Import openssh_7.6p1.orig.tar.gz

1 files changed, 2511 insertions, 2554 deletions

diff --git a/ChangeLog b/ChangeLog
index 48f648d78..e008ec9f3 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,2514 @@
+commit 66bf74a92131b7effe49fb0eefe5225151869dc5
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Mon Oct 2 19:33:20 2017 +0000
+
+    upstream commit
+    
+    Fix PermitOpen crash; spotted by benno@, ok dtucker@ deraadt@
+    
+    Upstream-ID: c2cc84ffac070d2e1ff76182c70ca230a387983c
+
+commit d63b38160a59039708fd952adc75a0b3da141560
+Author: Damien Miller <djm@mindrot.org>
+Date:   Sun Oct 1 10:32:25 2017 +1100
+
+    update URL again
+    
+    I spotted a typo in the draft so uploaded a new version...
+
+commit 6f64f596430cd3576c529f07acaaf2800aa17d58
+Author: Damien Miller <djm@mindrot.org>
+Date:   Sun Oct 1 10:01:56 2017 +1100
+
+    sync release notes URL
+
+commit 35ff70a04dd71663a5ac1e73b90d16d270a06e0d
+Author: Damien Miller <djm@mindrot.org>
+Date:   Sun Oct 1 10:01:25 2017 +1100
+
+    sync contrib/ssh-copy-id with upstream
+
+commit 290843b8ede85f8b30bf29cd7dceb805c3ea5b66
+Author: Damien Miller <djm@mindrot.org>
+Date:   Sun Oct 1 09:59:19 2017 +1100
+
+    update version in RPM spec files
+
+commit 4e4e0bb223c5be88d87d5798c75cc6b0d4fef31d
+Author: Damien Miller <djm@mindrot.org>
+Date:   Sun Oct 1 09:58:24 2017 +1100
+
+    update agent draft URL
+
+commit e4a798f001d2ecd8bf025c1d07658079f27cc604
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Sat Sep 30 22:26:33 2017 +0000
+
+    upstream commit
+    
+    openssh-7.6; ok deraadt@
+    
+    Upstream-ID: a39c3a5b63a1baae109ae1ae4c7c34c2a59acde0
+
+commit 5fa1407e16e7e5fda9769d53b626ce39d5588d4d
+Author: jmc@openbsd.org <jmc@openbsd.org>
+Date:   Wed Sep 27 06:45:53 2017 +0000
+
+    upstream commit
+    
+    tweak EposeAuthinfo; diff from lars nooden
+    
+    tweaked by sthen; ok djm dtucker
+    
+    Upstream-ID: 8f2ea5d2065184363e8be7a0ba24d98a3b259748
+
+commit bba69c246f0331f657fd6ec97724df99fc1ad174
+Author: Damien Miller <djm@mindrot.org>
+Date:   Thu Sep 28 16:06:21 2017 -0700
+
+    don't fatal ./configure for LibreSSL
+
+commit 04dc070e8b4507d9d829f910b29be7e3b2414913
+Author: Damien Miller <djm@mindrot.org>
+Date:   Thu Sep 28 14:54:34 2017 -0700
+
+    abort in configure when only openssl-1.1.x found
+    
+    We don't support openssl-1.1.x yet (see multiple threads on the
+    openssh-unix-dev@ mailing list for the reason), but previously
+    ./configure would accept it and the compilation would subsequently
+    fail. This makes ./configure display an explicit error message and
+    abort.
+    
+    ok dtucker@
+
+commit 74c1c3660acf996d9dc329e819179418dc115f2c
+Author: Darren Tucker <dtucker@zip.com.au>
+Date:   Wed Sep 27 07:44:41 2017 +1000
+
+    Check for and handle calloc(p, 0) = NULL.
+    
+    On some platforms (AIX, maybe others) allocating zero bytes of memory
+    via the various *alloc functions returns NULL, which is permitted
+    by the standards.  Autoconf has some macros for detecting this (with
+    the exception of calloc for some reason) so use these and if necessary
+    activate shims for them.  ok djm@
+
+commit 6a9481258a77b0b54b2a313d1761c87360c5f1f5
+Author: markus@openbsd.org <markus@openbsd.org>
+Date:   Thu Sep 21 19:18:12 2017 +0000
+
+    upstream commit
+    
+    test reverse dynamic forwarding with SOCKS
+    
+    Upstream-Regress-ID: 95cf290470f7e5e2f691e4bc6ba19b91eced2f79
+
+commit 1b9f321605733754df60fac8c1d3283c89b74455
+Author: Damien Miller <djm@mindrot.org>
+Date:   Tue Sep 26 16:55:55 2017 +1000
+
+    sync missing changes in dynamic-forward.sh
+
+commit 44fc334c7a9ebdd08addb6d5fa005369897fddeb
+Author: Darren Tucker <dtucker@zip.com.au>
+Date:   Mon Sep 25 09:48:10 2017 +1000
+
+    Add minimal strsignal for platforms without it.
+
+commit 218e6f98df566fb9bd363f6aa47018cb65ede196
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Sun Sep 24 13:45:34 2017 +0000
+
+    upstream commit
+    
+    fix inverted test on channel open failure path that
+    "upgraded" a transient failure into a fatal error; reported by sthen and also
+    seen by benno@; ok sthen@
+    
+    Upstream-ID: b58b3fbb79ba224599c6cd6b60c934fc46c68472
+
+commit c704f641f7b8777497dc82e81f2ac89afec7e401
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Sun Sep 24 09:50:01 2017 +0000
+
+    upstream commit
+    
+    write the correct buffer when tunnel forwarding; doesn't
+    matter on OpenBSD (they are the same) but does matter on portable where we
+    use an output filter to translate os-specific tun/tap headers
+    
+    Upstream-ID: f1ca94eff48404827b12e1d12f6139ee99a72284
+
+commit 55486f5cef117354f0c64f991895835077b7c7f7
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Sat Sep 23 22:04:07 2017 +0000
+
+    upstream commit
+    
+    fix tunnel forwarding problem introduced in refactor;
+    reported by stsp@ ok markus@
+    
+    Upstream-ID: 81a731cdae1122c8522134095d1a8b60fa9dcd04
+
+commit 609d7a66ce578abf259da2d5f6f68795c2bda731
+Author: markus@openbsd.org <markus@openbsd.org>
+Date:   Thu Sep 21 19:16:53 2017 +0000
+
+    upstream commit
+    
+    Add 'reverse' dynamic forwarding which combines dynamic
+    forwarding (-D) with remote forwarding (-R) where the remote-forwarded port
+    expects SOCKS-requests.
+    
+    The SSH server code is unchanged and the parsing happens at the SSH
+    clients side. Thus the full SOCKS-request is sent over the forwarded
+    channel and the client parses c->output. Parsing happens in
+    channel_before_prepare_select(), _before_ the select bitmask is
+    computed in the pre[] handlers, but after network input processing
+    in the post[] handlers.
+    
+    help and ok djm@
+    
+    Upstream-ID: aa25a6a3851064f34fe719e0bf15656ad5a64b89
+
+commit 36945fa103176c00b39731e1fc1919a0d0808b81
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date:   Wed Sep 20 05:19:00 2017 +0000
+
+    upstream commit
+    
+    Use strsignal in debug message instead of casting for the
+    benefit of portable where sig_atomic_t might not be int.  "much nicer"
+    deraadt@
+    
+    Upstream-ID: 2dac6c1e40511c700bd90664cd263ed2299dcf79
+
+commit 3e8d185af326bf183b6f78597d5e3d2eeb2dc40e
+Author: millert@openbsd.org <millert@openbsd.org>
+Date:   Tue Sep 19 12:10:30 2017 +0000
+
+    upstream commit
+    
+    Use explicit_bzero() instead of bzero() before free() to
+    prevent the compiler from optimizing away the bzero() call.  OK djm@
+    
+    Upstream-ID: cdc6197e64c9684c7250e23d60863ee1b53cef1d
+
+commit 5b8da1f53854c0923ec6e927e86709e4d72737b6
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Tue Sep 19 04:24:22 2017 +0000
+
+    upstream commit
+    
+    fix use-after-free in ~^Z escape handler path, introduced
+    in channels.c refactor; spotted by millert@ "makes sense" deraadt@
+    
+    Upstream-ID: 8fa2cdc65c23ad6420c1e59444b0c955b0589b22
+
+commit a3839d8d2b89ff1a80cadd4dd654336710de2c9e
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date:   Mon Sep 18 12:03:24 2017 +0000
+
+    upstream commit
+    
+    Prevent type mismatch warning in debug on platforms where
+    sig_atomic_t != int.  ok djm@
+    
+    Upstream-ID: 306e2375eb0364a4c68e48f091739bea4f4892ed
+
+commit 30484e5e5f0b63d2c6ba32c6b85f06b6c6fa55fc
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date:   Mon Sep 18 09:41:52 2017 +0000
+
+    upstream commit
+    
+    Add braces missing after channels refactor.  ok markus@
+    
+    Upstream-ID: 72ab325c84e010680dbc88f226e2aa96b11a3980
+
+commit b79569190b9b76dfacc6d996faa482f16e8fc026
+Author: Damien Miller <djm@mindrot.org>
+Date:   Tue Sep 19 12:29:23 2017 +1000
+
+    add freezero(3) replacement
+    
+    ok dtucker@
+
+commit 161af8f5ec0961b10cc032efb5cc1b44ced5a92e
+Author: Damien Miller <djm@mindrot.org>
+Date:   Tue Sep 19 10:18:56 2017 +1000
+
+    move FORTIFY_SOURCE into hardening options group
+    
+    It's still on by default, but now it's possible to turn it off using
+    --without-hardening. This is useful since it's known to cause problems
+    with some -fsanitize options. ok dtucker@
+
+commit 09eacf856e0fe1a6e3fe597ec8032b7046292914
+Author: bluhm@openbsd.org <bluhm@openbsd.org>
+Date:   Wed Sep 13 14:58:26 2017 +0000
+
+    upstream commit
+    
+    Print SKIPPED if sudo and doas configuration is missing.
+    Prevents that running the regression test with wrong environment is reported
+    as failure.  Keep the fatal there to avoid interfering with other setups for
+    portable ssh. OK dtucker@
+    
+    Upstream-Regress-ID: f0dc60023caef496ded341ac5aade2a606fa234e
+
+commit cdede10899892f25f1ccdccd7a3fe5e5ef0aa49a
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date:   Mon Aug 7 03:52:55 2017 +0000
+
+    upstream commit
+    
+    Remove obsolete privsep=no fallback test.
+    
+    Upstream-Regress-ID: 7d6e1baa1678ac6be50c2a1555662eb1047638df
+
+commit ec218c105daa9f5b192f7aa890fdb2d4fdc4e9d8
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date:   Mon Aug 7 00:53:51 2017 +0000
+
+    upstream commit
+    
+    Remove non-privsep test since disabling privsep is now
+    deprecated.
+    
+    Upstream-Regress-ID: 77ad3f3d8d52e87f514a80f285c6c1229b108ce8
+
+commit 239c57d5bc2253e27e3e6ad7ac52ec8c377ee24e
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date:   Fri Jul 28 10:32:08 2017 +0000
+
+    upstream commit
+    
+    Don't call fatal from stop_sshd since it calls cleanup
+    which calls stop_sshd which will probably fail in the same way.  Instead,
+    just bail. Differentiate between sshd dying without cleanup and not shutting
+    down.
+    
+    Upstream-Regress-ID: f97315f538618b349e2b0bea02d6b0c9196c6bc4
+
+commit aea59a0d9f120f2a87c7f494a0d9c51eaa79b8ba
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Thu Sep 14 04:32:21 2017 +0000
+
+    upstream commit
+    
+    Revert commitid: gJtIN6rRTS3CHy9b.
+    
+    -------------
+    identify the case where SSHFP records are missing but other DNS RR
+    types are present and display a more useful error message for this
+    case; patch by Thordur Bjornsson; bz#2501; ok dtucker@
+    -------------
+    
+    This caused unexpected failures when VerifyHostKeyDNS=yes, SSHFP results
+    are missing but the user already has the key in known_hosts
+    
+    Spotted by dtucker@
+    
+    Upstream-ID: 97e31742fddaf72046f6ffef091ec0d823299920
+
+commit 871f1e4374420b07550041b329627c474abc3010
+Author: Damien Miller <djm@mindrot.org>
+Date:   Tue Sep 12 18:01:35 2017 +1000
+
+    adapt portable to channels API changes
+
+commit 4ec0bb9f9ad7b4eb0af110fa8eddf8fa199e46bb
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Tue Sep 12 07:55:48 2017 +0000
+
+    upstream commit
+    
+    unused variable
+    
+    Upstream-ID: 2f9ba09f2708993d35eac5aa71df910dcc52bac1
+
+commit 9145a73ce2ba30c82bbf91d7205bfd112529449f
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Tue Sep 12 07:32:04 2017 +0000
+
+    upstream commit
+    
+    fix tun/tap forwarding case in previous
+    
+    Upstream-ID: 43ebe37a930320e24bca6900dccc39857840bc53
+
+commit 9f53229c2ac97dbc6f5a03657de08a1150a9ac7e
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Tue Sep 12 06:35:31 2017 +0000
+
+    upstream commit
+    
+    Make remote channel ID a u_int
+    
+    Previously we tracked the remote channel IDs in an int, but this is
+    strictly incorrect: the wire protocol uses uint32 and there is nothing
+    in-principle stopping a SSH implementation from sending, say, 0xffff0000.
+    
+    In practice everyone numbers their channels sequentially, so this has
+    never been a problem.
+    
+    ok markus@
+    
+    Upstream-ID: b9f4cd3dc53155b4a5c995c0adba7da760d03e73
+
+commit dbee4119b502e3f8b6cd3282c69c537fd01d8e16
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Tue Sep 12 06:32:07 2017 +0000
+
+    upstream commit
+    
+    refactor channels.c
+    
+    Move static state to a "struct ssh_channels" that is allocated at
+    runtime and tracked as a member of struct ssh.
+    
+    Explicitly pass "struct ssh" to all channels functions.
+    
+    Replace use of the legacy packet APIs in channels.c.
+    
+    Rework sshd_config PermitOpen handling: previously the configuration
+    parser would call directly into the channels layer. After the refactor
+    this is not possible, as the channels structures are allocated at
+    connection time and aren't available when the configuration is parsed.
+    The server config parser now tracks PermitOpen itself and explicitly
+    configures the channels code later.
+    
+    ok markus@
+    
+    Upstream-ID: 11828f161656b965cc306576422613614bea2d8f
+
+commit abd59663df37a42152e37980113ccaa405b9a282
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Thu Sep 7 23:48:09 2017 +0000
+
+    upstream commit
+    
+    typo in comment
+    
+    Upstream-ID: a93b1e6f30f1f9b854b5b964b9fd092d0c422c47
+
+commit 149a8cd24ce9dd47c36f571738681df5f31a326c
+Author: jmc@openbsd.org <jmc@openbsd.org>
+Date:   Mon Sep 4 06:34:43 2017 +0000
+
+    upstream commit
+    
+    tweak previous;
+    
+    Upstream-ID: bb8cc40b61b15f6a13d81da465ac5bfc65cbfc4b
+
+commit ec9d22cc251cc5acfe7b2bcef9cc7a1fe0e949d8
+Author: Damien Miller <djm@mindrot.org>
+Date:   Fri Sep 8 12:44:13 2017 +1000
+
+    Fuzzer harnesses for sig verify and pubkey parsing
+    
+    These are some basic clang libfuzzer harnesses for signature
+    verification and public key parsing. Some assembly (metaphorical)
+    required.
+
+commit de35c382894964a896a63ecd5607d3a3b93af75d
+Author: Damien Miller <djm@mindrot.org>
+Date:   Fri Sep 8 12:38:31 2017 +1000
+
+    Give configure ability to set CFLAGS/LDFLAGS later
+    
+    Some CFLAGS/LDFLAGS may disrupt the configure script's operation,
+    in particular santization and fuzzer options that break assumptions
+    about memory and file descriptor dispositions.
+    
+    This adds two flags to configure --with-cflags-after and
+    --with-ldflags-after that allow specifying additional compiler and
+    linker options that are added to the resultant Makefiles but not
+    used in the configure run itself.
+    
+    E.g.
+    
+    env CC=clang-3.9 ./configure \
+      --with-cflags-after=-fsantize=address \
+      --with-ldflags-after="-g -fsanitize=address"
+
+commit 22376d27a349f62c502fec3396dfe0fdcb2a40b7
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Sun Sep 3 23:33:13 2017 +0000
+
+    upstream commit
+    
+    Expand ssh_config's StrictModes option with two new
+    settings:
+    
+    StrictModes=accept-new will automatically accept hitherto-unseen keys
+    but will refuse connections for changed or invalid hostkeys.
+    
+    StrictModes=off is the same as StrictModes=no
+    
+    Motivation:
+    
+    StrictModes=no combines two behaviours for host key processing:
+    automatically learning new hostkeys and continuing to connect to hosts
+    with invalid/changed hostkeys. The latter behaviour is quite dangerous
+    since it removes most of the protections the SSH protocol is supposed to
+    provide.
+    
+    Quite a few users want to automatically learn hostkeys however, so
+    this makes that feature available with less danger.
+    
+    At some point in the future, StrictModes=no will change to be a synonym
+    for accept-new, with its current behaviour remaining available via
+    StrictModes=off.
+    
+    bz#2400, suggested by Michael Samuel; ok markus
+    
+    Upstream-ID: 0f55502bf75fc93a74fb9853264a8276b9680b64
+
+commit ff3c42384033514e248ba5d7376aa033f4a2b99a
+Author: jmc@openbsd.org <jmc@openbsd.org>
+Date:   Fri Sep 1 15:41:26 2017 +0000
+
+    upstream commit
+    
+    remove blank line;
+    
+    Upstream-ID: 2f46b51a0ddb3730020791719e94d3e418e9f423
+
+commit b828605d51f57851316d7ba402b4ae06cf37c55d
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Fri Sep 1 05:53:56 2017 +0000
+
+    upstream commit
+    
+    identify the case where SSHFP records are missing but
+    other DNS RR types are present and display a more useful error message for
+    this case; patch by Thordur Bjornsson; bz#2501; ok dtucker@
+    
+    Upstream-ID: 8f7a5a8344f684823d8317a9708b63e75be2c244
+
+commit 8042bad97e2789a50e8f742c3bcd665ebf0add32
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Fri Sep 1 05:50:48 2017 +0000
+
+    upstream commit
+    
+    document available AuthenticationMethods; bz#2453 ok
+    dtucker@
+    
+    Upstream-ID: 2c70576f237bb699aff59889dbf2acba4276d3d0
+
+commit 71e5a536ec815d542b199f2ae6d646c0db9f1b58
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Wed Aug 30 03:59:08 2017 +0000
+
+    upstream commit
+    
+    pass packet state down to some of the channels function
+    (more to come...); ok markus@
+    
+    Upstream-ID: d8ce7a94f4059d7ac1e01fb0eb01de0c4b36c81b
+
+commit 6227fe5b362239c872b91bbdee4bf63cf85aebc5
+Author: jmc@openbsd.org <jmc@openbsd.org>
+Date:   Tue Aug 29 13:05:58 2017 +0000
+
+    upstream commit
+    
+    sort options;
+    
+    Upstream-ID: cf21d68cf54e81968bca629aaeddc87f0c684f3c
+
+commit 530591a5795a02d01c78877d58604723918aac87
+Author: dlg@openbsd.org <dlg@openbsd.org>
+Date:   Tue Aug 29 09:42:29 2017 +0000
+
+    upstream commit
+    
+    add a -q option to ssh-add to make it quiet on success.
+    
+    if you want to silence ssh-add without this you generally redirect
+    the output to /dev/null, but that can hide error output which you
+    should see.
+    
+    ok djm@
+    
+    Upstream-ID: 2f31b9b13f99dcf587e9a8ba443458e6c0d8997c
+
+commit a54eb27dd64b5eca3ba94e15cec3535124bd5029
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date:   Sun Aug 27 00:38:41 2017 +0000
+
+    upstream commit
+    
+    Increase the buffer sizes for user prompts to ensure that
+    they won't be truncated by snprintf.  Based on patch from cjwatson at
+    debian.org via bz#2768, ok djm@
+    
+    Upstream-ID: 6ffacf1abec8f40b469de5b94bfb29997d96af3e
+
+commit dd9d9b3381a4597b840d480b043823112039327e
+Author: Darren Tucker <dtucker@zip.com.au>
+Date:   Mon Aug 28 16:48:27 2017 +1000
+
+    Switch Capsicum header to sys/capsicum.h.
+    
+    FreeBSD's <sys/capability.h> was renamed to <sys/capsicum.h> in 2014 to
+    avoid future conflicts with POSIX capabilities (the last release that
+    didn't have it was 9.3) so switch to that.  Patch from des at des.no.
+
+commit f5e917ab105af5dd6429348d9bc463e52b263f92
+Author: Darren Tucker <dtucker@zip.com.au>
+Date:   Sun Aug 27 08:55:40 2017 +1000
+
+    Add missing includes for bsd-err.c.
+    
+    Patch from cjwatson at debian.org via bz#2767.
+
+commit 878e029797cfc9754771d6f6ea17f8c89e11d225
+Author: Damien Miller <djm@mindrot.org>
+Date:   Fri Aug 25 13:25:01 2017 +1000
+
+    Split platform_sys_dir_uid into its own file
+    
+    platform.o is too heavy for libssh.a use; it calls into the server on
+    many platforms. Move just the function needed by misc.c into its own
+    file.
+
+commit 07949bfe9133234eddd01715592aa0dde67745f0
+Author: Damien Miller <djm@mindrot.org>
+Date:   Wed Aug 23 20:13:18 2017 +1000
+
+    misc.c needs functions from platform.c now
+
+commit b074c3c3f820000a21953441cea7699c4b17d72f
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Fri Aug 18 05:48:04 2017 +0000
+
+    upstream commit
+    
+    add a "quiet" flag to exited_cleanly() that supresses
+    errors about exit status (failure due to signal is still reported)
+    
+    Upstream-ID: db85c39c3aa08e6ff67fc1fb4ffa89f807a9d2f0
+
+commit de4ae07f12dabf8815ecede54235fce5d22e3f63
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Fri Aug 18 05:36:45 2017 +0000
+
+    upstream commit
+    
+    Move several subprocess-related functions from various
+    locations to misc.c. Extend subprocess() to offer a little more control over
+    stdio disposition.
+    
+    feedback & ok dtucker@
+    
+    Upstream-ID: 3573dd7109d13ef9bd3bed93a3deb170fbfce049
+
+commit 643c2ad82910691b2240551ea8b14472f60b5078
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Sat Aug 12 06:46:01 2017 +0000
+
+    upstream commit
+    
+    make "--" before the hostname terminate command-line
+    option processing completely; previous behaviour would not prevent further
+    options appearing after the hostname (ssh has a supported options after the
+    hostname for >20 years, so that's too late to change).
