diff -Nru isc-dhcp-4.2.4/debian/apparmor-profile.dhcpd isc-dhcp-4.2.4/debian/apparmor-profile.dhcpd
--- isc-dhcp-4.2.4/debian/apparmor-profile.dhcpd	2014-04-03 16:51:15.000000000 -0500
+++ isc-dhcp-4.2.4/debian/apparmor-profile.dhcpd	2016-01-30 22:37:10.000000000 -0600
@@ -9,6 +9,7 @@
   #include <abstractions/nameservice>
   #include <abstractions/ssl_keys>
 
+  capability chown,
   capability net_bind_service,
   capability net_raw,
   capability setgid,
diff -Nru isc-dhcp-4.2.4/debian/changelog isc-dhcp-4.2.4/debian/changelog
--- isc-dhcp-4.2.4/debian/changelog	2016-01-11 06:56:50.000000000 -0600
+++ isc-dhcp-4.2.4/debian/changelog	2016-01-30 22:45:29.000000000 -0600
@@ -1,3 +1,17 @@
+isc-dhcp (4.2.4-7ubuntu12.5~jdstrand1) trusty-proposed; urgency=medium
+
+  * debian/patches/lp1186662.patch: Enhance the PARANOIA patch to include
+    fchown() the lease file to allow it to be manipulated after the server
+    does a chown(). (LP: #1186662)
+  * debian/apparmor-profile.dhcpd: adjust to add capability chown
+  * debian/isc-dhcp-server.isc-dhcp-server*.upstart: adjust permissions for
+    this version of the paranoia patch
+    - /var/lib/dhcp is root:dhcpd and 775
+    - /var/lib/dhcp/dhcpd{,6}.leases is root:dhcpd and 664
+    - drop adjusting /var/lib/dhcp/dhcpd{,6}.leases~
+
+ -- Jamie Strandboge <jamie@ubuntu.com>  Sat, 30 Jan 2016 17:34:05 -0600
+
 isc-dhcp (4.2.4-7ubuntu12.4) trusty-security; urgency=medium
 
   * SECURITY UPDATE: denial of service via incorrect UDP payload length
diff -Nru isc-dhcp-4.2.4/debian/isc-dhcp-server.isc-dhcp-server.upstart isc-dhcp-4.2.4/debian/isc-dhcp-server.isc-dhcp-server.upstart
--- isc-dhcp-4.2.4/debian/isc-dhcp-server.isc-dhcp-server.upstart	2014-04-03 16:51:15.000000000 -0500
+++ isc-dhcp-4.2.4/debian/isc-dhcp-server.isc-dhcp-server.upstart	2016-01-30 22:44:56.000000000 -0600
@@ -48,12 +48,11 @@
     mkdir -p /var/run/dhcp-server
     chown dhcpd:dhcpd /var/run/dhcp-server
 
-    # The leases files need to be root:root even when dropping privileges
+    # The leases files need to be root:dhcpd for dropping privileges
     [ -e /var/lib/dhcp/dhcpd.leases ] || touch /var/lib/dhcp/dhcpd.leases
-    chown root:root /var/lib/dhcp /var/lib/dhcp/dhcpd.leases
-    if [ -e /var/lib/dhcp/dhcpd.leases~ ]; then
-        chown root:root /var/lib/dhcp/dhcpd.leases~
-    fi
+    chown root:dhcpd /var/lib/dhcp /var/lib/dhcp/dhcpd.leases
+    chmod 775 /var/lib/dhcp
+    chmod 664 /var/lib/dhcp/dhcpd.leases
 
     exec dhcpd -user dhcpd -group dhcpd -f -q -4 -pf /run/dhcp-server/dhcpd.pid -cf $CONFIG_FILE $INTERFACES
 end script
diff -Nru isc-dhcp-4.2.4/debian/isc-dhcp-server.isc-dhcp-server6.upstart isc-dhcp-4.2.4/debian/isc-dhcp-server.isc-dhcp-server6.upstart
--- isc-dhcp-4.2.4/debian/isc-dhcp-server.isc-dhcp-server6.upstart	2014-04-03 16:51:15.000000000 -0500
+++ isc-dhcp-4.2.4/debian/isc-dhcp-server.isc-dhcp-server6.upstart	2016-01-30 22:44:51.000000000 -0600
@@ -48,12 +48,11 @@
     mkdir -p /var/run/dhcp-server
     chown dhcpd:dhcpd /var/run/dhcp-server
 
