modify the system
+hostname or change the name of the bash executable and coerce a user into
+executing it, and the new name contains word expansions (including
+command substitution), bash will expand them in prompt strings containing
+the \h or \H and \s escape sequences, respectively.
+
+Index: bash-4.3/parse.y
+===================================================================
+--- bash-4.3.orig/parse.y 2017-05-16 07:42:30.000000000 -0400
++++ bash-4.3/parse.y 2017-05-16 07:42:52.704766350 -0400
+@@ -5258,7 +5258,7 @@ decode_prompt_string (string)
+ #if defined (PROMPT_STRING_DECODE)
+ int result_size, result_index;
+ int c, n, i;
+- char *temp, octal_string[4];
++ char *temp, *t_host, octal_string[4];
+ struct tm *tm;
+ time_t the_time;
+ char timebuf[128];
+@@ -5406,7 +5406,11 @@ decode_prompt_string (string)
+
+ case 's':
+ temp = base_pathname (shell_name);
+- temp = savestring (temp);
++ /* Try to quote anything the user can set in the file system */
++ if (promptvars || posixly_correct)
++ temp = sh_backslash_quote_for_double_quotes (temp);
++ else
++ temp = savestring (temp);
+ goto add_string;
+
+ case 'v':
+@@ -5496,9 +5500,17 @@ decode_prompt_string (string)
+
+ case 'h':
+ case 'H':
+- temp = savestring (current_host_name);
+- if (c == 'h' && (t = (char *)strchr (temp, '.')))
++ t_host = savestring (current_host_name);
++ if (c == 'h' && (t = (char *)strchr (t_host, '.')))
+ *t = '\0';
++ if (promptvars || posixly_correct)
++ /* Make sure that expand_prompt_string is called with a
++ second argument of Q_DOUBLE_QUOTES if we use this
++ function here.
*/
++ temp = sh_backslash_quote_for_double_quotes (t_host);
++ else
++ temp = savestring (t_host);
++ free (t_host);
+ goto add_string;
+
+ case '#':
+Index: bash-4.3/patchlevel.h
+===================================================================
+--- bash-4.3.orig/patchlevel.h 2017-05-16 07:42:30.000000000 -0400
++++ bash-4.3/patchlevel.h 2017-05-16 07:42:52.708766399 -0400
+@@ -25,6 +25,6 @@
+ regexp `^#define[ ]*PATCHLEVEL', since that's what support/mkversion.sh
+ looks for to find the patch level (for the sccs version string). */
+
+-#define PATCHLEVEL 46
++#define PATCHLEVEL 47
+
+ #endif /* _PATCHLEVEL_H_ */
+Index: bash-4.3/y.tab.c
+===================================================================
+--- bash-4.3.orig/y.tab.c 2017-05-16 07:42:30.000000000 -0400
++++ bash-4.3/y.tab.c 2017-05-16 07:42:52.708766399 -0400
+@@ -7570,7 +7570,7 @@ decode_prompt_string (string)
+ #if defined (PROMPT_STRING_DECODE)
+ int result_size, result_index;
+ int c, n, i;
+- char *temp, octal_string[4];
++ char *temp, *t_host, octal_string[4];
+ struct tm *tm;
+ time_t the_time;
+ char timebuf[128];
+@@ -7718,7 +7718,11 @@ decode_prompt_string (string)
+
+ case 's':
+ temp = base_pathname (shell_name);
+- temp = savestring (temp);
++ /* Try to quote anything the user can set in the file system */
++ if (promptvars || posixly_correct)
++ temp = sh_backslash_quote_for_double_quotes (temp);
++ else
++ temp = savestring (temp);
+ goto add_string;
+
+ case 'v':
+@@ -7808,9 +7812,17 @@ decode_prompt_string (string)
+
+ case 'h':
+ case 'H':
+- temp = savestring (current_host_name);
+- if (c == 'h' && (t = (char *)strchr (temp, '.')))
++ t_host = savestring (current_host_name);
++ if (c == 'h' && (t = (char *)strchr (t_host, '.')))
+ *t = '\0';
++ if (promptvars || posixly_correct)
++ /* Make sure that expand_prompt_string is called with a
++ second argument of Q_DOUBLE_QUOTES if we use this
++ function here.
*/
++ temp = sh_backslash_quote_for_double_quotes (t_host);
++ else
++ temp = savestring (t_host);
++ free (t_host);
+ goto add_string;
+
+ case '#':
diff -Nru bash-4.3/debian/patches/bash43-048.diff bash-4.3/debian/patches/bash43-048.diff
--- bash-4.3/debian/patches/bash43-048.diff 1970-01-01 00:00:00.000000000 +0000
+++ bash-4.3/debian/patches/bash43-048.diff 2017-05-16 11:44:31.000000000 +0000
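Review bot: The `\h`/`\H` branch produces a correctly neutralized string only if expand_prompt_string later treats it as double-quoted — the inline comment says so, but that call site is not part of this patch, so it should be confirmed that the `promptvars || posixly_correct` path really passes Q_DOUBLE_QUOTES; with any other quoting mode the added backslashes are either printed literally or do not protect the expansion. The `\s` branch overwrites `temp` (obtained from base_pathname) with the freshly allocated quoted copy, which is leak-free only if base_pathname returns a pointer into shell_name rather than a new allocation; I would record that assumption with `/* base_pathname returns a pointer into shell_name; the quoted copy below is the only allocation */` once verified. The same change is carried twice, in parse.y and in the generated y.tab.c, and the two copies must stay identical or a rebuild from parse.y silently diverges from the shipped y.tab.c. Other prompt escapes that echo externally controlled strings (`\u`, `\w`, `\W`) are outside this hunk; if decode_prompt_string does not already quote them the same way, they need the same treatment. decode_prompt_string begins and ends outside the hunks shown.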
@@ -0,0 +1,46 @@
+ BASH PATCH REPORT
+ =================
+
+Bash-Release: 4.3
+Patch-ID: bash43-048
+
+Bug-Reported-by: up201407890@alunos.dcc.fc.up.pt
+Bug-Reference-ID: <20151210201649.126444eionzfsam8@webmail.alunos.dcc.fc.up.pt>
+Bug-Reference-URL: http://lists.gnu.org/archive/html/bug-bash/2015-12/msg00054.html
+
+Bug-Description:
+
+If a malicious user can inject a value of $SHELLOPTS containing `xtrace'
+and a value for $PS4 that includes a command substitution into a shell
+running as root, bash will expand the command substitution as part of
+expanding $PS4 when it executes a traced command.
+
+Index: bash-4.3/patchlevel.h
+===================================================================
+--- bash-4.3.orig/patchlevel.h 2017-05-16 07:42:52.708766399 -0400
++++ bash-4.3/patchlevel.h 2017-05-16 07:43:09.292966687 -0400
+@@ -25,6 +25,6 @@
+ regexp `^#define[ ]*PATCHLEVEL', since that's what support/mkversion.sh
+ looks for to find the patch level (for the sccs version string). */
+
+-#define PATCHLEVEL 47
++#define PATCHLEVEL 48
+
+ #endif /* _PATCHLEVEL_H_ */
+Index: bash-4.3/variables.c
+===================================================================
+--- bash-4.3.orig/variables.c 2017-05-16 07:42:30.000000000 -0400
++++ bash-4.3/variables.c 2017-05-16 07:43:09.292966687 -0400
+@@ -495,7 +495,11 @@ initialize_shell_variables (env, privmod
+ #endif
+ set_if_not ("PS2", secondary_prompt);
+ }
+- set_if_not ("PS4", "+ ");
++
++ if (current_user.euid == 0)
++ bind_variable ("PS4", "+ ", 0);
++ else
++ set_if_not ("PS4", "+ ");
+
+ /* Don't allow IFS to be imported from the environment. */
+ temp_var = bind_variable ("IFS", " \t\n", 0);
diff -Nru bash-4.3/debian/patches/bash44-006.diff bash-4.3/debian/patches/bash44-006.diff
--- bash-4.3/debian/patches/bash44-006.diff 1970-01-01 00:00:00.000000000 +0000
+++ bash-4.3/debian/patches/bash44-006.diff 2017-05-16 11:44:45.000000000 +0000
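Review bot: The new euid test resets PS4 to its default for root without a word of explanation in the code, and it silently discards a PS4 that a root user set on purpose, so the next maintainer is likely to "simplify" it back to `set_if_not`; a why-comment above the `if` is needed, e.g. `/* Never import PS4 from the environment when running as root: with xtrace in SHELLOPTS it is expanded, command substitutions included, before every traced command. */`. The surrounding IFS line shows the file's existing convention for exactly this kind of note, so the new block should follow it. The patch leaves the SHELLOPTS import itself untouched, so the whole mitigation rests on this one reset; if the 4.3 tree rebinds PS4 from imported data anywhere else, that site needs the same gate, which cannot be judged from this hunk. initialize_shell_variables continues outside the hunk.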
@@ -0,0 +1,40 @@
+ BASH PATCH REPORT
+ =================
+
+Bash-Release: 4.4
+Patch-ID: bash44-006
+
+Bug-Reported-by:
+Bug-Reference-ID:
+Bug-Reference-URL:
+
+Bug-Description:
+
+Out-of-range negative offsets to popd can cause the shell to crash attempting
+to free an invalid memory block.
+
+Index: bash-4.3/builtins/pushd.def
+===================================================================
+--- bash-4.3.orig/builtins/pushd.def 2013-09-16 15:32:31.000000000 -0400
++++ bash-4.3/builtins/pushd.def 2017-05-16 07:43:22.397124914 -0400
+@@ -359,7 +359,7 @@ popd_builtin (list)
+ break;
+ }
+
+- if (which > directory_list_offset || (directory_list_offset == 0 && which == 0))
++ if (which > directory_list_offset || (which < -directory_list_offset) || (directory_list_offset == 0 && which == 0))
+ {
+ pushd_error (directory_list_offset, which_word ? which_word : "");
+ return (EXECUTION_FAILURE);
+@@ -381,6 +381,11 @@ popd_builtin (list)
+ remove that directory from the list and shift the remainder
+ of the list into place. */
+ i = (direction == '+') ? directory_list_offset - which : which;
++ if (i < 0 || i > directory_list_offset)
++ {
++ pushd_error (directory_list_offset, which_word ? which_word : "");
++ return (EXECUTION_FAILURE);
++ }
+ free (pushd_directory_list[i]);
+ directory_list_offset--;
+
diff -Nru bash-4.3/debian/patches/series bash-4.3/debian/patches/series
--- bash-4.3/debian/patches/series 2016-06-24 07:31:53.000000000 +0000
+++ bash-4.3/debian/patches/series 2017-05-16 11:43:17.000000000 +0000
@@ -65,3 +65,6 @@
 use-system-texi2html.diff
 bzero.diff
 man-macro-warnings.diff
+bash43-047.diff
+bash43-048.diff
+bash44-006.diff
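Review bot: The two added range checks overlap in a way that obscures the actual rule: once the first condition bounds `which` to `[-directory_list_offset, directory_list_offset]`, the only inputs that still fail the second check are negative `which` values (`+` direction yields `i > directory_list_offset`, `-` direction yields `i < 0`), so in effect every negative offset is rejected. Stating that directly, `if (which < 0 || which > directory_list_offset || (directory_list_offset == 0 && which == 0))`, would make the intent plain and turn the later `i` check into a pure defensive assertion — unless some path I cannot see relies on a negative `which`. This is a bash 4.4 patch applied to the 4.3 tree, so the `which`/`direction` parsing above the first hunk should be confirmed to match 4.3 before trusting the bounds; popd_builtin starts before the hunk. The changelog describes this fix as a restricted-shell bypass via use-after-free while the patch header only describes a crash on freeing an invalid block; the changelog entry should either match the patch's own description or say where the stronger claim comes from.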