+    
+    ok deraadt@
+    
+    Upstream-ID: ef5ee50571b98ad94dcdf8282204e877ec88ad89
+
+commit 0f3455356bc284d7c6f4d3c1614d31161bd5dcc2
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Sat Aug 12 06:42:52 2017 +0000
+
+    upstream commit
+    
+    Switch from aes256-cbc to aes256-ctr for encrypting
+    new-style private keys. The latter having the advantage of being supported
+    for no-OpenSSL builds; bz#2754 ok markus@
+    
+    Upstream-ID: 54179a2afd28f93470471030567ac40431e56909
+
+commit c4972d0a9bd6f898462906b4827e09b7caea2d9b
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Fri Aug 11 04:47:12 2017 +0000
+
+    upstream commit
+    
+    refuse to a private keys when its corresponding .pub key
+    does not match. bz#2737 ok dtucker@
+    
+    Upstream-ID: 54ff5e2db00037f9db8d61690f26ef8f16e0d913
+
+commit 4b3ecbb663c919132dddb3758e17a23089413519
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Fri Aug 11 04:41:08 2017 +0000
+
+    upstream commit
+    
+    don't print verbose error message when ssh disconnects
+    under sftp; bz#2750; ok dtucker@
+    
+    Upstream-ID: 6d83708aed77b933c47cf155a87dc753ec01f370
+
+commit 42a8f8bc288ef8cac504c5c73f09ed610bc74a34
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date:   Fri Aug 11 04:16:35 2017 +0000
+
+    upstream commit
+    
+    Tweak previous keepalive commit: if last_time + keepalive
+    <= now instead of just "<" so client_alive_check will fire if the select
+    happens to return on exact second of the timeout.  ok djm@
+    
+    Upstream-ID: e02756bd6038d11bb8522bfd75a4761c3a684fcc
+
+commit b60ff20051ef96dfb207b6bfa45c0ad6c34a542a
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date:   Fri Aug 11 03:58:36 2017 +0000
+
+    upstream commit
+    
+    Keep track of the last time we actually heard from the
+    client and use this to also schedule a client_alive_check().  Prevents
+    activity on a forwarded port from indefinitely preventing the select timeout
+    so that client_alive_check() will eventually (although not optimally) be
+    called.
+    
+    Analysis by willchan at google com via bz#2756, feedback & ok djm@
+    
+    Upstream-ID: c08721e0bbda55c6d18e2760f3fe1b17fb71169e
+
+commit 94bc1e7ffba3cbdea8c7dcdab8376bf29283128f
+Author: Damien Miller <djm@mindrot.org>
+Date:   Fri Jul 28 14:50:59 2017 +1000
+
+    Expose list of completed auth methods to PAM
+    
+    bz#2408; ok dtucker@
+
+commit c78e6eec78c88acf8d51db90ae05a3e39458603d
+Author: Damien Miller <djm@mindrot.org>
+Date:   Fri Jul 21 14:38:16 2017 +1000
+
+    fix problems in tunnel forwarding portability code
+    
+    This fixes a few problems in the tun forwarding code, mostly to do
+    with host/network byte order confusion.
+    
+    Based on a  report and patch by stepe AT centaurus.uberspace.de;
+    bz#2735; ok dtucker@
+
+commit 2985d4062ebf4204bbd373456a810d558698f9f5
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date:   Tue Jul 25 09:22:25 2017 +0000
+
+    upstream commit
+    
+    Make WinSCP patterns for SSH_OLD_DHGEX more specific to
+    exclude WinSCP 5.10.x and up.  bz#2748, from martin at winscp.net, ok djm@
+    
+    Upstream-ID: 6fd7c32e99af3952db007aa180e73142ddbc741a
+
+commit 9f0e44e1a0439ff4646495d5735baa61138930a9
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Mon Jul 24 04:34:28 2017 +0000
+
+    upstream commit
+    
+    g/c unused variable; make a little more portable
+    
+    Upstream-ID: 3f5980481551cb823c6fb2858900f93fa9217dea
+
+commit 51676ec61491ec6d7cbd06082034e29b377b3bf6
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Sun Jul 23 23:37:02 2017 +0000
+
+    upstream commit
+    
+    Allow IPQoS=none in ssh/sshd to not set an explicit
+    ToS/DSCP value and just use the operating system default; ok dtucker@
+    
+    Upstream-ID: 77906ff8c7b660b02ba7cb1e47b17d66f54f1f7e
+
+commit 6c1fbd5a50d8d2415f06c920dd3b1279b741072d
+Author: Damien Miller <djm@mindrot.org>
+Date:   Fri Jul 21 14:24:26 2017 +1000
+
+    mention libedit
+
+commit dc2bd308768386b02c7337120203ca477e67ba62
+Author: markus@openbsd.org <markus@openbsd.org>
+Date:   Wed Jul 19 08:30:41 2017 +0000
+
+    upstream commit
+    
+    fix support for unknown key types; ok djm@
+    
+    Upstream-ID: 53fb29394ed04d616d65b3748dee5aa06b07ab48
+
+commit fd0e8fa5f89d21290b1fb5f9d110ca4f113d81d9
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Wed Jul 19 01:15:02 2017 +0000
+
+    upstream commit
+    
+    switch from select() to poll() for the ssh-agent
+    mainloop; ok markus
+    
+    Upstream-ID: 4a94888ee67b3fd948fd10693973beb12f802448
+
+commit b1e72df2b813ecc15bd0152167bf4af5f91c36d3
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date:   Fri Jul 14 03:18:21 2017 +0000
+
+    upstream commit
+    
+    Make ""Killed by signal 1" LogLevel verbose so it's not
+    shown at the default level.  Prevents it from appearing during ssh -J and
+    equivalent ProxyCommand configs. bz#1906, bz#2744, feedback&ok markus@
+    
+    Upstream-ID: debfaa7e859b272246c2f2633335d288d2e2ae28
+
+commit 1f3d202770a08ee6752ed2a234b7ca6f180eb498
+Author: jmc@openbsd.org <jmc@openbsd.org>
+Date:   Thu Jul 13 19:16:33 2017 +0000
+
+    upstream commit
+    
+    man pages with pseudo synopses which list filenames end
+    up creating very ugly output in man -k; after some discussion with ingo, we
+    feel the simplest fix is to remove such SYNOPSIS sections: the info is hardly
+    helpful at page top, is contained already in FILES, and there are
+    sufficiently few that just zapping them is simple;
+    
+    ok schwarze, who also helpfully ran things through a build to check
+    output;
+    
+    Upstream-ID: 3e211b99457e2f4c925c5927d608e6f97431336c
+
+commit 7f13a4827fb28957161de4249bd6d71954f1f2ed
+Author: espie@openbsd.org <espie@openbsd.org>
+Date:   Mon Jul 10 14:09:59 2017 +0000
+
+    upstream commit
+    
+    zap redundant Makefile variables. okay djm@
+    
+    Upstream-ID: e39b3902fe1d6c4a7ba6a3c58e072219f3c1e604
+
+commit dc44dd3a9e2c9795394e6a7e1e71c929cbc70ce0
+Author: jmc@openbsd.org <jmc@openbsd.org>
+Date:   Sat Jul 8 18:32:54 2017 +0000
+
+    upstream commit
+    
+    slightly rework previous, to avoid an article issue;
+    
+    Upstream-ID: 15a315f0460ddd3d4e2ade1f16d6c640a8c41b30
+
+commit 853edbe057a84ebd0024c8003e4da21bf2b469f7
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Fri Jul 7 03:53:12 2017 +0000
+
+    upstream commit
+    
+    When generating all hostkeys (ssh-keygen -A), clobber
+    existing keys if they exist but are zero length. zero-length keys could
+    previously be made if ssh-keygen failed part way through generating them, so
+    avoid that case too. bz#2561 reported by Krzysztof Cieplucha; ok dtucker@
+    
+    Upstream-ID: f662201c28ab8e1f086b5d43c59cddab5ade4044
+
+commit 43616876ba68a2ffaece6a6c792def4b039f2d6e
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Sat Jul 1 22:55:44 2017 +0000
+
+    upstream commit
+    
+    actually remove these files
+    
+    Upstream-ID: 1bd41cba06a7752de4df304305a8153ebfb6b0ac
+
+commit 83fa3a044891887369ce8b487ce88d713a04df48
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Sat Jul 1 13:50:45 2017 +0000
+
+    upstream commit
+    
+    remove post-SSHv1 removal dead code from rsa.c and merge
+    the remaining bit that it still used into ssh-rsa.c; ok markus
+    
+    Upstream-ID: ac8a048d24dcd89594b0052ea5e3404b473bfa2f
+
+commit 738c73dca2c99ee78c531b4cbeefc2008fe438f0
+Author: Damien Miller <djm@mindrot.org>
+Date:   Fri Jul 14 14:26:36 2017 +1000
+
+    make explicit_bzero/memset safe for sz=0
+
+commit 8433d51e067e0829f5521c0c646b6fd3fe17e732
+Author: Tim Rice <tim@multitalents.net>
+Date:   Tue Jul 11 18:47:56 2017 -0700
+
+    modified:   configure.ac
+    UnixWare needs BROKEN_TCGETATTR_ICANON like Solaris
+    Analysis by Robbie Zhang
+
+commit ff3507aea9c7d30cd098e7801e156c68faff7cc7
+Author: Damien Miller <djm@mindrot.org>
+Date:   Fri Jul 7 11:21:27 2017 +1000
+
+    typo
+
+commit d79bceb9311a9c137d268f5bc481705db4151810
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date:   Fri Jun 30 04:17:23 2017 +0000
+
+    upstream commit
+    
+    Only call close once in confree().  ssh_packet_close will
+    close the FD so only explicitly close non-SSH channels.  bz#2734, from
+    bagajjal at microsoft.com, ok djm@
+    
+    Upstream-ID: a81ce0c8b023527167739fccf1732b154718ab02
+
+commit 197dc9728f062e23ce374f44c95a2b5f9ffa4075
+Author: Darren Tucker <dtucker@zip.com.au>
+Date:   Thu Jun 29 15:40:25 2017 +1000
+
+    Update link for my patches.
+
+commit a98339edbc1fc21342a390f345179a9c3031bef7
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Wed Jun 28 01:09:22 2017 +0000
+
+    upstream commit
+    
+    Allow ssh-keygen to use a key held in ssh-agent as a CA when
+    signing certificates. bz#2377 ok markus
+    
+    Upstream-ID: fb42e920b592edcbb5b50465739a867c09329c8f
+
+commit c9cdef35524bd59007e17d5bd2502dade69e2dfb
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Sat Jun 24 06:35:24 2017 +0000
+
+    upstream commit
+    
+    regress test for ExposeAuthInfo
+    
+    Upstream-Regress-ID: 190e5b6866376f4061c411ab157ca4d4e7ae86fd
+
+commit f17ee61cad25d210edab69d04ed447ad55fe80c1
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Sat Jun 24 07:08:57 2017 +0000
+
+    upstream commit
+    
+    correct env var name
+    
+    Upstream-ID: 721e761c2b1d6a4dcf700179f16fd53a1dadb313
+
+commit 40962198e3b132cecdb32e9350acd4294e6a1082
+Author: jmc@openbsd.org <jmc@openbsd.org>
+Date:   Sat Jun 24 06:57:04 2017 +0000
+
+    upstream commit
+    
+    spelling;
+    
+    Upstream-ID: 606f933c8e2d0be902ea663946bc15e3eee40b25
+
+commit 33f86265d7e8a0e88d3a81745d746efbdd397370
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Sat Jun 24 06:38:11 2017 +0000
+
+    upstream commit
+    
+    don't pass pointer to struct sshcipher between privsep
+    processes, just redo the lookup in each using the already-passed cipher name.
+    bz#2704 based on patch from Brooks Davis; ok markus dtucker
+    
+    Upstream-ID: 2eab434c09bdf549dafd7da3e32a0d2d540adbe0
+
+commit 8f574959272ac7fe9239c4f5d10fd913f8920ab0
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Sat Jun 24 06:34:38 2017 +0000
+
+    upstream commit
+    
+    refactor authentication logging
+    
+    optionally record successful auth methods and public credentials
+    used in a file accessible to user sessions
+    
+    feedback and ok markus@
+    
+    Upstream-ID: 090b93036967015717b9a54fd0467875ae9d32fb
+
+commit e2004d4bb7eb01c663dd3a3e7eb224f1ccdc9bba
+Author: jmc@openbsd.org <jmc@openbsd.org>
+Date:   Sat Jun 24 06:28:50 2017 +0000
+
+    upstream commit
+    
+    word fix;
+    
+    Upstream-ID: 8539bdaf2366603a34a9b2f034527ca13bb795c5
+
+commit 4540428cd0adf039bcf5a8a27f2d5cdf09191513
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Sat Jun 24 05:37:44 2017 +0000
+
+    upstream commit
+    
+    switch sshconnect.c from (slightly abused) select() to
+    poll(); ok deraadt@ a while back
+    
+    Upstream-ID: efc1937fc591bbe70ac9e9542bb984f354c8c175
+
+commit 6f8ca3b92540fa1a9b91670edc98d15448e3d765
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Sat Jun 24 05:35:05 2017 +0000
+
+    upstream commit
+    
+    use HostKeyAlias if specified instead of hostname for
+    matching host certificate principal names; bz#2728; ok dtucker@
+    
+    Upstream-ID: dc2e11c83ae9201bbe74872a0c895ae9725536dd
+
+commit 8904ffce057b80a7472955f1ec00d7d5c250076c
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Sat Jun 24 05:24:11 2017 +0000
+
+    upstream commit
+    
+    no need to call log_init to reinitialise logged PID in
+    child sessions, since we haven't called openlog() in log_init() since 1999;
+    ok markus@
+    
+    Upstream-ID: 0906e4002af5d83d3d544df75e1187c932a3cf2e
+
+commit e238645d789cd7eb47541b66aea2a887ea122c9b
+Author: mestre@openbsd.org <mestre@openbsd.org>
+Date:   Fri Jun 23 07:24:48 2017 +0000
+
+    upstream commit
+    
+    When using the escape sequence &~ the code path is
+    client_loop() -> client_simple_escape_filter() -> process_escapes() -> fork()
+    and the pledge for this path lacks the proc promise and therefore aborts the
+    process. The solution is to just add proc the promise to this specific
+    pledge.
+    
+    Reported by Gregoire Jadi gjadi ! omecha.info
+    Insight with tb@, OK jca@
+    
+    Upstream-ID: 63c05e30c28209519f476023b65b0b1b0387a05b
+
+commit 5abbb31c4e7a6caa922cc1cbb14e87a77f9d19d3
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date:   Fri Jun 23 03:30:42 2017 +0000
+
+    upstream commit
+    
+    Import regenerated moduli.
+    
+    Upstream-ID: b25bf747544265b39af74fe0716dc8d9f5b63b95
+
+commit 849c5468b6d9b4365784c5dd88e3f1fb568ba38f
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date:   Fri Jun 23 03:25:53 2017 +0000
+
+    upstream commit
+    
+    Run the screen twice so we end up with more candidate
+    groups.  ok djm@
+    
+    Upstream-ID: b92c93266d8234d493857bb822260dacf4366157
+
+commit 4626e39c7053c6486c1c8b708ec757e464623f5f
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date:   Wed Jun 14 00:31:38 2017 +0000
+
+    upstream commit
+    
+    Add user@host prefix to client's "Permisison denied"
+    messages, useful in particular when using "stacked" connections where it's
+    not clear which host is denying.  bz#2720, ok djm@ markus@
+    
+    Upstream-ID: de88e1e9dcb050c98e85377482d1287a9fe0d2be
+
+commit c948030d54911b2d3cddb96a7a8e9269e15d11cd
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Tue Jun 13 12:13:59 2017 +0000
+
+    upstream commit
+    
+    Do not require that unknown EXT_INFO extension values not
+    contain \0 characters. This would cause fatal connection errors if an
+    implementation sent e.g. string-encoded sub-values inside a value.
+    
+    Reported by Denis Bider; ok markus@
+    
+    Upstream-ID: 030e10fdc605563c040244c4b4f1d8ae75811a5c
+
+commit 6026f48dfca78b713e4a7f681ffa42a0afe0929e
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Tue Jun 13 11:22:15 2017 +0000
+
+    upstream commit
+    
+    missing prototype.
+    
+    Upstream-ID: f443d2be9910fd2165a0667956d03343c46f66c9
+
+commit bcd1485075aa72ba9418003f5cc27af2b049c51b
+Author: Damien Miller <djm@mindrot.org>
+Date:   Sat Jun 10 23:41:25 2017 +1000
+
+    portability for sftp globbed ls sort by mtime
+    
+    Include replacement timespeccmp() for systems that lack it.
+    Support time_t struct stat->st_mtime in addition to
+    timespec stat->st_mtim, as well as unsorted fallback.
+
+commit 072e172f1d302d2a2c6043ecbfb4004406717b96
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Sat Jun 10 06:36:46 2017 +0000
+
+    upstream commit
+    
+    print '?' instead of incorrect link count (that the
+    protocol doesn't provide) for remote listings. bz#2710 ok dtucker@
+    
+    Upstream-ID: c611f98a66302cea452ef10f13fff8cf0385242e
+
+commit 72be5b2f8e7dc37235e8c4b8d0bc7b5ee1301505
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Sat Jun 10 06:33:34 2017 +0000
+
+    upstream commit
+    
+    implement sorting for globbed ls; bz#2649 ok dtucker@
+    
+    Upstream-ID: ed3110f351cc9703411bf847ba864041fb7216a8
+
+commit 5b2f34a74aa6a524cd57e856b23e1b7b25007721
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Fri Jun 9 06:47:13 2017 +0000
+
+    upstream commit
+    
+    return failure rather than fatal() for more cases during
+    mux negotiations. Causes the session to fall back to a non-mux connection if
+    they occur. bz#2707 ok dtucker@
+    
+    Upstream-ID: d2a7892f464d434e1f615334a1c9d0cdb83b29ab
+
+commit 7f5637c4a67a49ef256cb4eedf14e8590ac30976
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Fri Jun 9 06:43:01 2017 +0000
+
+    upstream commit
+    
+    in description of public key authentication, mention that
+    the server will send debug messages to the client for some error conditions
+    after authentication has completed. bz#2709 ok dtucker
+    
+    Upstream-ID: 750127dbd58c5a2672c2d28bc35fe221fcc8d1dd
+
+commit 2076e4adb986512ce8c415dd194fd4e52136c4b4
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Fri Jun 9 06:40:24 2017 +0000
+
+    upstream commit
+    
+    better translate libcrypto errors by looking deeper in
+    the accursed error stack for codes that indicate the wrong passphrase was
+    supplied for a PEM key. bz#2699 ok dtucker@
+    
+    Upstream-ID: 4da4286326d570f4f0489459bb71f6297e54b681
+
+commit ad0531614cbe8ec424af3c0fa90c34a8e1ebee4c
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date:   Fri Jun 9 04:40:04 2017 +0000
+
+    upstream commit
+    
+    Add comments referring to the relevant RFC sections for
+    rekeying behaviour.
+    
+    Upstream-ID: 6fc8e82485757a27633f9175ad00468f49a07d40
+
+commit ce9134260b9b1247e2385a1afed00c26112ba479
+Author: Damien Miller <djm@mindrot.org>
+Date:   Fri Jun 9 14:43:47 2017 +1000
+
+    drop two more privileges in the Solaris sandbox
+    
+    Drop PRIV_DAX_ACCESS and PRIV_SYS_IB_INFO.
+    Patch from huieying.lee AT oracle.com via bz#2723
+
+commit e0f609c8a2ab940374689ab8c854199c3c285a76
+Author: Darren Tucker <dtucker@zip.com.au>
+Date:   Fri Jun 9 13:36:29 2017 +1000
+
+    Wrap stdint.h include in #ifdef.
+
+commit 1de5e47a85850526a4fdaf77185134046c050f75
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Wed Jun 7 01:48:15 2017 +0000
+
+    upstream commit
+    
+    unbreak after sshv1 purge
+    
+    Upstream-Regress-ID: 8ea01a92d5f571b9fba88c1463a4254a7552d51b
+
+commit 550c053168123fcc0791f9952abad684704b5760
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date:   Tue Jun 6 09:12:17 2017 +0000
+
+    upstream commit
+    
+    Fix compression output stats broken in rev 1.201.  Patch
+    originally by Russell Coker via Debian bug #797964 and Christoph Biedl.  ok
+    djm@
+    
+    Upstream-ID: 83a1903b95ec2e4ed100703debb4b4a313b01016
+
+commit 55d06c6e72a9abf1c06a7ac2749ba733134a1f39
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Fri Jun 2 06:06:10 2017 +0000
+
+    upstream commit
+    
+    rationalise the long list of manual CDIAGFLAGS that we
+    add; most of these were redundant to -Wall -Wextra
+    
+    Upstream-ID: ea80f445e819719ccdcb237022cacfac990fdc5c
+
+commit 1527d9f61e6d50f6c2b4a3fa5b45829034b1b0b1
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Thu Jun 1 06:59:21 2017 +0000
+
+    upstream commit
+    
+    no need to bzero allocated space now that we use use
+    recallocarray; ok deraadt@
+    
+    Upstream-ID: 53333c62ccf97de60b8cb570608c1ba5ca5803c8
+
+commit cc812baf39b93d5355565da98648d8c31f955990
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Thu Jun 1 06:58:25 2017 +0000
+
+    upstream commit
+    
+    unconditionally zero init size of buffer; ok markus@
+    deraadt@
+    
+    Upstream-ID: 218963e846d8f26763ba25afe79294547b99da29
+
+commit 65eb8fae0d7ba45ef4483a3cf0ae7fd0dbc7c226
+Author: Damien Miller <djm@mindrot.org>
+Date:   Thu Jun 1 16:25:09 2017 +1000
+
+    avoid compiler warning
+
+commit 2d75d74272dc2a0521fce13cfe6388800c9a2406
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Thu Jun 1 06:16:43 2017 +0000
+
+    upstream commit
+    
+    some warnings spotted by clang; ok markus@
+    
+    Upstream-ID: 24381d68ca249c5cee4388ceb0f383fa5b43991b
+
+commit 151c6e433a5f5af761c78de87d7b5d30a453cf5e
+Author: Damien Miller <djm@mindrot.org>
+Date:   Thu Jun 1 15:25:13 2017 +1000
+
+    add recallocarray replacement and dependency
+    
+    recallocarray() needs getpagesize() so add a tiny replacement for that.
