diff -Nru openssh-7.9p1/debian/adjust-openssl-dependencies openssh-7.9p1/debian/adjust-openssl-dependencies
--- openssh-7.9p1/debian/adjust-openssl-dependencies 2018-10-20 21:54:14.000000000 +0000
+++ openssh-7.9p1/debian/adjust-openssl-dependencies 2019-01-12 18:47:35.000000000 +0000
@@ -7,9 +7,6 @@
 libssl_version="$(dpkg-query -W libssl-dev 2>/dev/null | cut -f2)"
 if [ -z "$libssl_version" ]; then
- libssl_version="$(dpkg-query -W libssl1.0-dev 2>/dev/null | cut -f2)"
-fi
-if [ -z "$libssl_version" ]; then
 echo "Can't find libssl-dev version; leaving dependencies alone."
 exit 0
 fi
diff -Nru openssh-7.9p1/debian/changelog openssh-7.9p1/debian/changelog
--- openssh-7.9p1/debian/changelog 2018-11-16 11:27:28.000000000 +0000
+++ openssh-7.9p1/debian/changelog 2019-01-13 11:22:45.000000000 +0000
@@ -1,3 +1,14 @@
+openssh (1:7.9p1-5) unstable; urgency=high
+
+ * Move /etc/ssh/moduli to openssh-server, since it's reasonably large and
+ only used by sshd (closes: #858050).
+ * Drop obsolete alternate build-dependency on libssl1.0-dev (closes:
+ #917342).
+ * CVE-2018-20685: Apply upstream scp patch to disallow empty incoming
+ filename or ones that refer to the current directory (closes: #919101).
+
+ -- Colin Watson Sun, 13 Jan 2019 11:22:45 +0000
+
 openssh (1:7.9p1-4) unstable; urgency=medium
 * Fix Ubuntu detection in debian/rules, since the documentation comment
diff -Nru openssh-7.9p1/debian/control openssh-7.9p1/debian/control
--- openssh-7.9p1/debian/control 2018-11-15 01:15:24.000000000 +0000
+++ openssh-7.9p1/debian/control 2019-01-12 18:47:35.000000000 +0000
@@ -13,7 +13,7 @@
 libkrb5-dev | heimdal-dev,
 libpam0g-dev | libpam-dev,
 libselinux1-dev [linux-any],
- libssl-dev (>= 1.1.0g) | libssl1.0-dev,
+ libssl-dev (>= 1.1.0g),
 libsystemd-dev [linux-any],
 libwrap0-dev | libwrap-dev,
 pkg-config,
@@ -88,7 +88,8 @@
 Conflicts: sftp,
 ssh-socks,
 ssh2,
-Replaces: ssh,
+Replaces: openssh-client (<< 1:7.9p1-5),
+ ssh,
 ssh-krb5,
 Suggests: molly-guard,
 monkeysphere,
diff -Nru openssh-7.9p1/debian/.git-dpm openssh-7.9p1/debian/.git-dpm
--- openssh-7.9p1/debian/.git-dpm 2018-10-20 21:54:15.000000000 +0000
+++ openssh-7.9p1/debian/.git-dpm 2019-01-12 18:47:37.000000000 +0000
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-1d2a55436d4b556269f42ad5f7e16608b5a8ed74
-1d2a55436d4b556269f42ad5f7e16608b5a8ed74
+dee21e97428e69d30e2d15c71f3e7cc08bf8e4f8
+dee21e97428e69d30e2d15c71f3e7cc08bf8e4f8
 3d246f10429fc9a37b98eabef94fe8dc7c61002b
 3d246f10429fc9a37b98eabef94fe8dc7c61002b
 openssh_7.9p1.orig.tar.gz
diff -Nru openssh-7.9p1/debian/openssh-client.install openssh-7.9p1/debian/openssh-client.install
--- openssh-7.9p1/debian/openssh-client.install 2018-10-20 21:54:14.000000000 +0000
+++ openssh-7.9p1/debian/openssh-client.install 2019-01-12 18:47:35.000000000 +0000
@@ -1,6 +1,5 @@
 #! /usr/bin/dh-exec
-etc/ssh/moduli
 etc/ssh/ssh_config
 usr/bin/scp
 usr/bin/sftp
diff -Nru openssh-7.9p1/debian/openssh-server.install openssh-7.9p1/debian/openssh-server.install
--- openssh-7.9p1/debian/openssh-server.install 2018-10-21 00:59:53.000000000 +0000
+++ openssh-7.9p1/debian/openssh-server.install 2019-01-12 18:47:35.000000000 +0000
@@ -1,5 +1,6 @@
 #! /usr/bin/dh-exec
+etc/ssh/moduli
 usr/sbin/sshd
 usr/share/man/man5/authorized_keys.5
 usr/share/man/man5/sshd_config.5
diff -Nru openssh-7.9p1/debian/patches/scp-disallow-dot-or-empty-filename.patch openssh-7.9p1/debian/patches/scp-disallow-dot-or-empty-filename.patch
--- openssh-7.9p1/debian/patches/scp-disallow-dot-or-empty-filename.patch 1970-01-01 00:00:00.000000000 +0000
+++ openssh-7.9p1/debian/patches/scp-disallow-dot-or-empty-filename.patch 2019-01-12 18:47:37.000000000 +0000
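Review bot: The new `Replaces: openssh-client (<< 1:7.9p1-5)` line is not paired with a matching Breaks in this hunk, and Debian policy expects Replaces to be accompanied by Breaks when a file moves between packages so that the old openssh-client is upgraded before openssh-server takes over /etc/ssh/moduli; unless a `Breaks: openssh-client (<< 1:7.9p1-5)` already exists elsewhere in the stanza outside the hunk, add one next to the Replaces line. Without it dpkg may unpack the new openssh-server beside an old openssh-client, and a file that both packages claim during that window is exactly the case the pairing is meant to rule out. Since /etc/ssh/moduli is a conffile, it is also worth confirming on an upgrade test that dpkg neither prompts for it nor leaves an obsolete conffile entry behind in openssh-client.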
@@ -0,0 +1,32 @@
+From dee21e97428e69d30e2d15c71f3e7cc08bf8e4f8 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org"
+Date: Fri, 16 Nov 2018 03:03:10 +0000
+Subject: upstream: disallow empty incoming filename or ones that refer to the
+
+current directory; based on report/patch from Harry Sintonen
+
+OpenBSD-Commit-ID: f27651b30eaee2df49540ab68d030865c04f6de9
+
+Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=6010c0303a422a9c5fa8860c061bf7105eb7f8b2
+Bug-Debian: https://bugs.debian.org/919101
+Last-Update: 2019-01-12
+
+Patch-Name: scp-disallow-dot-or-empty-filename.patch
+---
+ scp.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/scp.c b/scp.c
+index ed2864250..7163d33dc 100644
+--- a/scp.c
++++ b/scp.c
+@@ -1114,7 +1114,8 @@ sink(int argc, char **argv)
+ SCREWUP("size out of range");
+ size = (off_t)ull;
+
+- if ((strchr(cp, '/') != NULL) || (strcmp(cp, "..") == 0)) {
++ if (*cp == '\0' || strchr(cp, '/') != NULL ||
++ strcmp(cp, ".") == 0 || strcmp(cp, "..") == 0) {
+ run_err("error: unexpected filename: %s", cp);
+ exit(1);
+ }
diff -Nru openssh-7.9p1/debian/patches/series openssh-7.9p1/debian/patches/series
--- openssh-7.9p1/debian/patches/series 2018-10-20 21:54:14.000000000 +0000
+++ openssh-7.9p1/debian/patches/series 2019-01-12 18:47:37.000000000 +0000
@@ -24,3 +24,4 @@
 seccomp-s390-flock-ipc.patch
 seccomp-s390-ioctl-ep11-crypto.patch
 conch-old-privkey-format.patch
+scp-disallow-dot-or-empty-filename.patch
diff -Nru openssh-7.9p1/debian/rules openssh-7.9p1/debian/rules
--- openssh-7.9p1/debian/rules 2018-11-16 11:27:01.000000000 +0000
+++ openssh-7.9p1/debian/rules 2019-01-12 18:47:35.000000000 +0000
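Review bot: The widened rejection in sink() — an empty name, any '/', "." or ".." — carries no comment explaining why these particular names are refused, so a later reader of scp.c cannot tell that this branch is the fix the changelog attributes to CVE-2018-20685; add above the `if` a comment such as `/* Reject names the remote side must never send: an empty name, one containing a path separator, or "." / "..", since writing to them would target or escape the destination directory itself. */`. Note that the check remains a deny-list on the name the peer sends and does not compare it against what the client asked for, so the patch should be read as covering only the bug the changelog names; whether the surrounding client-side checks need further tightening is a separate question. The sink() function starts and ends outside the hunk.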
@@ -178,7 +178,7 @@
 # Remove version control tags to avoid unnecessary conffile
 # resolution steps for administrators.
 sed -i '/\$$OpenBSD:/d' \
- debian/openssh-client/etc/ssh/moduli \
+ debian/openssh-server/etc/ssh/moduli \
 debian/openssh-client/etc/ssh/ssh_config
 # We'd like to use dh_install --fail-missing here, but that doesn't work