* New upstream release (http://www.openssh.org/txt/release-5.8):

  - Fix stack information leak in legacy certificate signing
    (http://www.openssh.com/txt/legacy-cert.adv).

38 files changed, 107 insertions, 321 deletions

diff --git a/ChangeLog b/ChangeLog
index 0356a33c5..993e0cb0b 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,31 @@
+20110204
+ - OpenBSD CVS Sync
+   - djm@cvs.openbsd.org 2011/01/31 21:42:15
+     [PROTOCOL.mux]
+     cut'n'pasto; from bert.wesarg AT googlemail.com
+   - djm@cvs.openbsd.org 2011/02/04 00:44:21
+     [key.c]
+     fix uninitialised nonce variable; reported by Mateusz Kocielski
+   - djm@cvs.openbsd.org 2011/02/04 00:44:43
+     [version.h]
+     openssh-5.8
+ - (djm) [README contrib/caldera/openssh.spec contrib/redhat/openssh.spec]
+   [contrib/suse/openssh.spec] update versions in docs and spec files.
+ - Release OpenSSH 5.8p1
+
+20110128
+ - (djm) [openbsd-compat/port-linux.c] Check whether SELinux is enabled
+   before attempting setfscreatecon(). Check whether matchpathcon()
+   succeeded before using its result. Patch from cjwatson AT debian.org;
+   bz#1851
+
+20110125
+ - (djm) [configure.ac Makefile.in ssh.c openbsd-compat/port-linux.c
+   openbsd-compat/port-linux.h] Move SELinux-specific code from ssh.c to
+   port-linux.c to avoid compilation errors. Add -lselinux to ssh when
+   building with SELinux support to avoid linking failure; report from
+   amk AT spamfence.net; ok dtucker
+
 20110122
  - (dtucker) [configure.ac openbsd-compat/openssl-compat.{c,h}] Add
    RSA_get_default_method() for the benefit of openssl versions that don't
diff --git a/Makefile.in b/Makefile.in
index 257f73cc1..c18ba7099 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -1,4 +1,4 @@
-# $Id: Makefile.in,v 1.320 2011/01/17 10:15:29 dtucker Exp $
+# $Id: Makefile.in,v 1.320.4.1 2011/02/04 00:42:13 djm Exp $
 
 # uncomment if you run a non bourne compatable shell. Ie. csh
 #SHELL = @SH@
diff --git a/PROTOCOL.mux b/PROTOCOL.mux
index 3d6f81878..2a5817bd7 100644
--- a/PROTOCOL.mux
+++ b/PROTOCOL.mux
@@ -122,7 +122,7 @@ For dynamically allocated listen port the server replies with
 
 Note: currently unimplemented (server will always reply with MUX_S_FAILURE).
 
-A client may request the master to establish a port forward:
+A client may request the master to close a port forward:
 
         uint32  MUX_C_CLOSE_FWD
         uint32  request id
@@ -200,4 +200,4 @@ XXX server->client error/warning notifications
 XXX port0 rfwd (need custom response message)
 XXX send signals via mux
 
-$OpenBSD: PROTOCOL.mux,v 1.3 2011/01/13 21:55:25 djm Exp $
+$OpenBSD: PROTOCOL.mux,v 1.4 2011/01/31 21:42:15 djm Exp $
diff --git a/README b/README
index 4e7e9a9f2..4f695066b 100644
--- a/README
+++ b/README
@@ -1,4 +1,4 @@
-See http://www.openssh.com/txt/release-5.7 for the release notes.
+See http://www.openssh.com/txt/release-5.8 for the release notes.
 
 - A Japanese translation of this document and of the OpenSSH FAQ is
 - available at http://www.unixuser.org/~haruyama/security/openssh/index.html
@@ -62,4 +62,4 @@ References -
 [6] http://www.openbsd.org/cgi-bin/man.cgi?query=style&sektion=9
 [7] http://www.openssh.com/faq.html
 
-$Id: README,v 1.75 2011/01/22 09:23:12 djm Exp $
+$Id: README,v 1.75.4.1 2011/02/04 00:57:50 djm Exp $
diff --git a/configure b/configure
index 7eaffb08e..73040c5d3 100755..100644
--- a/configure
+++ b/configure
@@ -1,5 +1,5 @@
 #! /bin/sh
-# From configure.ac Revision: 1.469 .
+# From configure.ac Revision: 1.469.4.1 .
 # Guess values for system-dependent variables and create Makefiles.
 # Generated by GNU Autoconf 2.61 for OpenSSH Portable.
 #
diff --git a/configure.ac b/configure.ac
index f15518b78..ad3c4ab0f 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1,4 +1,4 @@
-# $Id: configure.ac,v 1.469 2011/01/21 22:37:05 dtucker Exp $
+# $Id: configure.ac,v 1.469.4.1 2011/02/04 00:42:14 djm Exp $
 #
 # Copyright (c) 1999-2004 Damien Miller
 #
@@ -15,7 +15,7 @@
 # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 
 AC_INIT(OpenSSH, Portable, openssh-unix-dev@mindrot.org)
-AC_REVISION($Revision: 1.469 $)
+AC_REVISION($Revision: 1.469.4.1 $)
 AC_CONFIG_SRCDIR([ssh.c])
 