+
+commit 01e6f78924da308447e71e9a32c8a6104ef4e888
+Author: Damien Miller <djm@mindrot.org>
+Date:   Thu Jun 1 15:16:24 2017 +1000
+
+    add *.0 manpage droppings
+
+commit 4b2e2d3fd9dccff357e1e26ce9a5f2e103837a36
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Thu Jun 1 04:51:58 2017 +0000
+
+    upstream commit
+    
+    fix casts re constness
+    
+    Upstream-ID: e38f2bac162b37dbaf784d349c8327a6626fa266
+
+commit 75b8af8de805c0694b37fcf80ce82783b2acc86f
+Author: markus@openbsd.org <markus@openbsd.org>
+Date:   Wed May 31 10:54:00 2017 +0000
+
+    upstream commit
+    
+    make sure we don't pass a NULL string to vfprintf
+    (triggered by the principals-command regress test); ok bluhm
+    
+    Upstream-ID: eb49854f274ab37a0b57056a6af379a0b7111990
+
+commit 84008608c9ee944d9f72f5100f31ccff743b10f2
+Author: markus@openbsd.org <markus@openbsd.org>
+Date:   Wed May 31 10:04:29 2017 +0000
+
+    upstream commit
+    
+    use SO_ZEROIZE for privsep communication (if available)
+    
+    Upstream-ID: abcbb6d2f8039fc4367a6a78096e5d5c39de4a62
+
+commit 9e509d4ec97cb3d71696f1a2f1fdad254cbbce11
+Author: deraadt@openbsd.org <deraadt@openbsd.org>
+Date:   Wed May 31 09:15:42 2017 +0000
+
+    upstream commit
+    
+    Switch to recallocarray() for a few operations.  Both
+    growth and shrinkage are handled safely, and there also is no need for
+    preallocation dances. Future changes in this area will be less error prone.
+    Review and one bug found by markus
+    
+    Upstream-ID: 822d664d6a5a1d10eccb23acdd53578a679d5065
+
+commit dc5dc45662773c0f7745c29cf77ae2d52723e55e
+Author: deraadt@openbsd.org <deraadt@openbsd.org>
+Date:   Wed May 31 08:58:52 2017 +0000
+
+    upstream commit
+    
+    These shutdown() SHUT_RDWR are not needed before close()
+    ok djm markus claudio
+    
+    Upstream-ID: 36f13ae4ba10f5618cb9347933101eb4a98dbcb5
+
+commit 1e0cdf8efb745d0d1116e1aa22bdc99ee731695e
+Author: markus@openbsd.org <markus@openbsd.org>
+Date:   Wed May 31 08:09:45 2017 +0000
+
+    upstream commit
+    
+    clear session keys from memory; ok djm@
+    
+    Upstream-ID: ecd178819868975affd5fd6637458b7c712b6a0f
+
+commit 92e9fe633130376a95dd533df6e5e6a578c1e6b8
+Author: markus@openbsd.org <markus@openbsd.org>
+Date:   Wed May 31 07:00:13 2017 +0000
+
+    upstream commit
+    
+    remove now obsolete ctx from ssh_dispatch_run; ok djm@
+    
+    Upstream-ID: 9870aabf7f4d71660c31fda91b942b19a8e68d29
+
+commit 17ad5b346043c5bbc5befa864d0dbeb76be39390
+Author: markus@openbsd.org <markus@openbsd.org>
+Date:   Wed May 31 05:34:14 2017 +0000
+
+    upstream commit
+    
+    use the ssh_dispatch_run_fatal variant
+    
+    Upstream-ID: 28c5b364e37c755d1b22652b8cd6735a05c625d8
+
+commit 39896b777320a6574dd06707aebac5fb98e666da
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Wed May 31 05:08:46 2017 +0000
+
+    upstream commit
+    
+    another ctx => ssh conversion (in GSSAPI code)
+    
+    Upstream-ID: 4d6574c3948075c60608d8e045af42fe5b5d8ae0
+
+commit 6116bd4ed354a71a733c8fd0f0467ce612f12911
+Author: Damien Miller <djm@mindrot.org>
+Date:   Wed May 31 14:56:07 2017 +1000
+
+    fix conversion of kexc25519s.c to struct ssh too
+    
+    git cvsimport missed this commit for some reason
+
+commit d40dbdc85b6fb2fd78485ba02225511b8cbf20d7
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Wed May 31 04:29:44 2017 +0000
+
+    upstream commit
+    
+    spell out that custom options/extensions should follow the
+    usual SSH naming rules, e.g. "extension@example.com"
+    
+    Upstream-ID: ab326666d2fad40769ec96b5a6de4015ffd97b8d
+
+commit 2a108277f976e8d0955c8b29d1dfde04dcbb3d5b
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Wed May 31 04:17:12 2017 +0000
+
+    upstream commit
+    
+    one more void *ctx => struct ssh *ssh conversion
+    
+    Upstream-ID: d299d043471c10214cf52c03daa10f1c232759e2
+
+commit c04e979503e97f52b750d3b98caa6fe004ab2ab9
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Wed May 31 00:43:04 2017 +0000
+
+    upstream commit
+    
+    fix possible OOB strlen() in SOCKS4A hostname parsing;
+    ok markus@
+    
+    Upstream-ID: c67297cbeb0e5a19d81752aa18ec44d31270cd11
+
+commit a3bb250c93bfe556838c46ed965066afce61cffa
+Author: jmc@openbsd.org <jmc@openbsd.org>
+Date:   Tue May 30 19:38:17 2017 +0000
+
+    upstream commit
+    
+    tweak previous;
+    
+    Upstream-ID: 66987651046c42d142f7318c9695fb81a6d14031
+
+commit 1112b534a6a7a07190e497e6bf86b0d5c5fb02dc
+Author: bluhm@openbsd.org <bluhm@openbsd.org>
+Date:   Tue May 30 18:58:37 2017 +0000
+
+    upstream commit
+    
+    Add RemoteCommand option to specify a command in the
+    ssh config file instead of giving it on the client's command line.  This
+    command will be executed on the remote host.  The feature allows to automate
+    tasks using ssh config. OK markus@
+    
+    Upstream-ID: 5d982fc17adea373a9c68cae1021ce0a0904a5ee
+
+commit eb272ea4099fd6157846f15c129ac5727933aa69
+Author: markus@openbsd.org <markus@openbsd.org>
+Date:   Tue May 30 14:29:59 2017 +0000
+
+    upstream commit
+    
+    switch auth2 to ssh_dispatch API; ok djm@
+    
+    Upstream-ID: a752ca19e2782900dd83060b5c6344008106215f
+
+commit 5a146bbd4fdf5c571f9fb438e5210d28cead76d9
+Author: markus@openbsd.org <markus@openbsd.org>
+Date:   Tue May 30 14:27:22 2017 +0000
+
+    upstream commit
+    
+    switch auth2-none.c to modern APIs; ok djm@
+    
+    Upstream-ID: 07252b58e064d332214bcabbeae8e08c44b2001b
+
+commit 60306b2d2f029f91927c6aa7c8e08068519a0fa2
+Author: markus@openbsd.org <markus@openbsd.org>
+Date:   Tue May 30 14:26:49 2017 +0000
+
+    upstream commit
+    
+    switch auth2-passwd.c to modern APIs; ok djm@
+    
+    Upstream-ID: cba0a8b72b4f97adfb7e3b3fd2f8ba3159981fc7
+
+commit eb76698b91338bd798c978d4db2d6af624d185e4
+Author: markus@openbsd.org <markus@openbsd.org>
+Date:   Tue May 30 14:25:42 2017 +0000
+
+    upstream commit
+    
+    switch auth2-hostbased.c to modern APIs; ok djm@
+    
+    Upstream-ID: 146af25c36daeeb83d5dbbb8ca52b5d25de88f4e
+
+commit 2ae666a8fc20b3b871b2f1b90ad65cc027336ccd
+Author: markus@openbsd.org <markus@openbsd.org>
+Date:   Tue May 30 14:23:52 2017 +0000
+
+    upstream commit
+    
+    protocol handlers all get struct ssh passed; ok djm@
+    
+    Upstream-ID: 0ca9ea2a5d01a6d2ded94c5024456a930c5bfb5d
+
+commit 94583beb24a6c5fd19cedb9104ab2d2d5cd052b6
+Author: markus@openbsd.org <markus@openbsd.org>
+Date:   Tue May 30 14:19:15 2017 +0000
+
+    upstream commit
+    
+    ssh: pass struct ssh to auth functions, too; ok djm@
+    
+    Upstream-ID: d13c509cc782f8f19728fbea47ac7cf36f6e85dd
+
+commit 5f4082d886c6173b9e90b9768c9a38a3bfd92c2b
+Author: markus@openbsd.org <markus@openbsd.org>
+Date:   Tue May 30 14:18:15 2017 +0000
+
+    upstream commit
+    
+    sshd: pass struct ssh to auth functions; ok djm@
+    
+    Upstream-ID: b00a80c3460884ebcdd14ef550154c761aebe488
+
+commit 7da5df11ac788bc1133d8d598d298e33500524cc
+Author: markus@openbsd.org <markus@openbsd.org>
+Date:   Tue May 30 14:16:41 2017 +0000
+
+    upstream commit
+    
+    remove unused wrapper functions from key.[ch]; ok djm@
+    
+    Upstream-ID: ea0f4016666a6817fc11f439dd4be06bab69707e
+
+commit ff7371afd08ac0bbd957d90451d4dcd0da087ef5
+Author: markus@openbsd.org <markus@openbsd.org>
+Date:   Tue May 30 14:15:17 2017 +0000
+
+    upstream commit
+    
+    sshkey_new() might return NULL (pkcs#11 code only); ok
+    djm@
+    
+    Upstream-ID: de9f2ad4a42c0b430caaa7d08dea7bac943075dd
+
+commit beb965bbc5a984fa69fb1e2b45ebe766ae09d1ef
+Author: markus@openbsd.org <markus@openbsd.org>
+Date:   Tue May 30 14:13:40 2017 +0000
+
+    upstream commit
+    
+    switch sshconnect.c to modern APIs; ok djm@
+    
+    Upstream-ID: 27be17f84b950d5e139b7a9b281aa487187945ad
+
+commit 00ed75c92d1f95fe50032835106c368fa22f0f02
+Author: markus@openbsd.org <markus@openbsd.org>
+Date:   Tue May 30 14:10:53 2017 +0000
+
+    upstream commit
+    
+    switch auth2-pubkey.c to modern APIs; with & ok djm@
+    
+    Upstream-ID: 8f08d4316eb1b0c4ffe4a206c05cdd45ed1daf07
+
+commit 54d90ace1d3535b44d92a8611952dc109a74a031
+Author: markus@openbsd.org <markus@openbsd.org>
+Date:   Tue May 30 08:52:19 2017 +0000
+
+    upstream commit
+    
+    switch from Key typedef with struct sshkey; ok djm@
+    
+    Upstream-ID: 3067d33e04efbe5131ce8f70668c47a58e5b7a1f
+
+commit c221219b1fbee47028dcaf66613f4f8d6b7640e9
+Author: markus@openbsd.org <markus@openbsd.org>
+Date:   Tue May 30 08:49:58 2017 +0000
+
+    upstream commit
+    
+    remove ssh1 references; ok djm@
+    
+    Upstream-ID: fc23b7578e7b0a8daaec72946d7f5e58ffff5a3d
+
+commit afbfa68fa18081ef05a9cd294958509a5d3cda8b
+Author: markus@openbsd.org <markus@openbsd.org>
+Date:   Tue May 30 08:49:32 2017 +0000
+
+    upstream commit
+    
+    revise sshkey_load_public(): remove ssh1 related
+    comments, remove extra open()/close() on keyfile, prevent leak of 'pub' if
+    'keyp' is NULL, replace strlcpy+cat with asprintf; ok djm@
+    
+    Upstream-ID: 6175e47cab5b4794dcd99c1175549a483ec673ca
+
+commit 813f55336a24fdfc45e7ed655fccc7d792e8f859
+Author: markus@openbsd.org <markus@openbsd.org>
+Date:   Fri May 26 20:34:49 2017 +0000
+
+    upstream commit
+    
+    sshbuf_consume: reset empty buffer; ok djm@
+    
+    Upstream-ID: 0d4583ba57f69e369d38bbd7843d85cac37fa821
+
+commit 6cf711752cc2a7ffaad1fb4de18cae65715ed8bb
+Author: markus@openbsd.org <markus@openbsd.org>
+Date:   Fri May 26 19:35:50 2017 +0000
+
+    upstream commit
+    
+    remove SSH_CHANNEL_XXX_DRAINING (ssh1 only); ok djm@
+    
+    Upstream-ID: e2e225b6ac67b84dd024f38819afff2554fafe42
+
+commit 364f0d5edea27767fb0f915ea7fc61aded88d3e8
+Author: markus@openbsd.org <markus@openbsd.org>
+Date:   Fri May 26 19:34:12 2017 +0000
+
+    upstream commit
+    
+    remove channel_input_close_confirmation (ssh1 only); ok
+    djm@
+    
+    Upstream-ID: 8e7c8c38f322d255bb0294a5c0ebef53fdf576f1
+
+commit 8ba0fd40082751dbbc23a830433488bbfb1abdca
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Fri May 26 01:40:07 2017 +0000
+
+    upstream commit
+    
+    fix references to obsolete v00 cert format; spotted by
+    Jakub Jelen
+    
+    Upstream-ID: 7600ce193ab8fd19451acfe24fc2eb39d46b2c4f
+
+commit dcc714c65cfb81eb6903095b4590719e8690f3da
+Author: Mike Frysinger <vapier@chromium.org>
+Date:   Wed May 24 23:21:19 2017 -0400
+
+    configure: actually set cache vars when cross-compiling
+    
+    The cross-compiling fallback message says it's assuming the test
+    passed, but it didn't actually set the cache var which causes
+    later tests to fail.
+
+commit 947a3e829a5b8832a4768fd764283709a4ca7955
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Sat May 20 02:35:47 2017 +0000
+
+    upstream commit
+    
+    there's no reason to artificially limit the key path
+    here, just check that it fits PATH_MAX; spotted by Matthew Patton
+    
+    Upstream-ID: 858addaf2009c9cf04d80164a41b2088edb30b58
+
+commit 773224802d7cb250bb8b461546fcce10567b4b2e
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Fri May 19 21:07:17 2017 +0000
+
+    upstream commit
+    
+    Now that we no longer support SSHv1, replace the contents
+    of this file with a pointer to
+    https://tools.ietf.org/html/draft-miller-ssh-agent-00 It's better edited,
+    doesn't need to document stuff we no longer implement and does document stuff
+    that we do implement (RSA SHA256/512 signature flags)
+    
+    Upstream-ID: da8cdc46bbcc266efabd565ddddd0d8e556f846e
+
+commit 54cd41a4663fad66406dd3c8fe0e4760ccd8a899
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Wed May 17 01:24:17 2017 +0000
+
+    upstream commit
+    
+    allow LogLevel in sshd_config Match blocks; ok dtucker
+    bz#2717
+    
+    Upstream-ID: 662e303be63148f47db1aa78ab81c5c2e732baa8
+
+commit 277abcda3f1b08d2376686f0ef20320160d4c8ab
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Tue May 16 16:56:15 2017 +0000
+
+    upstream commit
+    
+    remove duplicate check; spotted by Jakub Jelen
+    
+    Upstream-ID: 30c2996c1767616a8fdc49d4cee088efac69c3b0
+
+commit adb47ce839c977fa197e770c1be8f852508d65aa
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Tue May 16 16:54:05 2017 +0000
+
+    upstream commit
+    
+    mention that Ed25519 keys are valid as CA keys; spotted
+    by Jakub Jelen
+    
+    Upstream-ID: d3f6db58b30418cb1c3058211b893a1ffed3dfd4
+
+commit 6bdf70f01e700348bb4d8c064c31a0ab90896df6
+Author: Damien Miller <djm@mindrot.org>
+Date:   Tue May 9 14:35:03 2017 +1000
+
+    clean up regress files and add a .gitignore
+
+commit 7bdb2eeb1d3c26acdc409bd94532eefa252e440b
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Mon May 8 22:57:38 2017 +0000
+
+    upstream commit
+    
+    remove hmac-ripemd160; ok dtucker
+    
+    Upstream-ID: 896e737ea0bad6e23327d1c127e02d5e9e9c654d
+
+commit 5f02bb1f99f70bb422be8a5c2b77ef853f1db554
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Mon May 8 06:11:06 2017 +0000
+
+    upstream commit
+    
+    make requesting bad ECDSA bits yield the same error
+    (SSH_ERR_KEY_LENGTH) as the same mistake for RSA/DSA
+    
+    Upstream-ID: bf40d3fee567c271e33f05ef8e4e0fa0b6f0ece6
+
+commit d757a4b633e8874629a1442c7c2e7b1b55d28c19
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Mon May 8 06:08:42 2017 +0000
+
+    upstream commit
+    
+    fix for new SSH_ERR_KEY_LENGTH error value
+    
+    Upstream-Regress-ID: c38a6e6174d4c3feca3518df150d4fbae0dca8dc
+
+commit 2e58a69508ac49c02d1bb6057300fa6a76db1045
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Mon May 8 06:03:39 2017 +0000
+
+    upstream commit
+    
+    helps if I commit the correct version of the file. fix
+    missing return statement.
+    
+    Upstream-ID: c86394a3beeb1ec6611e659bfa830254f325546c
+
+commit effaf526bfa57c0ac9056ca236becf52385ce8af
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Mon May 8 01:52:49 2017 +0000
+
+    upstream commit
+    
+    remove arcfour, blowfish and CAST here too
+    
+    Upstream-Regress-ID: c613b3bcbef75df1fe84ca4dc2d3ef253dc5e920
+
+commit 7461a5bc571696273252df28a1f1578968cae506
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Mon May 8 00:21:36 2017 +0000
+
+    upstream commit
+    
+    I was too aggressive with the scalpel in the last commit;
+    unbreak sshd, spotted quickly by naddy@
+    
+    Upstream-ID: fb7e75d2b2c7e6ca57dee00ca645e322dd49adbf
+
+commit bd636f40911094a39c2920bf87d2ec340533c152
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Sun May 7 23:15:59 2017 +0000
+
+    upstream commit
+    
+    Refuse RSA keys <1024 bits in length. Improve reporting
+    for keys that do not meet this requirement. ok markus@
+    
+    Upstream-ID: b385e2a7b13b1484792ee681daaf79e1e203df6c
+
+commit 70c1218fc45757a030285051eb4d209403f54785
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Sun May 7 23:13:42 2017 +0000
+
+    upstream commit
+    
+    Don't offer CBC ciphers by default in the client. ok
+    markus@
+    
+    Upstream-ID: 94c9ce8d0d1a085052e11c7f3307950fdc0901ef
+
+commit acaf34fd823235d549c633c0146ee03ac5956e82
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Sun May 7 23:12:57 2017 +0000
+
+    upstream commit
+    
+    As promised in last release announcement: remove
+    support for Blowfish, RC4 and CAST ciphers. ok markus@ deraadt@
+    
+    Upstream-ID: 21f8facdba3fd8da248df6417000867cec6ba222
+
+commit 3e371bd2124427403971db853fb2e36ce789b6fd
+Author: naddy@openbsd.org <naddy@openbsd.org>
+Date:   Fri May 5 10:42:49 2017 +0000
+
+    upstream commit
+    
+    more simplification and removal of SSHv1-related code;
+    ok djm@
+    
+    Upstream-ID: d2f041aa0b79c0ebd98c68a01e5a0bfab2cf3b55
+
+commit 2e9c324b3a7f15c092d118c2ac9490939f6228fd
+Author: naddy@openbsd.org <naddy@openbsd.org>
+Date:   Fri May 5 10:41:58 2017 +0000
+
+    upstream commit
+    
+    remove superfluous protocol 2 mentions; ok jmc@
+    
+    Upstream-ID: 0aaf7567c9f2e50fac5906b6a500a39c33c4664d
+
+commit 744bde79c3361e2153cb395a2ecdcee6c713585d
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Thu May 4 06:10:57 2017 +0000
+
+    upstream commit
+    
+    since a couple of people have asked, leave a comment
+    explaining why we retain SSH v.1 support in the "delete all keys from agent"
+    path.
+    
+    Upstream-ID: 4b42dcfa339813c15fe9248a2c1b7ed41c21bbb4
+
+commit 0c378ff6d98d80bc465a4a6a787670fb9cc701ee
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Thu May 4 01:33:21 2017 +0000
+
+    upstream commit
+    
+    another tentacle: cipher_set_key_string() was only ever
+    used for SSHv1
+    
+    Upstream-ID: 7fd31eb6c48946f7e7cc12af0699fe8eb637e94a
+
+commit 9a82e24b986e3e0dc70849dbb2c19aa6c707b37f
+Author: naddy@openbsd.org <naddy@openbsd.org>
+Date:   Wed May 3 21:49:18 2017 +0000
+
+    upstream commit
+    
+    restore mistakenly deleted description of the
+    ConnectionAttempts option ok markus@
+    
+    Upstream-ID: 943002b1b7c470caea3253ba7b7348c359de0348
+
+commit 768405fddf64ff83aa6ef701ebb3c1f82d98a2f3
+Author: naddy@openbsd.org <naddy@openbsd.org>
+Date:   Wed May 3 21:08:09 2017 +0000
+
+    upstream commit
+    
+    remove miscellaneous SSH1 leftovers; ok markus@
+    
+    Upstream-ID: af23696022ae4d45a1abc2fb8b490d8d9dd63b7c
+
+commit 1a1b24f8229bf7a21f89df21987433283265527a
+Author: jmc@openbsd.org <jmc@openbsd.org>
+Date:   Wed May 3 10:01:44 2017 +0000
+
+    upstream commit
+    
+    more protocol 1 bits removed; ok djm
+    
+    Upstream-ID: b5b977eaf756915acb56aef3604a650e27f7c2b9
+
+commit 2b6f799e9b230cf13a7eefc05ecead7d8569d6b5
+Author: jmc@openbsd.org <jmc@openbsd.org>
+Date:   Wed May 3 06:32:02 2017 +0000
+
+    upstream commit
+    
+    more protocol 1 stuff to go; ok djm
+    
+    Upstream-ID: 307a30441d2edda480fd1661d998d36665671e47
+
+commit f10c0d32cde2084d2a0b19bc47d80cb93e85a093
+Author: jmc@openbsd.org <jmc@openbsd.org>
+Date:   Tue May 2 17:04:09 2017 +0000
+
+    upstream commit
+    
+    rsa1 is no longer valid;
+    
+    Upstream-ID: 9953d09ed9841c44b7dcf7019fa874783a709d89
+
+commit 42b690b4fd0faef78c4d68225948b6e5c46c5163
+Author: jmc@openbsd.org <jmc@openbsd.org>
+Date:   Tue May 2 14:06:37 2017 +0000
+
+    upstream commit
+    
+    add PubKeyAcceptedKeyTypes to the -o list: scp(1) has
+    it, so i guess this should too;
+    
+    Upstream-ID: 7fab32e869ca5831d09ab0c40d210b461d527a2c
+
+commit d852603214defd93e054de2877b20cc79c19d0c6
+Author: jmc@openbsd.org <jmc@openbsd.org>
+Date:   Tue May 2 13:44:51 2017 +0000
+
+    upstream commit
+    
+    remove now obsolete protocol1 options from the -o
+    lists;
+    
+    Upstream-ID: 828e478a440bc5f9947672c392420510a362b3dd
+
+commit 8b60ce8d8111e604c711c4cdd9579ffe0edced74
+Author: jmc@openbsd.org <jmc@openbsd.org>
+Date:   Tue May 2 09:05:58 2017 +0000
+
+    upstream commit
+    
+    more -O shuffle; ok djm
+    
+    Upstream-ID: c239991a3a025cdbb030b73e990188dd9bfbeceb
+
+commit 3575f0b12afe6b561681582fd3c34067d1196231
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Tue May 2 08:54:19 2017 +0000
+
+    upstream commit
+    
+    remove -1 / -2 options; pointed out by jmc@
+    
+    Upstream-ID: 65d2a816000741a95df1c7cfdb5fa8469fcc7daa
+
+commit 4f1ca823bad12e4f9614895eefe0d0073b84a28f
+Author: jmc@openbsd.org <jmc@openbsd.org>
+Date:   Tue May 2 08:06:33 2017 +0000
+
+    upstream commit
+    
+    remove options -12 from usage();
+    
+    Upstream-ID: db7ceef25132e63b50ed05289bf447fece1d1270
+
+commit 6b84897f7fd39956b849eac7810319d8a9958568
+Author: jmc@openbsd.org <jmc@openbsd.org>
+Date:   Tue May 2 07:13:31 2017 +0000
+
+    upstream commit
+    
+    tidy up -O somewhat; ok djm
+    
+    Upstream-ID: 804405f716bf7ef15c1f36ab48581ca16aeb4d52
+
+commit d1c6b7fdbdfe4a7a37ecd48a97f0796b061c2868
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Mon May 1 22:09:48 2017 +0000
+
+    upstream commit
+    
+    when freeing a bitmap, zero all it bytes; spotted by Ilya
+    Kaliman
+    
+    Upstream-ID: 834ac024f2c82389d6ea6b1c7d6701b3836e28e4
+
+commit 0f163983016c2988a92e039d18a7569f9ea8e071
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Mon May 1 14:08:26 2017 +0000
+
+    upstream commit
+    
+    this one I did forget to "cvs rm"
+    
+    Upstream-ID: 5781670c0578fe89663c9085ed3ba477cf7e7913
+
+commit 21ed00a8e26fe8a772bcca782175fafc2b0890ed
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Mon May 1 09:27:45 2017 +0000
+
+    upstream commit
+    
+    don't know why cvs didn't exterminate these the first
+    time around, I use rm -f and everuthing...
