New upstream release (7.2p2).

35 files changed, 99 insertions, 64 deletions

diff --git a/ChangeLog b/ChangeLog
index b01bb5642..1e4346715 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,17 @@
+commit 5c35450a0c901d9375fb23343a8dc82397da5f75
+Author: Damien Miller <djm@mindrot.org>
+Date:   Thu Mar 10 05:04:48 2016 +1100
+
+    update versions for release
+
+commit 9d47b8d3f50c3a6282896df8274147e3b9a38c56
+Author: Damien Miller <djm@mindrot.org>
+Date:   Thu Mar 10 05:03:39 2016 +1100
+
+    sanitise characters destined for xauth(1)
+    
+    reported by github.com/tintinweb
+
 commit 72b061d4ba0f909501c595d709ea76e06b01e5c9
 Author: Darren Tucker <dtucker@zip.com.au>
 Date:   Fri Feb 26 14:40:04 2016 +1100
@@ -8889,19 +8903,3 @@ Author: Damien Miller <djm@mindrot.org>
 Date:   Thu Mar 13 13:14:21 2014 +1100
 
      - (djm) Release OpenSSH 6.6
-
-commit 8569eba5d7f7348ce3955eeeb399f66f25c52ece
-Author: Damien Miller <djm@mindrot.org>
-Date:   Tue Mar 4 09:35:17 2014 +1100
-
-       - djm@cvs.openbsd.org 2014/03/03 22:22:30
-         [session.c]
-         ignore enviornment variables with embedded '=' or '\0' characters;
-         spotted by Jann Horn; ok deraadt@
-
-commit 2476c31b96e89aec7d4e73cb6fbfb9a4290de3a7
-Author: Damien Miller <djm@mindrot.org>
-Date:   Sun Mar 2 04:01:00 2014 +1100
-
-     - (djm) [regress/Makefile] Disable dhgex regress test; it breaks when
-       no moduli file exists at the expected location.
diff --git a/README b/README
index 0dd047af3..86c55a554 100644
--- a/README
+++ b/README
@@ -1,4 +1,4 @@
-See http://www.openssh.com/txt/release-7.2p1 for the release notes.
+See http://www.openssh.com/txt/release-7.2p2 for the release notes.
 
 Please read http://www.openssh.com/report.html for bug reporting
 instructions and note that we do not use Github for bug reporting or
diff --git a/contrib/redhat/openssh.spec b/contrib/redhat/openssh.spec
index 2a55f454e..eefe82df0 100644
--- a/contrib/redhat/openssh.spec
+++ b/contrib/redhat/openssh.spec
@@ -1,4 +1,4 @@
-%define ver 7.2p1
+%define ver 7.2p2
 %define rel 1
 
 # OpenSSH privilege separation requires a user & group ID
diff --git a/contrib/suse/openssh.spec b/contrib/suse/openssh.spec
index 53264c1fb..f20a78656 100644
--- a/contrib/suse/openssh.spec
+++ b/contrib/suse/openssh.spec
@@ -13,7 +13,7 @@
 
 Summary:        OpenSSH, a free Secure Shell (SSH) protocol implementation
 Name:           openssh
-Version:        7.2p1
+Version:        7.2p2
 URL:            http://www.openssh.com/
 Release:        1
 Source0:        openssh-%{version}.tar.gz
diff --git a/debian/.git-dpm b/debian/.git-dpm
index 65e3d5e54..a06ce86e7 100644
--- a/debian/.git-dpm
+++ b/debian/.git-dpm
@@ -1,8 +1,8 @@
 # see git-dpm(1) from git-dpm package
-85e40e87a75fb80a0bf893ac05a417d6c353537d
-85e40e87a75fb80a0bf893ac05a417d6c353537d
-c52a95cc4754e6630c96fe65ae0c65eb41d2c590
-c52a95cc4754e6630c96fe65ae0c65eb41d2c590
-openssh_7.2p1.orig.tar.gz
-d30a6fd472199ab5838a7668c0c5fd885fb8d371
-1499707
+27a3937bf51447024527168a510d7f9b21542b1c
+27a3937bf51447024527168a510d7f9b21542b1c
+f0329aac23c61e1a5197d6d57349a63f459bccb0
+f0329aac23c61e1a5197d6d57349a63f459bccb0
+openssh_7.2p2.orig.tar.gz
+70e35d7d6386fe08abbd823b3a12a3ca44ac6d38
+1499808
diff --git a/debian/changelog b/debian/changelog
index 20c8059f2..27b46428e 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+openssh (1:7.2p2-1) UNRELEASED; urgency=high
+
+  * New upstream release (http://www.openssh.com/txt/release-7.2p2):
+    - SECURITY: sshd(8): Sanitise X11 authentication credentials to avoid
+      xauth command injection when X11Forwarding is enabled
+      (http://www.openssh.com/txt/x11fwd.adv).
+
+ -- Colin Watson <cjwatson@debian.org>  Thu, 10 Mar 2016 13:01:22 +0000
+
 openssh (1:7.2p1-1) unstable; urgency=medium
 