 # local macros
diff --git a/contrib/caldera/openssh.spec b/contrib/caldera/openssh.spec
index 23397b04d..435003a2a 100644
--- a/contrib/caldera/openssh.spec
+++ b/contrib/caldera/openssh.spec
@@ -16,7 +16,7 @@
 
 #old cvs stuff.  please update before use.  may be deprecated.
 %define use_stable      1
-%define version         5.7p1
+%define version         5.8p1
 %if %{use_stable}
   %define cvs           %{nil}
   %define release       1
@@ -363,4 +363,4 @@ fi
 * Mon Jan 01 1998 ...
 Template Version: 1.31
 
-$Id: openssh.spec,v 1.73 2011/01/22 09:23:33 djm Exp $
+$Id: openssh.spec,v 1.73.4.1 2011/02/04 00:57:54 djm Exp $
diff --git a/contrib/redhat/openssh.spec b/contrib/redhat/openssh.spec
index 8fc76b625..e99e33d0f 100644
--- a/contrib/redhat/openssh.spec
+++ b/contrib/redhat/openssh.spec
@@ -1,4 +1,4 @@
-%define ver 5.7p1
+%define ver 5.8p1
 %define rel 1
 
 # OpenSSH privilege separation requires a user & group ID
diff --git a/contrib/suse/openssh.spec b/contrib/suse/openssh.spec
index 4573c52fd..6afdcc4b4 100644
--- a/contrib/suse/openssh.spec
+++ b/contrib/suse/openssh.spec
@@ -13,7 +13,7 @@
 
 Summary:        OpenSSH, a free Secure Shell (SSH) protocol implementation
 Name:           openssh
-Version:        5.7p1
+Version:        5.8p1
 URL:            http://www.openssh.com/
 Release:        1
 Source0:        openssh-%{version}.tar.gz
diff --git a/debian/changelog b/debian/changelog
index f661dad98..eb8d29828 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+openssh (1:5.8p1-1) UNRELEASED; urgency=low
+
+  * New upstream release (http://www.openssh.org/txt/release-5.8):
+    - Fix stack information leak in legacy certificate signing
+      (http://www.openssh.com/txt/legacy-cert.adv).
+
+ -- Colin Watson <cjwatson@debian.org>  Sat, 05 Feb 2011 11:01:47 +0000
+
 openssh (1:5.7p1-2) experimental; urgency=low
 
   * Fix crash in ssh_selinux_setfscreatecon when SELinux is disabled
diff --git a/debian/patches/authorized-keys-man-symlink.patch b/debian/patches/authorized-keys-man-symlink.patch
index 86b269659..13b3b6561 100644
--- a/debian/patches/authorized-keys-man-symlink.patch
+++ b/debian/patches/authorized-keys-man-symlink.patch
@@ -8,7 +8,7 @@ Index: b/Makefile.in
 ===================================================================
 --- a/Makefile.in
 +++ b/Makefile.in
-@@ -288,6 +288,7 @@
+@@ -289,6 +289,7 @@
         $(INSTALL) -m 644 sshd_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/sshd_config.5
         $(INSTALL) -m 644 ssh_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/ssh_config.5
         $(INSTALL) -m 644 sshd.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sshd.8
diff --git a/debian/patches/gssapi.patch b/debian/patches/gssapi.patch
index 112b31fdf..c123bf7b9 100644
--- a/debian/patches/gssapi.patch
+++ b/debian/patches/gssapi.patch
@@ -137,7 +137,7 @@ Index: b/Makefile.in
 ===================================================================
 --- a/Makefile.in
 +++ b/Makefile.in
-@@ -74,6 +74,7 @@
+@@ -75,6 +75,7 @@
         atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o \
         monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \
         kexdh.o kexgex.o kexdhc.o kexgexc.o bufec.o kexecdh.o kexecdhc.o \
@@ -145,7 +145,7 @@ Index: b/Makefile.in
         msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o jpake.o \
         schnorr.o ssh-pkcs11.o
  