+    
+    pointed out by sobrado@
+    
+    Upstream-ID: a6c44a0c2885330d322ee01fcfd7f6f209b1e15d
+
+commit d29ba6f45086703fdcb894532848ada3427dfde6
+Author: Darren Tucker <dtucker@zip.com.au>
+Date:   Mon May 1 13:53:07 2017 +1000
+
+    Define INT32_MAX and INT64_MAX if needed.
+
+commit 329037e389f02ec95c8e16bf93ffede94d3d44ce
+Author: Darren Tucker <dtucker@zip.com.au>
+Date:   Mon May 1 13:19:41 2017 +1000
+
+    Wrap stdint.h in HAVE_STDINT_H
+
+commit f382362e8dfb6b277f16779ab1936399d7f2af78
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Mon May 1 02:27:11 2017 +0000
+
+    upstream commit
+    
+    remove unused variable
+    
+    Upstream-ID: 66011f00819d0e71b14700449a98414033284516
+
+commit dd369320d2435b630a5974ab270d686dcd92d024
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Sun Apr 30 23:34:55 2017 +0000
+
+    upstream commit
+    
+    eliminate explicit specification of protocol in tests and
+    loops over protocol. We only support SSHv2 now.
+    
+    Upstream-Regress-ID: 0082838a9b8a382b7ee9cbf0c1b9db727784fadd
+
+commit 557f921aad004be15805e09fd9572969eb3d9321
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Sun Apr 30 23:33:48 2017 +0000
+
+    upstream commit
+    
+    remove SSHv1 support from unit tests
+    
+    Upstream-Regress-ID: 395ca2aa48f1f7d23eefff6cb849ea733ca8bbfe
+
+commit e77e1562716fb3da413e4c2397811017b762f5e3
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Mon May 1 00:03:18 2017 +0000
+
+    upstream commit
+    
+    fixup setting ciphercontext->plaintext (lost in SSHv1 purge),
+    though it isn't really used for much anymore.
+    
+    Upstream-ID: 859b8bce84ff4865b32097db5430349d04b9b747
+
+commit f7849e6c83a4e0f602dea6c834a24091c622d68e
+Author: Damien Miller <djm@mindrot.org>
+Date:   Mon May 1 09:55:56 2017 +1000
+
+    remove configure --with-ssh1
+
+commit f4a6a88ddb6dba6d2f7bfb9e2c9879fcc9633043
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Sun Apr 30 23:29:10 2017 +0000
+
+    upstream commit
+    
+    flense SSHv1 support from ssh-agent, considerably
+    simplifying it
+    
+    ok markus
+    
+    Upstream-ID: 71d772cdcefcb29f76e01252e8361e6fc2dfc365
+
+commit 930e8d2827853bc2e196c20c3e000263cc87fb75
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Sun Apr 30 23:28:41 2017 +0000
+
+    upstream commit
+    
+    obliterate ssh1.h and some dead code that used it
+    
+    ok markus@
+    
+    Upstream-ID: 1ca9159a9fb95618f9d51e069ac8e1131a087343
+
+commit a3710d5d529a34b8f56aa62db798c70e85d576a0
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Sun Apr 30 23:28:12 2017 +0000
+
+    upstream commit
+    
+    exterminate the -1 flag from scp
+    
+    ok markus@
+    
+    Upstream-ID: 26d247f7065da15056b209cef5f594ff591b89db
+
+commit aebd0abfaa8a41e75d50f9f7934267b0a2d9acb4
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Sun Apr 30 23:26:54 2017 +0000
+
+    upstream commit
+    
+    purge the last traces of SSHv1 from the TTY modes
+    handling code
+    
+    ok markus
+    
+    Upstream-ID: 963a19f1e06577377c38a3b7ce468f121b966195
+
+commit dfa641f758d4b8b2608ab1b00abaf88df0a8e36a
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Sun Apr 30 23:26:16 2017 +0000
+
+    upstream commit
+    
+    remove the (in)famous SSHv1 CRC compensation attack
+    detector.
+    
+    Despite your cameo in The Matrix movies, you will not be missed.
+    
+    ok markus
+    
+    Upstream-ID: 44261fce51a56d93cdb2af7b6e184be629f667e0
+
+commit e5d3bd36ef67d82092861f39b5bf422cb12b31a6
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Sun Apr 30 23:25:03 2017 +0000
+
+    upstream commit
+    
+    undo some local debugging stuff that I committed by
+    accident
+    
+    Upstream-ID: fe5b31f69a60d47171836911f144acff77810217
+
+commit 3d6d09f2e90f4ad650ebda6520bf2da446f37f14
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Sun Apr 30 23:23:54 2017 +0000
+
+    upstream commit
+    
+    remove SSHv1 support from packet and buffer APIs
+    
+    ok markus@
+    
+    Upstream-ID: bfc290053d40b806ecac46317d300677d80e1dc9
+
+commit 05164358577c82de18ed7373196bc7dbd8a3f79c
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Sun Apr 30 23:21:54 2017 +0000
+
+    upstream commit
+    
+    remove SSHv1-related buffers from client code
+    
+    Upstream-ID: dca5d01108f891861ceaf7ba1c0f2eb274e0c7dd
+
+commit 873d3e7d9a4707d0934fb4c4299354418f91b541
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Sun Apr 30 23:18:44 2017 +0000
+
+    upstream commit
+    
+    remove KEY_RSA1
+    
+    ok markus@
+    
+    Upstream-ID: 7408517b077c892a86b581e19f82a163069bf133
+
+commit 788ac799a6efa40517f2ac0d895a610394298ffc
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Sun Apr 30 23:18:22 2017 +0000
+
+    upstream commit
+    
+    remove SSHv1 configuration options and man pages bits
+    
+    ok markus@
+    
+    Upstream-ID: 84638c23546c056727b7a7d653c72574e0f19424
+
+commit e6882463a8ae0594aacb6d6575a6318a41973d84
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Sun Apr 30 23:17:37 2017 +0000
+
+    upstream commit
+    
+    remove SSH1 make flag and associated files ok markus@
+    
+    Upstream-ID: ba9feacc5787337c413db7cf26ea3d53f854cfef
+
+commit cdccebdf85204bf7542b7fcc1aa2ea3f36661833
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Sun Apr 30 23:15:04 2017 +0000
+
+    upstream commit
+    
+    remove SSHv1 ciphers; ok markus@
+    
+    Upstream-ID: e5ebc5e540d7f23a8c1266db1839794d4d177890
+
+commit 97f4d3083b036ce3e68d6346a6140a22123d5864
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Sun Apr 30 23:13:25 2017 +0000
+
+    upstream commit
+    
+    remove compat20/compat13/compat15 variables
+    
+    ok markus@
+    
+    Upstream-ID: 43802c035ceb3fef6c50c400e4ecabf12354691c
+
+commit 99f95ba82673d33215dce17bfa1512b57f54ec09
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Sun Apr 30 23:11:45 2017 +0000
+
+    upstream commit
+    
+    remove options.protocol and client Protocol
+    configuration knob
+    
+    ok markus@
+    
+    Upstream-ID: 5a967f5d06e2d004b0235457b6de3a9a314e9366
+
+commit 56912dea6ef63dae4eb1194e5d88973a7c6c5740
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Sun Apr 30 23:10:43 2017 +0000
+
+    upstream commit
+    
+    unifdef WITH_SSH1 ok markus@
+    
+    Upstream-ID: 9716e62a883ef8826c57f4d33b4a81a9cc7755c7
+
+commit d4084cd230f7319056559b00db8b99296dad49d5
+Author: jmc@openbsd.org <jmc@openbsd.org>
+Date:   Sat Apr 29 06:06:01 2017 +0000
+
+    upstream commit
+    
+    tweak previous;
+    
+    Upstream-ID: a3abc6857455299aa42a046d232b7984568bceb9
+
+commit 249516e428e8461b46340a5df5d5ed1fbad2ccce
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Sat Apr 29 04:12:25 2017 +0000
+
+    upstream commit
+    
+    allow ssh-keygen to include arbitrary string or flag
+    certificate extensions and critical options. ok markus@ dtucker@
+    
+    Upstream-ID: 2cf28dd6c5489eb9fc136e0b667ac3ea10241646
+
+commit 47a287bb6ac936c26b4f3ae63279c02902ded3b9
+Author: jmc@openbsd.org <jmc@openbsd.org>
+Date:   Fri Apr 28 06:15:03 2017 +0000
+
+    upstream commit
+    
+    sort;
+    
+    Upstream-ID: 7e6b56e52b039cf44d0418e9de9aca20a2d2d15a
+
+commit 36465a76a79ad5040800711b41cf5f32249d5120
+Author: Darren Tucker <dtucker@zip.com.au>
+Date:   Fri Apr 28 14:44:28 2017 +1000
+
+    Typo.
+    
+    Upstream-Regress-ID: 1e6b51ddf767cbad0a4e63eb08026c127e654308
+
+commit 9d18cb7bdeb00b20205fd13d412aae8c0e0457ed
+Author: Darren Tucker <dtucker@zip.com.au>
+Date:   Fri Apr 28 14:41:17 2017 +1000
+
+    Add 2 regress commits I applied by hand.
+    
+    Upstream-Regress-ID: 30c20180c87cbc99fa1020489fe7fd8245b6420c
+    Upstream-Regress-ID: 1e6b51ddf767cbad0a4e63eb08026c127e654308
+
+commit 9504ea6b27f9f0ece64e88582ebb9235e664a100
+Author: Darren Tucker <dtucker@zip.com.au>
+Date:   Fri Apr 28 14:33:43 2017 +1000
+
+    Merge integrity.sh rev 1.22.
+    
+    Merge missing bits from Colin Watson's patch in bz#2658 which make integrity
+    tests more robust against timeouts.  ok djm@
+
+commit 06ec837a34542627e2183a412d6a9d2236f22140
+Author: Darren Tucker <dtucker@zip.com.au>
+Date:   Fri Apr 28 14:30:03 2017 +1000
+
+    Id sync for integrity.sh rev 1.21 which pulls in some shell portability fixes
+
+commit e0194b471efe7d3daedc9cc66686cb1ab69d3be8
+Author: jsg@openbsd.org <jsg@openbsd.org>
+Date:   Mon Apr 17 11:02:31 2017 +0000
+
+    upstream commit
+    
+    Change COMPILER_VERSION tests which limited additional
+    warnings to gcc4 to instead skip them on gcc3 as clang can handle
+    -Wpointer-sign and -Wold-style-definition.
+    
+    Upstream-Regress-ID: e48d7dc13e48d9334b8195ef884dfbc51316012f
+
+commit 6830be90e71f46bcd182a9202b151eaf2b299434
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Fri Apr 28 03:24:53 2017 +0000
+
+    upstream commit
+    
+    include key fingerprint in "Offering public key" debug
+    message
+    
+    Upstream-ID: 964749f820c2ed4cf6a866268b1a05e907315c52
+
+commit 066437187e16dcafcbc19f9402ef0e6575899b1d
+Author: millert@openbsd.org <millert@openbsd.org>
+Date:   Fri Apr 28 03:21:12 2017 +0000
+
+    upstream commit
+    
+    Avoid relying on implementation-specific behavior when
+    detecting whether the timestamp or file size overflowed.  If time_t and off_t
+    are not either 32-bit or 64-bit scp will exit with an error. OK djm@
+    
+    Upstream-ID: f31caae73ddab6df496b7bbbf7da431e267ad135
+
+commit 68d3a2a059183ebd83b15e54984ffaced04d2742
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date:   Fri Apr 28 03:20:27 2017 +0000
+
+    upstream commit
+    
+    Add SyslogFacility option to ssh(1) matching the
+    equivalent option in sshd(8).  bz#2705, patch from erahn at arista.com, ok
+    djm@
+    
+    Upstream-ID: d5115c2c0193ceb056ed857813b2a7222abda9ed
+
+commit e13aad66e73a14b062d13aee4e98f1e21a3f6a14
+Author: jsg@openbsd.org <jsg@openbsd.org>
+Date:   Thu Apr 27 13:40:05 2017 +0000
+
+    upstream commit
+    
+    remove a static array unused since rev 1.306 spotted by
+    clang ok djm@
+    
+    Upstream-ID: 249b3eed2446f6074ba2219ccc46919dd235a7b8
+
+commit 91bd2181866659f00714903e78e1c3edd4c45f3d
+Author: millert@openbsd.org <millert@openbsd.org>
+Date:   Thu Apr 27 11:53:12 2017 +0000
+
+    upstream commit
+    
+    Avoid potential signed int overflow when parsing the file
+    size. Use strtoul() instead of parsing manually.  OK djm@
+    
+    Upstream-ID: 1f82640861c7d905bbb05e7d935d46b0419ced02
+
+commit 17a54a03f5a1d35e33cc24e22cd7a9d0f6865dc4
+Author: Darren Tucker <dtucker@zip.com.au>
+Date:   Tue Apr 25 08:32:27 2017 +1000
+
+    Fix typo in "socketcall".
+    
+    Pointed out by jjelen at redhat.com.
+
+commit 8b0eee148f7cf8b248c30d1bae57300f2cc5aafd
+Author: Darren Tucker <dtucker@zip.com.au>
+Date:   Mon Apr 24 19:40:31 2017 +1000
+
+    Deny socketcall in seccomp filter on ppc64le.
+    
+    OpenSSL is using socket() calls (in FIPS mode) when handling ECDSA keys
+    in privsep child. The socket() syscall is already denied in the seccomp
+    filter, but in ppc64le kernel, it is implemented using socketcall()
+    syscall, which is not denied yet (only SYS_SHUTDOWN is allowed) and
+    therefore fails hard.
+    
+    Patch from jjelen at redhat.com.
+
+commit f8500b2be599053daa05248a86a743232ec6a536
+Author: schwarze@openbsd.org <schwarze@openbsd.org>
+Date:   Mon Apr 17 14:31:23 2017 +0000
+
+    upstream commit
+    
+    Recognize nl_langinfo(CODESET) return values "646" and ""
+    as aliases for "US-ASCII", useful for different versions of NetBSD and
+    Solaris. Found by dtucker@ and by Tom G. Christensen <tgc at jupiterrise dot
+    com>. OK dtucker@ deraadt@
+    
+    Upstream-ID: 38c2133817cbcae75c88c63599ac54228f0fa384
+
+commit 7480dfedf8c5c93baaabef444b3def9331e86ad5
+Author: jsg@openbsd.org <jsg@openbsd.org>
+Date:   Mon Apr 17 11:02:31 2017 +0000
+
+    upstream commit
+    
+    Change COMPILER_VERSION tests which limited additional
+    warnings to gcc4 to instead skip them on gcc3 as clang can handle
+    -Wpointer-sign and -Wold-style-definition.
+    
+    Upstream-ID: 5cbe348aa76dc1adf55be6c0e388fafaa945439a
+
+commit 4d827f0d75a53d3952288ab882efbddea7ffadfe
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Tue Apr 4 00:24:56 2017 +0000
+
+    upstream commit
+    
+    disallow creation (of empty files) in read-only mode;
+    reported by Michal Zalewski, feedback & ok deraadt@
+    
+    Upstream-ID: 5d9c8f2fa8511d4ecf95322994ffe73e9283899b
+
+commit ef47843af0a904a21c920e619c5aec97b65dd9ac
+Author: deraadt@openbsd.org <deraadt@openbsd.org>
+Date:   Sun Mar 26 00:18:52 2017 +0000
+
+    upstream commit
+    
+    incorrect renditions of this quote bother me
+    
+    Upstream-ID: 1662be3ebb7a71d543da088119c31d4d463a9e49
+
+commit d9048861bea842c4eba9c2dbbf97064cc2a5ef02
+Author: Darren Tucker <dtucker@zip.com.au>
+Date:   Fri Mar 31 11:04:43 2017 +1100
+
+    Check for and use gcc's -pipe.
+    
+    Speeds up configure and build by a couple of percent.  ok djm@
+
+commit 282cad2240c4fbc104c2f2df86d688192cbbe4bb
+Author: Darren Tucker <dtucker@zip.com.au>
+Date:   Wed Mar 29 16:34:44 2017 +1100
+
+    Import fmt_scaled.c rev 1.16 from OpenBSD.
+    
+    Fix overly-conservative overflow checks on mulitplications and add checks
+    on additions.  This allows scan_scaled to work up to +/-LLONG_MAX (LLONG_MIN
+    will still be flagged as a range error).  ok millert@
+
+commit c73a229e4edf98920f395e19fd310684fc6bb951
+Author: Darren Tucker <dtucker@zip.com.au>
+Date:   Wed Mar 29 16:34:02 2017 +1100
+
+    Import fmt_scaled.c rev 1.15 from OpenBSD.
+    
+    Collapse underflow and overflow checks into a single block.
+    ok djm@ millert@
+
+commit d427b73bf5a564f663d16546dbcbd84ba8b9d4af
+Author: Darren Tucker <dtucker@zip.com.au>
+Date:   Wed Mar 29 16:32:57 2017 +1100
+
+    Import fmt_scaled.c rev 1.14 from OpenBSD.
+    
+    Catch integer underflow in scan_scaled reported by Nicolas Iooss.
+    ok deraadt@ djm@
+
+commit d13281f2964abc5f2e535e1613c77fc61b0c53e7
+Author: Darren Tucker <dtucker@zip.com.au>
+Date:   Wed Mar 29 12:39:39 2017 +1100
+
+    Don't check privsep user or path when unprivileged
+    
+    If running with privsep (mandatory now) as a non-privileged user, we
+    don't chroot or change to an unprivileged user however we still checked
+    the existence of the user and directory.  Don't do those checks if we're
+    not going to use them.  Based in part on a patch from Lionel Fourquaux
+    via Corinna Vinschen, ok djm@
+
+commit f2742a481fe151e493765a3fbdef200df2ea7037
+Author: Darren Tucker <dtucker@zip.com.au>
+Date:   Wed Mar 29 10:50:31 2017 +1100
+
+    Remove SHA256 EVP wrapper implementation.
+    
+    All supported versions of OpenSSL should now have SHA256 so remove our
+    EVP wrapper implementaion.  ok djm@
+
+commit 5346f271fc76549caf4a8e65b5fba319be422fe9
+Author: Darren Tucker <dtucker@zip.com.au>
+Date:   Wed Mar 29 10:23:58 2017 +1100
+
+    Remove check for OpenSSL < 0.9.8g.
+    
+    We no longer support OpenSSL < 1.0.1 so remove check for unreliable ECC
+    in OpenSSL < 0.9.8g.
+
+commit 8fed0a5fe7b4e78a6810b133d8e91be9742ee0a1
+Author: Darren Tucker <dtucker@zip.com.au>
+Date:   Wed Mar 29 10:16:15 2017 +1100
+
+    Remove compat code for OpenSSL < 0.9.7.
+    
+    Resyncs that code with OpenBSD upstream.
+
+commit 608ec1f62ff22fdccc3952e51463d79c43cbd0d3
+Author: Darren Tucker <dtucker@zip.com.au>
+Date:   Wed Mar 29 09:50:54 2017 +1100
+
+    Remove SSHv1 code path.
+    
+    Server-side support for Protocol 1 has been removed so remove !compat20
+    PAM code path.
+
+commit 7af27bf538cbc493d609753f9a6d43168d438f1b
+Author: Darren Tucker <dtucker@zip.com.au>
+Date:   Fri Mar 24 09:44:56 2017 +1100
+
+    Enable ldns when using ldns-config.
+    
+    Actually enable ldns when attempting to use ldns-config.  bz#2697, patch
+    from fredrik at fornwall.net.
+
+commit 58b8cfa2a062b72139d7229ae8de567f55776f24
+Author: Damien Miller <djm@mindrot.org>
+Date:   Wed Mar 22 12:43:02 2017 +1100
+
+    Missing header on Linux/s390
+    
+    Patch from Jakub Jelen
+
+commit 096fb65084593f9f3c1fc91b6d9052759a272a00
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Mon Mar 20 22:08:06 2017 +0000
+
+    upstream commit
+    
+    remove /usr/bin/time calls around tests, makes diffing test
+    runs harder. Based on patch from Mike Frysinger
+    
+    Upstream-Regress-ID: 81c1083b14dcf473b23d2817882f40b346ebc95c
+
+commit 6b853c6f8ba5eecc50f3b57af8e63f8184eb0fa6
+Author: Damien Miller <djm@mindrot.org>
+Date:   Tue Mar 21 08:47:55 2017 +1100
+
+    Fix syntax error on Linux/X32
+    
+    Patch from Mike Frysinger
+
 commit d38f05dbdd291212bc95ea80648b72b7177e9f4e
 Author: Darren Tucker <dtucker@zip.com.au>
 Date:   Mon Mar 20 13:38:27 2017 +1100
@@ -6838,2557 +9349,3 @@ Date:   Tue Sep 22 08:33:23 2015 +0000
     fix two typos.