   * New upstream release (http://www.openssh.com/txt/release-7.2):
diff --git a/debian/patches/auth-log-verbosity.patch b/debian/patches/auth-log-verbosity.patch
index 549570c5c..482ca97bd 100644
--- a/debian/patches/auth-log-verbosity.patch
+++ b/debian/patches/auth-log-verbosity.patch
@@ -1,4 +1,4 @@
-From d104554289d524d6f8c97cc93a8ff5aabbfcdd6c Mon Sep 17 00:00:00 2001
+From 33f7235ca187f62f44734c6caca95e54c3cf7232 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:10:02 +0000
 Subject: Quieten logs when multiple from= restrictions are used
diff --git a/debian/patches/authorized-keys-man-symlink.patch b/debian/patches/authorized-keys-man-symlink.patch
index 5a0dcd806..a6e5019e4 100644
--- a/debian/patches/authorized-keys-man-symlink.patch
+++ b/debian/patches/authorized-keys-man-symlink.patch
@@ -1,4 +1,4 @@
-From 88659ca2f10e2401f887b9dd58f6361d7bfa08e4 Mon Sep 17 00:00:00 2001
+From 4f28c3fcf778105bbbb3a2144d1d46bee93b48b7 Mon Sep 17 00:00:00 2001
 From: Tomas Pospisek <tpo_deb@sourcepole.ch>
 Date: Sun, 9 Feb 2014 16:10:07 +0000
 Subject: Install authorized_keys(5) as a symlink to sshd(8)
diff --git a/debian/patches/debian-banner.patch b/debian/patches/debian-banner.patch
index 7f8cdb172..64e7bcae9 100644
--- a/debian/patches/debian-banner.patch
+++ b/debian/patches/debian-banner.patch
@@ -1,4 +1,4 @@
-From 3c79e49a4fbd8e4c84f6af6f1173563bda8b273b Mon Sep 17 00:00:00 2001
+From ae6ba56387f97086bb50273e1c80ba5cbaba2adc Mon Sep 17 00:00:00 2001
 From: Kees Cook <kees@debian.org>
 Date: Sun, 9 Feb 2014 16:10:06 +0000
 Subject: Add DebianBanner server configuration option
diff --git a/debian/patches/debian-config.patch b/debian/patches/debian-config.patch
index 24f1a77ec..3bc6c1303 100644
--- a/debian/patches/debian-config.patch
+++ b/debian/patches/debian-config.patch
@@ -1,4 +1,4 @@
-From 85e40e87a75fb80a0bf893ac05a417d6c353537d Mon Sep 17 00:00:00 2001
+From 27a3937bf51447024527168a510d7f9b21542b1c Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:10:18 +0000
 Subject: Various Debian-specific configuration changes
diff --git a/debian/patches/dnssec-sshfp.patch b/debian/patches/dnssec-sshfp.patch
index 8b33364e4..a6d108d64 100644
--- a/debian/patches/dnssec-sshfp.patch
+++ b/debian/patches/dnssec-sshfp.patch
@@ -1,4 +1,4 @@
-From 094cc9bf1c7f873542a6c8dc25d0f8e61aa23318 Mon Sep 17 00:00:00 2001
+From 9c255ad5c677682eb99e1d45dbd5328cef732036 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:10:01 +0000
 Subject: Force use of DNSSEC even if "options edns0" isn't in resolv.conf
diff --git a/debian/patches/doc-hash-tab-completion.patch b/debian/patches/doc-hash-tab-completion.patch
index 2b203f5dc..20d25b04e 100644
--- a/debian/patches/doc-hash-tab-completion.patch
+++ b/debian/patches/doc-hash-tab-completion.patch
@@ -1,4 +1,4 @@
-From 3aede5a89ef203b53ef86435fe4af709a39379c2 Mon Sep 17 00:00:00 2001
+From e28df965f5f36a83bba58549a216fba78277585f Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:10:11 +0000
 Subject: Document that HashKnownHosts may break tab-completion
diff --git a/debian/patches/doc-upstart.patch b/debian/patches/doc-upstart.patch
index 3266c4707..698236ca7 100644
--- a/debian/patches/doc-upstart.patch
+++ b/debian/patches/doc-upstart.patch
@@ -1,4 +1,4 @@
-From 2c7520d8d6245868704cf01dd572cce744663173 Mon Sep 17 00:00:00 2001
+From d0f5716ccb267efa3178ee03c2fc5a45d024c465 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@ubuntu.com>
 Date: Sun, 9 Feb 2014 16:10:12 +0000
 Subject: Refer to ssh's Upstart job as well as its init script
diff --git a/debian/patches/gnome-ssh-askpass2-icon.patch b/debian/patches/gnome-ssh-askpass2-icon.patch
index ba2c684fd..7d0c14d5b 100644
--- a/debian/patches/gnome-ssh-askpass2-icon.patch
+++ b/debian/patches/gnome-ssh-askpass2-icon.patch
@@ -1,4 +1,4 @@
-From 5e5d8faea814efa9368ccec343580b6dcd440d5e Mon Sep 17 00:00:00 2001