-@@ -90,7 +91,7 @@
+@@ -91,7 +92,7 @@
         auth2-none.o auth2-passwd.o auth2-pubkey.o auth2-jpake.o \
         monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o kexecdhs.o \
         auth-krb5.o \
diff --git a/debian/patches/lintian-symlink-pickiness.patch b/debian/patches/lintian-symlink-pickiness.patch
index b51377c2d..6e161f451 100644
--- a/debian/patches/lintian-symlink-pickiness.patch
+++ b/debian/patches/lintian-symlink-pickiness.patch
@@ -9,7 +9,7 @@ Index: b/Makefile.in
 ===================================================================
 --- a/Makefile.in
 +++ b/Makefile.in
-@@ -298,9 +298,9 @@
+@@ -299,9 +299,9 @@
         $(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
         $(INSTALL) -m 644 ssh-vulnkey.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-vulnkey.1
         -rm -f $(DESTDIR)$(bindir)/slogin
diff --git a/debian/patches/package-versioning.patch b/debian/patches/package-versioning.patch
index ffd416d98..0bcc7ed3b 100644
--- a/debian/patches/package-versioning.patch
+++ b/debian/patches/package-versioning.patch
@@ -38,7 +38,7 @@ Index: b/version.h
 --- a/version.h
 +++ b/version.h
 @@ -3,4 +3,9 @@
- #define SSH_VERSION    "OpenSSH_5.7"
+ #define SSH_VERSION    "OpenSSH_5.8"
  
  #define SSH_PORTABLE   "p1"
 -#define SSH_RELEASE    SSH_VERSION SSH_PORTABLE
diff --git a/debian/patches/selinux-build-failure.patch b/debian/patches/selinux-build-failure.patch
index 89b91ff00..6c99e3f38 100644
--- a/debian/patches/selinux-build-failure.patch
+++ b/debian/patches/selinux-build-failure.patch
@@ -1,236 +1,19 @@
 Description: Fix SELinux build failure
-Origin: backport, http://bazaar.launchpad.net/~vcs-imports/openssh/main/revision/6317
-Author: Damien Miller <djm@mindrot.org>
-Last-Update: 2011-01-25
+Origin: other, https://bugzilla.mindrot.org/attachment.cgi?id=1991&action=diff
+Author: Leonardo Chiqitto <leonardo@ngdn.org>
+Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1851
+Last-Update: 2011-02-05
 
