diff -Nru hesiod-3.2.1/debian/changelog hesiod-3.2.1/debian/changelog
--- hesiod-3.2.1/debian/changelog 2018-04-03 12:27:57.000000000 +0000
+++ hesiod-3.2.1/debian/changelog 2019-02-14 15:51:52.000000000 +0000
@@ -1,8 +1,21 @@
-hesiod (3.2.1-3build1) bionic; urgency=high
+hesiod (3.2.1-3.1~build0.18.04.1) bionic-security; urgency=medium
 
- * No change rebuild to pick up -fPIE compiler default
+ * fake sync from Debian
 
- -- Balint Reczey Tue, 03 Apr 2018 12:27:57 +0000
+ -- Mike Salvatore Thu, 14 Feb 2019 10:51:52 -0500
+
+hesiod (3.2.1-3.1) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * CVE-2016-10151: Use secure_getenv() when it's available.
+ Factor out logic that attempts to only consult the environment when it's
+ safe to do so into its own function, and use secure_getenv() instead of
+ getenv() if it's available. Closes: #852094
+ * CVE-2016-10152: Remove hard-coded defaults for LHS and RHS.
+ Don't fall back to using a default LHS or RHS when the configuration
+ file can't be read. Instead, return an error. Closes: #852093
+
+ -- Dr. Tobias Quathamer Wed, 13 Feb 2019 21:31:25 +0100
 
 hesiod (3.2.1-3) unstable; urgency=medium
 
@@ -270,5 +283,3 @@
 * Initial release.
 
 -- Steve Langasek Tue, 31 Oct 2000 23:27:22 -0600
-
-
diff -Nru hesiod-3.2.1/debian/control hesiod-3.2.1/debian/control
--- hesiod-3.2.1/debian/control 2018-04-03 12:27:57.000000000 +0000
+++ hesiod-3.2.1/debian/control 2019-02-13 20:16:25.000000000 +0000
@@ -1,8 +1,7 @@
 Source: hesiod
 Section: libs
 Priority: extra
-Maintainer: Ubuntu Developers
-XSBC-Original-Maintainer: Karl Ramm
+Maintainer: Karl Ramm
 Uploaders: Alexander Chernyakhovsky
 Standards-Version: 3.9.4
 Build-Depends: debhelper (>= 9), dpkg-dev (>= 1.16.1~), dh-exec (>=0.3), autotools-dev, dh-autoreconf, libidn11-dev
diff -Nru hesiod-3.2.1/debian/patches/0001-CVE-2016-10151-Use-secure_getenv-when-it-s-available.patch hesiod-3.2.1/debian/patches/0001-CVE-2016-10151-Use-secure_getenv-when-it-s-available.patch
--- hesiod-3.2.1/debian/patches/0001-CVE-2016-10151-Use-secure_getenv-when-it-s-available.patch 1970-01-01 00:00:00.000000000 +0000
+++ hesiod-3.2.1/debian/patches/0001-CVE-2016-10151-Use-secure_getenv-when-it-s-available.patch 2019-02-13 20:31:21.000000000 +0000
@@ -0,0 +1,75 @@
+From: "Dr. Tobias Quathamer"
+Date: Wed, 13 Feb 2019 21:24:55 +0100
+Subject: CVE-2016-10151: Use secure_getenv() when it's available.
+
+Factor out logic that attempts to only consult the environment when it's
+safe to do so into its own function, and use secure_getenv() instead of
+getenv() if it's available.
+
+https://github.com/achernya/hesiod/commit/39b21dac9bc6473365de04d94be0da94941c7c73
+
+Closes: #852094
+---
+ configure.ac | 3 ++-
+ src/lib/hesiod.c | 15 +++++++++++++--
+ 2 files changed, 15 insertions(+), 3 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index e5e94d4..9098afa 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -9,6 +9,7 @@ m4_ifdef([AM_SILENT_RULES], [AM_SILENT_RULES([yes])])
+ AC_CONFIG_MACRO_DIR([m4])
+ AC_CONFIG_SRCDIR([src/lib/hesiod.h])
+ AC_CONFIG_HEADERS([config.h])
++AC_USE_SYSTEM_EXTENSIONS
+
+ # Checks for programs.
+ AC_PROG_CC
+@@ -80,7 +81,7 @@ AC_EGREP_HEADER([pw_expire], [pwd.h],
+ # Checks for library functions.
+ AC_FUNC_MALLOC
+ AC_FUNC_REALLOC
+-AC_CHECK_FUNCS([strchr strdup])
++AC_CHECK_FUNCS([strchr strdup secure_getenv])
+
+ AC_CONFIG_FILES([
+ Makefile
+diff --git a/src/lib/hesiod.c b/src/lib/hesiod.c
+index c96aebe..2738713 100644
+--- a/src/lib/hesiod.c
++++ b/src/lib/hesiod.c
+@@ -99,6 +99,17 @@ static int read_config_file(struct hesiod_p *ctx, const char *filename);
+ static char **get_txt_records(struct hesiod_p *ctx, const char *name);
+ static int cistrcmp(const char *s1, const char *s2);
+
++static const char *hesiod_getenv(const char *e)
++{
++ if ((getuid() != geteuid()) || (getgid() != getegid()))
++ return NULL;
++#ifdef HAVE_SECURE_GETENV
++ return secure_getenv(e);
++#else
++ return getenv(e);
++#endif
++}
++
+ /* This function is called to initialize a hesiod_p. */
+ int hesiod_init(void **context)
+ {
+@@ -109,13 +120,13 @@ int hesiod_init(void **context)
+ if (ctx)
+ {
+ *context = ctx;
+- configname = ((getuid() == geteuid()) && (getgid() == getegid())) ? getenv("HESIOD_CONFIG") : NULL;
++ configname = hesiod_getenv("HESIOD_CONFIG");
+ if (!configname)
+ configname = SYSCONFDIR "/hesiod.conf";
+ if (read_config_file(ctx, configname) >= 0)
+ {
+ /* The default rhs can be overridden by an environment variable. */
+- p = ((getuid() == geteuid()) && (getgid() == getegid())) ? getenv("HES_DOMAIN") : NULL;
++ p = hesiod_getenv("HES_DOMAIN");
+ if (p)
+ {
+ if (ctx->rhs)
diff -Nru hesiod-3.2.1/debian/patches/0002-CVE-2016-10152-Remove-hard-coded-defaults-for-LHS-an.patch hesiod-3.2.1/debian/patches/0002-CVE-2016-10152-Remove-hard-coded-defaults-for-LHS-an.patch
--- hesiod-3.2.1/debian/patches/0002-CVE-2016-10152-Remove-hard-coded-defaults-for-LHS-an.patch 1970-01-01 00:00:00.000000000 +0000
+++ hesiod-3.2.1/debian/patches/0002-CVE-2016-10152-Remove-hard-coded-defaults-for-LHS-an.patch 2019-02-13 20:31:21.000000000 +0000
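Review bot: In the `#else` branch of `hesiod_getenv()` (src/lib/hesiod.c, inner hunk -99,6 +99,17) the environment is still trusted on the uid/gid comparison alone, so a build against a libc without `secure_getenv()` silently keeps the weaker check; that comparison does not notice privilege gained by other means such as file capabilities, which is the case `secure_getenv()` exists to cover. The new function also carries no comment, and I would add above it `/* Return the value of e only when the process is not running with elevated privilege; without secure_getenv() this is a uid/gid comparison only. */`. Separately, `secure_getenv()` is declared by `<stdlib.h>` only under `_GNU_SOURCE`, which `AC_USE_SYSTEM_EXTENSIONS` supplies through config.h; the include list is outside this hunk, so it is worth confirming that hesiod.c includes config.h before any system header.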
@@ -0,0 +1,67 @@
+From: "Dr. Tobias Quathamer"
+Date: Wed, 13 Feb 2019 21:28:10 +0100
+Subject: CVE-2016-10152: Remove hard-coded defaults for LHS and RHS.
+
+Don't fall back to using a default LHS or RHS when the configuration
+file can't be read. Instead, return an error.
+
+https://github.com/achernya/hesiod/commit/247e2ce1f2aff40040657acaae7f1a1d673d6618
+
+Closes: #852093
+---
+ src/lib/Makefile.am | 2 +-
+ src/lib/hesiod.c | 21 +--------------------
+ 2 files changed, 2 insertions(+), 21 deletions(-)
+
+diff --git a/src/lib/Makefile.am b/src/lib/Makefile.am
+index d092565..e6324b1 100644
+--- a/src/lib/Makefile.am
++++ b/src/lib/Makefile.am
+@@ -15,7 +15,7 @@ noinst_PROGRAMS = hestest
+ hestest_SOURCES = hestest.c
+ hestest_LDADD = libhesiod.la
+
+-TESTS_ENVIRONMENT = ./hestest
++TESTS_ENVIRONMENT = HESIOD_CONFIG=$(srcdir)/hesiod.conf.sample ./hestest
+ TESTS = hestest.conf
+
+ EXTRA_DIST = hesiod.conf.sample hestest.conf
+diff --git a/src/lib/hesiod.c b/src/lib/hesiod.c
+index 2738713..e69a8ca 100644
+--- a/src/lib/hesiod.c
++++ b/src/lib/hesiod.c
+@@ -81,10 +81,6 @@ static const char rcsid[] = "$Id: hesiod.c,v 1.30 2002-04-03 21:40:55 ghudson Ex
+ #define T_TXT 16
+ #endif
+
+-/* Defaults if the configuration file is not present. */
+-#define DEF_RHS ".athena.mit.edu"
+-#define DEF_LHS ".ns"
+-
+ /* Maximum size of a Hesiod response from the DNS. */
+ #define MAX_HESRESP 1024
+
+@@ -301,22 +297,7 @@ static int read_config_file(struct hesiod_p *ctx, const char *filename)
+ /* Try to open the configuration file. */
+ fp = fopen(filename, "r");
+ if (!fp)
+- {
+- /* Use compiled in default domain names. */
+- ctx->lhs = malloc(strlen(DEF_LHS) + 1);
+- ctx->rhs = malloc(strlen(DEF_RHS) + 1);
+- if (ctx->lhs && ctx->rhs)
+- {
+- strcpy(ctx->lhs, DEF_LHS);
+- strcpy(ctx->rhs, DEF_RHS);
+- return 0;
+- }
+- else
+- {
+- errno = ENOMEM;
+- return -1;
+- }
+- }
++ return -1;
+
+ ctx->lhs = NULL;
+ ctx->rhs = NULL;
diff -Nru hesiod-3.2.1/debian/patches/series hesiod-3.2.1/debian/patches/series
--- hesiod-3.2.1/debian/patches/series 1970-01-01 00:00:00.000000000 +0000
+++ hesiod-3.2.1/debian/patches/series 2019-02-13 20:31:21.000000000 +0000
@@ -0,0 +1,2 @@
+0001-CVE-2016-10151-Use-secure_getenv-when-it-s-available.patch
+0002-CVE-2016-10152-Remove-hard-coded-defaults-for-LHS-an.patch
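Review bot: The bare `return -1;` after the failed `fopen()` in `read_config_file()` (src/lib/hesiod.c, inner hunk -301,22 +297,7) records neither why the fallback is gone nor which errno the caller sees. A comment such as `/* No compiled-in defaults: an unreadable configuration file is an error; errno is left as set by fopen(). */` would help keep the fallback from being reintroduced. Callers on hosts without the configuration file presumably now get a failure from `hesiod_init()` where they used to get the removed `DEF_LHS`/`DEF_RHS` domain, so the package documentation should say the file is required. In the Makefile.am hunk the test run now reads `hesiod.conf.sample`, so the expectations in `hestest.conf` depend on that sample's lhs/rhs values, which are not visible here and are worth checking against the removed defaults. The body of `read_config_file()` continues outside the hunk.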