-    # The leases files need to be root:root even when dropping privileges
+    # The leases files need to be root:dhcpd for dropping privileges
     [ -e /var/lib/dhcp/dhcpd6.leases ] || touch /var/lib/dhcp/dhcpd6.leases
-    chown root:root /var/lib/dhcp /var/lib/dhcp/dhcpd6.leases
-    if [ -e /var/lib/dhcp/dhcpd6.leases~ ]; then
-        chown root:root /var/lib/dhcp/dhcpd6.leases~
-    fi
+    chown root:dhcpd /var/lib/dhcp /var/lib/dhcp/dhcpd6.leases
+    chmod 775 /var/lib/dhcp
+    chmod 664 /var/lib/dhcp/dhcpd6.leases
 
     exec dhcpd -user dhcpd -group dhcpd -f -q -6 -pf /run/dhcp-server/dhcpd6.pid -cf $CONFIG_FILE $INTERFACES
 end script
diff -Nru isc-dhcp-4.2.4/debian/patches/lp1186662.patch isc-dhcp-4.2.4/debian/patches/lp1186662.patch
--- isc-dhcp-4.2.4/debian/patches/lp1186662.patch	1969-12-31 18:00:00.000000000 -0600
+++ isc-dhcp-4.2.4/debian/patches/lp1186662.patch	2016-01-30 17:52:14.000000000 -0600
@@ -0,0 +1,75 @@
+Origin: backport from 4.3.3
+Description: - Enhance the PARANOIA patch to include fchown() the lease file to
+  allow it to be manipulated after the server does a chown().
+  Thanks to Jiri Popelka at Red Hat for the patch.
+  [ISC-Bugs #36978]
+Bug-Ubuntu: https://launchpad.net/bugs/1186662
+
+Index: isc-dhcp-4.2.4/server/db.c
+===================================================================
+--- isc-dhcp-4.2.4.orig/server/db.c
++++ isc-dhcp-4.2.4/server/db.c
+@@ -1109,6 +1109,22 @@ int new_lease_file ()
+ 		log_error ("Can't create new lease file: %m");
+ 		return 0;
+ 	}
++
++#if defined (PARANOIA)
++	/*
++	 * If we are currently root and plan to change the
++	 * uid and gid change the file information so we
++	 * can manipulate it later, after we've changed
++	 * our group and user (that is dropped privileges.)
++	 */
++	if ((set_uid != 0) && (geteuid() == 0) &&
++	    (set_gid != 0) && (getegid() == 0)) {
++		if (fchown(db_fd, set_uid, set_gid)) {
++			log_fatal ("Can't chown new lease file: %m");
++		}
++	}
++#endif /* PARANOIA */
++
+ 	if ((new_db_file = fdopen(db_fd, "w")) == NULL) {
+ 		log_error("Can't fdopen new lease file: %m");
+ 		close(db_fd);
+Index: isc-dhcp-4.2.4/server/dhcpd.c
+===================================================================
+--- isc-dhcp-4.2.4.orig/server/dhcpd.c
++++ isc-dhcp-4.2.4/server/dhcpd.c
+@@ -56,6 +56,10 @@ static const char url [] =
+ #  define group real_group 
+ #    include <grp.h>
+ #  undef group
++
++/* global values so db.c can look at them */
++uid_t set_uid = 0;
++gid_t set_gid = 0;
+ #endif /* PARANOIA */
+ 
+ static void usage(void);
+@@ -262,9 +266,6 @@ main(int argc, char **argv) {
+ 	char *set_user   = 0;
+ 	char *set_group  = 0;
+ 	char *set_chroot = 0;
+-
+-	uid_t set_uid = 0;
+-	gid_t set_gid = 0;
+ #endif /* PARANOIA */
+ 
+         /* Make sure that file descriptors 0 (stdin), 1, (stdout), and
+Index: isc-dhcp-4.2.4/includes/dhcpd.h
+===================================================================
+--- isc-dhcp-4.2.4.orig/includes/dhcpd.h
++++ isc-dhcp-4.2.4/includes/dhcpd.h
+@@ -1882,6 +1882,11 @@ extern const char *path_dhcpd_pid;
+ extern int dhcp_max_agent_option_packet_length;
+ extern struct eventqueue *rw_queue_empty;
+ 
++#if defined (PARANOIA)
++extern uid_t set_uid;
++extern gid_t set_gid;
++#endif
++
+ int main(int, char **);
+ void postconf_initialization(int);
+ void postdb_startup(void);
diff -Nru isc-dhcp-4.2.4/debian/patches/series isc-dhcp-4.2.4/debian/patches/series
--- isc-dhcp-4.2.4/debian/patches/series	2016-01-11 06:56:46.000000000 -0600
+++ isc-dhcp-4.2.4/debian/patches/series	2016-01-30 17:30:11.000000000 -0600
@@ -24,3 +24,4 @@
 dhcp-4.2.2-gpxe-cid.patch
 dhcp-4.2.4-improved-xid-correct-byte-order.patch
 CVE-2015-8605.patch
+lp1186662.patch