+From bd1efc3a46d0253b5d3c44e7d881d7ac0af87549 Mon Sep 17 00:00:00 2001
 From: Vincent Untz <vuntz@ubuntu.com>
 Date: Sun, 9 Feb 2014 16:10:16 +0000
 Subject: Give the ssh-askpass-gnome window a default icon
diff --git a/debian/patches/gssapi.patch b/debian/patches/gssapi.patch
index aa9f25848..6ce8a62bf 100644
--- a/debian/patches/gssapi.patch
+++ b/debian/patches/gssapi.patch
@@ -1,4 +1,4 @@
-From 374db1757fc18bd6647539b80977e6907a2cecd4 Mon Sep 17 00:00:00 2001
+From 6dfd41bb6858c6446c1da47449e2108fbabf220e Mon Sep 17 00:00:00 2001
 From: Simon Wilkinson <simon@sxw.org.uk>
 Date: Sun, 9 Feb 2014 16:09:48 +0000
 Subject: GSSAPI key exchange support
diff --git a/debian/patches/helpful-wait-terminate.patch b/debian/patches/helpful-wait-terminate.patch
index 935235b27..d8a12a26f 100644
--- a/debian/patches/helpful-wait-terminate.patch
+++ b/debian/patches/helpful-wait-terminate.patch
@@ -1,4 +1,4 @@
-From 5c2c0e042d57cee75528686f47b4c47db434ad8b Mon Sep 17 00:00:00 2001
+From 6165757b14648f66150a0b5b45790b117f562790 Mon Sep 17 00:00:00 2001
 From: Matthew Vernon <matthew@debian.org>
 Date: Sun, 9 Feb 2014 16:09:56 +0000
 Subject: Mention ~& when waiting for forwarded connections to terminate
diff --git a/debian/patches/keepalive-extensions.patch b/debian/patches/keepalive-extensions.patch
index de0f73c59..f184bb41e 100644
--- a/debian/patches/keepalive-extensions.patch
+++ b/debian/patches/keepalive-extensions.patch
@@ -1,4 +1,4 @@
-From a9c7a3f8b035fe820fd32283460b1a28e696d2fe Mon Sep 17 00:00:00 2001
+From ce1a5718a57d2d1c0d9e59cfac81c2f6401780a0 Mon Sep 17 00:00:00 2001
 From: Richard Kettlewell <rjk@greenend.org.uk>
 Date: Sun, 9 Feb 2014 16:09:52 +0000
 Subject: Various keepalive extensions
diff --git a/debian/patches/mention-ssh-keygen-on-keychange.patch b/debian/patches/mention-ssh-keygen-on-keychange.patch
index 7e6ad3996..77fd9dd81 100644
--- a/debian/patches/mention-ssh-keygen-on-keychange.patch
+++ b/debian/patches/mention-ssh-keygen-on-keychange.patch
@@ -1,4 +1,4 @@
-From cbec84cf05e5dbd6d8a739a7d01e1d242a006d20 Mon Sep 17 00:00:00 2001
+From 86be635e17e81da5e0dc39498724a5c37a52753d Mon Sep 17 00:00:00 2001
 From: Scott Moser <smoser@ubuntu.com>
 Date: Sun, 9 Feb 2014 16:10:03 +0000
 Subject: Mention ssh-keygen in ssh fingerprint changed warning
diff --git a/debian/patches/no-openssl-version-status.patch b/debian/patches/no-openssl-version-status.patch
index 42463eed7..58a39a95b 100644
--- a/debian/patches/no-openssl-version-status.patch
+++ b/debian/patches/no-openssl-version-status.patch
@@ -1,4 +1,4 @@
-From c2f77b15d182a5399d4548a57a471d6be7b25a87 Mon Sep 17 00:00:00 2001
+From 37fa6804403a83d98a796f417544104996f3c4a8 Mon Sep 17 00:00:00 2001
 From: Kurt Roeckx <kurt@roeckx.be>
 Date: Sun, 9 Feb 2014 16:10:14 +0000
 Subject: Don't check the status field of the OpenSSL version
diff --git a/debian/patches/openbsd-docs.patch b/debian/patches/openbsd-docs.patch
index abeaad7a5..72f946fec 100644
--- a/debian/patches/openbsd-docs.patch
+++ b/debian/patches/openbsd-docs.patch
@@ -1,4 +1,4 @@
-From 5a19d59c0b76162929545ad1bc92e7de69ce9a7b Mon Sep 17 00:00:00 2001
+From a94344bdb2f8499dd6370f53f41d46bd5a6fc045 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:10:09 +0000
 Subject: Adjust various OpenBSD-specific references in manual pages
diff --git a/debian/patches/package-versioning.patch b/debian/patches/package-versioning.patch
index b41c066e3..3fd57a043 100644
--- a/debian/patches/package-versioning.patch
+++ b/debian/patches/package-versioning.patch
@@ -1,4 +1,4 @@
-From f7587633dc374db82455fe7a3fa921de5c4a897b Mon Sep 17 00:00:00 2001
+From fa63bc351c67842b687d94a24afa1d7fd1d8c94f Mon Sep 17 00:00:00 2001
 From: Matthew Vernon <matthew@debian.org>
 Date: Sun, 9 Feb 2014 16:10:05 +0000
 Subject: Include the Debian version in our identification
@@ -49,13 +49,13 @@ index bb093cc..c762190 100644
             options.version_addendum, newline);
  
