diff -Nru libexif-0.6.21/debian/changelog libexif-0.6.21/debian/changelog
--- libexif-0.6.21/debian/changelog	2014-08-25 05:34:56.000000000 +1000
+++ libexif-0.6.21/debian/changelog	2017-10-03 21:59:35.000000000 +1100
@@ -1,3 +1,32 @@
+libexif (0.6.21-2.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * debhelper update:
+    - Update package compatibility to level 10.
+  * debian/control:
+    - Bump debhelper build-dep to >= 10~.
+    - Remove dh-autoreconf from the Build-Depends list, as debhelper
+      enables the 'autoreconf' sequence by default.
+    - Bump Standards-Version from 3.9.5 to 4.1.1.
+    - Use the https protocol in the Vcs-Browser field.
+    - Update the URI referenced by the Vcs-Git field.
+    - Mark libexif-dev Multi-Arch: same (Closes: #786562).
+  * debian/copyright:
+    - Update the format specification URI.
+    - Remove references to libjpeg/* and configure.in (lintian).
+  * debian/patches:
+    - Add upstream patches to fix CVE-2016-6328 and CVE-2017-7544 
+      (thanks to Marcus Meissner) (Closes: #873022, #876466).
+  * debian/rules:
+    - Add 'hardening=+all' to DEB_BUILD_MAINT_OPTIONS.
+    - Exclude doxygen md5 files from installation (lintian).
+    - Remove '--with autoreconf' (now handled by debhelper level 10).
+    - Fix grammatical errors in a comment.
+  * debian/source/lintian-overrides:
+    - Override 'unused-file-paragraph-in-dep5-copyright' warnings.
+
+ -- Hugh McMaster <hugh.mcmaster@outlook.com>  Tue, 03 Oct 2017 22:00:00 +1100
+
 libexif (0.6.21-2) unstable; urgency=medium
 
   * Use autoreconf instead of autotools-dev (Closes: #754399)
diff -Nru libexif-0.6.21/debian/compat libexif-0.6.21/debian/compat
--- libexif-0.6.21/debian/compat	2012-01-24 19:35:06.000000000 +1100
+++ libexif-0.6.21/debian/compat	2017-10-02 22:07:22.000000000 +1100
@@ -1 +1 @@
-9
+10
diff -Nru libexif-0.6.21/debian/control libexif-0.6.21/debian/control
--- libexif-0.6.21/debian/control	2014-08-25 05:34:39.000000000 +1000
+++ libexif-0.6.21/debian/control	2017-10-03 12:56:17.000000000 +1100
@@ -4,19 +4,20 @@
 Maintainer: Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>
 Uploaders: Emmanuel Bouthenot <kolter@debian.org>, Frederic Peters <fpeters@debian.org>
 Build-Depends:
-    debhelper (>= 9),
-    dh-autoreconf,
+    debhelper (>= 10~),
     doxygen,
     graphviz
-Standards-Version: 3.9.5
+Standards-Version: 4.1.1
 Homepage: http://libexif.sourceforge.net/
-Vcs-Browser: http://anonscm.debian.org/gitweb/?p=pkg-phototools/libexif.git
-Vcs-Git: git://anonscm.debian.org/pkg-phototools/libexif.git
+Vcs-Browser: https://anonscm.debian.org/gitweb/?p=pkg-phototools/libexif.git
+Vcs-Git: https://alioth.debian.org/anonscm/git/pkg-phototools/libexif.git
 
 Package: libexif-dev
 Section: libdevel
 Architecture: any
+Multi-Arch: same
 Depends: libc6-dev, ${misc:Depends}, libexif12 (= ${binary:Version}), libjs-jquery
+Replaces: libexif-dev (<= 0.6.21-2)
 Description: library to parse EXIF files (development files)
  Most digital cameras produce EXIF files, which are JPEG files with
  extra tags that contain information about the image. The EXIF library
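Review bot: The added `Replaces: libexif-dev (<= 0.6.21-2)` sits in the libexif-dev stanza itself, so the package declares that it replaces its own older versions. dpkg already lets a package overwrite its own files on upgrade, and Replaces is meant for files taken over from a different package, so the field appears to have no effect. The next hunk adds `Replaces: libexif12 (<= 0.6.21-2)` to what looks like the libexif12 stanza (its Package line is outside the hunk), with the same concern. Neither field is mentioned in the debian/control section of the changelog entry. If no file actually moved between binary packages, I would drop both lines; if one did, name the other package and add `Breaks:` alongside.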
@@ -29,6 +30,7 @@
 Multi-Arch: same
 Pre-Depends: ${misc:Pre-Depends}
 Depends: ${shlibs:Depends}, ${misc:Depends}
+Replaces: libexif12 (<= 0.6.21-2)
 Description: library to parse EXIF files
  Most digital cameras produce EXIF files, which are JPEG files with
  extra tags that contain information about the image. The EXIF library
diff -Nru libexif-0.6.21/debian/copyright libexif-0.6.21/debian/copyright
--- libexif-0.6.21/debian/copyright	2012-01-24 19:35:06.000000000 +1100
+++ libexif-0.6.21/debian/copyright	2017-10-03 21:49:44.000000000 +1100
@@ -1,4 +1,4 @@
-Format: http://svn.debian.org/wsvn/dep/web/deps/dep5.mdwn?op=file&rev=174
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
 Upstream-Name: libexif
 Upstream-Contact: Dan Fandrich <dan@coneharvesters.com>,
                   Lutz Müller <urc8@rz.uni-karlsruhe.de>
@@ -44,11 +44,6 @@
            2004, Angela Wrobel
 License: LGPL-2.1+
 
-Files: libjpeg/jpeg-data.c
-Copyright: 2002, Basil Dias <basil.dias@wipro.com>
-           2003, Ralph Heidelberg <RHeidelberg@Pinnaclesys.com>
-License: LGPL-2.1+
-
 Files: libexif/exif-tag.c
 Copyright: 2002, Javier Achirica <achirica@ttd.net>
            2003, Gernot Jander <gernot@bigpond.com>
@@ -71,7 +66,7 @@
 Copyright: 2002, Javier Achirica <achirica@ttd.net>
 License: LGPL-2.1+
 
-Files: libexif.spec.in configure.in Makefile.am
+Files: libexif.spec.in Makefile.am
 Copyright: 2002, Mark Pulford <mark@kyne.com.au>
 License: LGPL-2.1+
 
@@ -97,10 +92,6 @@
 Copyright: 2003, Peter Bieringer <pb@bieringer.de>
 License: LGPL-2.1+
 
-Files: libjpeg/jpeg-marker.h
-Copyright: 2004, Antonio Scuri <scuri@tecgraf.puc-rio.br>
-License: LGPL-2.1+
-
 Files: po/nl.po
 Copyright: 2008-2010, Erwin Poeze
 License: LGPL-2.1+
diff -Nru libexif-0.6.21/debian/patches/cve-2016-6328.patch libexif-0.6.21/debian/patches/cve-2016-6328.patch
--- libexif-0.6.21/debian/patches/cve-2016-6328.patch	1970-01-01 10:00:00.000000000 +1000
+++ libexif-0.6.21/debian/patches/cve-2016-6328.patch	2017-10-03 21:57:30.000000000 +1100
@@ -0,0 +1,53 @@
+Description: Fixes an integer overflow while parsing the MNOTE entry data of the input file (CVE-2016-6328)
+Author: Marcus Meissner <marcus@jet.franken.de>
+Bug-Debian: http://bugs.debian.org/873022
+Last-Update: 2017-07-25
+
+Index: libexif-0.6.21/libexif/pentax/mnote-pentax-entry.c
+===================================================================
+--- libexif-0.6.21.orig/libexif/pentax/mnote-pentax-entry.c
++++ libexif-0.6.21/libexif/pentax/mnote-pentax-entry.c
+@@ -425,24 +425,34 @@ mnote_pentax_entry_get_value (MnotePenta
+ 		case EXIF_FORMAT_SHORT:
+ 		  {
+ 			const unsigned char *data = entry->data;
+-		  	size_t k, len = strlen(val);
++		  	size_t k, len = strlen(val), sizeleft;
++
++			sizeleft = entry->size;
+ 		  	for(k=0; k<entry->components; k++) {
++				if (sizeleft < 2)
++					break;
+ 				vs = exif_get_short (data, entry->order);
+ 				snprintf (val+len, maxlen-len, "%i ", vs);
+ 				len = strlen(val);
+ 				data += 2;
++				sizeleft -= 2;
+ 			}
+ 		  }
+ 		  break;
+ 		case EXIF_FORMAT_LONG:
+ 		  {
+ 			const unsigned char *data = entry->data;
+-		  	size_t k, len = strlen(val);
++		  	size_t k, len = strlen(val), sizeleft;
++
++			sizeleft = entry->size;
+ 		  	for(k=0; k<entry->components; k++) {
++				if (sizeleft < 4)
++					break;
+ 				vl = exif_get_long (data, entry->order);
+ 				snprintf (val+len, maxlen-len, "%li", (long int) vl);
+ 				len = strlen(val);
+ 				data += 4;
++				sizeleft -= 4;
+ 			}
+ 		  }
+ 		  break;
+@@ -455,5 +465,5 @@ mnote_pentax_entry_get_value (MnotePenta
+ 		break;
+ 	}
+ 
+-	return (val);
++	return val;
+ }
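Review bot: The DEP-3 header of this new patch names an author and a Debian bug but has no `Origin:` or `Applied-Upstream:` field, so the backport cannot be checked against the upstream commit it is said to come from. The same applies to debian/patches/cve-2017-7544.patch. For a security fix I would add a line such as `Origin: upstream, <URL-of-upstream-commit>` (placeholder, to be filled with the real reference) to both headers. The embedded diff also carries the cosmetic `return (val);` to `return val;` change; if that is not part of the upstream commit, leaving it out keeps the patch minimal and easier to audit. The `sizeleft` guards cover only the SHORT and LONG branches visible here, and the rest of mnote_pentax_entry_get_value is outside the hunk, so its other reads of `entry->data` should be confirmed as bounded.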
diff -Nru libexif-0.6.21/debian/patches/cve-2017-7544.patch libexif-0.6.21/debian/patches/cve-2017-7544.patch
--- libexif-0.6.21/debian/patches/cve-2017-7544.patch	1970-01-01 10:00:00.000000000 +1000
+++ libexif-0.6.21/debian/patches/cve-2017-7544.patch	2017-10-03 21:57:38.000000000 +1100
@@ -0,0 +1,22 @@
+Description: Fixes an out-of-bounds heap read in the exif_data_save_data_entry function (CVE-2017-7544)
+Author: Marcus Meissner <marcus@jet.franken.de>
+Bug-Debian: http://bugs.debian.org/876466
+Last-Update: 2017-07-04
+
+Index: libexif-0.6.21/libexif/exif-data.c
+===================================================================
+--- libexif-0.6.21.orig/libexif/exif-data.c
++++ libexif-0.6.21/libexif/exif-data.c
+@@ -255,6 +255,12 @@ exif_data_save_data_entry (ExifData *dat
+ 			exif_mnote_data_set_offset (data->priv->md, *ds - 6);
+ 			exif_mnote_data_save (data->priv->md, &e->data, &e->size);
+ 			e->components = e->size;
++			if (exif_format_get_size (e->format) != 1) {
++				/* e->format is taken from input code,
++				 * but we need to make sure it is a 1 byte
++				 * entity due to the multiplication below. */
++				e->format = EXIF_FORMAT_UNDEFINED;
++			}
+ 		}
+ 	}
+ 
diff -Nru libexif-0.6.21/debian/patches/series libexif-0.6.21/debian/patches/series
--- libexif-0.6.21/debian/patches/series	2013-01-27 02:46:30.000000000 +1100
+++ libexif-0.6.21/debian/patches/series	2017-10-02 22:42:11.000000000 +1100
@@ -1,2 +1,4 @@
 pkg_config_header_dir
 extra_colorspace_check
+cve-2016-6328.patch
+cve-2017-7544.patch
diff -Nru libexif-0.6.21/debian/rules libexif-0.6.21/debian/rules
--- libexif-0.6.21/debian/rules	2014-08-25 05:34:56.000000000 +1000
+++ libexif-0.6.21/debian/rules	2017-10-03 21:42:29.000000000 +1100
@@ -1,15 +1,17 @@
 #!/usr/bin/make -f
 
+export DEB_BUILD_MAINT_OPTIONS = hardening=+all
+
 override_dh_install:
 	# remove JQuery embedded copy
 	rm -f debian/libexif-dev/usr/share/doc/libexif-dev/libexif-api.html/jquery.js
 	# Install pkgconfig file in full triplet directory.
 	install -D -m 644 libexif.pc debian/libexif-dev/usr/lib/$(DEB_HOST_MULTIARCH)/pkgconfig/libexif.pc
-	dh_install
+	dh_install -X*.md5
 
-# Upstream sources contains a directory named 'binary'
-# which breaks the build, the following rule fix it
+# Upstream sources contain a directory named 'binary'
+# which breaks the build. The following rule fixes it.
 binary: binary-arch binary-indep
 
 %:
-	dh $@ --parallel --with autoreconf
+	dh $@ --parallel
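Review bot: In `dh_install -X*.md5` the `*` is unquoted in the recipe, and debhelper documents `-X` as excluding any file whose name contains the given text, not as a glob. The asterisk may therefore be matched literally, or be expanded by the shell if a matching name exists in the build directory. `dh_install -X.md5` is the documented substring form. Whichever is kept, the file list of the built libexif-dev package should be checked to confirm the doxygen .md5 files are excluded. For the new `export DEB_BUILD_MAINT_OPTIONS = hardening=+all` line, a comment such as `# Enable every dpkg-buildflags hardening feature for the library build.` would record the intent, and a build-log scan (for example with blhc) would show that the flags reach the compiler and linker.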
diff -Nru libexif-0.6.21/debian/source/lintian-overrides libexif-0.6.21/debian/source/lintian-overrides
--- libexif-0.6.21/debian/source/lintian-overrides	1970-01-01 10:00:00.000000000 +1000
+++ libexif-0.6.21/debian/source/lintian-overrides	2017-10-03 21:27:39.000000000 +1100
@@ -0,0 +1,5 @@
+# Some source files are listed in debian/copyright multiple times.
+# Each repetition (or wildcard equivalent) of a Files paragraph overrides
+# the previous iteration of that paragraph, causing lintian to complain 
+# that the previous iteration is unused.
+libexif source: unused-file-paragraph-in-dep5-copyright
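Review bot: The override `libexif source: unused-file-paragraph-in-dep5-copyright` has no trailing context, so it silences every current and future occurrence of the tag. That includes paragraphs that go stale when upstream removes files, as happened with the libjpeg/* entries dropped in this same upload. Lintian overrides can be narrowed by appending the extra information lintian prints after the tag name, copied from the actual lintian output, giving one override line per intentionally repeated paragraph. Scoping it that way keeps the warning useful for real leftovers in debian/copyright.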