-Index: b/Makefile.in
-===================================================================
---- a/Makefile.in
-+++ b/Makefile.in
-@@ -48,6 +48,7 @@
- CFLAGS=@CFLAGS@
- CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
- LIBS=@LIBS@
-+SSHLIBS=@SSHLIBS@
- SSHDLIBS=@SSHDLIBS@
- LIBEDIT=@LIBEDIT@
- AR=@AR@
-@@ -145,7 +146,7 @@
-        $(RANLIB) $@
- 
- ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS)
--       $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
-+       $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHLIBS) $(LIBS)
- 
- sshd$(EXEEXT): libssh.a        $(LIBCOMPAT) $(SSHDOBJS)
-        $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS)
-Index: b/configure.ac
-===================================================================
---- a/configure.ac
-+++ b/configure.ac
-@@ -761,7 +761,6 @@
-                        [ AC_DEFINE(USE_SOLARIS_PROCESS_CONTRACTS, 1,
-                                [Define if you have Solaris process contracts])
-                          SSHDLIBS="$SSHDLIBS -lcontract"
--                         AC_SUBST(SSHDLIBS)
-                          SPC_MSG="yes" ], )
-                ],
-        )
-@@ -772,7 +771,6 @@
-                        [ AC_DEFINE(USE_SOLARIS_PROJECTS, 1,
-                                [Define if you have Solaris projects])
-                        SSHDLIBS="$SSHDLIBS -lproject"
--                       AC_SUBST(SSHDLIBS)
-                        SP_MSG="yes" ], )
-                ],
-        )
-@@ -3539,11 +3537,14 @@
-                          LIBS="$LIBS -lselinux"
-                        ],
-                        AC_MSG_ERROR(SELinux support requires libselinux library))
-+               SSHLIBS="$SSHLIBS $LIBSELINUX"
-                SSHDLIBS="$SSHDLIBS $LIBSELINUX"
-                AC_CHECK_FUNCS(getseuserbyname get_default_context_with_level)
-                LIBS="$save_LIBS"
-        fi ]
- )
-+AC_SUBST(SSHLIBS)
-+AC_SUBST(SSHDLIBS)
- 
- # Check whether user wants Kerberos 5 support
- KRB5_MSG="no"
-@@ -4365,6 +4366,9 @@
- if test ! -z "${SSHDLIBS}"; then
- echo "         +for sshd: ${SSHDLIBS}"
- fi
-+if test ! -z "${SSHLIBS}"; then
-+echo "          +for ssh: ${SSHLIBS}"
-+fi
- 
- echo ""
- 
-Index: b/configure
-===================================================================
---- a/configure
-+++ b/configure
-@@ -696,7 +696,6 @@
- LOGIN_PROGRAM_FALLBACK
- PATH_PASSWD_PROG
- LD
--SSHDLIBS
- PKGCONFIG
- LIBEDIT
- TEST_SSH_SHA256
-@@ -721,6 +720,8 @@
- PROG_IPCS
- PROG_TAIL
- INSTALL_SSH_PRNG_CMDS
-+SSHLIBS
-+SSHDLIBS
- KRB5CONF
- PRIVSEP_PATH
- xauth_path
-@@ -9047,7 +9048,6 @@
- _ACEOF
- 
-                          SSHDLIBS="$SSHDLIBS -lcontract"
--
-                          SPC_MSG="yes"
- fi
- 
-@@ -9126,7 +9126,6 @@
- _ACEOF
- 
-                        SSHDLIBS="$SSHDLIBS -lproject"
--
-                        SP_MSG="yes"
- fi
- 
-@@ -27806,6 +27805,7 @@
-    { (exit 1); exit 1; }; }
- fi
- 
-+               SSHLIBS="$SSHLIBS $LIBSELINUX"
-                SSHDLIBS="$SSHDLIBS $LIBSELINUX"
- 
- 
-@@ -27908,6 +27908,8 @@
- fi
- 
- 
-+
-+
- # Check whether user wants Kerberos 5 support
- KRB5_MSG="no"
- 
-@@ -31416,7 +31418,6 @@
- LOGIN_PROGRAM_FALLBACK!$LOGIN_PROGRAM_FALLBACK$ac_delim
- PATH_PASSWD_PROG!$PATH_PASSWD_PROG$ac_delim
- LD!$LD$ac_delim
--SSHDLIBS!$SSHDLIBS$ac_delim
- PKGCONFIG!$PKGCONFIG$ac_delim
- LIBEDIT!$LIBEDIT$ac_delim
- TEST_SSH_SHA256!$TEST_SSH_SHA256$ac_delim
-@@ -31433,6 +31434,7 @@
- PROG_SAR!$PROG_SAR$ac_delim
- PROG_W!$PROG_W$ac_delim
- PROG_WHO!$PROG_WHO$ac_delim
-+PROG_LAST!$PROG_LAST$ac_delim
- _ACEOF
- 
-   if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 97; then
-@@ -31474,7 +31476,6 @@
- ac_delim='%!_!# '
- for ac_last_try in false false false false false :; do
-   cat >conf$$subs.sed <<_ACEOF
--PROG_LAST!$PROG_LAST$ac_delim
- PROG_LASTLOG!$PROG_LASTLOG$ac_delim
- PROG_DF!$PROG_DF$ac_delim
- PROG_VMSTAT!$PROG_VMSTAT$ac_delim
-@@ -31482,6 +31483,8 @@
- PROG_IPCS!$PROG_IPCS$ac_delim
- PROG_TAIL!$PROG_TAIL$ac_delim
- INSTALL_SSH_PRNG_CMDS!$INSTALL_SSH_PRNG_CMDS$ac_delim
-+SSHLIBS!$SSHLIBS$ac_delim
-+SSHDLIBS!$SSHDLIBS$ac_delim
- KRB5CONF!$KRB5CONF$ac_delim
- PRIVSEP_PATH!$PRIVSEP_PATH$ac_delim
- xauth_path!$xauth_path$ac_delim
-@@ -31496,7 +31499,7 @@
- LTLIBOBJS!$LTLIBOBJS$ac_delim
- _ACEOF
- 
--  if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 20; then
-+  if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 21; then
-     break