 diff --git a/version.h b/version.h
-index 4189982..236dd87 100644
+index eb4e948..0840a1a 100644
 --- a/version.h
 +++ b/version.h
 @@ -3,4 +3,9 @@
  #define SSH_VERSION    "OpenSSH_7.2"
  
- #define SSH_PORTABLE   "p1"
+ #define SSH_PORTABLE   "p2"
 -#define SSH_RELEASE    SSH_VERSION SSH_PORTABLE
 +#define SSH_RELEASE_MINIMUM    SSH_VERSION SSH_PORTABLE
 +#ifdef SSH_EXTRAVERSION
diff --git a/debian/patches/quieter-signals.patch b/debian/patches/quieter-signals.patch
index 51d5c09d0..5eaab4036 100644
--- a/debian/patches/quieter-signals.patch
+++ b/debian/patches/quieter-signals.patch
@@ -1,4 +1,4 @@
-From 754544297b321ab1ce1923e6aa9987bb82dd4fc5 Mon Sep 17 00:00:00 2001
+From 2ebca9787f92efa5d3fa1a1a47547f5ed1d31ca0 Mon Sep 17 00:00:00 2001
 From: Peter Samuelson <peter@p12n.org>
 Date: Sun, 9 Feb 2014 16:09:55 +0000
 Subject: Reduce severity of "Killed by signal %d"
diff --git a/debian/patches/restore-tcp-wrappers.patch b/debian/patches/restore-tcp-wrappers.patch
index 47ccdda3c..dbb66f10f 100644
--- a/debian/patches/restore-tcp-wrappers.patch
+++ b/debian/patches/restore-tcp-wrappers.patch
@@ -1,4 +1,4 @@
-From 9496f70a8203592158275489519996476b2356af Mon Sep 17 00:00:00 2001
+From 1b820bd5376b5b04403f0489b2e135566cedd4e6 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Tue, 7 Oct 2014 13:22:41 +0100
 Subject: Restore TCP wrappers support
diff --git a/debian/patches/scp-quoting.patch b/debian/patches/scp-quoting.patch
index cd2685e3a..fbaaa92ec 100644
--- a/debian/patches/scp-quoting.patch
+++ b/debian/patches/scp-quoting.patch
@@ -1,4 +1,4 @@
-From c2c79a52f66eee7b85b5241d08a70b2593a9bc9e Mon Sep 17 00:00:00 2001
+From 9788125fd5b4541ebeae6028b9e911c5aeb43d9f Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Nicolas=20Valc=C3=A1rcel?= <nvalcarcel@ubuntu.com>
 Date: Sun, 9 Feb 2014 16:09:59 +0000
 Subject: Adjust scp quoting in verbose mode
diff --git a/debian/patches/selinux-role.patch b/debian/patches/selinux-role.patch
index c632f0349..de4384b03 100644
--- a/debian/patches/selinux-role.patch
+++ b/debian/patches/selinux-role.patch
@@ -1,4 +1,4 @@
-From a00cba810338ce920de432e7797a45794bf280ba Mon Sep 17 00:00:00 2001
+From 16caff9bcfbc638ed7d2e01a338db678f138faa5 Mon Sep 17 00:00:00 2001
 From: Manoj Srivastava <srivasta@debian.org>
 Date: Sun, 9 Feb 2014 16:09:49 +0000
 Subject: Handle SELinux authorisation roles
@@ -396,10 +396,10 @@ index e687c99..823901b 100644
  char *platform_krb5_get_principal_name(const char *);
  int platform_sys_dir_uid(uid_t);
 diff --git a/session.c b/session.c
-index 7a02500..99ec6f3 100644
+index 87fddfc..f246b8a 100644
 --- a/session.c
 +++ b/session.c
-@@ -1489,7 +1489,7 @@ safely_chroot(const char *path, uid_t uid)
+@@ -1511,7 +1511,7 @@ safely_chroot(const char *path, uid_t uid)
  