     
     Upstream-ID: 424402c0d8863a11b51749bacd7f8d932083b709
-
-commit 8408218c1ca88cb17d15278174a24a94a6f65fe1
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Mon Sep 21 04:31:00 2015 +0000
-
-    upstream commit
-    
-    fix possible hang on closed output; bz#2469 reported by Tomas
-     Kuthan ok markus@
-    
-    Upstream-ID: f7afd41810f8540f524284f1be6b970859f94fe3
-
-commit 0097248f90a00865082e8c146b905a6555cc146f
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Fri Sep 11 04:55:01 2015 +0000
-
-    upstream commit
-    
-    skip if running as root; many systems (inc OpenBSD) allow
-     root to ptrace arbitrary processes
-    
-    Upstream-Regress-ID: be2b925df89360dff36f972951fa0fa793769038
-
-commit 9c06c814aff925e11a5cc592c06929c258a014f6
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Fri Sep 11 03:44:21 2015 +0000
-
-    upstream commit
-    
-    try all supported key types here; bz#2455 reported by
-     Jakub Jelen
-    
-    Upstream-Regress-ID: 188cb7d9031cdbac3a0fa58b428b8fa2b2482bba
-
-commit 3c019a936b43f3e2773f3edbde7c114d73caaa4c
-Author: tim@openbsd.org <tim@openbsd.org>
-Date:   Sun Sep 13 14:39:16 2015 +0000
-
-    upstream commit
-    
-    - Fix error message: passphrase needs to be at least 5
-     characters, not 4. - Remove unused function argument. - Remove two
-     unnecessary variables.
-    
-    OK djm@
-    
-    Upstream-ID: 13010c05bfa8b523da1c0dc19e81dd180662bc30
-
-commit 2681cdb6e0de7c1af549dac37a9531af202b4434
-Author: tim@openbsd.org <tim@openbsd.org>
-Date:   Sun Sep 13 13:48:19 2015 +0000
-
-    upstream commit
-    
-    When adding keys to the agent, don't ignore the comment
-     of keys for which the user is prompted for a passphrase.
-    
-    Tweak and OK djm@
-    
-    Upstream-ID: dc737c620a5a8d282cc4f66e3b9b624e9abefbec
-
-commit 14692f7b8251cdda847e648a82735eef8a4d2a33
-Author: guenther@openbsd.org <guenther@openbsd.org>
-Date:   Fri Sep 11 08:50:04 2015 +0000
-
-    upstream commit
-    
-    Use explicit_bzero() when zeroing before free()
-    
-    from Michael McConville (mmcconv1 (at) sccs.swarthmore.edu)
-    ok millert@ djm@
-    
-    Upstream-ID: 2e3337db046c3fe70c7369ee31515ac73ec00f50
-
-commit 846f6fa4cfa8483a9195971dbdd162220f199d85
-Author: jmc@openbsd.org <jmc@openbsd.org>
-Date:   Fri Sep 11 06:55:46 2015 +0000
-
-    upstream commit
-    
-    sync -Q in usage() to SYNOPSIS; since it's drastically
-     shorter, i've reformatted the block to sync with the man (80 cols) and saved
-     a line;
-    
-    Upstream-ID: 86e2c65c3989a0777a6258a77e589b9f6f354abd
-
-commit 95923e0520a8647417ee6dcdff44694703dfeef0
-Author: jmc@openbsd.org <jmc@openbsd.org>
-Date:   Fri Sep 11 06:51:39 2015 +0000
-
-    upstream commit
-    
-    tweak previous;
-    
-    Upstream-ID: f29b3cfcfd9aa31fa140c393e7bd48c1c74139d6
-
-commit 86ac462f833b05d8ed9de9c50ccb295d7faa79ff
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date:   Fri Sep 11 05:27:02 2015 +0000
-
-    upstream commit
-    
-    Update usage to match man page.
-    
-    Upstream-ID: 9e85aefaecfb6aaf34c7cfd0700cd21783a35675
-
-commit 674b3b68c1d36b2562324927cd03857b565e05e8
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Fri Sep 11 03:47:28 2015 +0000
-
-    upstream commit
-    
-    expand %i in ControlPath to UID; bz#2449
-    
-    patch from Christian Hesse w/ feedback from dtucker@
-    
-    Upstream-ID: 2ba8d303e555a84e2f2165ab4b324b41e80ab925
-
-commit c0f55db7ee00c8202b05cb4b9ad4ce72cc45df41
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Fri Sep 11 03:42:32 2015 +0000
-
-    upstream commit
-    
-    mention -Q key-plain and -Q key-cert; bz#2455 pointed out
-     by Jakub Jelen
-    
-    Upstream-ID: c8f1f8169332e4fa73ac96b0043e3b84e01d4896
-
-commit cfffbdb10fdf0f02d3f4232232eef7ec3876c383
-Author: Darren Tucker <dtucker@zip.com.au>
-Date:   Mon Sep 14 16:24:21 2015 +1000
-
-    Use ssh-keygen -A when generating host keys.
-    
-    Use ssh-keygen -A instead of per-keytype invocations when generating host
-    keys.  Add tests when doing host-key-force since we can't use ssh-keygen -A
-    since it can't specify alternate locations.  bz#2459, ok djm@
-
-commit 366bada1e9e124654aac55b72b6ccf878755b0dc
-Author: Darren Tucker <dtucker@zip.com.au>
-Date:   Fri Sep 11 13:29:22 2015 +1000
-
-    Correct default value for --with-ssh1.
-    
-    bz#2457, from konto-mindrot.org at walimnieto.com.
-
-commit 2bca8a43e7dd9b04d7070824ffebb823c72587b2
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Fri Sep 11 03:13:36 2015 +0000
-
-    upstream commit
-    
-    more clarity on what AuthorizedKeysFile=none does; based
-     on diff by Thiebaud Weksteen
-    
-    Upstream-ID: 78ab87f069080f0cc3bc353bb04eddd9e8ad3704
-
-commit 61942ea4a01e6db4fdf37ad61de81312ffe310e9
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Wed Sep 9 00:52:44 2015 +0000
-
-    upstream commit
-    
-    openssh_RSA_verify return type is int, so don't make it
-     size_t within the function itself with only negative numbers or zero assigned
-     to it. bz#2460
-    
-    Upstream-ID: b6e794b0c7fc4f9f329509263c8668d35f83ea55
-
-commit 4f7cc2f8cc861a21e6dbd7f6c25652afb38b9b96
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date:   Fri Sep 4 08:21:47 2015 +0000
-
-    upstream commit
-    
-    Plug minor memory leaks when options are used more than
-     once.  bz#2182, patch from Tiago Cunha, ok deraadt djm
-    
-    Upstream-ID: 5b84d0401e27fe1614c10997010cc55933adb48e
-
-commit 7ad8b287c8453a3e61dbc0d34d467632b8b06fc8
-Author: Darren Tucker <dtucker@zip.com.au>
-Date:   Fri Sep 11 13:11:02 2015 +1000
-
-    Force resolution of _res for correct detection.
-    
-    bz#2259, from sconeu at yahoo.com.
-
-commit 26ad18247213ff72b4438abe7fc660c958810fa2
-Author: Damien Miller <djm@mindrot.org>
-Date:   Thu Sep 10 10:57:41 2015 +1000
-
-    allow getrandom syscall; from Felix von Leitner
-
-commit 5245bc1e6b129a10a928f73f11c3aa32656c44b4
-Author: jmc@openbsd.org <jmc@openbsd.org>
-Date:   Fri Sep 4 06:40:45 2015 +0000
-
-    upstream commit
-    
-    full stop belongs outside the brackets, not inside;
-    
-    Upstream-ID: 99d098287767799ac33d2442a05b5053fa5a551a
-
-commit a85768a9321d74b41219eeb3c9be9f1702cbf6a5
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Fri Sep 4 04:56:09 2015 +0000
-
-    upstream commit
-    
-    add a debug2() right before DNS resolution; it's a place
-     where ssh could previously silently hang for a while. bz#2433
-    
-    Upstream-ID: 52a1a3e0748db66518e7598352c427145692a6a0
-
-commit 46152af8d27aa34d5d26ed1c371dc8aa142d4730
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Fri Sep 4 04:55:24 2015 +0000
-
-    upstream commit
-    
-    correct function name in error messages
-    
-    Upstream-ID: 92fb2798617ad9561370897f4ab60adef2ff4c0e
-
-commit a954cdb799a4d83c2d40fbf3e7b9f187fbfd72fc
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Fri Sep 4 04:47:50 2015 +0000
-
-    upstream commit
-    
-    better document ExitOnForwardFailure; bz#2444, ok
-     dtucker@
-    
-    Upstream-ID: a126209b5a6d9cb3117ac7ab5bc63d284538bfc2
-
-commit f54d8ac2474b6fc3afa081cf759b48a6c89d3319
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Fri Sep 4 04:44:08 2015 +0000
-
-    upstream commit
-    
-    don't record hostbased authentication hostkeys as user
-     keys in test for multiple authentication with the same key
-    
-    Upstream-ID: 26b368fa2cff481f47f37e01b8da1ae5b57b1adc
-
-commit ac3451dd65f27ecf85dc045c46d49e2bbcb8dddd
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Fri Sep 4 03:57:38 2015 +0000
-
-    upstream commit
-    
-    remove extra newline in nethack-mode hostkey; from
-     Christian Hesse bz#2686
-    
-    Upstream-ID: 4f56368b1cc47baeea0531912186f66007fd5b92
-
-commit 9e3ed9ebb1a7e47c155c28399ddf09b306ea05df
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Fri Sep 4 04:23:10 2015 +0000
-
-    upstream commit
-    
-    trim junk from end of file; bz#2455 from Jakub Jelen
-    
-    Upstream-Regress-ID: a4e64e8931e40d23874b047074444eff919cdfe6
-
-commit f3a3ea180afff080bab82087ee0b60db9fd84f6c
-Author: jsg@openbsd.org <jsg@openbsd.org>
-Date:   Wed Sep 2 07:51:12 2015 +0000
-
-    upstream commit
-    
-    Fix occurrences of "r = func() != 0" which result in the
-     wrong error codes being returned due to != having higher precedence than =.
-    
-    ok deraadt@ markus@
-    
-    Upstream-ID: 5fc35c9fc0319cc6fca243632662d2f06b5fd840
-
-commit f498a98cf83feeb7ea01c15cd1c98b3111361f3a
-Author: Damien Miller <djm@mindrot.org>
-Date:   Thu Sep 3 09:11:22 2015 +1000
-
-    don't check for yp_match; ok tim@
-
-commit 9690b78b7848b0b376980a61d51b1613e187ddb5
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Fri Aug 21 23:57:48 2015 +0000
-
-    upstream commit
-    
-    Improve printing of KEX offers and decisions
-    
-    The debug output now labels the client and server offers and the
-    negotiated options. ok markus@
-    
-    Upstream-ID: 8db921b3f92a4565271b1c1fbce6e7f508e1a2cb
-
-commit 60a92470e21340e1a3fc10f9c7140d8e1519dc55
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Fri Aug 21 23:53:08 2015 +0000
-
-    upstream commit
-    
-    Fix printing (ssh -G ...) of HostKeyAlgorithms=+...
-     Reported by Bryan Drewery
-    
-    Upstream-ID: 19ad20c41bd5971e006289b6f9af829dd46c1293
-
-commit 6310f60fffca2d1e464168e7d1f7e3b6b0268897
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Fri Aug 21 23:52:30 2015 +0000
-
-    upstream commit
-    
-    Fix expansion of HostkeyAlgorithms=+...
-    
-    Reported by Bryan Drewery
-    
-    Upstream-ID: 70ca1deea39d758ba36d36428ae832e28566f78d
-
-commit e774e5ea56237fd626a8161f9005023dff3e76c9
-Author: deraadt@openbsd.org <deraadt@openbsd.org>
-Date:   Fri Aug 21 23:29:31 2015 +0000
-
-    upstream commit
-    
-    Improve size == 0, count == 0 checking in mm_zalloc,
-     which is "array" like. Discussed with tedu, millert, otto.... and ok djm
-    
-    Upstream-ID: 899b021be43b913fad3eca1aef44efe710c53e29
-
-commit 189de02d9ad6f3645417c0ddf359b923aae5f926
-Author: Damien Miller <djm@mindrot.org>
-Date:   Fri Aug 21 15:45:02 2015 +1000
-
-    expose POLLHUP and POLLNVAL for netcat.c
-
-commit e91346dc2bbf460246df2ab591b7613908c1b0ad
-Author: Damien Miller <djm@mindrot.org>
-Date:   Fri Aug 21 14:49:03 2015 +1000
-
-    we don't use Github for issues/pull-requests
-
-commit a4f5b507c708cc3dc2c8dd2d02e4416d7514dc23
-Author: Damien Miller <djm@mindrot.org>
-Date:   Fri Aug 21 14:43:55 2015 +1000
-
-    fix URL for connect.c
-
-commit d026a8d3da0f8186598442997c7d0a28e7275414
-Author: Damien Miller <djm@mindrot.org>
-Date:   Fri Aug 21 13:47:10 2015 +1000
-
-    update version numbers for 7.1
-
-commit 78f8f589f0ca1c9f41e5a9bae3cda5ce8a6b42ed
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Fri Aug 21 03:45:26 2015 +0000
-
-    upstream commit
-    
-    openssh-7.1
-    
-    Upstream-ID: ff7b1ef4b06caddfb45e08ba998128c88be3d73f
-
-commit 32a181980c62fce94f7f9ffaf6a79d90f0c309cf
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Fri Aug 21 03:42:19 2015 +0000
-
-    upstream commit
-    
-    fix inverted logic that broke PermitRootLogin; reported
-     by Mantas Mikulenas; ok markus@
-    
-    Upstream-ID: 260dd6a904c1bb7e43267e394b1c9cf70bdd5ea5
-
-commit ce445b0ed927e45bd5bdce8f836eb353998dd65c
-Author: deraadt@openbsd.org <deraadt@openbsd.org>
-Date:   Thu Aug 20 22:32:42 2015 +0000
-
-    upstream commit
-    
-    Do not cast result of malloc/calloc/realloc* if stdlib.h
-     is in scope ok krw millert
-    
-    Upstream-ID: 5e50ded78cadf3841556649a16cc4b1cb6c58667
-
-commit 05291e5288704d1a98bacda269eb5a0153599146
-Author: naddy@openbsd.org <naddy@openbsd.org>
-Date:   Thu Aug 20 19:20:06 2015 +0000
-
-    upstream commit
-    
-    In the certificates section, be consistent about using
-     "host_key" and "user_key" for the respective key types.  ok sthen@ deraadt@
-    
-    Upstream-ID: 9e037ea3b15577b238604c5533e082a3947f13cb
-
-commit 8543d4ef6f2e9f98c3e6b77c894ceec30c5e4ae4
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Wed Aug 19 23:21:42 2015 +0000
-
-    upstream commit
-    
-    Better compat matching for WinSCP, add compat matching
-     for FuTTY (fork of PuTTY); ok markus@ deraadt@
-    
-    Upstream-ID: 24001d1ac115fa3260fbdc329a4b9aeb283c5389
-
-commit ec6eda16ebab771aa3dfc90629b41953b999cb1e
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Wed Aug 19 23:19:01 2015 +0000
-
-    upstream commit
-    
-    fix double-free() in error path of DSA key generation
-     reported by Mateusz Kocielski; ok markus@
-    
-    Upstream-ID: 4735d8f888b10599a935fa1b374787089116713c
-
-commit 45b0eb752c94954a6de046bfaaf129e518ad4b5b
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Wed Aug 19 23:18:26 2015 +0000
-
-    upstream commit
-    
-    fix free() of uninitialised pointer reported by Mateusz
-     Kocielski; ok markus@
-    
-    Upstream-ID: 519552b050618501a06b7b023de5cb104e2c5663
-
-commit c837643b93509a3ef538cb6624b678c5fe32ff79
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Wed Aug 19 23:17:51 2015 +0000
-
-    upstream commit
-    
-    fixed unlink([uninitialised memory]) reported by Mateusz
-     Kocielski; ok markus@
-    
-    Upstream-ID: 14a0c4e7d891f5a8dabc4b89d4f6b7c0d5a20109
-
-commit 1f8d3d629cd553031021068eb9c646a5f1e50994
-Author: jmc@openbsd.org <jmc@openbsd.org>
-Date:   Fri Aug 14 15:32:41 2015 +0000
-
-    upstream commit
-    
-    match myproposal.h order; from brian conway (i snuck in a
-     tweak while here)
-    
-    ok dtucker
-    
-    Upstream-ID: 35174a19b5237ea36aa3798f042bf5933b772c67
-
-commit 1dc8d93ce69d6565747eb44446ed117187621b26
-Author: deraadt@openbsd.org <deraadt@openbsd.org>
-Date:   Thu Aug 6 14:53:21 2015 +0000
-
-    upstream commit
-    
-    add prohibit-password as a synonymn for without-password,
-     since the without-password is causing too many questions.  Harden it to ban
-     all but pubkey, hostbased, and GSSAPI auth (when the latter is enabled) from
-     djm, ok markus
-    
-    Upstream-ID: d53317d7b28942153e6236d3fd6e12ceb482db7a
-
-commit 90a95a4745a531b62b81ce3b025e892bdc434de5
-Author: Damien Miller <djm@mindrot.org>
-Date:   Tue Aug 11 13:53:41 2015 +1000
-
-    update version in README
-
-commit 318c37743534b58124f1bab37a8a0087a3a9bd2f
-Author: Damien Miller <djm@mindrot.org>
-Date:   Tue Aug 11 13:53:09 2015 +1000
-
-    update versions in *.spec
-
-commit 5e75f5198769056089fb06c4d738ab0e5abc66f7
-Author: Damien Miller <djm@mindrot.org>
-Date:   Tue Aug 11 13:34:12 2015 +1000
-
-    set sshpam_ctxt to NULL after free
-    
-    Avoids use-after-free in monitor when privsep child is compromised.
-    Reported by Moritz Jodeit; ok dtucker@
-
-commit d4697fe9a28dab7255c60433e4dd23cf7fce8a8b
-Author: Damien Miller <djm@mindrot.org>
-Date:   Tue Aug 11 13:33:24 2015 +1000
-
-    Don't resend username to PAM; it already has it.
-    
-    Pointed out by Moritz Jodeit; ok dtucker@
-
-commit 88763a6c893bf3dfe951ba9271bf09715e8d91ca
-Author: Darren Tucker <dtucker@zip.com.au>
-Date:   Mon Jul 27 12:14:25 2015 +1000
-
-    Import updated moduli file from OpenBSD.
-
-commit 55b263fb7cfeacb81aaf1c2036e0394c881637da
-Author: Damien Miller <djm@mindrot.org>
-Date:   Mon Aug 10 11:13:44 2015 +1000
-
-    let principals-command.sh work for noexec /var/run
-
-commit 2651e34cd11b1aac3a0fe23b86d8c2ff35c07897
-Author: Damien Miller <djm@mindrot.org>
-Date:   Thu Aug 6 11:43:42 2015 +1000
-
-    work around echo -n / sed behaviour in tests
-
-commit d85dad81778c1aa8106acd46930b25fdf0d15b2a
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Wed Aug 5 05:27:33 2015 +0000
-
-    upstream commit
-    
-    adjust for RSA minimum modulus switch; ok deraadt@
-    
-    Upstream-Regress-ID: 5a72c83431b96224d583c573ca281cd3a3ebfdae
-
-commit 57e8e229bad5fe6056b5f1199665f5f7008192c6
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Tue Aug 4 05:23:06 2015 +0000
-
-    upstream commit
-    
-    backout SSH_RSA_MINIMUM_MODULUS_SIZE increase for this
-     release; problems spotted by sthen@ ok deraadt@ markus@
-    
-    Upstream-ID: d0bd60dde9e8c3cd7030007680371894c1499822
-
-commit f097d0ea1e0889ca0fa2e53a00214e43ab7fa22a
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Sun Aug 2 09:56:42 2015 +0000
-
-    upstream commit
-    
-    openssh 7.0; ok deraadt@
-    
-    Upstream-ID: c63afdef537f57f28ae84145c5a8e29e9250221f
-
-commit 3d5728a0f6874ce4efb16913a12963595070f3a9
-Author: chris@openbsd.org <chris@openbsd.org>
-Date:   Fri Jul 31 15:38:09 2015 +0000
-
-    upstream commit
-    
-    Allow PermitRootLogin to be overridden by config
-    
-    ok markus@ deeradt@
-    
-    Upstream-ID: 5cf3e26ed702888de84e2dc9d0054ccf4d9125b4
-
-commit 6f941396b6835ad18018845f515b0c4fe20be21a
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Thu Jul 30 23:09:15 2015 +0000
-
-    upstream commit
-    
-    fix pty permissions; patch from Nikolay Edigaryev; ok
-     deraadt
-    
-    Upstream-ID: 40ff076d2878b916fbfd8e4f45dbe5bec019e550
-
-commit f4373ed1e8fbc7c8ce3fc4ea97d0ba2e0c1d7ef0
-Author: deraadt@openbsd.org <deraadt@openbsd.org>
-Date:   Thu Jul 30 19:23:02 2015 +0000
-
-    upstream commit
-    
-    change default: PermitRootLogin without-password matching
-     install script changes coming as well ok djm markus
-    
-    Upstream-ID: 0e2a6c4441daf5498b47a61767382bead5eb8ea6
-
-commit 0c30ba91f87fcda7e975e6ff8a057f624e87ea1c
-Author: Damien Miller <djm@mindrot.org>
-Date:   Thu Jul 30 12:31:39 2015 +1000
-
-    downgrade OOM adjustment logging: verbose -> debug
-
-commit f9eca249d4961f28ae4b09186d7dc91de74b5895
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Thu Jul 30 00:01:34 2015 +0000
-
-    upstream commit
-    
-    Allow ssh_config and sshd_config kex parameters options be
-     prefixed by a '+' to indicate that the specified items be appended to the
-     default rather than replacing it.