-   elif $ac_last_try; then
-     { { echo "$as_me:$LINENO: error: could not make $CONFIG_STATUS" >&5
-@@ -31993,6 +31996,9 @@
- if test ! -z "${SSHDLIBS}"; then
- echo "         +for sshd: ${SSHDLIBS}"
- fi
-+if test ! -z "${SSHLIBS}"; then
-+echo "          +for ssh: ${SSHLIBS}"
-+fi
- 
- echo ""
- 
 Index: b/openbsd-compat/port-linux.c
 ===================================================================
 --- a/openbsd-compat/port-linux.c
 +++ b/openbsd-compat/port-linux.c
-@@ -218,6 +218,20 @@
-        xfree(oldctx);
-        xfree(newctx);
- }
-+
-+void
-+ssh_selinux_setfscreatecon(const char *path)
-+{
-+               security_context_t context;
-+
-+               if (path == NULL) {
-+                       setfscreatecon(NULL);
-+                       return;
-+               }
-+               matchpathcon(path, 0700, &context);
-+               setfscreatecon(context);
-+}
-+
- #endif /* WITH_SELINUX */
- 
- #ifdef LINUX_OOM_ADJUST
-Index: b/openbsd-compat/port-linux.h
-===================================================================
---- a/openbsd-compat/port-linux.h
-+++ b/openbsd-compat/port-linux.h
-@@ -24,6 +24,7 @@
- void ssh_selinux_setup_pty(char *, const char *, const char *);
- void ssh_selinux_setup_exec_context(char *, const char *);
- void ssh_selinux_change_context(const char *);
-+void ssh_selinux_setfscreatecon(const char *);
- #endif
- 
- #ifdef LINUX_OOM_ADJUST
-Index: b/ssh.c
-===================================================================
---- a/ssh.c
-+++ b/ssh.c
-@@ -852,15 +852,12 @@
-            strcmp(pw->pw_dir, "/") ? "/" : "", _PATH_SSH_USER_DIR);
-        if (r > 0 && (size_t)r < sizeof(buf) && stat(buf, &st) < 0) {
- #ifdef WITH_SELINUX
--               char *scon;
--
--               matchpathcon(buf, 0700, &scon);
--               setfscreatecon(scon);
-+               ssh_selinux_setfscreatecon(buf);
- #endif
-                if (mkdir(buf, 0700) < 0)
-                        error("Could not create directory '%.200s'.", buf);
- #ifdef WITH_SELINUX
--               setfscreatecon(NULL);
-+               ssh_selinux_setfscreatecon(NULL);
- #endif
+@@ -226,7 +226,7 @@
+ 
+        if (!ssh_selinux_enabled())
+                return;
+-       if (path == NULL)
++       if (path == NULL) {
+                setfscreatecon(NULL);
+                return;
         }
-        /* load options.identity_files */
diff --git a/debian/patches/selinux-role.patch b/debian/patches/selinux-role.patch
index 30db352dd..70364f9d5 100644
--- a/debian/patches/selinux-role.patch
+++ b/debian/patches/selinux-role.patch
@@ -336,8 +336,8 @@ Index: b/openbsd-compat/port-linux.h
 +void ssh_selinux_setup_pty(char *, const char *, const char *);
 +void ssh_selinux_setup_exec_context(char *, const char *);
  void ssh_selinux_change_context(const char *);
+ void ssh_selinux_setfscreatecon(const char *);
  #endif
- 
 Index: b/platform.c
 ===================================================================
 --- a/platform.c
diff --git a/debian/patches/selinux-setfscreatecon-crash.patch b/debian/patches/selinux-setfscreatecon-crash.patch
deleted file mode 100644
index 8d09d3529..000000000
--- a/debian/patches/selinux-setfscreatecon-crash.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-Description: Fix crash in ssh_selinux_setfscreatecon when SELinux is disabled
-Author: Colin Watson <cjwatson@ubuntu.com>
-Bug-Ubuntu: https://bugs.launchpad.net/bugs/708571
-Forwarded: https://bugzilla.mindrot.org/show_bug.cgi?id=1851
-Last-Update: 2011-01-27
-
-Index: b/openbsd-compat/port-linux.c
-===================================================================
---- a/openbsd-compat/port-linux.c
-+++ b/openbsd-compat/port-linux.c
-@@ -224,12 +224,15 @@
- {
-                security_context_t context;
- 
-+               if (!ssh_selinux_enabled())
-+                       return;
-+
-                if (path == NULL) {
-                        setfscreatecon(NULL);
-                        return;
-                }
--               matchpathcon(path, 0700, &context);
--               setfscreatecon(context);
-+               if (matchpathcon(path, 0700, &context) == 0)
-+                       setfscreatecon(context);
- }
- 
- #endif /* WITH_SELINUX */
diff --git a/debian/patches/series b/debian/patches/series
index 15b5d91db..a243174dd 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -36,11 +36,8 @@ openbsd-docs.patch
 ssh-argv0.patch
 doc-hash-tab-completion.patch
 