  /* Set login name, uid, gid, and groups. */
  void
@@ -408,7 +408,7 @@ index 7a02500..99ec6f3 100644
  {
         char *chroot_path, *tmp;
  
-@@ -1517,7 +1517,7 @@ do_setusercontext(struct passwd *pw)
+@@ -1539,7 +1539,7 @@ do_setusercontext(struct passwd *pw)
                 endgrent();
  #endif
  
@@ -417,7 +417,7 @@ index 7a02500..99ec6f3 100644
  
                 if (!in_chroot && options.chroot_directory != NULL &&
                     strcasecmp(options.chroot_directory, "none") != 0) {
-@@ -1674,7 +1674,7 @@ do_child(Session *s, const char *command)
+@@ -1696,7 +1696,7 @@ do_child(Session *s, const char *command)
  
         /* Force a password change */
         if (s->authctxt->force_pwchange) {
@@ -426,7 +426,7 @@ index 7a02500..99ec6f3 100644
                 child_close_fds();
                 do_pwchange(s);
                 exit(1);
-@@ -1701,7 +1701,7 @@ do_child(Session *s, const char *command)
+@@ -1723,7 +1723,7 @@ do_child(Session *s, const char *command)
                 /* When PAM is enabled we rely on it to do the nologin check */
                 if (!options.use_pam)
                         do_nologin(pw);
@@ -435,7 +435,7 @@ index 7a02500..99ec6f3 100644
                 /*
                  * PAM session modules in do_setusercontext may have
                  * generated messages, so if this in an interactive
-@@ -2112,7 +2112,7 @@ session_pty_req(Session *s)
+@@ -2134,7 +2134,7 @@ session_pty_req(Session *s)
         tty_parse_modes(s->ttyfd, &n_bytes);
  
         if (!use_privsep)
diff --git a/debian/patches/shell-path.patch b/debian/patches/shell-path.patch
index 953bae5d0..ea8f2d685 100644
--- a/debian/patches/shell-path.patch
+++ b/debian/patches/shell-path.patch
@@ -1,4 +1,4 @@
-From 434f7bc6f37b86a449d3d975fad53233f4c141f2 Mon Sep 17 00:00:00 2001
+From a8c208a1f6b234a3bf0206c7bce2aaa27b88b46a Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:10:00 +0000
 Subject: Look for $SHELL on the path for ProxyCommand/LocalCommand
diff --git a/debian/patches/sigstop.patch b/debian/patches/sigstop.patch
index e022fa53f..590f55539 100644
--- a/debian/patches/sigstop.patch
+++ b/debian/patches/sigstop.patch
@@ -1,4 +1,4 @@
-From e66add5020e18f6dd9b942b46e02d9b20e24edcc Mon Sep 17 00:00:00 2001
+From 2b25784cfb29177fe9e19546981ab698eb422b9f Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:10:17 +0000
 Subject: Support synchronisation with service supervisor using SIGSTOP
diff --git a/debian/patches/ssh-agent-setgid.patch b/debian/patches/ssh-agent-setgid.patch
index a2f23396e..5d64655e5 100644
--- a/debian/patches/ssh-agent-setgid.patch
+++ b/debian/patches/ssh-agent-setgid.patch
@@ -1,4 +1,4 @@
-From d7698edca3667ffacae051582028eb3971928edc Mon Sep 17 00:00:00 2001
