diff -Nru openssh-8.1p1/debian/changelog openssh-8.1p1/debian/changelog
--- openssh-8.1p1/debian/changelog 2019-10-10 09:23:19.000000000 +0000
+++ openssh-8.1p1/debian/changelog 2020-01-11 23:55:03.000000000 +0000
@@ -1,3 +1,42 @@
+openssh (1:8.1p1-5) unstable; urgency=medium
+
+ * Apply upstream patches to allow clock_nanosleep() and variants in the
+ seccomp sandbox, fixing failures with glibc 2.31.
+ * Apply upstream patch to deny (non-fatally) ipc in the seccomp sandbox,
+ fixing failures with OpenSSL 1.1.1d and Linux < 3.19 on some
+ architectures (closes: #946242).
+
+ -- Colin Watson Sat, 11 Jan 2020 23:55:03 +0000
+
+openssh (1:8.1p1-4) unstable; urgency=medium
+
+ * Apply upstream patch to stop using 2020 as a future date in regress
+ tests.
+
+ -- Colin Watson Thu, 09 Jan 2020 11:42:10 +0000
+
+openssh (1:8.1p1-3) unstable; urgency=medium
+
+ [ Colin Watson ]
+ * Drop suggestion of rssh, since it's been removed (see
+ https://bugs.debian.org/923691).
+
+ [ Steve Langasek ]
+ * Don't build openssh-tests on Ubuntu i386 (closes: #948466).
+
+ -- Colin Watson Thu, 09 Jan 2020 00:29:58 +0000
+
+openssh (1:8.1p1-2) unstable; urgency=medium
+
+ * Drop "Allow flock and ipc syscall for s390 architecture" patch for now;
+ upstream has security concerns with it and it doesn't currently seem to
+ be needed.
+ * Mark openssh-sftp-server, openssh-tests, ssh, and ssh-askpass-gnome as
+ Multi-Arch: foreign; none of them provide any architecture-dependent
+ interfaces.
+
+ -- Colin Watson Wed, 11 Dec 2019 23:53:49 +0000
+
 openssh (1:8.1p1-1) unstable; urgency=medium
 
 * New upstream release (https://www.openssh.com/txt/release-8.1):
diff -Nru openssh-8.1p1/debian/control openssh-8.1p1/debian/control
--- openssh-8.1p1/debian/control 2019-10-10 09:23:19.000000000 +0000
+++ openssh-8.1p1/debian/control 2020-01-11 23:55:03.000000000 +0000
@@ -96,7 +96,6 @@
 Breaks: ${runit:Breaks},
 Suggests: molly-guard,
 monkeysphere,
- rssh,
 ssh-askpass,
 ufw,
 Provides: ssh-server,
@@ -132,6 +131,7 @@
 Replaces: openssh-server (<< 1:6.5p1-5),
 Enhances: openssh-server,
 ssh-server,
+Multi-Arch: foreign
 Description: secure shell (SSH) sftp server module, for SFTP access from remote machines
 This is the portable version of OpenSSH, a free implementation of the
 Secure Shell protocol as specified by the IETF secsh working
@@ -168,6 +168,7 @@
 python3-twisted,
 ${misc:Depends},
 ${shlibs:Depends},
+Multi-Arch: foreign
 Description: OpenSSH regression tests
 This package provides OpenSSH's regression test suite. It is mainly
 intended for use with the autopkgtest system, though can also be run
@@ -180,6 +181,7 @@
 Depends: openssh-client (>= ${binary:Version}),
 openssh-server (>= ${binary:Version}),
 ${misc:Depends},
+Multi-Arch: foreign
 Description: secure shell client and server (metapackage)
 This metapackage is a convenient way to install both the OpenSSH client
 and the OpenSSH server. It provides nothing in and of itself, so you
@@ -195,6 +197,7 @@
 ${shlibs:Depends},
 Replaces: ssh (<< 1:3.5p1-3),
 Provides: ssh-askpass,
+Multi-Arch: foreign
 Description: interactive X program to prompt users for a passphrase for ssh-add
 This has been split out of the main openssh-client package so that
 openssh-client does not need to depend on GTK+.
diff -Nru openssh-8.1p1/debian/.git-dpm openssh-8.1p1/debian/.git-dpm
--- openssh-8.1p1/debian/.git-dpm 2019-10-10 09:23:19.000000000 +0000
+++ openssh-8.1p1/debian/.git-dpm 2020-01-11 23:55:03.000000000 +0000
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-660f35293504f04d744d2d6ab6276a83fff305a3
-660f35293504f04d744d2d6ab6276a83fff305a3
+489e04f2c23327dd95981327d8757144a4e574af
+489e04f2c23327dd95981327d8757144a4e574af
 4213eec74e74de6310c27a40c3e9759a08a73996
 4213eec74e74de6310c27a40c3e9759a08a73996
 openssh_8.1p1.orig.tar.gz
diff -Nru openssh-8.1p1/debian/.gitlab-ci.yml openssh-8.1p1/debian/.gitlab-ci.yml
--- openssh-8.1p1/debian/.gitlab-ci.yml 2019-10-10 09:23:19.000000000 +0000
+++ openssh-8.1p1/debian/.gitlab-ci.yml 2020-01-11 23:55:03.000000000 +0000
@@ -7,3 +7,6 @@
 expire_in: 1 day
 script:
 - gitlab-ci-git-buildpackage-all
+ except:
+ variables:
+ - $CI_COMMIT_TAG != null
diff -Nru openssh-8.1p1/debian/NEWS openssh-8.1p1/debian/NEWS
--- openssh-8.1p1/debian/NEWS 2019-10-10 09:23:19.000000000 +0000
+++ openssh-8.1p1/debian/NEWS 2020-01-11 23:55:03.000000000 +0000
@@ -1,4 +1,4 @@
-openssh (1:8.1p1-1) UNRELEASED; urgency=medium
+openssh (1:8.1p1-1) unstable; urgency=medium
 
 OpenSSH 8.1 includes a number of changes that may affect existing
 configurations:
@@ -9,7 +9,7 @@
 OpenSSH versions prior to 7.2 unless the default is overridden (using
 "ssh-keygen -t ssh-rsa -s ...").
 
- -- Colin Watson Wed, 09 Oct 2019 23:18:42 +0100
+ -- Colin Watson Thu, 10 Oct 2019 10:23:19 +0100
 
 openssh (1:8.0p1-1) experimental; urgency=medium
 
diff -Nru openssh-8.1p1/debian/patches/conch-old-privkey-format.patch openssh-8.1p1/debian/patches/conch-old-privkey-format.patch
--- openssh-8.1p1/debian/patches/conch-old-privkey-format.patch 2019-10-10 09:23:19.000000000 +0000
+++ openssh-8.1p1/debian/patches/conch-old-privkey-format.patch 2020-01-11 23:55:03.000000000 +0000
@@ -1,4 +1,4 @@
-From 46352085d71fe406537828a1cee3c2ce896eccb9 Mon Sep 17 00:00:00 2001
+From bbce4380e516e8bfed1ae09af0bc3661e427794a Mon Sep 17 00:00:00 2001
 From: Colin Watson
 Date: Thu, 30 Aug 2018 00:58:56 +0100
 Subject: Work around conch interoperability failure
diff -Nru openssh-8.1p1/debian/patches/regress-2020.patch openssh-8.1p1/debian/patches/regress-2020.patch
--- openssh-8.1p1/debian/patches/regress-2020.patch 1970-01-01 00:00:00.000000000 +0000
+++ openssh-8.1p1/debian/patches/regress-2020.patch 2020-01-11 23:55:03.000000000 +0000
@@ -0,0 +1,44 @@
+From df3ad29af495185aa9b051028ae94b965a4b1659 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org"
+Date: Fri, 3 Jan 2020 03:02:26 +0000
+Subject: upstream: what bozo decided to use 2020 as a future date in a regress
+
+test?
+
+OpenBSD-Regress-ID: 3b953df5a7e14081ff6cf495d4e8d40e153cbc3a
+
+Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=ff31f15773ee173502eec4d7861ec56f26bba381
+Last-Update: 2020-01-09
+
+Patch-Name: regress-2020.patch
+---
+ regress/cert-hostkey.sh | 2 +-
+ regress/cert-userkey.sh | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/regress/cert-hostkey.sh b/regress/cert-hostkey.sh
+index 86ea62504..844adabcc 100644
+--- a/regress/cert-hostkey.sh
++++ b/regress/cert-hostkey.sh
+@@ -252,7 +252,7 @@ test_one() {
+ test_one "user-certificate" failure "-n $HOSTS"
+ test_one "empty principals" success "-h"
+ test_one "wrong principals" failure "-h -n foo"
+-test_one "cert not yet valid" failure "-h -V20200101:20300101"
++test_one "cert not yet valid" failure "-h -V20300101:20320101"
+ test_one "cert expired" failure "-h -V19800101:19900101"
+ test_one "cert valid interval" success "-h -V-1w:+2w"
+ test_one "cert has constraints" failure "-h -Oforce-command=false"
+diff --git a/regress/cert-userkey.sh b/regress/cert-userkey.sh
+index 38c14a698..5cd02fc3f 100644
+--- a/regress/cert-userkey.sh
++++ b/regress/cert-userkey.sh
+@@ -338,7 +338,7 @@ test_one() {
+ test_one "correct principal" success "-n ${USER}"
+ test_one "host-certificate" failure "-n ${USER} -h"
+ test_one "wrong principals" failure "-n foo"
+-test_one "cert not yet valid" failure "-n ${USER} -V20200101:20300101"
++test_one "cert not yet valid" failure "-n ${USER} -V20300101:20320101"
+ test_one "cert expired" failure "-n ${USER} -V19800101:19900101"
+ test_one "cert valid interval" success "-n ${USER} -V-1w:+2w"
+ test_one "wrong source-address" failure "-n ${USER} -Osource-address=10.0.0.0/8"
diff -Nru
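Review bot: The replacement window `-V20300101:20320101` in both cert-hostkey.sh and cert-userkey.sh is again an absolute date, so the "cert not yet valid" case will start failing the same way in 2030 that it did in 2020. The neighbouring "cert valid interval" case already uses relative offsets (`-V-1w:+2w`), so a relative future window such as `test_one "cert not yet valid" failure "-h -V+1w:+2w"` (and the `-n ${USER}` variant) would make the case independent of the calendar. Since this is a Debian copy of an upstream commit, that change belongs upstream rather than in this patch. The `test_one` helper these lines call is outside the hunk.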
openssh-8.1p1/debian/patches/revert-ipqos-defaults.patch openssh-8.1p1/debian/patches/revert-ipqos-defaults.patch
--- openssh-8.1p1/debian/patches/revert-ipqos-defaults.patch 2019-10-10 09:23:19.000000000 +0000
+++ openssh-8.1p1/debian/patches/revert-ipqos-defaults.patch 2020-01-11 23:55:03.000000000 +0000
@@ -1,4 +1,4 @@
-From 660f35293504f04d744d2d6ab6276a83fff305a3 Mon Sep 17 00:00:00 2001
+From cfa01c635debb10e05f5ac34d269809c77c582dc Mon Sep 17 00:00:00 2001
 From: Colin Watson
 Date: Mon, 8 Apr 2019 10:46:29 +0100
 Subject: Revert "upstream: Update default IPQoS in ssh(1), sshd(8) to DSCP
diff -Nru openssh-8.1p1/debian/patches/sandbox-seccomp-clock_gettime64.patch openssh-8.1p1/debian/patches/sandbox-seccomp-clock_gettime64.patch
--- openssh-8.1p1/debian/patches/sandbox-seccomp-clock_gettime64.patch 1970-01-01 00:00:00.000000000 +0000
+++ openssh-8.1p1/debian/patches/sandbox-seccomp-clock_gettime64.patch 2020-01-11 23:55:03.000000000 +0000
@@ -0,0 +1,30 @@
+From 93e9440bae1818746e0cc7f2543001db9d0ea1ea Mon Sep 17 00:00:00 2001
+From: Khem Raj
+Date: Tue, 7 Jan 2020 16:26:45 -0800
+Subject: seccomp: Allow clock_gettime64() in sandbox.
+
+This helps sshd accept connections on mips platforms with
+upcoming glibc ( 2.31 )
+
+Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=b110cefdfbf5a20f49b774a55062d6ded2fb6e22
+Last-Update: 2020-01-11
+
+Patch-Name: sandbox-seccomp-clock_gettime64.patch
+---
+ sandbox-seccomp-filter.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
+index 3ef30c9d5..999c46c9f 100644
+--- a/sandbox-seccomp-filter.c
++++ b/sandbox-seccomp-filter.c
+@@ -248,6 +248,9 @@ static const struct sock_filter preauth_insns[] = {
+ #ifdef __NR_clock_nanosleep_time64
+ SC_ALLOW(__NR_clock_nanosleep_time64),
+ #endif
++#ifdef __NR_clock_gettime64
++ SC_ALLOW(__NR_clock_gettime64),
++#endif
+ #ifdef __NR__newselect
+ SC_ALLOW(__NR__newselect),
+ #endif
diff -Nru openssh-8.1p1/debian/patches/sandbox-seccomp-clock_nanosleep.patch openssh-8.1p1/debian/patches/sandbox-seccomp-clock_nanosleep.patch
--- openssh-8.1p1/debian/patches/sandbox-seccomp-clock_nanosleep.patch 1970-01-01 00:00:00.000000000 +0000
+++ openssh-8.1p1/debian/patches/sandbox-seccomp-clock_nanosleep.patch 2020-01-11 23:55:03.000000000 +0000
@@ -0,0 +1,31 @@
+From c80d266f4aed7224261b192b8e31ac87dc070cba Mon Sep 17 00:00:00 2001
+From: Darren Tucker
+Date: Wed, 13 Nov 2019 23:19:35 +1100
+Subject: seccomp: Allow clock_nanosleep() in sandbox.
+
+seccomp: Allow clock_nanosleep() to make OpenSSH working with latest
+glibc. Patch from Jakub Jelen via bz #3093.
+
+Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=b1c82f4b8adf3f42476d8a1f292df33fb7aa1a56
+Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=546274a6f89489d2e6be8a8b62f2bb63c87a61fd
+Last-Update: 2020-01-11
+
+Patch-Name: sandbox-seccomp-clock_nanosleep.patch
+---
+ sandbox-seccomp-filter.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
+index b5cda70bb..be2397671 100644
+--- a/sandbox-seccomp-filter.c
++++ b/sandbox-seccomp-filter.c
+@@ -242,6 +242,9 @@ static const struct sock_filter preauth_insns[] = {
+ #ifdef __NR_nanosleep
+ SC_ALLOW(__NR_nanosleep),
+ #endif
++#ifdef __NR_clock_nanosleep
++ SC_ALLOW(__NR_clock_nanosleep),
++#endif
+ #ifdef __NR__newselect
+ SC_ALLOW(__NR__newselect),
+ #endif
diff -Nru openssh-8.1p1/debian/patches/sandbox-seccomp-clock_nanosleep_time64.patch openssh-8.1p1/debian/patches/sandbox-seccomp-clock_nanosleep_time64.patch
--- openssh-8.1p1/debian/patches/sandbox-seccomp-clock_nanosleep_time64.patch 1970-01-01 00:00:00.000000000 +0000
+++ openssh-8.1p1/debian/patches/sandbox-seccomp-clock_nanosleep_time64.patch 2020-01-11 23:55:03.000000000 +0000
@@ -0,0 +1,29 @@
+From c80c5e338c19964755f277b54b390016f5c829a4 Mon Sep 17 00:00:00 2001
+From: Darren Tucker
+Date: Mon, 16 Dec 2019 13:55:56 +1100
+Subject: Allow clock_nanosleep_time64 in seccomp sandbox.
+
+Needed on Linux ARM. bz#3100, patch from jjelen@redhat.com.
+
+Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=5af6fd5461bb709304e6979c8b7856c7af921c9e
+Last-Update: 2020-01-11
+
+Patch-Name: sandbox-seccomp-clock_nanosleep_time64.patch
+---
+ sandbox-seccomp-filter.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
+index be2397671..3ef30c9d5 100644
+--- a/sandbox-seccomp-filter.c
++++ b/sandbox-seccomp-filter.c
+@@ -245,6 +245,9 @@ static const struct sock_filter preauth_insns[] = {
+ #ifdef __NR_clock_nanosleep
+ SC_ALLOW(__NR_clock_nanosleep),
+ #endif
++#ifdef __NR_clock_nanosleep_time64
++ SC_ALLOW(__NR_clock_nanosleep_time64),
++#endif
+ #ifdef __NR__newselect
+ SC_ALLOW(__NR__newselect),
+ #endif
diff -Nru openssh-8.1p1/debian/patches/sandbox-seccomp-ipc.patch openssh-8.1p1/debian/patches/sandbox-seccomp-ipc.patch
--- openssh-8.1p1/debian/patches/sandbox-seccomp-ipc.patch 1970-01-01 00:00:00.000000000 +0000
+++ openssh-8.1p1/debian/patches/sandbox-seccomp-ipc.patch 2020-01-11 23:55:03.000000000 +0000
@@ -0,0 +1,33 @@
+From 489e04f2c23327dd95981327d8757144a4e574af Mon Sep 17 00:00:00 2001
+From: Jeremy Drake
+Date: Fri, 11 Oct 2019 18:31:05 -0700
+Subject: Deny (non-fatal) ipc in preauth privsep child.
+
+As noted in openssh/openssh-portable#149, i386 does not have have
+_NR_shmget etc. Instead, it has a single ipc syscall (see man 2 ipc,
+https://linux.die.net/man/2/ipc). Add this syscall, if present, to the
+list of syscalls that seccomp will deny non-fatally.
+
+Bug-Debian: https://bugs.debian.org/946242
+Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=30f704ebc0e9e32b3d12f5d9e8c1b705fdde2c89
+Last-Update: 2020-01-11
+
+Patch-Name: sandbox-seccomp-ipc.patch
+---
+ sandbox-seccomp-filter.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
+index 999c46c9f..0914e48ba 100644
+--- a/sandbox-seccomp-filter.c
++++ b/sandbox-seccomp-filter.c
+@@ -177,6 +177,9 @@ static const struct sock_filter preauth_insns[] = {
+ #ifdef __NR_shmdt
+ SC_DENY(__NR_shmdt, EACCES),
+ #endif
++#ifdef __NR_ipc
++ SC_DENY(__NR_ipc, EACCES),
++#endif
+
+ /* Syscalls to permit */
+ #ifdef __NR_brk
diff -Nru openssh-8.1p1/debian/patches/seccomp-s390-flock-ipc.patch openssh-8.1p1/debian/patches/seccomp-s390-flock-ipc.patch
--- openssh-8.1p1/debian/patches/seccomp-s390-flock-ipc.patch 2019-10-10 09:23:19.000000000 +0000
+++ openssh-8.1p1/debian/patches/seccomp-s390-flock-ipc.patch 1970-01-01 00:00:00.000000000 +0000
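Review bot: The new `SC_DENY(__NR_ipc, EACCES)` entry has no inline comment, so the reason it is a deny rather than an allow — that on i386 the single `ipc(2)` syscall stands in for the `shm*` calls denied directly above it — is only recoverable from the patch header. A one-line comment above the `#ifdef`, such as `/* i386 has no __NR_shm*: ipc(2) multiplexes them, so deny it like the shm* entries above */`, would keep that rationale next to the filter rule. Returning EACCES instead of killing the process matches the adjacent `shmdt` entry and is the safe counterpart of the dropped `seccomp-s390-flock-ipc.patch`, which `SC_ALLOW`ed `__NR_ipc` outright. The `preauth_insns` array this sits in starts and ends outside the hunk.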
@@ -1,47 +0,0 @@
-From cfc30ca51eba79f9f725c22528e3bfec036aa927 Mon Sep 17 00:00:00 2001
-From: Eduardo Barretto
-Date: Tue, 9 May 2017 10:53:04 -0300
-Subject: Allow flock and ipc syscall for s390 architecture
-
-In order to use the OpenSSL-ibmpkcs11 engine it is needed to allow flock
-and ipc calls, because this engine calls OpenCryptoki (a PKCS#11
-implementation) which calls the libraries that will communicate with the
-crypto cards. OpenCryptoki makes use of flock and ipc and, as of now,
-this is only need on s390 architecture.
-
-Signed-off-by: Eduardo Barretto
-
-Origin: other, https://bugzilla.mindrot.org/show_bug.cgi?id=2752
-Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=2752
-Bug-Ubuntu: https://bugs.launchpad.net/bugs/1686618
-Last-Update: 2018-10-19
-
-Patch-Name: seccomp-s390-flock-ipc.patch
----
- sandbox-seccomp-filter.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
-index b5cda70bb..2f6b0d55b 100644
---- a/sandbox-seccomp-filter.c
-+++ b/sandbox-seccomp-filter.c
-@@ -194,6 +194,9 @@ static const struct sock_filter preauth_insns[] = {
- #ifdef __NR_exit_group
- SC_ALLOW(__NR_exit_group),
- #endif
-+#if defined(__NR_flock) && defined(__s390__)
-+ SC_ALLOW(__NR_flock),
-+#endif
- #ifdef __NR_futex
- SC_ALLOW(__NR_futex),
- #endif
-@@ -221,6 +224,9 @@ static const struct sock_filter preauth_insns[] = {
- #ifdef __NR_getuid32
- SC_ALLOW(__NR_getuid32),
- #endif
-+#if defined(__NR_ipc) && defined(__s390__)
-+ SC_ALLOW(__NR_ipc),
-+#endif
- #ifdef __NR_madvise
- SC_ALLOW(__NR_madvise),
- #endif
diff -Nru openssh-8.1p1/debian/patches/series openssh-8.1p1/debian/patches/series
--- openssh-8.1p1/debian/patches/series 2019-10-10 09:23:19.000000000 +0000
+++ openssh-8.1p1/debian/patches/series 2020-01-11 23:55:03.000000000 +0000
@@ -21,6 +21,10 @@
 systemd-readiness.patch
 debian-config.patch
 restore-authorized_keys2.patch
-seccomp-s390-flock-ipc.patch
 conch-old-privkey-format.patch
 revert-ipqos-defaults.patch
+regress-2020.patch
+sandbox-seccomp-clock_nanosleep.patch
+sandbox-seccomp-clock_nanosleep_time64.patch
+sandbox-seccomp-clock_gettime64.patch
+sandbox-seccomp-ipc.patch
diff -Nru openssh-8.1p1/debian/rules openssh-8.1p1/debian/rules
--- openssh-8.1p1/debian/rules 2019-10-10 09:23:19.000000000 +0000
+++ openssh-8.1p1/debian/rules 2020-01-11 23:55:03.000000000 +0000
@@ -100,8 +100,12 @@
 confflags += --with-ldflags='$(strip -Wl,--as-needed $(LDFLAGS))'
 confflags_udeb += --with-ldflags='-Wl,--as-needed'
 
+ifeq ($(shell dpkg-vendor --is Ubuntu && echo yes) $(DEB_HOST_ARCH), yes i386)
+ BUILD_PACKAGES += -Nopenssh-tests
+endif
+
 %:
- dh $@ --with=autoreconf,systemd,runit
+ dh $@ --with=autoreconf,systemd,runit $(BUILD_PACKAGES)
 
 autoreconf:
 autoreconf -f -i
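Review bot: `BUILD_PACKAGES` is only ever appended to inside the `ifeq`, so on every build that is not Ubuntu i386 the `$(BUILD_PACKAGES)` on the `dh` line expands an undefined variable; that works because an undefined variable expands to empty, but it trips `--warn-undefined-variables` and leaves the intent implicit, so an explicit `BUILD_PACKAGES :=` before the `ifeq` would be clearer. The condition also relies on `DEB_HOST_ARCH` already being set earlier in debian/rules, presumably via dpkg-architecture; that definition is outside the hunk. The `$(shell dpkg-vendor --is Ubuntu && echo yes)` runs once at parse time, which is appropriate inside an `ifeq`, and a failed `dpkg-vendor` simply yields an empty value so the comparison falls through to the default.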