diff -Nru shadow-4.2/debian/changelog shadow-4.2/debian/changelog
--- shadow-4.2/debian/changelog	2017-05-04 08:00:25.000000000 +0000
+++ shadow-4.2/debian/changelog	2017-05-16 05:27:49.000000000 +0000
@@ -1,3 +1,13 @@
+shadow (1:4.2-3.1ubuntu5.3) xenial-security; urgency=medium
+
+  * REGRESSION UPDATE: The patch for CVE-2017-2616 introduced a regression.
+    If su received a signal like SIGTERM it wasn't propagated to the child.
+    - debian/patches/CVE-2017-2616-regression.patch: Do not reset the
+      pid_child to 0 if the child process is still running.
+    Thanks to Tobias Stoeckmann for the fix and Radu Duta for the report.
+
+ -- Seth Arnold <seth.arnold@canonical.com>  Mon, 15 May 2017 19:26:55 -0700
+
 shadow (1:4.2-3.1ubuntu5.2) xenial-security; urgency=medium
 
   * SECURITY UPDATE: su could be used to kill arbitrary processes.
diff -Nru shadow-4.2/debian/patches/CVE-2017-2616-regression.patch shadow-4.2/debian/patches/CVE-2017-2616-regression.patch
--- shadow-4.2/debian/patches/CVE-2017-2616-regression.patch	1970-01-01 00:00:00.000000000 +0000
+++ shadow-4.2/debian/patches/CVE-2017-2616-regression.patch	2017-05-16 02:11:14.000000000 +0000
@@ -0,0 +1,31 @@
+From 7d82f203eeec881c584b2fa06539b39e82985d97 Mon Sep 17 00:00:00 2001
+From: Tobias Stoeckmann <tobias@stoeckmann.org>
+Date: Sun, 14 May 2017 17:58:10 +0200
+Subject: [PATCH] Reset pid_child only if waitpid was successful.
+
+Do not reset the pid_child to 0 if the child process is still
+running. This else-condition can be reached with pid being -1,
+therefore explicitly test this condition.
+
+This is a regression fix for CVE-2017-2616. If su receives a
+signal like SIGTERM, it is not propagated to the child.
+
+Reported-by: Radu Duta <raduduta@gmail.com>
+Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
+---
+ src/su.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: b/src/su.c
+===================================================================
+--- a/src/su.c
++++ b/src/su.c
+@@ -376,7 +376,7 @@
+ 				/* wake child when resumed */
+ 				kill (pid, SIGCONT);
+ 				stop = false;
+-			} else {
++			} else if (   (pid_t)-1 != pid) {
+ 				pid_child = 0;
+ 			}
+ 		} while (!stop);
diff -Nru shadow-4.2/debian/patches/series shadow-4.2/debian/patches/series
--- shadow-4.2/debian/patches/series	2017-03-10 02:12:48.000000000 +0000
+++ shadow-4.2/debian/patches/series	2017-05-16 02:11:05.000000000 +0000
@@ -41,3 +41,4 @@
 1021_no_subuids_for_system_users.patch
 CVE-2017-2616.patch
 CVE-2016-6252.patch
+CVE-2017-2616-regression.patch