diff -Nru libpam-ccreds-10/debian/changelog libpam-ccreds-10/debian/changelog
--- libpam-ccreds-10/debian/changelog 2017-07-28 13:57:11.000000000 +0000
+++ libpam-ccreds-10/debian/changelog 2019-07-05 20:17:54.000000000 +0000
@@ -1,3 +1,33 @@
+libpam-ccreds (10-7ubuntu1) eoan; urgency=medium
+
+ * Merge with Debian unstable. Remaining changes:
+ - debian/patches/0003-initialize-libgcrypt.patch: Initialize gcrypt
+ before usage. Closes: #645229, LP #869166.
+
+ -- Andreas Hasenack Fri, 05 Jul 2019 17:17:54 -0300
+
+libpam-ccreds (10-7) unstable; urgency=medium
+
+ [ Guido Günther ]
+ * [22bf358] d/control: Switch Vcs-* URLs to salsa
+ * [febd29f] Switch to dh compat level 11
+ * [a424f5d] d/control: Sort build-deps
+ * [9cf04e9] Switch from cdbs to dh
+ * [571b309] d/control: Bump standards version
+ * [66b06b2] d/watch: Use https URI
+ * [3a1c830] d/watch: Drop boilerplate
+ * [1c2f6d5] d/control: Switch priority to optional
+ * [e59a65c] Turn on hardening
+ * [4c6eff4] Add autopkgtest
+ * [271fc27] Add gbp.conf
+ * [140ed0c] Rediff patches dropping the patch numbers
+
+ [ Andreas Metzler ]
+ * [5059fef] B-d on libgcrypt20-dev instead of libgcrypt11-dev
+ (Closes: #864117)
+
+ -- Guido Günther Fri, 02 Nov 2018 12:52:36 +0100
+
 libpam-ccreds (10-6ubuntu1) artful; urgency=medium
 
 * debian/patches/0003-initialize-libgcrypt.patch: Initialize gcrypt
diff -Nru libpam-ccreds-10/debian/compat libpam-ccreds-10/debian/compat
--- libpam-ccreds-10/debian/compat 2017-07-28 13:56:53.000000000 +0000
+++ libpam-ccreds-10/debian/compat 2019-07-05 20:17:54.000000000 +0000
@@ -1 +1 @@
-7
+11
diff -Nru libpam-ccreds-10/debian/control libpam-ccreds-10/debian/control
--- libpam-ccreds-10/debian/control 2017-07-28 13:57:11.000000000 +0000
+++ libpam-ccreds-10/debian/control 2019-07-05 20:17:54.000000000 +0000
@@ -1,13 +1,17 @@
 Source: libpam-ccreds
 Section: admin
-Priority: extra
+Priority: optional
 Maintainer: Ubuntu Developers
 XSBC-Original-Maintainer: Guido Günther
-Build-Depends: debhelper (>= 7), autotools-dev, libgcrypt11-dev, libpam0g-dev, libdb-dev, cdbs
-Standards-Version: 3.8.4
+Build-Depends:
+ debhelper (>= 11),
+ libdb-dev,
+ libgcrypt20-dev,
+ libpam0g-dev,
+Standards-Version: 4.2.1
 Homepage: http://www.padl.com/OSS/pam_ccreds.html
-Vcs-Browser: http://git.debian.org/?p=users/agx/libpam-ccreds.git
-Vcs-Git: git://git.debian.org/users/agx/libpam-ccreds.git
+Vcs-Browser: https://salsa.debian.org/agx/libpam-ccreds
+Vcs-Git: https://salsa.debian.org/agx/libpam-ccreds.git
 
 Package: libpam-ccreds
 Architecture: any
diff -Nru libpam-ccreds-10/debian/gbp.conf libpam-ccreds-10/debian/gbp.conf
--- libpam-ccreds-10/debian/gbp.conf 1970-01-01 00:00:00.000000000 +0000
+++ libpam-ccreds-10/debian/gbp.conf 2019-07-05 20:17:54.000000000 +0000
@@ -0,0 +1,5 @@
+[pq]
+patch-numbers = False
+
+[dch]
+id-length = 7
diff -Nru libpam-ccreds-10/debian/patches/0001-make-sure-we-don-t-overflow-the-data-buffer.patch libpam-ccreds-10/debian/patches/0001-make-sure-we-don-t-overflow-the-data-buffer.patch
--- libpam-ccreds-10/debian/patches/0001-make-sure-we-don-t-overflow-the-data-buffer.patch 2017-07-28 13:56:53.000000000 +0000
+++ libpam-ccreds-10/debian/patches/0001-make-sure-we-don-t-overflow-the-data-buffer.patch 1970-01-01 00:00:00.000000000 +0000
@@ -1,22 +0,0 @@
-From: Nicolas Boullis
-Date: Mon, 23 Mar 2009 10:46:44 +0100
-Subject: [PATCH] make sure we don't overflow the data buffer
-
----
- cc_db.c | 2 +-
- 1 files changed, 1 insertions(+), 1 deletions(-)
-
-diff --git a/cc_db.c b/cc_db.c
-index c0e0488..9371c4d 100644
---- a/cc_db.c
-+++ b/cc_db.c
-@@ -199,7 +199,7 @@ int pam_cc_db_get(void *_db, const char *keyname, size_t keylength,
- return (rc == DB_NOTFOUND) ? PAM_AUTHINFO_UNAVAIL : PAM_SERVICE_ERR;
- }
-
-- if (val.size < *size) {
-+ if (val.size > *size) {
- return PAM_BUF_ERR;
- }
-
---
diff -Nru libpam-ccreds-10/debian/patches/0002-add-minimum_uid-option.patch libpam-ccreds-10/debian/patches/0002-add-minimum_uid-option.patch
--- libpam-ccreds-10/debian/patches/0002-add-minimum_uid-option.patch 2017-07-28 13:56:53.000000000 +0000
+++ libpam-ccreds-10/debian/patches/0002-add-minimum_uid-option.patch 1970-01-01 00:00:00.000000000 +0000
@@ -1,89 +0,0 @@
-From: =?UTF-8?q?Guido=20G=C3=BCnther?=
-Date: Thu, 13 May 2010 12:36:26 +0200
-Subject: [PATCH] add minimum_uid option
-
-Closes: #580037
----
- cc_pam.c | 39 +++++++++++++++++++++++++++++++++++++++
- 1 files changed, 39 insertions(+), 0 deletions(-)
-
-diff --git a/cc_pam.c b/cc_pam.c
-index d096117..56776aa 100644
---- a/cc_pam.c
-+++ b/cc_pam.c
-@@ -20,6 +20,7 @@
- #include
- #include
- #include
-+#include
-
- #include "cc_private.h"
-
-@@ -45,6 +46,30 @@ PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t *pamh,
- int flags, int argc, const char **argv);
- #endif
-
-+
-+/*
-+ * Given the PAM arguments and the user we're authenticating, see if we should
-+ * ignore that user because they're root or have a low-numbered UID and we
-+ * were configured to ignore such users. Returns true if we should ignore
-+ * them, false otherwise.
-+ */
-+static int
-+_pamcc_should_ignore(const char *username, int minimum_uid)
-+{
-+ struct passwd *pwd;
-+
-+ if (minimum_uid > 0) {
-+ pwd = getpwnam(username);
-+ if (pwd != NULL && pwd->pw_uid < (unsigned long) minimum_uid) {
-+ syslog(LOG_DEBUG, "ignoring low-UID user (%lu < %d)",
-+ (unsigned long) pwd->pw_uid, minimum_uid);
-+ return 1;
-+ }
-+ }
-+ return 0;
-+}
-+
-+
- static int _pam_sm_interact(pam_handle_t *pamh,
- int flags,
- const char **authtok)
-@@ -291,7 +316,9 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh,
- unsigned int sm_flags = 0, sm_action = 0;
- const char *ccredsfile = NULL;
- const char *action = NULL;
-+ const char *name = NULL;
- int (*selector)(pam_handle_t *, int, unsigned int, const char *);
-+ int minimum_uid = 0;
-
- for (i = 0; i < argc; i++) {
- if (strcmp(argv[i], "use_first_pass") == 0)
-@@ -300,6 +327,8 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh,
- sm_flags |= SM_FLAGS_TRY_FIRST_PASS;
- else if (strcmp(argv[i], "service_specific") == 0)
- sm_flags |= SM_FLAGS_SERVICE_SPECIFIC;
-+ else if (strncmp(argv[i], "minimum_uid=", sizeof("minimum_uid=") - 1) == 0)
-+ minimum_uid = atoi(argv[i] + sizeof("minimum_uid=") - 1);
- else if (strncmp(argv[i], "ccredsfile=", sizeof("ccredsfile=") - 1) == 0)
- ccredsfile = argv[i] + sizeof("ccredsfile=") - 1;
- else if (strncmp(argv[i], "action=", sizeof("action=") - 1) == 0)
-@@ -321,6 +350,16 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh,
- syslog(LOG_ERR, "pam_ccreds: invalid action \"%s\"", action);
- }
-
-+ rc = pam_get_user(pamh, &name, NULL);
-+ if (rc != PAM_SUCCESS || name == NULL) {
-+ if (rc == PAM_CONV_AGAIN)
-+ return PAM_INCOMPLETE;
-+ else
-+ return PAM_SERVICE_ERR;
-+ }
-+ if (_pamcc_should_ignore(name, minimum_uid))
-+ return PAM_USER_UNKNOWN;
-+
- switch (sm_action) {
- case SM_ACTION_VALIDATE_CCREDS:
- selector = _pam_sm_validate_cached_credentials;
---
diff -Nru libpam-ccreds-10/debian/patches/PATCH-add-minimum_uid-option.patch libpam-ccreds-10/debian/patches/PATCH-add-minimum_uid-option.patch
--- libpam-ccreds-10/debian/patches/PATCH-add-minimum_uid-option.patch 1970-01-01 00:00:00.000000000 +0000
+++ libpam-ccreds-10/debian/patches/PATCH-add-minimum_uid-option.patch 2019-07-05 20:17:54.000000000 +0000
@@ -0,0 +1,88 @@
+From: =?utf-8?q?Guido_G=C3=BCnther?=
+Date: Thu, 13 May 2010 12:36:26 +0200
+Subject: [PATCH] add minimum_uid option
+
+Closes: #580037
+---
+ cc_pam.c | 39 +++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 39 insertions(+)
+
+diff --git a/cc_pam.c b/cc_pam.c
+index d096117..56776aa 100644
+--- a/cc_pam.c
++++ b/cc_pam.c
+@@ -20,6 +20,7 @@
+ #include
+ #include
+ #include
++#include
+
+ #include "cc_private.h"
+
+@@ -45,6 +46,30 @@ PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t *pamh,
+ int flags, int argc, const char **argv);
+ #endif
+
++
++/*
++ * Given the PAM arguments and the user we're authenticating, see if we should
++ * ignore that user because they're root or have a low-numbered UID and we
++ * were configured to ignore such users. Returns true if we should ignore
++ * them, false otherwise.
++ */
++static int
++_pamcc_should_ignore(const char *username, int minimum_uid)
++{
++ struct passwd *pwd;
++
++ if (minimum_uid > 0) {
++ pwd = getpwnam(username);
++ if (pwd != NULL && pwd->pw_uid < (unsigned long) minimum_uid) {
++ syslog(LOG_DEBUG, "ignoring low-UID user (%lu < %d)",
++ (unsigned long) pwd->pw_uid, minimum_uid);
++ return 1;
++ }
++ }
++ return 0;
++}
++
++
+ static int _pam_sm_interact(pam_handle_t *pamh,
+ int flags,
+ const char **authtok)
+@@ -291,7 +316,9 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh,
+ unsigned int sm_flags = 0, sm_action = 0;
+ const char *ccredsfile = NULL;
+ const char *action = NULL;
++ const char *name = NULL;
+ int (*selector)(pam_handle_t *, int, unsigned int, const char *);
++ int minimum_uid = 0;
+
+ for (i = 0; i < argc; i++) {
+ if (strcmp(argv[i], "use_first_pass") == 0)
+@@ -300,6 +327,8 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh,
+ sm_flags |= SM_FLAGS_TRY_FIRST_PASS;
+ else if (strcmp(argv[i], "service_specific") == 0)
+ sm_flags |= SM_FLAGS_SERVICE_SPECIFIC;
++ else if (strncmp(argv[i], "minimum_uid=", sizeof("minimum_uid=") - 1) == 0)
++ minimum_uid = atoi(argv[i] + sizeof("minimum_uid=") - 1);
+ else if (strncmp(argv[i], "ccredsfile=", sizeof("ccredsfile=") - 1) == 0)
+ ccredsfile = argv[i] + sizeof("ccredsfile=") - 1;
+ else if (strncmp(argv[i], "action=", sizeof("action=") - 1) == 0)
+@@ -321,6 +350,16 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh,
+ syslog(LOG_ERR, "pam_ccreds: invalid action \"%s\"", action);
+ }
+
++ rc = pam_get_user(pamh, &name, NULL);
++ if (rc != PAM_SUCCESS || name == NULL) {
++ if (rc == PAM_CONV_AGAIN)
++ return PAM_INCOMPLETE;
++ else
++ return PAM_SERVICE_ERR;
++ }
++ if (_pamcc_should_ignore(name, minimum_uid))
++ return PAM_USER_UNKNOWN;
++
+ switch (sm_action) {
+ case SM_ACTION_VALIDATE_CCREDS:
+ selector = _pam_sm_validate_cached_credentials;
diff -Nru libpam-ccreds-10/debian/patches/PATCH-make-sure-we-don-t-overflow-the-data-buffer.patch libpam-ccreds-10/debian/patches/PATCH-make-sure-we-don-t-overflow-the-data-buffer.patch
--- libpam-ccreds-10/debian/patches/PATCH-make-sure-we-don-t-overflow-the-data-buffer.patch 1970-01-01 00:00:00.000000000 +0000
+++ libpam-ccreds-10/debian/patches/PATCH-make-sure-we-don-t-overflow-the-data-buffer.patch 2019-07-05 20:17:54.000000000 +0000
@@ -0,0 +1,21 @@
+From: Nicolas Boullis
+Date: Mon, 23 Mar 2009 10:46:44 +0100
+Subject: [PATCH] make sure we don't overflow the data buffer
+
+---
+ cc_db.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/cc_db.c b/cc_db.c
+index c0e0488..9371c4d 100644
+--- a/cc_db.c
++++ b/cc_db.c
+@@ -199,7 +199,7 @@ int pam_cc_db_get(void *_db, const char *keyname, size_t keylength,
+ return (rc == DB_NOTFOUND) ? PAM_AUTHINFO_UNAVAIL : PAM_SERVICE_ERR;
+ }
+
+- if (val.size < *size) {
++ if (val.size > *size) {
+ return PAM_BUF_ERR;
+ }
+
diff -Nru libpam-ccreds-10/debian/patches/series libpam-ccreds-10/debian/patches/series
--- libpam-ccreds-10/debian/patches/series 2017-07-28 13:57:11.000000000 +0000
+++ libpam-ccreds-10/debian/patches/series 2019-07-05 20:17:54.000000000 +0000
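Review bot: In debian/patches/PATCH-add-minimum_uid-option.patch, the option loop of pam_sm_authenticate parses the threshold with `atoi`, so a non-numeric value such as `minimum_uid=abc` yields 0, and `_pamcc_should_ignore` then skips the check entirely (`if (minimum_uid > 0)`), leaving the low-UID exclusion switched off without any log line. I would parse with `strtol`, reject trailing characters and out-of-range values, and log and fail the call instead of continuing with 0, as sketched below; this needs `<errno.h>`, `<limits.h>` and `<stdlib.h>` if cc_pam.c does not already include them. The patch body is unchanged from the removed 0002 file, and pam_sm_authenticate starts and ends outside the inner hunks, so how other malformed options are treated is not visible here.

```c
else if (strncmp(argv[i], "minimum_uid=", sizeof("minimum_uid=") - 1) == 0) {
	const char *val = argv[i] + sizeof("minimum_uid=") - 1;
	char *end = NULL;
	long uid;

	errno = 0;
	uid = strtol(val, &end, 10);
	/* Refuse to run with a threshold we could not parse: 0 means "check disabled". */
	if (errno != 0 || end == val || *end != '\0' || uid < 0 || uid > INT_MAX) {
		syslog(LOG_ERR, "pam_ccreds: invalid minimum_uid \"%s\"", val);
		return PAM_SERVICE_ERR;
	}
	minimum_uid = (int) uid;
}
/* … unchanged: ccredsfile= and action= branches … */
```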
@@ -1,3 +1,3 @@
-0001-make-sure-we-don-t-overflow-the-data-buffer.patch
-0002-add-minimum_uid-option.patch
+PATCH-make-sure-we-don-t-overflow-the-data-buffer.patch
+PATCH-add-minimum_uid-option.patch
 0003-initialize-libgcrypt.patch
diff -Nru libpam-ccreds-10/debian/rules libpam-ccreds-10/debian/rules
--- libpam-ccreds-10/debian/rules 2017-07-28 13:56:53.000000000 +0000
+++ libpam-ccreds-10/debian/rules 2019-07-05 20:17:54.000000000 +0000
@@ -1,21 +1,21 @@
 #!/usr/bin/make -f
 
-include /usr/share/cdbs/1/rules/debhelper.mk
-include /usr/share/cdbs/1/class/autotools.mk
+export DEB_BUILD_MAINT_OPTIONS = hardening=+all
 
-DEB_FIXPERMS_EXCLUDE=/sbin/ccreds_chkpwd
+DEB_CONFIGURE_EXTRA_ARGS := \
+ --libdir=/lib/$(DEB_BUILD_GNU_TYPE) \
+ --sbindir=/sbin \
+ --enable-gcrypt \
+ $(NULL)
 
-DEB_CONFIGURE_EXTRA_FLAGS := \
- --host=$(DEB_HOST_GNU_TYPE) \
- --build=$(DEB_BUILD_GNU_TYPE) \
- --prefix=/usr \
- --mandir=\$${prefix}/share/man \
- --infodir=\$${prefix}/share/info\
- --sbindir=/sbin \
- --libdir=/lib \
- --enable-gcrypt
+%:
+ dh $@
 
-binary-install/libpam-ccreds::
+override_dh_auto_configure:
+ dh_auto_configure -- $(DEB_CONFIGURE_EXTRA_ARGS)
+
+override_dh_auto_install:
+ dh_auto_install
 chown root:root debian/libpam-ccreds/sbin/ccreds_chkpwd
 chmod 4755 debian/libpam-ccreds/sbin/ccreds_chkpwd
 
@@ -24,4 +24,8 @@
 debian/libpam-ccreds/usr/share/pam-configs/ccreds-save
 install -m 0644 debian/libpam-ccreds.pam-auth-update.ccreds-check \
 debian/libpam-ccreds/usr/share/pam-configs/ccreds-check
+ rmdir debian/libpam-ccreds/lib/security
+
+override_dh_fixperms:
+ dh_fixperms -X/sbin/ccreds_chkpwd
 
diff -Nru libpam-ccreds-10/debian/tests/control libpam-ccreds-10/debian/tests/control
--- libpam-ccreds-10/debian/tests/control 1970-01-01 00:00:00.000000000 +0000
+++ libpam-ccreds-10/debian/tests/control 2019-07-05 20:17:54.000000000 +0000
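Review bot: `--libdir=/lib/$(DEB_BUILD_GNU_TYPE)` in DEB_CONFIGURE_EXTRA_ARGS of debian/rules builds the install path from the build machine's GNU triplet, which is the wrong variable for a cross build and, on architectures such as i386, differs from the multiarch tuple (i686-linux-gnu versus i386-linux-gnu). If the module is installed under $(libdir)/security, as the added `rmdir debian/libpam-ccreds/lib/security` in the second hunk suggests, PAM would likely not find it in its multiarch module directory there, and the ccreds entries in the auth stack would fail to load. I would use `--libdir=/lib/$(DEB_HOST_MULTIARCH) \` and add `include /usr/share/dpkg/architecture.mk` so the variable is defined even when debian/rules is run directly. The install target's old lines 22–23 lie between the two hunks and are not visible, so the final module path is inferred.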
@@ -0,0 +1,4 @@
+Tests: smoke
+Depends: @
+Restrictions: allow-stderr
+
diff -Nru libpam-ccreds-10/debian/tests/smoke libpam-ccreds-10/debian/tests/smoke
--- libpam-ccreds-10/debian/tests/smoke 1970-01-01 00:00:00.000000000 +0000
+++ libpam-ccreds-10/debian/tests/smoke 2019-07-05 20:17:54.000000000 +0000
@@ -0,0 +1,16 @@
+#!/bin/sh
+
+set -e
+set -x
+
+TMPFILE=$(mktemp)
+
+cc_test -store any foo 1234 "${TMPFILE}"
+cc_test -store any bar 1234 "${TMPFILE}"
+cc_test -store any foo 12341234 "${TMPFILE}"
+cc_test -validate any foo 12341234 "${TMPFILE}"
+! cc_test -validate any foo 1234 "${TMPFILE}"
+
+cc_test -update any foo - "${TMPFILE}"
+cc_dump "${TMPFILE}" | grep " bar "
+cc_dump "${TMPFILE}"
diff -Nru libpam-ccreds-10/debian/watch libpam-ccreds-10/debian/watch
--- libpam-ccreds-10/debian/watch 2017-07-28 13:56:53.000000000 +0000
+++ libpam-ccreds-10/debian/watch 2019-07-05 20:17:54.000000000 +0000
@@ -1,9 +1,6 @@
-# Example watch control file for uscan
-# Rename this file to "watch" and then you can run the "uscan" command
-# to check for upstream updates and more.
 # See uscan(1) for format
 
 # Compulsory line, this is a version 3 file
 version=3
 
-http://www.padl.com/download/pam_ccreds-(\d+)\.tar\.gz
+https://www.padl.com/download/pam_ccreds-(\d+)\.tar\.gz
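Review bot: The negative check `! cc_test -validate any foo 1234 "${TMPFILE}"` in debian/tests/smoke can never fail the test, because POSIX `set -e` ignores the status of a pipeline that begins with `!`; if the replaced password were still accepted, the script would carry on and exit with the status of the final `cc_dump`. Since this is the only assertion that a stale credential is rejected, I would write it as `if cc_test -validate any foo 1234 "${TMPFILE}"; then echo "old password still validates" >&2; exit 1; fi`. The temporary cache file from `mktemp` is also never removed; `trap 'rm -f "${TMPFILE}"' EXIT` right after the assignment would clean it up.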