-# Upstream backports
-selinux-build-failure.patch
-
 # Miscellaneous bug fixes
-selinux-setfscreatecon-crash.patch
+selinux-build-failure.patch
 
 # Debian-specific configuration
 gnome-ssh-askpass2-icon.patch
diff --git a/debian/patches/ssh-vulnkey.patch b/debian/patches/ssh-vulnkey.patch
index 78c9833cd..f3e08b06d 100644
--- a/debian/patches/ssh-vulnkey.patch
+++ b/debian/patches/ssh-vulnkey.patch
@@ -32,7 +32,7 @@ Index: b/Makefile.in
  
  CC=@CC@
  LD=@LD@
-@@ -63,7 +65,7 @@
+@@ -64,7 +66,7 @@
  INSTALL_SSH_PRNG_CMDS=@INSTALL_SSH_PRNG_CMDS@
  INSTALL_SSH_RAND_HELPER=@INSTALL_SSH_RAND_HELPER@
  
@@ -41,7 +41,7 @@ Index: b/Makefile.in
  
  LIBSSH_OBJS=acss.o authfd.o authfile.o bufaux.o bufbn.o buffer.o \
         canohost.o channels.o cipher.o cipher-acss.o cipher-aes.o \
-@@ -96,8 +98,8 @@
+@@ -97,8 +99,8 @@
         sftp-server.o sftp-common.o \
         roaming_common.o roaming_serv.o
  
@@ -52,7 +52,7 @@ Index: b/Makefile.in
  MANTYPE                = @MANTYPE@
  
  CONFIGFILES=sshd_config.out ssh_config.out moduli.out
-@@ -178,6 +180,9 @@
+@@ -179,6 +181,9 @@
  ssh-rand-helper${EXEEXT}: $(LIBCOMPAT) libssh.a ssh-rand-helper.o
         $(LD) -o $@ ssh-rand-helper.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
  
@@ -62,7 +62,7 @@ Index: b/Makefile.in
  # test driver for the loginrec code - not built by default
  logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o
         $(LD) -o $@ logintest.o $(LDFLAGS) loginrec.o -lopenbsd-compat -lssh $(LIBS)
-@@ -272,6 +277,7 @@
+@@ -273,6 +278,7 @@
         $(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
         $(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
         $(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
@@ -70,7 +70,7 @@ Index: b/Makefile.in
         $(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
         $(INSTALL) -m 644 scp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1
         $(INSTALL) -m 644 ssh-add.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1
-@@ -289,6 +295,7 @@
+@@ -290,6 +296,7 @@
         $(INSTALL) -m 644 sftp-server.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
         $(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
         $(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
@@ -78,7 +78,7 @@ Index: b/Makefile.in
         -rm -f $(DESTDIR)$(bindir)/slogin
         ln -s ./ssh$(EXEEXT) $(DESTDIR)$(bindir)/slogin
         -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1
-@@ -378,6 +385,7 @@
+@@ -379,6 +386,7 @@
         -rm -f $(DESTDIR)$(bindir)/ssh-agent$(EXEEXT)
         -rm -f $(DESTDIR)$(bindir)/ssh-keygen$(EXEEXT)
         -rm -f $(DESTDIR)$(bindir)/ssh-keyscan$(EXEEXT)
@@ -86,7 +86,7 @@ Index: b/Makefile.in
         -rm -f $(DESTDIR)$(bindir)/sftp$(EXEEXT)
         -rm -f $(DESTDIR)$(sbindir)/sshd$(EXEEXT)
         -rm -r $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
-@@ -391,6 +399,7 @@
+@@ -392,6 +400,7 @@
         -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keygen.1
         -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/sftp.1
         -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keyscan.1
@@ -1248,7 +1248,7 @@ Index: b/ssh.c
 ===================================================================
 --- a/ssh.c
 +++ b/ssh.c
-@@ -1448,7 +1448,7 @@
+@@ -1445,7 +1445,7 @@
  static void
  load_public_identity_files(void)
  {
@@ -1257,7 +1257,7 @@ Index: b/ssh.c
         char *pwdir = NULL, *pwname = NULL;
         int i = 0;
         Key *public;
-@@ -1505,6 +1505,22 @@
+@@ -1502,6 +1502,22 @@
                 public = key_load_public(filename, NULL);
                 debug("identity file %s type %d", filename,
                     public ? public->type : -1);
diff --git a/key.c b/key.c
index 6ccfd8dcb..d30dc5c3c 100644
--- a/key.c
+++ b/key.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: key.c,v 1.95 2010/11/10 01:33:07 djm Exp $ */
+/* $OpenBSD: key.c,v 1.96 2011/02/04 00:44:21 djm Exp $ */
 /*
  * read_bignum():
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -1890,10 +1890,9 @@ key_certify(Key *k, Key *ca)
         buffer_put_cstring(&k->cert->certblob, key_ssh_name(k));
 
         /* -v01 certs put nonce first */
-        if (!key_cert_is_legacy(k)) {
-                arc4random_buf(&nonce, sizeof(nonce));
+        arc4random_buf(&nonce, sizeof(nonce));
+        if (!key_cert_is_legacy(k))
                 buffer_put_string(&k->cert->certblob, nonce, sizeof(nonce));
-        }
 
         switch (k->type) {
         case KEY_DSA_CERT_V00:
diff --git a/moduli.0 b/moduli.0
index af4b37511..ded094ff0 100644
--- a/moduli.0
+++ b/moduli.0
@@ -69,4 +69,4 @@ SEE ALSO
      Diffie-Hellman Group Exchange for the Secure Shell (SSH) Transport Layer
      Protocol, RFC 4419, 2006.
 