+From 3e0e43c3840d4df2e44435a41981fd1eef5030b4 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:10:13 +0000
 Subject: Document consequences of ssh-agent being setgid in ssh-agent(1)
diff --git a/debian/patches/ssh-argv0.patch b/debian/patches/ssh-argv0.patch
index f830f2cf2..6cb4a8472 100644
--- a/debian/patches/ssh-argv0.patch
+++ b/debian/patches/ssh-argv0.patch
@@ -1,4 +1,4 @@
-From 30dfe2ed8df15c27b53c883c1b718b13416299d5 Mon Sep 17 00:00:00 2001
+From af8f74e50c8b6f49d85bd03c64e92260ae95ef59 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:10:10 +0000
 Subject: ssh(1): Refer to ssh-argv0(1)
diff --git a/debian/patches/ssh-vulnkey-compat.patch b/debian/patches/ssh-vulnkey-compat.patch
index f2bb35326..7ff30093a 100644
--- a/debian/patches/ssh-vulnkey-compat.patch
+++ b/debian/patches/ssh-vulnkey-compat.patch
@@ -1,4 +1,4 @@
-From 68e8163d9209f731c582fe5350002c51c9551983 Mon Sep 17 00:00:00 2001
+From 50201dd1c0a38e8a26d614b1679981610a8effc5 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@ubuntu.com>
 Date: Sun, 9 Feb 2014 16:09:50 +0000
 Subject: Accept obsolete ssh-vulnkey configuration options
diff --git a/debian/patches/syslog-level-silent.patch b/debian/patches/syslog-level-silent.patch
index 5ac2fc593..fe72ff7ba 100644
--- a/debian/patches/syslog-level-silent.patch
+++ b/debian/patches/syslog-level-silent.patch
@@ -1,4 +1,4 @@
-From c87856cd1b99bc4188b145b0689af5e1d1babe24 Mon Sep 17 00:00:00 2001
+From b8c3ad59100fedf8aaab9986b55c9307c599ec61 Mon Sep 17 00:00:00 2001
 From: Jonathan David Amery <jdamery@ysolde.ucam.org>
 Date: Sun, 9 Feb 2014 16:09:54 +0000
 Subject: "LogLevel SILENT" compatibility
diff --git a/debian/patches/systemd-readiness.patch b/debian/patches/systemd-readiness.patch
index 3c2c67cda..ae66bee27 100644
--- a/debian/patches/systemd-readiness.patch
+++ b/debian/patches/systemd-readiness.patch
@@ -1,4 +1,4 @@
-From a7c8a6babe3b4c47fd00bdbefc22fc10d97b9a26 Mon Sep 17 00:00:00 2001
+From 8eec1f49bed1e85e4534067c4290662b7bcc3f34 Mon Sep 17 00:00:00 2001
 From: Michael Biebl <biebl@debian.org>
 Date: Mon, 21 Dec 2015 16:08:47 +0000
 Subject: Add systemd readiness notification support
diff --git a/debian/patches/user-group-modes.patch b/debian/patches/user-group-modes.patch
index 456944f6b..79536fd47 100644
--- a/debian/patches/user-group-modes.patch
+++ b/debian/patches/user-group-modes.patch
@@ -1,4 +1,4 @@
-From 6f05f80017871238b4e50fc4e09d57d722416743 Mon Sep 17 00:00:00 2001
+From 4176718757a83a831028f468ff66cedd291c24b9 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:09:58 +0000
 Subject: Allow harmless group-writability
diff --git a/session.c b/session.c
index 99ec6f363..f246b8a62 100644
--- a/session.c
+++ b/session.c
@@ -46,6 +46,7 @@
 
