diff -Nru shadow-4.2/debian/changelog shadow-4.2/debian/changelog --- shadow-4.2/debian/changelog 2019-03-22 18:57:50.000000000 +0000 +++ shadow-4.2/debian/changelog 2019-03-25 11:54:43.000000000 +0000 @@ -1,9 +1,23 @@ -shadow (1:4.2-3.1ubuntu5.4) xenial; urgency=medium +shadow (1:4.2-3.1ubuntu5.4+ppa1) xenial; urgency=medium + + * no change upload to help slightly confused PPA that + think 1:4.2-3.1ubuntu5.4 is in the PPA (but that + one got deleted from the PPA) + + -- Michael Vogt Mon, 25 Mar 2019 12:54:43 +0100 + +shadow (1:4.2-3.1ubuntu5.3+ppa2) xenial; urgency=medium * debian/patches/1013_extrausers_deluser.patch - add --extrausers option to "userdel" (LP: #1659534) - -- Michael Vogt Fri, 22 Mar 2019 19:57:50 +0100 + -- Michael Vogt Fri, 22 Mar 2019 20:15:35 +0100 + +shadow (1:4.2-3.1ubuntu5.3+ppa1) xenial; urgency=medium + + * sync with the archive + + -- Michael Vogt Wed, 17 May 2017 08:39:31 +0200 shadow (1:4.2-3.1ubuntu5.3) xenial-security; urgency=medium @@ -28,6 +42,18 @@ -- Seth Arnold Thu, 04 May 2017 01:00:19 -0700 +shadow (1:4.2-3.1ubuntu5.1~ppa2) xenial; urgency=medium + + * fix "su -l" to honor /etc/environment (LP: #984390) + + -- Michael Vogt Tue, 31 Jan 2017 07:53:23 +0100 + +shadow (1:4.2-3.1ubuntu5.1~ppa1) xenial; urgency=medium + + * add support for "chfn --extrausers" + + -- Michael Vogt Wed, 22 Jun 2016 16:35:00 +0200 + shadow (1:4.2-3.1ubuntu5) xenial; urgency=medium * debian/patches/1010_extrausers.patch: diff -Nru shadow-4.2/debian/patches/1012_extrausers_chfn.patch shadow-4.2/debian/patches/1012_extrausers_chfn.patch --- shadow-4.2/debian/patches/1012_extrausers_chfn.patch 1970-01-01 00:00:00.000000000 +0000 +++ shadow-4.2/debian/patches/1012_extrausers_chfn.patch 2016-06-22 14:34:44.000000000 +0000 
@@ -0,0 +1,64 @@
+Description: add support for --extrausers for chfn
+ This add support for --extrausers to the chfn tool.
+Author: Michael Vogt
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1495580
+
+--- shadow-4.2.orig/src/chfn.c
++++ shadow-4.2/src/chfn.c
+@@ -74,6 +74,11 @@ static bool hflg = false; /* -h - set h
+ static bool oflg = false; /* -o - set other information */
+ static bool pw_locked = false;
+
++#ifndef EXTRAUSERS_OPT
++#define EXTRAUSERS_OPT 100000
++#endif
++static bool use_extrausers = false;
++
+ /*
+ * External identifiers
+ */
+@@ -126,6 +131,7 @@ static /*@noreturn@*/void usage (int sta
+ (void) fputs (_(" -R, --root CHROOT_DIR directory to chroot into\n"), usageout);
+ (void) fputs (_(" -u, --help display this help message and exit\n"), usageout);
+ (void) fputs (_(" -w, --work-phone WORK_PHONE change user's office phone number\n"), usageout);
++ (void) fputs (_(" --extrausers Use the extra users database\n"), usageout);
+ (void) fputs ("\n", usageout);
+ exit (status);
+ }
+@@ -276,6 +282,7 @@ static void process_flags (int argc, cha
+ {"root", required_argument, NULL, 'R'},
+ {"help", no_argument, NULL, 'u'},
+ {"work-phone", required_argument, NULL, 'w'},
++ {"extrausers", no_argument, NULL, EXTRAUSERS_OPT},
+ {NULL, 0, NULL, '\0'}
+ };
+
+@@ -289,6 +296,9 @@ static void process_flags (int argc, cha
+ while ((c = getopt_long (argc, argv, "f:h:o:r:R:uw:",
+ long_options, NULL)) != -1) {
+ switch (c) {
++ case EXTRAUSERS_OPT:
++ use_extrausers = true;
++ break;
+ case 'f':
+ if (!may_change_field ('f')) {
+ fprintf (stderr,
+@@ -657,6 +667,18 @@ int main (int argc, char **argv)
+ /* parse the command line options */
+ process_flags (argc, argv);
+
++ if (use_extrausers) {
++ pw_setdbname (EXTRAUSERS_PASSWD_FILE);
++ spw_setdbname (EXTRAUSERS_SHADOW_FILE);
++ gr_setdbname (EXTRAUSERS_GROUP_FILE);
++ /* TODO expose this information in other tools */
++ sub_uid_setdbname(EXTRAUSERS_SUBUID_FILE);
++ sub_gid_setdbname(EXTRAUSERS_SUBGID_FILE);
++#ifdef SHADOWGRP
++ sgr_setdbname (EXTRAUSERS_SHADOWGROUP_FILE);
++#endif
++ }
++
+ /*
+ * Get the name of the user to check. It is either the command line
+ * name, or the name getlogin() returns.
diff -Nru shadow-4.2/debian/patches/2000_fix-su-pam-env-handling shadow-4.2/debian/patches/2000_fix-su-pam-env-handling
--- shadow-4.2/debian/patches/2000_fix-su-pam-env-handling 1970-01-01 00:00:00.000000000 +0000
+++ shadow-4.2/debian/patches/2000_fix-su-pam-env-handling 2017-01-31 06:53:23.000000000 +0000
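Review bot: In the `main` hunk of the embedded `src/chfn.c` patch (`1012_extrausers_chfn.patch`), `--extrausers` redirects the shadow, group, subuid, subgid and shadow-group databases as well as passwd, and carries a `/* TODO expose this information in other tools */` comment that reads as copied from another tool. Nothing visible in this patch shows chfn touching anything but the passwd entry, so for a binary that is commonly installed setuid I would keep only `pw_setdbname (EXTRAUSERS_PASSWD_FILE);` and document it with `/* --extrausers: chfn rewrites only the passwd entry, taken from the extrausers file */`. The flag is accepted in `process_flags` with no privilege check, and the user lookup and permission checks that follow are outside the hunk, so please confirm that the entry being authorised and the entry being rewritten are the same record when the flag is set.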
@@ -0,0 +1,45 @@
+Description: Fix "su -l" to correctly use pam_getenvlist
+ When "su -l" is used the behaviour should be similar to a direct
+ login. However login.c is doing a setup_env(pw) and then a
+ pam_getenvlist() in this scenario. But su.c is doing it the other
+ way around. Which means that the values from /etc/environment are
+ overriden. This is a bug because:
+ .
+ a) the man-page claims that "-l": "provides an environment similar
+ to what the user would expect had the user logged in directly."
+ And login.c is using the values from /etc/environment
+ b) The "OneTruePath" spec claims that there should be one place to
+ set PATH (https://wiki.ubuntu.com/OneTruePath) and that should
+ be /etc/environment. But su.c is currently not honoring it.
+Author: Michael Vogt
+
+---
+The information above should follow the Patch Tagging Guidelines, please
+checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here
+are templates for supplementary fields that you might want to add:
+
+Origin: vendor
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/shadow/+bug/984390
+Last-Update: 2017-01-30
+
+--- shadow-4.2.orig/src/su.c
++++ shadow-4.2/src/su.c
+@@ -933,6 +933,18 @@ static void set_environment (struct pass
+ pw->pw_shell = xstrdup (shellstr);
+ }
+ setup_env (pw);
++ // FIXME: merge with the pam_getenvlist above
++#ifdef USE_PAM
++ {
++ const char *const *env;
++
++ env = (const char *const *) pam_getenvlist (pamh);
++ while ((NULL != env) && (NULL != *env)) {
++ addenv (*env, NULL);
++ env++;
++ }
++ }
++#endif
+ } else {
+ addenv ("HOME", pw->pw_dir);
+ addenv ("USER", pw->pw_name);
diff -Nru shadow-4.2/debian/patches/series shadow-4.2/debian/patches/series
--- shadow-4.2/debian/patches/series 2019-03-22 18:57:09.000000000 +0000
+++ shadow-4.2/debian/patches/series 2019-03-22 19:15:20.000000000 +0000
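Review bot: The loop added after `setup_env (pw)` in `set_environment` (embedded `src/su.c` patch, `2000_fix-su-pam-env-handling`) lets every variable returned by `pam_getenvlist` take precedence over what `setup_env` just established, not only the `PATH` from /etc/environment that the description argues for. I would state that precedence in place of the open `// FIXME`, e.g. `/* PAM environment is applied last on purpose so that /etc/environment wins, as in login.c */`, and resolve the duplicate `pam_getenvlist` call the FIXME refers to before this ships. The list returned by `pam_getenvlist` is also never freed here; that is probably harmless on this path, but it deserves a comment saying so. The enclosing function starts and ends outside the hunk.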
@@ -40,6 +40,10 @@ 1011_extrausers_toggle.patch 1013_extrausers_deluser.patch 1021_no_subuids_for_system_users.patch -CVE-2017-2616.patch +1012_extrausers_chfn.patch + +2000_fix-su-pam-env-handling + CVE-2016-6252.patch +CVE-2017-2616.patch CVE-2017-2616-regression.patch
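Review bot: As I read this hunk, `CVE-2017-2616.patch` moves from before `CVE-2016-6252.patch` to after it, and two feature patches are inserted ahead of all three CVE patches, yet none of the changelog entries in this diff mentions the reorder. The security patches are now applied on top of locally modified sources, so please confirm they still apply without fuzz (in particular if any of them touches `src/su.c`, which `2000_fix-su-pam-env-handling` changes) and record the new order in the changelog.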