-OpenBSD 4.8                      June 26, 2008                     OpenBSD 4.8
+OpenBSD 4.9                      June 26, 2008                     OpenBSD 4.9
diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c
index a2498dc15..dc8b1fa55 100644
--- a/openbsd-compat/port-linux.c
+++ b/openbsd-compat/port-linux.c
@@ -1,4 +1,4 @@
-/* $Id: port-linux.c,v 1.11 2011/01/17 07:50:24 dtucker Exp $ */
+/* $Id: port-linux.c,v 1.11.4.2 2011/02/04 00:43:08 djm Exp $ */
 
 /*
  * Copyright (c) 2005 Daniel Walsh <dwalsh@redhat.com>
@@ -222,17 +222,16 @@ ssh_selinux_change_context(const char *newname)
 void
 ssh_selinux_setfscreatecon(const char *path)
 {
-                security_context_t context;
+        security_context_t context;
 
-                if (!ssh_selinux_enabled())
-                        return;
-
-                if (path == NULL) {
-                        setfscreatecon(NULL);
-                        return;
-                }
-                if (matchpathcon(path, 0700, &context) == 0)
-                        setfscreatecon(context);
+        if (!ssh_selinux_enabled())
+                return;
+        if (path == NULL) {
+                setfscreatecon(NULL);
+                return;
+        }
+        if (matchpathcon(path, 0700, &context) == 0)
+                setfscreatecon(context);
 }
 
 #endif /* WITH_SELINUX */
diff --git a/openbsd-compat/port-linux.h b/openbsd-compat/port-linux.h
index 8ed5587ee..3804fa2d1 100644
--- a/openbsd-compat/port-linux.h
+++ b/openbsd-compat/port-linux.h
@@ -1,4 +1,4 @@
-/* $Id: port-linux.h,v 1.4 2009/12/08 02:39:48 dtucker Exp $ */
+/* $Id: port-linux.h,v 1.4.10.1 2011/02/04 00:42:21 djm Exp $ */
 
 /*
  * Copyright (c) 2006 Damien Miller <djm@openbsd.org>
diff --git a/scp.0 b/scp.0
index f00631626..72467c8ec 100644
--- a/scp.0
+++ b/scp.0
@@ -153,4 +153,4 @@ AUTHORS
      Timo Rinne <tri@iki.fi>
      Tatu Ylonen <ylo@cs.hut.fi>
 
-OpenBSD 4.8                    December 9, 2010                    OpenBSD 4.8
+OpenBSD 4.9                    December 9, 2010                    OpenBSD 4.9
diff --git a/sftp-server.0 b/sftp-server.0
index d8d91c5d5..b7d30ec09 100644
--- a/sftp-server.0
+++ b/sftp-server.0
@@ -61,4 +61,4 @@ HISTORY
 AUTHORS
      Markus Friedl <markus@openbsd.org>
 
-OpenBSD 4.8                     January 9, 2010                    OpenBSD 4.8
+OpenBSD 4.9                     January 9, 2010                    OpenBSD 4.9
diff --git a/sftp.0 b/sftp.0
index 6ceed93ab..960ffb9df 100644
--- a/sftp.0
+++ b/sftp.0
@@ -328,4 +328,4 @@ SEE ALSO
      draft-ietf-secsh-filexfer-00.txt, January 2001, work in progress
      material.
 
-OpenBSD 4.8                    December 4, 2010                    OpenBSD 4.8
+OpenBSD 4.9                    December 4, 2010                    OpenBSD 4.9
diff --git a/ssh-add.0 b/ssh-add.0
index bf62ca905..d91512888 100644
--- a/ssh-add.0
+++ b/ssh-add.0
@@ -112,4 +112,4 @@ AUTHORS
      created OpenSSH.  Markus Friedl contributed the support for SSH protocol
      versions 1.5 and 2.0.
 
-OpenBSD 4.8                    October 28, 2010                    OpenBSD 4.8
+OpenBSD 4.9                    October 28, 2010                    OpenBSD 4.9
diff --git a/ssh-agent.0 b/ssh-agent.0
index 7fe1560d3..c3de21b42 100644
--- a/ssh-agent.0
+++ b/ssh-agent.0
@@ -120,4 +120,4 @@ AUTHORS
      created OpenSSH.  Markus Friedl contributed the support for SSH protocol
      versions 1.5 and 2.0.
 
-OpenBSD 4.8                    November 21, 2010                   OpenBSD 4.8
+OpenBSD 4.9                    November 21, 2010                   OpenBSD 4.9
diff --git a/ssh-keygen.0 b/ssh-keygen.0
index e01ad16d9..a01b30db0 100644
--- a/ssh-keygen.0
+++ b/ssh-keygen.0
@@ -440,4 +440,4 @@ AUTHORS
      created OpenSSH.  Markus Friedl contributed the support for SSH protocol
      versions 1.5 and 2.0.
 