-    
-    approach suggested by dtucker@, feedback dlg@, ok markus@
-    
-    Upstream-ID: 0f901137298fc17095d5756ff1561a7028e8882a
-
-commit 5cefe769105a2a2e3ca7479d28d9a325d5ef0163
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Wed Jul 29 08:34:54 2015 +0000
-
-    upstream commit
-    
-    fix bug in previous; was printing incorrect string for
-     failed host key algorithms negotiation
-    
-    Upstream-ID: 22c0dc6bc61930513065d92e11f0753adc4c6e6e
-
-commit f319912b0d0e1675b8bb051ed8213792c788bcb2
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Wed Jul 29 04:43:06 2015 +0000
-
-    upstream commit
-    
-    include the peer's offer when logging a failure to
-     negotiate a mutual set of algorithms (kex, pubkey, ciphers, etc.) ok markus@
-    
-    Upstream-ID: bbb8caabf5c01790bb845f5ce135565248d7c796
-
-commit b6ea0e573042eb85d84defb19227c89eb74cf05a
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Tue Jul 28 23:20:42 2015 +0000
-
-    upstream commit
-    
-    add Cisco to the list of clients that choke on the
-     hostkeys update extension. Pointed out by Howard Kash
-    
-    Upstream-ID: c9eadde28ecec056c73d09ee10ba4570dfba7e84
-
-commit 3f628c7b537291c1019ce86af90756fb4e66d0fd
-Author: guenther@openbsd.org <guenther@openbsd.org>
-Date:   Mon Jul 27 16:29:23 2015 +0000
-
-    upstream commit
-    
-    Permit kbind(2) use in the sandbox now, to ease testing
-     of ld.so work using it
-    
-    reminded by miod@, ok deraadt@
-    
-    Upstream-ID: 523922e4d1ba7a091e3824e77a8a3c818ee97413
-
-commit ebe27ebe520098bbc0fe58945a87ce8490121edb
-Author: millert@openbsd.org <millert@openbsd.org>
-Date:   Mon Jul 20 18:44:12 2015 +0000
-
-    upstream commit
-    
-    Move .Pp before .Bl, not after to quiet mandoc -Tlint.
-     Noticed by jmc@
-    
-    Upstream-ID: 59fadbf8407cec4e6931e50c53cfa0214a848e23
-
-commit d5d91d0da819611167782c66ab629159169d94d4
-Author: millert@openbsd.org <millert@openbsd.org>
-Date:   Mon Jul 20 18:42:35 2015 +0000
-
-    upstream commit
-    
-    Sync usage with SYNOPSIS
-    
-    Upstream-ID: 7a321a170181a54f6450deabaccb6ef60cf3f0b7
-
-commit 79ec2142fbc68dd2ed9688608da355fc0b1ed743
-Author: millert@openbsd.org <millert@openbsd.org>
-Date:   Mon Jul 20 15:39:52 2015 +0000
-
-    upstream commit
-    
-    Better desciption of Unix domain socket forwarding.
-     bz#2423; ok jmc@
-    
-    Upstream-ID: 85e28874726897e3f26ae50dfa2e8d2de683805d
-
-commit d56fd1828074a4031b18b8faa0bf949669eb18a0
-Author: Damien Miller <djm@mindrot.org>
-Date:   Mon Jul 20 11:19:51 2015 +1000
-
-    make realpath.c compile -Wsign-compare clean
-
-commit c63c9a691dca26bb7648827f5a13668832948929
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Mon Jul 20 00:30:01 2015 +0000
-
-    upstream commit
-    
-    mention that the default of UseDNS=no implies that
-     hostnames cannot be used for host matching in sshd_config and
-     authorized_keys; bz#2045, ok dtucker@
-    
-    Upstream-ID: 0812705d5f2dfa59aab01f2764ee800b1741c4e1
-
-commit 63ebcd0005e9894fcd6871b7b80aeea1fec0ff76
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Sat Jul 18 08:02:17 2015 +0000
-
-    upstream commit
-    
-    don't ignore PKCS#11 hosted keys that return empty
-     CKA_ID; patch by Jakub Jelen via bz#2429; ok markus
-    
-    Upstream-ID: 2f7c94744eb0342f8ee8bf97b2351d4e00116485
-
-commit b15fd989c8c62074397160147a8d5bc34b3f3c63
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Sat Jul 18 08:00:21 2015 +0000
-
-    upstream commit
-    
-    skip uninitialised PKCS#11 slots; patch from Jakub Jelen
-     in bz#2427 ok markus@
-    
-    Upstream-ID: 744c1e7796e237ad32992d0d02148e8a18f27d29
-
-commit 5b64f85bb811246c59ebab70aed331f26ba37b18
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Sat Jul 18 07:57:14 2015 +0000
-
-    upstream commit
-    
-    only query each keyboard-interactive device once per
-     authentication request regardless of how many times it is listed; ok markus@
-    
-    Upstream-ID: d73fafba6e86030436ff673656ec1f33d9ffeda1
-
-commit cd7324d0667794eb5c236d8a4e0f236251babc2d
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Fri Jul 17 03:34:27 2015 +0000
-
-    upstream commit
-    
-    remove -u flag to diff (only used for error output) to make
-     things easier for -portable
-    
-    Upstream-Regress-ID: a5d6777d2909540d87afec3039d9bb2414ade548
-
-commit deb8d99ecba70b67f4af7880b11ca8768df9ec3a
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Fri Jul 17 03:09:19 2015 +0000
-
-    upstream commit
-    
-    direct-streamlocal@openssh.com Unix domain foward
-     messages do not contain a "reserved for future use" field and in fact,
-     serverloop.c checks that there isn't one. Remove erroneous mention from
-     PROTOCOL description. bz#2421 from Daniel Black
-    
-    Upstream-ID: 3d51a19e64f72f764682f1b08f35a8aa810a43ac
-
-commit 356b61f365405b5257f5b2ab446e5d7bd33a7b52
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Fri Jul 17 03:04:27 2015 +0000
-
-    upstream commit
-    
-    describe magic for setting up Unix domain socket fowards
-     via the mux channel; bz#2422 patch from Daniel Black
-    
-    Upstream-ID: 943080fe3864715c423bdeb7c920bb30c4eee861
-
-commit d3e2aee41487d55b8d7d40f538b84ff1db7989bc
-Author: Darren Tucker <dtucker@zip.com.au>
-Date:   Fri Jul 17 12:52:34 2015 +1000
-
-    Check if realpath works on nonexistent files.
-    
-    On some platforms the native realpath doesn't work with non-existent
-    files (this is actually specified in some versions of POSIX), however
-    the sftp spec says its realpath with "canonicalize any given path name".
-    On those platforms, use realpath from the compat library.
-    
-    In addition, when compiling with -DFORTIFY_SOURCE, glibc redefines
-    the realpath symbol to the checked version, so redefine ours to
-    something else so we pick up the compat version we want.
-    
-    bz#2428, ok djm@
-
-commit 25b14610dab655646a109db5ef8cb4c4bf2a48a0
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Fri Jul 17 02:47:45 2015 +0000
-
-    upstream commit
-    
-    fix incorrect test for SSH1 keys when compiled without SSH1
-     support
-    
-    Upstream-ID: 6004d720345b8e481c405e8ad05ce2271726e451
-
-commit df56a8035d429b2184ee94aaa7e580c1ff67f73a
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Wed Jul 15 08:00:11 2015 +0000
-
-    upstream commit
-    
-    fix NULL-deref when SSH1 reenabled
-    
-    Upstream-ID: f22fd805288c92b3e9646782d15b48894b2d5295
-
-commit 41e38c4d49dd60908484e6703316651333f16b93
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Wed Jul 15 07:19:50 2015 +0000
-
-    upstream commit
-    
-    regen RSA1 test keys; the last batch was missing their
-     private parts
-    
-    Upstream-Regress-ID: 7ccf437305dd63ff0b48dd50c5fd0f4d4230c10a
-
-commit 5bf0933184cb622ca3f96d224bf3299fd2285acc
-Author: markus@openbsd.org <markus@openbsd.org>
-Date:   Fri Jul 10 06:23:25 2015 +0000
-
-    upstream commit
-    
-    Adapt tests, now that DSA if off by default; use
-     PubkeyAcceptedKeyTypes and PubkeyAcceptedKeyTypes to test DSA.
-    
-    Upstream-Regress-ID: 0ff2a3ff5ac1ce5f92321d27aa07b98656efcc5c
-
-commit 7a6e3fd7b41dbd3756b6bf9acd67954c0b1564cc
-Author: markus@openbsd.org <markus@openbsd.org>
-Date:   Tue Jul 7 14:54:16 2015 +0000
-
-    upstream commit
-    
-    regen test data after mktestdata.sh changes
-    
-    Upstream-Regress-ID: 3495ecb082b9a7c048a2d7c5c845d3bf181d25a4
-
-commit 7c8c174c69f681d4910fa41c37646763692b28e2
-Author: markus@openbsd.org <markus@openbsd.org>
-Date:   Tue Jul 7 14:53:30 2015 +0000
-
-    upstream commit
-    
-    adapt tests to new minimum RSA size and default FP format
-    
-    Upstream-Regress-ID: a4b30afd174ce82b96df14eb49fb0b81398ffd0e
-
-commit 6a977a4b68747ade189e43d302f33403fd4a47ac
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Fri Jul 3 04:39:23 2015 +0000
-
-    upstream commit
-    
-    legacy v00 certificates are gone; adapt and don't try to
-     test them; "sure" markus@ dtucker@
-    
-    Upstream-Regress-ID: c57321e69b3cd4a3b3396dfcc43f0803d047da12
-
-commit 0c4123ad5e93fb90fee9c6635b13a6cdabaac385
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Wed Jul 1 23:11:18 2015 +0000
-
-    upstream commit
-    
-    don't expect SSH v.1 in unittests
-    
-    Upstream-Regress-ID: f8812b16668ba78e6a698646b2a652b90b653397
-
-commit 3c099845798a817cdde513c39074ec2063781f18
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Mon Jun 15 06:38:50 2015 +0000
-
-    upstream commit
-    
-    turn SSH1 back on to match src/usr.bin/ssh being tested
-    
-    Upstream-Regress-ID: 6c4f763a2f0cc6893bf33983919e9030ae638333
-
-commit b1dc2b33689668c75e95f873a42d5aea1f4af1db
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date:   Mon Jul 13 04:57:14 2015 +0000
-
-    upstream commit
-    
-    Add "PuTTY_Local:" to the clients to which we do not
-     offer DH-GEX. This was the string that was used for development versions
-     prior to September 2014 and they don't do RFC4419 DH-GEX, but unfortunately
-     there are some extant products based on those versions.  bx2424 from Jay
-     Rouman, ok markus@ djm@
-    
-    Upstream-ID: be34d41e18b966832fe09ca243d275b81882e1d5
-
-commit 3a1638dda19bbc73d0ae02b4c251ce08e564b4b9
-Author: markus@openbsd.org <markus@openbsd.org>
-Date:   Fri Jul 10 06:21:53 2015 +0000
-
-    upstream commit
-    
-    Turn off DSA by default; add HostKeyAlgorithms to the
-     server and PubkeyAcceptedKeyTypes to the client side, so it still can be
-     tested or turned back on; feedback and ok djm@
-    
-    Upstream-ID: 8450a9e6d83f80c9bfed864ff061dfc9323cec21
-
-commit 16db0a7ee9a87945cc594d13863cfcb86038db59
-Author: markus@openbsd.org <markus@openbsd.org>
-Date:   Thu Jul 9 09:49:46 2015 +0000
-
-    upstream commit
-    
-    re-enable ed25519-certs if compiled w/o openssl; ok djm
-    
-    Upstream-ID: e10c90808b001fd2c7a93778418e9b318f5c4c49
-
-commit c355bf306ac33de6545ce9dac22b84a194601e2f
-Author: markus@openbsd.org <markus@openbsd.org>
-Date:   Wed Jul 8 20:24:02 2015 +0000
-
-    upstream commit
-    
-    no need to include the old buffer/key API
-    
-    Upstream-ID: fb13c9f7c0bba2545f3eb0a0e69cb0030819f52b
-
-commit a3cc48cdf9853f1e832d78cb29bedfab7adce1ee
-Author: markus@openbsd.org <markus@openbsd.org>
-Date:   Wed Jul 8 19:09:25 2015 +0000
-
-    upstream commit
-    
-    typedefs for Cipher&CipherContext are unused
-    
-    Upstream-ID: 50e6a18ee92221d23ad173a96d5b6c42207cf9a7
-
-commit a635bd06b5c427a57c3ae760d3a2730bb2c863c0
-Author: markus@openbsd.org <markus@openbsd.org>
-Date:   Wed Jul 8 19:04:21 2015 +0000
-
-    upstream commit
-    
-    xmalloc.h is unused
-    
-    Upstream-ID: afb532355b7fa7135a60d944ca1e644d1d63cb58
-
-commit 2521cf0e36c7f3f6b19f206da0af134f535e4a31
-Author: markus@openbsd.org <markus@openbsd.org>
-Date:   Wed Jul 8 19:01:15 2015 +0000
-
-    upstream commit
-    
-    compress.c is gone
-    
-    Upstream-ID: 174fa7faa9b9643cba06164b5e498591356fbced
-
-commit c65a7aa6c43aa7a308ee1ab8a96f216169ae9615
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Fri Jul 3 04:05:54 2015 +0000
-
-    upstream commit
-    
-    another SSH_RSA_MINIMUM_MODULUS_SIZE that needed
-     cranking
-    
-    Upstream-ID: 9d8826cafe96aab4ae8e2f6fd22800874b7ffef1
-
-commit b1f383da5cd3cb921fc7776f17a14f44b8a31757
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Fri Jul 3 03:56:25 2015 +0000
-
-    upstream commit
-    
-    add an XXX reminder for getting correct key paths from
-     sshd_config
-    
-    Upstream-ID: feae52b209d7782ad742df04a4260e9fe41741db
-
-commit 933935ce8d093996c34d7efa4d59113163080680
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Fri Jul 3 03:49:45 2015 +0000
-
-    upstream commit
-    
-    refuse to generate or accept RSA keys smaller than 1024
-     bits; feedback and ok dtucker@
-    
-    Upstream-ID: 7ea3d31271366ba264f06e34a3539bf1ac30f0ba
-
-commit bdfd29f60b74f3e678297269dc6247a5699583c1
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Fri Jul 3 03:47:00 2015 +0000
-
-    upstream commit
-    
-    turn off 1024 bit diffie-hellman-group1-sha1 key
-     exchange method (already off in server, this turns it off in the client by
-     default too) ok dtucker@
-    
-    Upstream-ID: f59b88f449210ab7acf7d9d88f20f1daee97a4fa
-
-commit c28fc62d789d860c75e23a9fa9fb250eb2beca57
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Fri Jul 3 03:43:18 2015 +0000
-
-    upstream commit
-    
-    delete support for legacy v00 certificates; "sure"
-     markus@ dtucker@
-    
-    Upstream-ID: b5b9bb5f9202d09e88f912989d74928601b6636f
-
-commit 564d63e1b4a9637a209d42a9d49646781fc9caef
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Wed Jul 1 23:10:47 2015 +0000
-
-    upstream commit
-    
-    Compile-time disable SSH v.1 again
-    
-    Upstream-ID: 1d4b513a3a06232f02650b73bad25100d1b800af
-
-commit 868109b650504dd9bcccdb1f51d0906f967c20ff
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Wed Jul 1 02:39:06 2015 +0000
-
-    upstream commit
-    
-    twiddle PermitRootLogin back
-    
-    Upstream-ID: 2bd23976305d0512e9f84d054e1fc23cd70b89f2
-
-commit 7de4b03a6e4071d454b72927ffaf52949fa34545
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Wed Jul 1 02:32:17 2015 +0000
-
-    upstream commit
-    
-    twiddle; (this commit marks the openssh-6.9 release)
-    
-    Upstream-ID: 78500582819f61dd8adee36ec5cc9b9ac9351234
-
-commit 1bf477d3cdf1a864646d59820878783d42357a1d
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Wed Jul 1 02:26:31 2015 +0000
-
-    upstream commit
-    
-    better refuse ForwardX11Trusted=no connections attempted
-     after ForwardX11Timeout expires; reported by Jann Horn
-    
-    Upstream-ID: bf0fddadc1b46a0334e26c080038313b4b6dea21
-
-commit 47aa7a0f8551b471fcae0447c1d78464f6dba869
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Wed Jul 1 01:56:13 2015 +0000
-
-    upstream commit
-    
-    put back default PermitRootLogin=no
-    
-    Upstream-ID: 7bdedd5cead99c57ed5571f3b6b7840922d5f728
-
-commit 984b064fe2a23733733262f88d2e1b2a1a501662
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Wed Jul 1 01:55:13 2015 +0000
-
-    upstream commit
-    
-    openssh-6.9
-    
-    Upstream-ID: 6cfe8e1904812531080e6ab6e752d7001b5b2d45
-
-commit d921082ed670f516652eeba50705e1e9f6325346
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Wed Jul 1 01:55:00 2015 +0000
-
-    upstream commit
-    
-    reset default PermitRootLogin to 'yes' (momentarily, for
-     release)
-    
-    Upstream-ID: cad8513527066e65dd7a1c16363d6903e8cefa24
-
-commit 66295e0e1ba860e527f191b6325d2d77dec4dbce
-Author: Damien Miller <djm@mindrot.org>
-Date:   Wed Jul 1 11:49:12 2015 +1000
-
-    crank version numbers for release
-
-commit 37035c07d4f26bb1fbe000d2acf78efdb008681d
-Author: Damien Miller <djm@mindrot.org>
-Date:   Wed Jul 1 10:49:37 2015 +1000
-
-    s/--with-ssh1/--without-ssh1/
-
-commit 629df770dbadc2accfbe1c81b3f31f876d0acd84
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Tue Jun 30 05:25:07 2015 +0000
-
-    upstream commit
-    
-    fatal() when a remote window update causes the window
-     value to overflow. Reported by Georg Wicherski, ok markus@
-    
-    Upstream-ID: ead397a9aceb3bf74ebfa5fcaf259d72e569f351
-
-commit f715afebe735d61df3fd30ad72d9ac1c8bd3b5f2
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Tue Jun 30 05:23:25 2015 +0000
-
-    upstream commit
-    
-    Fix math error in remote window calculations that causes
-     eventual stalls for datagram channels. Reported by Georg Wicherski, ok
-     markus@
-    
-    Upstream-ID: be54059d11bf64e0d85061f7257f53067842e2ab
-
-commit 52fb6b9b034fcfd24bf88cc7be313e9c31de9889
-Author: Damien Miller <djm@mindrot.org>
-Date:   Tue Jun 30 16:05:40 2015 +1000
-
-    skip IPv6-related portions on hosts without IPv6
-    
-    with Tim Rice
-
-commit 512caddf590857af6aa12218461b5c0441028cf5
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Mon Jun 29 22:35:12 2015 +0000
-
-    upstream commit
-    
-    add getpid to sandbox, reachable by grace_alarm_handler
-    
-    reported by Jakub Jelen; bz#2419
-    
-    Upstream-ID: d0da1117c16d4c223954995d35b0f47c8f684cd8
-
-commit 78c2a4f883ea9aba866358e2acd9793a7f42ca93
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Fri Jun 26 05:13:20 2015 +0000
-
-    upstream commit
-    
-    Fix \-escaping bug that caused forward path parsing to skip
-     two characters and skip past the end of the string.
-    
-    Based on patch by Salvador Fandino; ok dtucker@
-    
-    Upstream-ID: 7b879dc446335677cbe4cb549495636a0535f3bd
-
-commit bc20205c91c9920361d12b15d253d4997dba494a
-Author: Damien Miller <djm@mindrot.org>
-Date:   Thu Jun 25 09:51:39 2015 +1000
-
-    add missing pselect6
-    
-    patch from Jakub Jelen
-
-commit 9d27fb73b4a4e5e99cb880af790d5b1ce44f720a
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Wed Jun 24 23:47:23 2015 +0000
-
-    upstream commit
-    
-    correct test to sshkey_sign(); spotted by Albert S.
-    
-    Upstream-ID: 5f7347f40f0ca6abdaca2edb3bd62f4776518933
-
-commit 7ed01a96a1911d8b4a9ef4f3d064e1923bfad7e3
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date:   Wed Jun 24 01:49:19 2015 +0000
-
-    upstream commit
-    
-    Revert previous commit.  We still want to call setgroups
-     in the case where there are zero groups to remove any that we might otherwise
-     inherit (as pointed out by grawity at gmail.com) and since the 2nd argument
-     to setgroups is always a static global it's always valid to dereference in
-     this case.  ok deraadt@ djm@
-    
-    Upstream-ID: 895b5ac560a10befc6b82afa778641315725fd01
-
-commit 882f8bf94f79528caa65b0ba71c185d705bb7195
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date:   Wed Jun 24 01:49:19 2015 +0000
-
-    upstream commit
-    
-    Revert previous commit.  We still want to call setgroups in
-     the case where there are zero groups to remove any that we might otherwise
-     inherit (as pointed out by grawity at gmail.com) and since the 2nd argument
-     to setgroups is always a static global it's always valid to dereference in
-     this case.  ok deraadt@ djm@
-    
-    Upstream-ID: 895b5ac560a10befc6b82afa778641315725fd01
-
-commit 9488538a726951e82b3a4374f3c558d72c80a89b
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Mon Jun 22 23:42:16 2015 +0000
-
-    upstream commit
-    
-    Don't count successful partial authentication as failures
-     in monitor; this may have caused the monitor to refuse multiple
-     authentications that would otherwise have successfully completed; ok markus@
-    
-    Upstream-ID: eb74b8e506714d0f649bd5c300f762a527af04a3
-
-commit 63b78d003bd8ca111a736e6cea6333da50f5f09b
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date:   Mon Jun 22 12:29:57 2015 +0000
-
-    upstream commit
-    
-    Don't call setgroups if we have zero groups; there's no
-     guarantee that it won't try to deref the pointer.  Based on a patch from mail
-     at quitesimple.org, ok djm deraadt
-    
-    Upstream-ID: 2fff85e11d7a9a387ef7fddf41fbfaf566708ab1
-
-commit 5c15e22c691c79a47747bcf5490126656f97cecd
-Author: Damien Miller <djm@mindrot.org>
-Date:   Thu Jun 18 15:07:56 2015 +1000
-
-    fix syntax error
-
-commit 596dbca82f3f567fb3d2d69af4b4e1d3ba1e6403
-Author: jsing@openbsd.org <jsing@openbsd.org>
-Date:   Mon Jun 15 18:44:22 2015 +0000
-
-    upstream commit
-    
-    If AuthorizedPrincipalsCommand is specified, however
-     AuthorizedPrincipalsFile is not (or is set to "none"), authentication will
-     potentially fail due to key_cert_check_authority() failing to locate a
-     principal that matches the username, even though an authorized principal has
-     already been matched in the output of the subprocess. Fix this by using the
-     same logic to determine if pw->pw_name should be passed, as is used to
-     determine if a authorized principal must be matched earlier on.