 #include <arpa/inet.h>
 
+#include <ctype.h>
 #include <errno.h>
 #include <fcntl.h>
 #include <grp.h>
@@ -274,6 +275,21 @@ do_authenticated(Authctxt *authctxt)
         do_cleanup(authctxt);
 }
 
+/* Check untrusted xauth strings for metacharacters */
+static int
+xauth_valid_string(const char *s)
+{
+        size_t i;
+
+        for (i = 0; s[i] != '\0'; i++) {
+                if (!isalnum((u_char)s[i]) &&
+                    s[i] != '.' && s[i] != ':' && s[i] != '/' &&
+                    s[i] != '-' && s[i] != '_')
+                return 0;
+        }
+        return 1;
+}
+
 /*
  * Prepares for an interactive session.  This is called after the user has
  * been successfully authenticated.  During this message exchange, pseudo
@@ -347,7 +363,13 @@ do_authenticated1(Authctxt *authctxt)
                                 s->screen = 0;
                         }
                         packet_check_eom();
-                        success = session_setup_x11fwd(s);
+                        if (xauth_valid_string(s->auth_proto) &&
+                            xauth_valid_string(s->auth_data))
+                                success = session_setup_x11fwd(s);
+                        else {
+                                success = 0;
+                                error("Invalid X11 forwarding data");
+                        }
                         if (!success) {
                                 free(s->auth_proto);
                                 free(s->auth_data);
@@ -2178,7 +2200,13 @@ session_x11_req(Session *s)
         s->screen = packet_get_int();
         packet_check_eom();
 
-        success = session_setup_x11fwd(s);
+        if (xauth_valid_string(s->auth_proto) &&
+            xauth_valid_string(s->auth_data))
+                success = session_setup_x11fwd(s);
+        else {
+                success = 0;
+                error("Invalid X11 forwarding data");
+        }
         if (!success) {
                 free(s->auth_proto);
                 free(s->auth_data);
diff --git a/version.h b/version.h
index 236dd8779..0840a1a66 100644
--- a/version.h
+++ b/version.h
@@ -2,7 +2,7 @@
 
 #define SSH_VERSION     "OpenSSH_7.2"
 
-#define SSH_PORTABLE    "p1"
+#define SSH_PORTABLE    "p2"
 #define SSH_RELEASE_MINIMUM     SSH_VERSION SSH_PORTABLE
 #ifdef SSH_EXTRAVERSION
 #define SSH_RELEASE     SSH_RELEASE_MINIMUM " " SSH_EXTRAVERSION