-OpenBSD 4.8                    October 28, 2010                    OpenBSD 4.8
+OpenBSD 4.9                    October 28, 2010                    OpenBSD 4.9
diff --git a/ssh-keyscan.0 b/ssh-keyscan.0
index ba53bce81..4c3d2dbcc 100644
--- a/ssh-keyscan.0
+++ b/ssh-keyscan.0
@@ -106,4 +106,4 @@ BUGS
      This is because it opens a connection to the ssh port, reads the public
      key, and drops the connection as soon as it gets the key.
 
-OpenBSD 4.8                     August 31, 2010                    OpenBSD 4.8
+OpenBSD 4.9                     August 31, 2010                    OpenBSD 4.9
diff --git a/ssh-keysign.0 b/ssh-keysign.0
index 9da4b2446..bff850f27 100644
--- a/ssh-keysign.0
+++ b/ssh-keysign.0
@@ -48,4 +48,4 @@ HISTORY
 AUTHORS
      Markus Friedl <markus@openbsd.org>
 
-OpenBSD 4.8                     August 31, 2010                    OpenBSD 4.8
+OpenBSD 4.9                     August 31, 2010                    OpenBSD 4.9
diff --git a/ssh-pkcs11-helper.0 b/ssh-pkcs11-helper.0
index 664ec971f..22526781e 100644
--- a/ssh-pkcs11-helper.0
+++ b/ssh-pkcs11-helper.0
@@ -22,4 +22,4 @@ HISTORY
 AUTHORS
      Markus Friedl <markus@openbsd.org>
 
-OpenBSD 4.8                    February 10, 2010                   OpenBSD 4.8
+OpenBSD 4.9                    February 10, 2010                   OpenBSD 4.9
diff --git a/ssh-rand-helper.0 b/ssh-rand-helper.0
index 5bc19e8a7..93d3554fc 100644
--- a/ssh-rand-helper.0
+++ b/ssh-rand-helper.0
@@ -48,4 +48,4 @@ AUTHORS
 SEE ALSO
      ssh(1), ssh-add(1), ssh-keygen(1), sshd(8)
 
-OpenBSD 4.8                     April 14, 2002                     OpenBSD 4.8
+OpenBSD 4.9                     April 14, 2002                     OpenBSD 4.9
diff --git a/ssh.0 b/ssh.0
index 3d2036253..c1d3135ce 100644
--- a/ssh.0
+++ b/ssh.0
@@ -895,4 +895,4 @@ AUTHORS
      created OpenSSH.  Markus Friedl contributed the support for SSH protocol
      versions 1.5 and 2.0.
 
-OpenBSD 4.8                    November 18, 2010                   OpenBSD 4.8
+OpenBSD 4.9                    November 18, 2010                   OpenBSD 4.9
diff --git a/ssh_config.0 b/ssh_config.0
index 71233b49b..c4a12f7bb 100644
--- a/ssh_config.0
+++ b/ssh_config.0
@@ -741,4 +741,4 @@ AUTHORS
      created OpenSSH.  Markus Friedl contributed the support for SSH protocol
      versions 1.5 and 2.0.
 
-OpenBSD 4.8                    December 8, 2010                    OpenBSD 4.8
+OpenBSD 4.9                    December 8, 2010                    OpenBSD 4.9
diff --git a/sshd.0 b/sshd.0
index bb01b7164..873584d7d 100644
--- a/sshd.0
+++ b/sshd.0
@@ -631,4 +631,4 @@ CAVEATS
      System security is not improved unless rshd, rlogind, and rexecd are
      disabled (thus completely disabling rlogin and rsh into the machine).
 
-OpenBSD 4.8                    October 28, 2010                    OpenBSD 4.8
+OpenBSD 4.9                    October 28, 2010                    OpenBSD 4.9
diff --git a/sshd_config.0 b/sshd_config.0
index 669d29a06..ab0d79be6 100644
--- a/sshd_config.0
+++ b/sshd_config.0
@@ -710,4 +710,4 @@ AUTHORS
      versions 1.5 and 2.0.  Niels Provos and Markus Friedl contributed support
      for privilege separation.
 
-OpenBSD 4.8                    December 8, 2010                    OpenBSD 4.8
+OpenBSD 4.9                    December 8, 2010                    OpenBSD 4.9
diff --git a/version.h b/version.h
index d07022688..56809360c 100644
--- a/version.h
+++ b/version.h
@@ -1,6 +1,6 @@
-/* $OpenBSD: version.h,v 1.60 2011/01/22 09:18:53 djm Exp $ */
+/* $OpenBSD: version.h,v 1.61 2011/02/04 00:44:43 djm Exp $ */
 
-#define SSH_VERSION     "OpenSSH_5.7"
+#define SSH_VERSION     "OpenSSH_5.8"
 
 #define SSH_PORTABLE    "p1"
 #define SSH_RELEASE_MINIMUM     SSH_VERSION SSH_PORTABLE