-    
-    ok djm@
-    
-    Upstream-ID: 43b42302ec846b0ea68aceb40677245391b9409d
-
-commit aff3e94c0d75d0d0fa84ea392b50ab04f8c57905
-Author: jsing@openbsd.org <jsing@openbsd.org>
-Date:   Mon Jun 15 18:42:19 2015 +0000
-
-    upstream commit
-    
-    Make the arguments to match_principals_command() similar
-     to match_principals_file(), by changing the last argument a struct
-     sshkey_cert * and dereferencing key->cert in the caller.
-    
-    No functional change.
-    
-    ok djm@
-    
-    Upstream-ID: 533f99b844b21b47342b32b62e198dfffcf8651c
-
-commit 97e2e1596c202a4693468378b16b2353fd2d6c5e
-Author: Damien Miller <djm@mindrot.org>
-Date:   Wed Jun 17 14:36:54 2015 +1000
-
-    trivial optimisation for seccomp-bpf
-    
-    When doing arg inspection and the syscall doesn't match, skip
-    past the instruction that reloads the syscall into the accumulator,
-    since the accumulator hasn't been modified at this point.
-
-commit 99f33d7304893bd9fa04d227cb6e870171cded19
-Author: Damien Miller <djm@mindrot.org>
-Date:   Wed Jun 17 10:50:51 2015 +1000
-
-    aarch64 support for seccomp-bpf sandbox
-    
-    Also resort and tidy syscall list. Based on patches by Jakub Jelen
-    bz#2361; ok dtucker@
-
-commit 4ef702e1244633c1025ec7cfe044b9ab267097bf
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Mon Jun 15 01:32:50 2015 +0000
-
-    upstream commit
-    
-    return failure on RSA signature error; reported by Albert S
-    
-    Upstream-ID: e61bb93dbe0349625807b0810bc213a6822121fa
-
-commit a170f22baf18af0b1acf2788b8b715605f41a1f9
-Author: Tim Rice <tim@multitalents.net>
-Date:   Tue Jun 9 22:41:13 2015 -0700
-
-    Fix t12 rules for out of tree builds.
-
-commit ec04dc4a5515c913121bc04ed261857e68fa5c18
-Author: millert@openbsd.org <millert@openbsd.org>
-Date:   Fri Jun 5 15:13:13 2015 +0000
-
-    upstream commit
-    
-    For "ssh -L 12345:/tmp/sock" don't fail with "No forward host
-     name." (we have a path, not a host name).  Based on a diff from Jared
-     Yanovich. OK djm@
-    
-    Upstream-ID: 2846b0a8c7de037e33657f95afbd282837fc213f
-
-commit 732d61f417a6aea0aa5308b59cb0f563bcd6edd6
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Fri Jun 5 03:44:14 2015 +0000
-
-    upstream commit
-    
-    typo: accidental repetition; bz#2386
-    
-    Upstream-ID: 45e620d99f6bc301e5949d34a54027374991c88b
-
-commit adfb24c69d1b6f5e758db200866c711e25a2ba73
-Author: Darren Tucker <dtucker@zip.com.au>
-Date:   Fri Jun 5 14:51:40 2015 +1000
-
-    Add Linux powerpc64le and powerpcle entries.
-    
-    Stopgap to resolve bz#2409 because we are so close to release and will
-    update config.guess and friends shortly after the release.  ok djm@
-
-commit a1195a0fdc9eddddb04d3e9e44c4775431cb77da
-Merge: 6397eed d2480bc
-Author: Tim Rice <tim@multitalents.net>
-Date:   Wed Jun 3 21:43:13 2015 -0700
-
-    Merge branch 'master' of git.mindrot.org:/var/git/openssh
-
-commit 6397eedf953b2b973d2d7cbb504ab501a07f8ddc
-Author: Tim Rice <tim@multitalents.net>
-Date:   Wed Jun 3 21:41:11 2015 -0700
-
-    Remove unneeded backslashes. Patch from Ángel González
-
-commit d2480bcac1caf31b03068de877a47d6e1027bf6d
-Author: Darren Tucker <dtucker@zip.com.au>
-Date:   Thu Jun 4 14:10:55 2015 +1000
-
-    Remove redundant include of stdarg.h.  bz#2410
-
-commit 5e67859a623826ccdf2df284cbb37e2d8e2787eb
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Tue Jun 2 09:10:40 2015 +0000
-
-    upstream commit
-    
-    mention CheckHostIP adding addresses to known_hosts;
-     bz#1993; ok dtucker@
-    
-    Upstream-ID: fd44b68440fd0dc29abf9f2d3f703d74a2396cb7
-
-commit d7a58bbac6583e33fd5eca8e2c2cc70c57617818
-Author: Darren Tucker <dtucker@zip.com.au>
-Date:   Tue Jun 2 20:15:26 2015 +1000
-
-    Replace strcpy with strlcpy.
-    
-    ok djm, sanity check by Corinna Vinschen.
-
-commit 51a1c2115265c6e80ede8a5c9dccada9aeed7143
-Author: Damien Miller <djm@mindrot.org>
-Date:   Fri May 29 18:27:21 2015 +1000
-
-    skip, rather than fatal when run without SUDO set
-
-commit 599f01142a376645b15cbc9349d7e8975e1cf245
-Author: Damien Miller <djm@mindrot.org>
-Date:   Fri May 29 18:03:15 2015 +1000
-
-    fix merge botch that left ",," in KEX algs
-
-commit 0c2a81dfc21822f2423edd30751e5ec53467b347
-Author: Damien Miller <djm@mindrot.org>
-Date:   Fri May 29 17:08:28 2015 +1000
-
-    re-enable SSH protocol 1 at compile time
-
-commit db438f9285d64282d3ac9e8c0944f59f037c0151
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Fri May 29 03:05:13 2015 +0000
-
-    upstream commit
-    
-    make this work without SUDO set; ok dtucker@
-    
-    Upstream-Regress-ID: bca88217b70bce2fe52b23b8e06bdeb82d98c715
-
-commit 1d9a2e2849c9864fe75daabf433436341c968e14
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Thu May 28 07:37:31 2015 +0000
-
-    upstream commit
-    
-    wrap all moduli-related code in #ifdef WITH_OPENSSL.
-     based on patch from Reuben Hawkins; bz#2388 feedback and ok dtucker@
-    
-    Upstream-ID: d80cfc8be3e6ec65b3fac9e87c4466533b31b7cf
-
-commit 496aeb25bc2d6c434171292e4714771b594bd00e
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date:   Thu May 28 05:41:29 2015 +0000
-
-    upstream commit
-    
-    Increase the allowed length of the known host file name
-     in the log message to be consistent with other cases.  Part of bz#1993, ok
-     deraadt.
-    
-    Upstream-ID: a9e97567be49f25daf286721450968251ff78397
-
-commit dd2cfeb586c646ff8d70eb93567b2e559ace5b14
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date:   Thu May 28 05:09:45 2015 +0000
-
-    upstream commit
-    
-    Fix typo (keywork->keyword)
-    
-    Upstream-ID: 8aacd0f4089c0a244cf43417f4f9045dfaeab534
-
-commit 9cc6842493fbf23025ccc1edab064869640d3bec
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Thu May 28 04:50:53 2015 +0000
-
-    upstream commit
-    
-    add error message on ftruncate failure; bz#2176
-    
-    Upstream-ID: cbcc606e0b748520c74a210d8f3cc9718d3148cf
-
-commit d1958793a0072c22be26d136dbda5ae263e717a0
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Thu May 28 04:40:13 2015 +0000
-
-    upstream commit
-    
-    make ssh-keygen default to ed25519 keys when compiled
-     without OpenSSL; bz#2388, ok dtucker@
-    
-    Upstream-ID: 85a471fa6d3fa57a7b8e882d22cfbfc1d84cdc71
-
-commit 3ecde664c9fc5fb3667aedf9e6671462600f6496
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date:   Wed May 27 23:51:10 2015 +0000
-
-    upstream commit
-    
-    Reorder client proposal to prefer
-     diffie-hellman-group-exchange-sha1 over diffie-hellman-group14-sha1.  ok djm@
-    
-    Upstream-ID: 552c08d47347c3ee1a9a57d88441ab50abe17058
-
-commit 40f64292b907afd0a674fdbf3e4c2356d17a7d68
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date:   Wed May 27 23:39:18 2015 +0000
-
-    upstream commit
-    
-    Add a stronger (4k bit) fallback group that sshd can use
-     when the moduli file is missing or broken, sourced from RFC3526.  bz#2302, ok
-     markus@ (earlier version), djm@
-    
-    Upstream-ID: b635215746a25a829d117673d5e5a76d4baee7f4
-
-commit 5ab7d5fa03ad55bc438fab45dfb3aeb30a3c237a
-Author: Darren Tucker <dtucker@zip.com.au>
-Date:   Thu May 28 10:03:40 2015 +1000
-
-    New moduli file from OpenBSD, removing 1k groups.
-    
-    Remove 1k bit groups.  ok deraadt@, markus@
-
-commit a71ba58adf34e599f30cdda6e9b93ae6e3937eea
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Wed May 27 05:15:02 2015 +0000
-
-    upstream commit
-    
-    support PKCS#11 devices with external PIN entry devices
-     bz#2240, based on patch from Dirk-Willem van Gulik; feedback and ok dtucker@
-    
-    Upstream-ID: 504568992b55a8fc984375242b1bd505ced61b0d
-
-commit b282fec1aa05246ed3482270eb70fc3ec5f39a00
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date:   Tue May 26 23:23:40 2015 +0000
-
-    upstream commit
-    
-    Cap DH-GEX group size at 4kbits for Cisco implementations.
-     Some of them will choke when asked for preferred sizes >4k instead of
-     returning the 4k group that they do have.  bz#2209, ok djm@
-    
-    Upstream-ID: 54b863a19713446b7431f9d06ad0532b4fcfef8d
-
-commit 3e91b4e8b0dc2b4b7e7d42cf6e8994a32e4cb55e
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Sun May 24 23:39:16 2015 +0000
-
-    upstream commit
-    
-    add missing 'c' option to getopt(), case statement was
-     already there; from Felix Bolte
-    
-    Upstream-ID: 9b19b4e2e0b54d6fefa0dfac707c51cf4bae3081
-
-commit 64a89ec07660abba4d0da7c0095b7371c98bab62
-Author: jsg@openbsd.org <jsg@openbsd.org>
-Date:   Sat May 23 14:28:37 2015 +0000
-
-    upstream commit
-    
-    fix a memory leak in an error path ok markus@ dtucker@
-    
-    Upstream-ID: bc1da0f205494944918533d8780fde65dff6c598
-
-commit f948737449257d2cb83ffcfe7275eb79b677fd4a
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Fri May 22 05:28:45 2015 +0000
-
-    upstream commit
-    
-    mention ssh-keygen -E for comparing legacy MD5
-     fingerprints; bz#2332
-    
-    Upstream-ID: 079a3669549041dbf10dbc072d9563f0dc3b2859
-
-commit 0882332616e4f0272c31cc47bf2018f9cb258a4e
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Fri May 22 04:45:52 2015 +0000
-
-    upstream commit
-    
-    Reorder EscapeChar option parsing to avoid a single-byte
-     out- of-bounds read. bz#2396 from Jaak Ristioja; ok dtucker@
-    
-    Upstream-ID: 1dc6b5b63d1c8d9a88619da0b27ade461d79b060
-
-commit d7c31da4d42c115843edee2074d7d501f8804420
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Fri May 22 03:50:02 2015 +0000
-
-    upstream commit
-    
-    add knob to relax GSSAPI host credential check for
-     multihomed hosts bz#928, patch by Simon Wilkinson; ok dtucker
-     (kerberos/GSSAPI is not compiled by default on OpenBSD)
-    
-    Upstream-ID: 15ddf1c6f7fd9d98eea9962f480079ae3637285d
-
-commit aa72196a00be6e0b666215edcffbc10af234cb0e
-Author: Darren Tucker <dtucker@zip.com.au>
-Date:   Fri May 22 17:49:46 2015 +1000
-
-    Include signal.h for sig_atomic_t, used by kex.h.
-    
-    bz#2402, from tomas.kuthan at oracle com.
-
-commit 8b02481143d75e91c49d1bfae0876ac1fbf9511a
-Author: Darren Tucker <dtucker@zip.com.au>
-Date:   Fri May 22 12:47:24 2015 +1000
-
-    Import updated moduli file from OpenBSD.
-
-commit 4739e8d5e1c0be49624082bd9f6b077e9e758db9
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Thu May 21 12:01:19 2015 +0000
-
-    upstream commit
-    
-    Support "ssh-keygen -lF hostname" to find search known_hosts
-     and print key hashes. Already advertised by ssh-keygen(1), but not delivered
-     by code; ok dtucker@
-    
-    Upstream-ID: 459e0e2bf39825e41b0811c336db2d56a1c23387
-
-commit e97201feca10b5196da35819ae516d0b87cf3a50
-Author: Damien Miller <djm@mindrot.org>
-Date:   Thu May 21 17:55:15 2015 +1000
-
-    conditionalise util.h inclusion
-
-commit 13640798c7dd011ece0a7d02841fe48e94cfa0e0
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Thu May 21 06:44:25 2015 +0000
-
-    upstream commit
-    
-    regress test for AuthorizedPrincipalsCommand
-    
-    Upstream-Regress-ID: c658fbf1ab6b6011dc83b73402322e396f1e1219
-
-commit 84452c5d03c21f9bfb28c234e0dc1dc67dd817b1
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Thu May 21 06:40:02 2015 +0000
-
-    upstream commit
-    
-    regress test for AuthorizedKeysCommand arguments
-    
-    Upstream-Regress-ID: bbd65c13c6b3be9a442ec115800bff9625898f12
-
-commit bcc50d816187fa9a03907ac1f3a52f04a52e10d1
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Thu May 21 06:43:30 2015 +0000
-
-    upstream commit
-    
-    add AuthorizedPrincipalsCommand that allows getting
-     authorized_principals from a subprocess rather than a file, which is quite
-     useful in deployments with large userbases
-    
-    feedback and ok markus@
-    
-    Upstream-ID: aa1bdac7b16fc6d2fa3524ef08f04c7258d247f6
-
-commit 24232a3e5ab467678a86aa67968bbb915caffed4
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Thu May 21 06:38:35 2015 +0000
-
-    upstream commit
-    
-    support arguments to AuthorizedKeysCommand
-    
-    bz#2081 loosely based on patch by Sami Hartikainen
-    feedback and ok markus@
-    
-    Upstream-ID: b080387a14aa67dddd8ece67c00f268d626541f7
-
-commit d80fbe41a57c72420c87a628444da16d09d66ca7
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Thu May 21 04:55:51 2015 +0000
-
-    upstream commit
-    
-    refactor: split base64 encoding of pubkey into its own
-     sshkey_to_base64() function and out of sshkey_write(); ok markus@
-    
-    Upstream-ID: 54fc38f5832e9b91028900819bda46c3959a0c1a
-
-commit 7cc44ef74133a473734bbcbd3484f24d6a7328c5
-Author: deraadt@openbsd.org <deraadt@openbsd.org>
-Date:   Mon May 18 15:06:05 2015 +0000
-
-    upstream commit
-    
-    getentropy() and sendsyslog() have been around long
-     enough. openssh-portable may want the #ifdef's but not base. discussed with
-     djm few weeks back
-    
-    Upstream-ID: 0506a4334de108e3fb6c66f8d6e0f9c112866926
-
-commit 9173d0fbe44de7ebcad8a15618e13a8b8d78902e
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date:   Fri May 15 05:44:21 2015 +0000
-
-    upstream commit
-    
-    Use a salted hash of the lock passphrase instead of plain
-     text and do constant-time comparisons of it. Should prevent leaking any
-     information about it via timing, pointed out by Ryan Castellucci.  Add a 0.1s
-     incrementing delay for each failed unlock attempt up to 10s.  ok markus@
-     (earlier version), djm@
-    
-    Upstream-ID: c599fcc325aa1cc65496b25220b622d22208c85f
-
-commit d028d5d3a697c71b21e4066d8672cacab3caa0a8
-Author: Damien Miller <djm@mindrot.org>
-Date:   Tue May 5 19:10:58 2015 +1000
-
-    upstream commit
-    
-       - tedu@cvs.openbsd.org 2015/01/12 03:20:04
-         [bcrypt_pbkdf.c]
-         rename blocks to words. bcrypt "blocks" are unrelated to blowfish blocks,
-         nor are they the same size.
-
-commit f6391d4e59b058984163ab28f4e317e7a72478f1
-Author: Damien Miller <djm@mindrot.org>
-Date:   Tue May 5 19:10:23 2015 +1000
-
-    upstream commit
-    
-       - deraadt@cvs.openbsd.org 2015/01/08 00:30:07
-         [bcrypt_pbkdf.c]
-         declare a local version of MIN(), call it MINIMUM()
-
-commit 8ac6b13cc9113eb47cd9e86c97d7b26b4b71b77f
-Author: Damien Miller <djm@mindrot.org>
-Date:   Tue May 5 19:09:46 2015 +1000
-
-    upstream commit
-    
-       - djm@cvs.openbsd.org 2014/12/30 01:41:43
-         [bcrypt_pbkdf.c]
-         typo in comment: ouput => output
-
-commit 1f792489d5cf86a4f4e3003e6e9177654033f0f2
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Mon May 4 06:10:48 2015 +0000
-
-    upstream commit
-    
-    Remove pattern length argument from match_pattern_list(), we
-     only ever use it for strlen(pattern).
-    
-    Prompted by hanno AT hboeck.de pointing an out-of-bound read
-    error caused by an incorrect pattern length found using AFL
-    and his own tools.
-    
-    ok markus@
-
-commit 639d6bc57b1942393ed12fb48f00bc05d4e093e4
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Fri May 1 07:10:01 2015 +0000
-
-    upstream commit
-    
-    refactor ssh_dispatch_run_fatal() to use sshpkt_fatal()
-     to better report error conditions. Teach sshpkt_fatal() about ECONNRESET.
-    
-    Improves error messages on TCP connection resets. bz#2257
-    
-    ok dtucker@
-
-commit 9559d7de34c572d4d3fd990ca211f8ec99f62c4d
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Fri May 1 07:08:08 2015 +0000
-
-    upstream commit
-    
-    a couple of parse targets were missing activep checks,
-     causing them to be misapplied in match context; bz#2272 diagnosis and
-     original patch from Sami Hartikainen ok dtucker@
-
-commit 7e8528cad04b2775c3b7db08abf8fb42e47e6b2a
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Fri May 1 04:17:51 2015 +0000
-
-    upstream commit
-    
-    make handling of AuthorizedPrincipalsFile=none more
-     consistent with other =none options; bz#2288 from Jakub Jelen; ok dtucker@
-
-commit ca430d4d9cc0f62eca3b1fb1e2928395b7ce80f7
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Fri May 1 04:03:20 2015 +0000
-
-    upstream commit
-    
-    remove failed remote forwards established by muliplexing
-     from the list of active forwards; bz#2363, patch mostly by Yoann Ricordel; ok
-     dtucker@
-
-commit 8312cfb8ad88657517b3e23ac8c56c8e38eb9792
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Fri May 1 04:01:58 2015 +0000
-
-    upstream commit
-    
-    reduce stderr spam when using ssh -S /path/mux -O forward
-     -R 0:... ok dtucker@
-
-commit 179be0f5e62f1f492462571944e45a3da660d82b
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Fri May 1 03:23:51 2015 +0000
-
-    upstream commit
-    
-    prevent authorized_keys options picked up on public key
-     tests without a corresponding private key authentication being applied to
-     other authentication methods. Reported by halex@, ok markus@
-
-commit a42d67be65b719a430b7fcaba2a4e4118382723a
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Fri May 1 03:20:54 2015 +0000
-
-    upstream commit
-    
-    Don't make parsing of authorized_keys' environment=
-     option conditional on PermitUserEnv - always parse it, but only use the
-     result if the option is enabled. This prevents the syntax of authorized_keys
-     changing depending on which sshd_config options were enabled.
-    
-    bz#2329; based on patch from coladict AT gmail.com, ok dtucker@
-
-commit e661a86353e11592c7ed6a847e19a83609f49e77
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Mon May 4 06:10:48 2015 +0000
-
-    upstream commit
-    
-    Remove pattern length argument from match_pattern_list(), we
-     only ever use it for strlen(pattern).
-    
-    Prompted by hanno AT hboeck.de pointing an out-of-bound read
-    error caused by an incorrect pattern length found using AFL
-    and his own tools.
-    
-    ok markus@
-
-commit 0ef1de742be2ee4b10381193fe90730925b7f027
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date:   Thu Apr 23 05:01:19 2015 +0000
-
-    upstream commit
-    
-    Add a simple regression test for sshd's configuration
-     parser.  Right now, all it does is run the output of sshd -T back through
-     itself and ensure the output is valid and invariant.
-
-commit 368f83c793275faa2c52f60eaa9bdac155c4254b
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Wed Apr 22 01:38:36 2015 +0000
-
-    upstream commit
-    
-    use correct key for nested certificate test
-
-commit 8d4d1bfddbbd7d21f545dc6997081d1ea1fbc99a
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Fri May 1 07:11:47 2015 +0000
-
-    upstream commit
-    
-    mention that the user's shell from /etc/passwd is used
-     for commands too; bz#1459 ok dtucker@
-
-commit 5ab283d0016bbc9d4d71e8e5284d011bc5a930cf
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Fri May 8 07:29:00 2015 +0000
-
-    upstream commit
-    
-    whitespace
-    
-    Upstream-Regress-ID: 6b708a3e709d5b7fd37890f874bafdff1f597519
-
-commit 8377d5008ad260048192e1e56ad7d15a56d103dd
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Fri May 8 07:26:13 2015 +0000
-
-    upstream commit
-    
-    whitespace at EOL
-    
-    Upstream-Regress-ID: 9c48911643d5b05173b36a012041bed4080b8554
-
-commit c28a3436fa8737709ea88e4437f8f23a6ab50359
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Fri May 8 06:45:13 2015 +0000
-
-    upstream commit
-    
-    moar whitespace at eol
-    
-    Upstream-ID: 64eaf872a3ba52ed41e494287e80d40aaba4b515
-
-commit 2b64c490468fd4ca35ac8d5cc31c0520dc1508bb
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Fri May 8 06:41:56 2015 +0000
-
-    upstream commit
-    
-    whitespace at EOL
-    
-    Upstream-ID: 57bcf67d666c6fc1ad798aee448fdc3f70f7ec2c
-
-commit 4e636cf201ce6e7e3b9088568218f9d4e2c51712
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Fri May 8 03:56:51 2015 +0000
-
-    upstream commit
-    
-    whitespace at EOL
-
-commit 38b8272f823dc1dd4e29dbcee83943ed48bb12fa
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date:   Mon May 4 01:47:53 2015 +0000
-
-    upstream commit
-    
-    Use diff w/out -u for better portability
-
-commit 297060f42d5189a4065ea1b6f0afdf6371fb0507
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date:   Fri May 8 03:25:07 2015 +0000
-
-    upstream commit
-    
-    Use xcalloc for permitted_adm_opens instead of xmalloc to
-     ensure it's zeroed. Fixes post-auth crash with permitopen=none.  bz#2355, ok
-     djm@
-
-commit 63ebf019be863b2d90492a85e248cf55a6e87403
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Fri May 8 03:17:49 2015 +0000
-
-    upstream commit
-    
-    don't choke on new-format private keys encrypted with an
-     AEAD cipher; bz#2366, patch from Ron Frederick; ok markus@
-
-commit f8484dac678ab3098ae522a5f03bb2530f822987
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date:   Wed May 6 05:45:17 2015 +0000
-
-    upstream commit
-    
-    Clarify pseudo-terminal request behaviour and use
-     "pseudo-terminal" consistently.  bz#1716, ok jmc@ "I like it" deraadt@.
-
-commit ea139507bef8bad26e86ed99a42c7233ad115c38
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date:   Wed May 6 04:07:18 2015 +0000
-
-    upstream commit
-    
-    Blacklist DH-GEX for specific PuTTY versions known to
-     send non-RFC4419 DH-GEX messages rather than all versions of PuTTY.
-     According to Simon Tatham, 0.65 and newer versions will send RFC4419 DH-GEX
-     messages.  ok djm@
-
-commit b58234f00ee3872eb84f6e9e572a9a34e902e36e
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date:   Tue May 5 10:17:49 2015 +0000
-
-    upstream commit
-    
-    WinSCP doesn't implement RFC4419 DH-GEX so flag it so we
-     don't offer that KEX method.  ok markus@
-
-commit d5b1507a207253b39e810e91e68f9598691b7a29
-Author: jsg@openbsd.org <jsg@openbsd.org>
-Date:   Tue May 5 02:48:17 2015 +0000
-
-    upstream commit
-    
-    use the sizeof the struct not the sizeof a pointer to the
-     struct in ssh_digest_start()
-    
-    This file is only used if ssh is built with OPENSSL=no
-    
-    ok markus@
-
-commit a647b9b8e616c231594b2710c925d31b1b8afea3
-Author: Darren Tucker <dtucker@zip.com.au>
-Date:   Fri May 8 11:07:27 2015 +1000
-
-    Put brackets around mblen() compat constant.
-    
-    This might help with the reported problem cross compiling for Android
-    ("error: expected identifier or '(' before numeric constant") but
-    shouldn't hurt in any case.
-
-commit d1680d36e17244d9af3843aeb5025cb8e40d6c07
-Author: Darren Tucker <dtucker@zip.com.au>
-Date:   Thu Apr 30 09:18:11 2015 +1000
-
-    xrealloc -> xreallocarray in portable code too.
-
-commit 531a57a3893f9fcd4aaaba8c312b612bbbcc021e
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date:   Wed Apr 29 03:48:56 2015 +0000
-
-    upstream commit
-    
-    Allow ListenAddress, Port and AddressFamily in any
-     order.  bz#68, ok djm@, jmc@ (for the man page bit).
-
-commit c1d5bcf1aaf1209af02f79e48ba1cbc76a87b56f
-Author: jmc@openbsd.org <jmc@openbsd.org>
-Date:   Tue Apr 28 13:47:38 2015 +0000
-
-    upstream commit
-    
-    enviroment -> environment: apologies to darren for not
-     spotting that first time round...
-
-commit 43beea053db191cac47c2cd8d3dc1930158aff1a
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date:   Tue Apr 28 10:25:15 2015 +0000
-
-    upstream commit
-    
-    Fix typo in previous
-
-commit 85b96ef41374f3ddc9139581f87da09b2cd9199e
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date:   Tue Apr 28 10:17:58 2015 +0000
-
-    upstream commit
-    
-    Document that the TERM environment variable is not
-     subject to SendEnv and AcceptEnv.  bz#2386, based loosely on a patch from
-     jjelen at redhat, help and ok jmc@
-
-commit 88a7c598a94ff53f76df228eeaae238d2d467565
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Mon Apr 27 21:42:48 2015 +0000
-
-    upstream commit
-    
-    Make sshd default to PermitRootLogin=no; ok deraadt@
-     rpe@
-
-commit 734226b4480a6c736096c729fcf6f391400599c7
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Mon Apr 27 01:52:30 2015 +0000
-
-    upstream commit
-    
-    fix compilation with OPENSSL=no; ok dtucker@
-
-commit a4b9d2ce1eb7703eaf0809b0c8a82ded8aa4f1c6
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date:   Mon Apr 27 00:37:53 2015 +0000
-
-    upstream commit
-    
-    Include stdio.h for FILE (used in sshkey.h) so it
-     compiles with OPENSSL=no.
-
-commit dbcc652f4ca11fe04e5930c7ef18a219318c6cda
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Mon Apr 27 00:21:21 2015 +0000
-
-    upstream commit
-    
-    allow "sshd -f none" to skip reading the config file,
-     much like "ssh -F none" does. ok dtucker
-
-commit b7ca276fca316c952f0b90f5adb1448c8481eedc
-Author: jmc@openbsd.org <jmc@openbsd.org>
-Date:   Fri Apr 24 06:26:49 2015 +0000
-
-    upstream commit
-    
-    combine -Dd onto one line and update usage();
-
-commit 2ea974630d7017e4c7666d14d9dc939707613e96
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Fri Apr 24 05:26:44 2015 +0000
-
-    upstream commit
-    
-    add ssh-agent -D to leave ssh-agent in foreground
-     without enabling debug mode; bz#2381 ok dtucker@
-
-commit 8ac2ffd7aa06042f6b924c87139f2fea5c5682f7
-Author: deraadt@openbsd.org <deraadt@openbsd.org>
-Date:   Fri Apr 24 01:36:24 2015 +0000
-
-    upstream commit
-    
-    2*len -> use xreallocarray() ok djm
-
-commit 657a5fbc0d0aff309079ff8fb386f17e964963c2
-Author: deraadt@openbsd.org <deraadt@openbsd.org>
-Date:   Fri Apr 24 01:36:00 2015 +0000
-
-    upstream commit
-    
-    rename xrealloc() to xreallocarray() since it follows
-     that form. ok djm
-
-commit 1108ae242fdd2c304307b68ddf46aebe43ebffaa
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date:   Thu Apr 23 04:59:10 2015 +0000
-
-    upstream commit
-    
-    Two small fixes for sshd -T: ListenAddress'es are added
-     to a list head so reverse the order when printing them to ensure the
-     behaviour remains the same, and print StreamLocalBindMask as octal with
-     leading zero.  ok deraadt@
-
-commit bd902b8473e1168f19378d5d0ae68d0c203525df
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date:   Thu Apr 23 04:53:53 2015 +0000
-
-    upstream commit
-    
-    Check for and reject missing arguments for
-     VersionAddendum and ForceCommand. bz#2281, patch from plautrba at redhat com,
-     ok djm@
-
-commit ca42c1758575e592239de1d5755140e054b91a0d
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Wed Apr 22 01:24:01 2015 +0000
-
-    upstream commit
-    
-    unknown certificate extensions are non-fatal, so don't
-     fatal when they are encountered; bz#2387 reported by Bob Van Zant; ok
-     dtucker@
-
-commit 39bfbf7caad231cc4bda6909fb1af0705bca04d8
-Author: jsg@openbsd.org <jsg@openbsd.org>
-Date:   Tue Apr 21 07:01:00 2015 +0000
-
-    upstream commit
-    
-    Add back a backslash removed in rev 1.42 so
-     KEX_SERVER_ENCRYPT will include aes again.
-    
-    ok deraadt@
-
-commit 6b0d576bb87eca3efd2b309fcfe4edfefc289f9c
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Fri Apr 17 13:32:09 2015 +0000
-
-    upstream commit
-    
-    s/recommended/required/ that private keys be og-r this
-     wording change was made a while ago but got accidentally reverted
-
-commit 44a8e7ce6f3ab4c2eb1ae49115c210b98e53c4df
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Fri Apr 17 13:25:52 2015 +0000
-
-    upstream commit
-    
-    don't try to cleanup NULL KEX proposals in
-     kex_prop_free(); found by Jukka Taimisto and Markus Hietava
-
-commit 3038a191872d2882052306098c1810d14835e704
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Fri Apr 17 13:19:22 2015 +0000
-
-    upstream commit
-    
-    use error/logit/fatal instead of fprintf(stderr, ...)
-     and exit(0), fix a few errors that were being printed to stdout instead of
-     stderr and a few non-errors that were going to stderr instead of stdout
-     bz#2325; ok dtucker
-
-commit a58be33cb6cd24441fa7e634db0e5babdd56f07f
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Fri Apr 17 13:16:48 2015 +0000
-
-    upstream commit
-    
-    debug log missing DISPLAY environment when X11
-     forwarding requested; bz#1682 ok dtucker@
-
-commit 17d4d9d9fbc8fb80e322f94d95eecc604588a474
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Fri Apr 17 04:32:31 2015 +0000
-
-    upstream commit
-    
-    don't call record_login() in monitor when UseLogin is
-     enabled; bz#278 reported by drk AT sgi.com; ok dtucker
-
-commit 40132ff87b6cbc3dc05fb5df2e9d8e3afa06aafd
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date:   Fri Apr 17 04:12:35 2015 +0000
-
-    upstream commit
-    
-    Add some missing options to sshd -T and fix the output
-     of VersionAddendum HostCertificate.  bz#2346, patch from jjelen at redhat
-     com, ok djm.
-
-commit 6cc7cfa936afde2d829e56ee6528c7ea47a42441
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date:   Thu Apr 16 23:25:50 2015 +0000
-
-    upstream commit
-    
-    Document "none" for PidFile XAuthLocation
-     TrustedUserCAKeys and RevokedKeys. bz#2382, feedback from jmc@, ok djm@
-
-commit 15fdfc9b1c6808b26bc54d4d61a38b54541763ed
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date:   Wed Apr 15 23:23:25 2015 +0000
-
-    upstream commit
-    
-    Plug leak of address passed to logging.  bz#2373, patch
-     from jjelen at redhat, ok markus@
-
-commit bb2289e2a47d465eaaaeff3dee2a6b7777b4c291
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date:   Tue Apr 14 04:17:03 2015 +0000
-
-    upstream commit
-    
-    Output remote username in debug output since with Host
-     and Match it's not always obvious what it will be.  bz#2368, ok djm@
-
-commit 70860b6d07461906730632f9758ff1b7c98c695a
-Author: Darren Tucker <dtucker@zip.com.au>
-Date:   Fri Apr 17 10:56:13 2015 +1000
-
-    Format UsePAM setting when using sshd -T.
-    
-    Part of bz#2346, patch from jjelen at redhat com.
-
-commit ee15d9c9f0720f5a8b0b34e4b10ecf21f9824814
-Author: Darren Tucker <dtucker@zip.com.au>
-Date:   Fri Apr 17 10:40:23 2015 +1000
-
-    Wrap endian.h include inside ifdef (bz#2370).
-
-commit 408f4c2ad4a4c41baa7b9b2b7423d875abbfa70b
-Author: Darren Tucker <dtucker@zip.com.au>
-Date:   Fri Apr 17 09:39:58 2015 +1000
-
-    Look for '${host}-ar' before 'ar'.
-    
-    This changes configure.ac to look for '${host}-ar' as set by
-    AC_CANONICAL_HOST before looking for the unprefixed 'ar'.
-    Useful when cross-compiling when all your binutils are prefixed.
-    
-    Patch from moben at exherbo org via astrand at lysator liu se and
-    bz#2352.
-
-commit 673a1c16ad078d41558247ce739fe812c960acc8
-Author: Damien Miller <djm@google.com>
-Date:   Thu Apr 16 11:40:20 2015 +1000
-
-    remove dependency on arpa/telnet.h
-
-commit 202d443eeda1829d336595a3cfc07827e49f45ed
-Author: Darren Tucker <dtucker@zip.com.au>
-Date:   Wed Apr 15 15:59:49 2015 +1000
-
-    Remove duplicate include of pwd.h.  bz#2337, patch from Mordy Ovits.
-
-commit 597986493412c499f2bc2209420cb195f97b3668
-Author: Damien Miller <djm@google.com>
-Date:   Thu Apr 9 10:14:48 2015 +1000
-
-    platform's with openpty don't need pty_release
-
-commit 318be28cda1fd9108f2e6f2f86b0b7589ba2aed0
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Mon Apr 13 02:04:08 2015 +0000
-
-    upstream commit
-    
-    deprecate ancient, pre-RFC4419 and undocumented
-     SSH2_MSG_KEX_DH_GEX_REQUEST_OLD message; ok markus@ deraadt@ "seems
-     reasonable" dtucker@
-
-commit d8f391caef62378463a0e6b36f940170dadfe605
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date:   Fri Apr 10 05:16:50 2015 +0000
-
-    upstream commit
-    
-    Don't send hostkey advertisments
-     (hostkeys-00@openssh.com) to current versions of Tera Term as they can't
-     handle them.  Newer versions should be OK.  Patch from Bryan Drewery and
-     IWAMOTO Kouichi, ok djm@
-
-commit 2c2cfe1a1c97eb9a08cc9817fd0678209680c636
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Fri Apr 10 00:08:55 2015 +0000
-
-    upstream commit
-    
-    include port number if a non-default one has been
-     specified; based on patch from Michael Handler
-
-commit 4492a4f222da4cf1e8eab12689196322e27b08c4
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Tue Apr 7 23:00:42 2015 +0000
-
-    upstream commit
-    
-    treat Protocol=1,2|2,1 as Protocol=2 when compiled
-     without SSH1 support; ok dtucker@ millert@
-
-commit c265e2e6e932efc6d86f6cc885dea33637a67564
-Author: miod@openbsd.org <miod@openbsd.org>
-Date:   Sun Apr 5 15:43:43 2015 +0000
-
-    upstream commit
-    
-    Do not use int for sig_atomic_t; spotted by
-     christos@netbsd; ok markus@
-
-commit e7bf3a5eda6a1b02bef6096fed78527ee11e54cc
-Author: Darren Tucker <dtucker@zip.com.au>
-Date:   Tue Apr 7 10:48:04 2015 +1000
-
-    Use do{}while(0) for no-op functions.
-    
-    From FreeBSD.
-
-commit bb99844abae2b6447272f79e7fa84134802eb4df
-Author: Darren Tucker <dtucker@zip.com.au>
-Date:   Tue Apr 7 10:47:15 2015 +1000
-
-    Wrap blf.h include in ifdef.  From FreeBSD.
-
-commit d9b9b43656091cf0ad55c122f08fadb07dad0abd
-Author: Darren Tucker <dtucker@zip.com.au>
-Date:   Tue Apr 7 09:10:00 2015 +1000
-
-    Fix misspellings of regress CONFOPTS env variables.
-    
-    Patch from Bryan Drewery.
-
-commit 3f4ea3c9ab1d32d43c9222c4351f58ca11144156
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Fri Apr 3 22:17:27 2015 +0000
-
-    upstream commit
-    
-    correct return value in pubkey parsing, spotted by Ben Hawkes
-     ok markus@
-
-commit 7da2be0cb9601ed25460c83aa4d44052b967ba0f
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Tue Mar 31 22:59:01 2015 +0000
-
-    upstream commit
-    
-    adapt to recent hostfile.c change: when parsing
-     known_hosts without fully parsing the keys therein, hostkeys_foreach() will
-     now correctly identify KEY_RSA1 keys; ok markus@ miod@
-
-commit 9e1777a0d1c706714b055811c12ab8cc21033e4a
-Author: markus@openbsd.org <markus@openbsd.org>
-Date:   Tue Mar 24 20:19:15 2015 +0000
-
-    upstream commit
-    
-    use ${SSH} for -Q instead of installed ssh
-
-commit ce1b358ea414a2cc88e4430cd5a2ea7fecd9de57
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Mon Mar 16 22:46:14 2015 +0000
-
-    upstream commit
-    
-    make CLEANFILES clean up more of the tests' droppings
-
-commit 398f9ef192d820b67beba01ec234d66faca65775
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Tue Mar 31 22:57:06 2015 +0000
-
-    upstream commit
-    
-    downgrade error() for known_hosts parse errors to debug()
-     to quiet warnings from ssh1 keys present when compiled !ssh1.
-    
-    also identify ssh1 keys when scanning, even when compiled !ssh1
-    
-    ok markus@ miod@
-
-commit 9a47ab80030a31f2d122b8fd95bd48c408b9fcd9
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Tue Mar 31 22:55:50 2015 +0000
-
-    upstream commit
-    
-    fd leak for !ssh1 case; found by unittests; ok markus@
-
-commit c9a0805a6280681901c270755a7cd630d7c5280e
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Tue Mar 31 22:55:24 2015 +0000
-
-    upstream commit
-    
-    don't fatal when a !ssh1 sshd is reexeced from a w/ssh1
-     listener; reported by miod@; ok miod@ markus@
-
-commit 704d8c88988cae38fb755a6243b119731d223222
-Author: tobias@openbsd.org <tobias@openbsd.org>
-Date:   Tue Mar 31 11:06:49 2015 +0000
-
-    upstream commit
-    
-    Comments are only supported for RSA1 keys. If a user
-     tried to add one and entered his passphrase, explicitly clear it before exit.
-     This is done in all other error paths, too.
-    
-    ok djm
-
-commit 78de1673c05ea2c33e0d4a4b64ecb5186b6ea2e9
-Author: jmc@openbsd.org <jmc@openbsd.org>
-Date:   Mon Mar 30 18:28:37 2015 +0000
-
-    upstream commit
-    
-    ssh-askpass(1) is the default, overridden by SSH_ASKPASS;
-     diff originally from jiri b;
-
-commit 26e0bcf766fadb4a44fb6199386fb1dcab65ad00
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Mon Mar 30 00:00:29 2015 +0000
-
-    upstream commit
-    
-    fix uninitialised memory read when parsing a config file
-     consisting of a single nul byte. Found by hanno AT hboeck.de using AFL; ok
-     dtucker
-
-commit fecede00a76fbb33a349f5121c0b2f9fbc04a777
-Author: markus@openbsd.org <markus@openbsd.org>
-Date:   Thu Mar 26 19:32:19 2015 +0000
-
-    upstream commit
-    
-    sigp and lenp are not optional in ssh_agent_sign(); ok
-     djm@
-
-commit 1b0ef3813244c78669e6d4d54c624f600945327d
-Author: naddy@openbsd.org <naddy@openbsd.org>
-Date:   Thu Mar 26 12:32:38 2015 +0000
-
-    upstream commit
-    
-    don't try to load .ssh/identity by default if SSH1 is
-     disabled; ok markus@
-
-commit f9b78852379b74a2d14e6fc94fe52af30b7e9c31
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Thu Mar 26 07:00:04 2015 +0000
-
-    upstream commit
-    
-    ban all-zero curve25519 keys as recommended by latest
-     CFRG curves draft; ok markus
-
-commit b8afbe2c1aaf573565e4da775261dfafc8b1ba9c
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Thu Mar 26 06:59:28 2015 +0000
-
-    upstream commit
-    
-    relax bits needed check to allow
-     diffie-hellman-group1-sha1 key exchange to complete for chacha20-poly1305 was
-     selected as symmetric cipher; ok markus
-
-commit 47842f71e31da130555353c1d57a1e5a8937f1c0
-Author: markus@openbsd.org <markus@openbsd.org>
-Date:   Wed Mar 25 19:29:58 2015 +0000
-
-    upstream commit
-    
-    ignore v1 errors on ssh-add -D; only try v2 keys on
-     -l/-L (unless WITH_SSH1) ok djm@
-
-commit 5f57e77f91bf2230c09eca96eb5ecec39e5f2da6
-Author: markus@openbsd.org <markus@openbsd.org>
-Date:   Wed Mar 25 19:21:48 2015 +0000
-
-    upstream commit
-    
-    unbreak ssh_agent_sign (lenp vs *lenp)
-
-commit 4daeb67181054f2a377677fac919ee8f9ed3490e
-Author: markus@openbsd.org <markus@openbsd.org>
-Date:   Tue Mar 24 20:10:08 2015 +0000
-
-    upstream commit
-    
-    don't leak 'setp' on error; noted by Nicholas Lemonias;
-     ok djm@
-
-commit 7d4f96f9de2a18af0d9fa75ea89a4990de0344f5
-Author: markus@openbsd.org <markus@openbsd.org>
-Date:   Tue Mar 24 20:09:11 2015 +0000
-
-    upstream commit
-    
-    consistent check for NULL as noted by Nicholas
-     Lemonias; ok djm@
-
-commit df100be51354e447d9345cf1ec22e6013c0eed50
-Author: markus@openbsd.org <markus@openbsd.org>
-Date:   Tue Mar 24 20:03:44 2015 +0000
-
-    upstream commit
-    
-    correct fmt-string for size_t as noted by Nicholas
-     Lemonias; ok djm@
-
-commit a22b9ef21285e81775732436f7c84a27bd3f71e0
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Tue Mar 24 09:17:21 2015 +0000
-
-    upstream commit
-    
-    promote chacha20-poly1305@openssh.com to be the default
-     cipher; ok markus
-
-commit 2aa9da1a3b360cf7b13e96fe1521534b91501fb5
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Tue Mar 24 01:29:19 2015 +0000
-
-    upstream commit
-    
-    Compile-time disable SSH protocol 1. You can turn it
-     back on using the Makefile.inc knob if you need it to talk to ancient
-     devices.
-
-commit 53097b2022154edf96b4e8526af5666f979503f7
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Tue Mar 24 01:11:12 2015 +0000
-
-    upstream commit
-    
-    fix double-negative error message "ssh1 is not
-     unsupported"
-
-commit 5c27e3b6ec2db711dfcd40e6359c0bcdd0b62ea9
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Mon Mar 23 06:06:38 2015 +0000
-
-    upstream commit
-    
-    for ssh-keygen -A, don't try (and fail) to generate ssh
-     v.1 keys when compiled without SSH1 support RSA/DSA/ECDSA keys when compiled
-     without OpenSSL based on patch by Mike Frysinger; bz#2369
-
-commit 725fd22a8c41db7de73a638539a5157b7e4424ae
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Wed Mar 18 01:44:21 2015 +0000
-
-    upstream commit
-    
-    KRL support doesn't need OpenSSL anymore, remove #ifdefs
-     from around call
-
-commit b07011c18e0b2e172c5fd09d21fb159a0bf5fcc7
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Mon Mar 16 11:09:52 2015 +0000
-
-    upstream commit
-    
-    #if 0 some more arrays used only for decrypting (we don't
-     use since we only need encrypt for AES-CTR)
-
-commit 1cb3016635898d287e9d58b50c430995652d5358
-Author: jsg@openbsd.org <jsg@openbsd.org>
-Date:   Wed Mar 11 00:48:39 2015 +0000
-
-    upstream commit
-    
-    add back the changes from rev 1.206, djm reverted this by
-     mistake in rev 1.207