* New upstream release (http://www.openssh.com/txt/release-6.1).

  - Enable pre-auth sandboxing by default for new installs.
  - Allow "PermitOpen none" to refuse all port-forwarding requests
    (closes: #543683).

18 files changed, 114 insertions, 1194 deletions

diff --git a/debian/changelog b/debian/changelog
index f67d54cf3..98b520e21 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+openssh (1:6.1p1-1) UNRELEASED; urgency=low
+
+  * New upstream release (http://www.openssh.com/txt/release-6.1).
+    - Enable pre-auth sandboxing by default for new installs.
+    - Allow "PermitOpen none" to refuse all port-forwarding requests
+      (closes: #543683).
+
+ -- Colin Watson <cjwatson@debian.org>  Fri, 07 Sep 2012 00:11:46 +0100
+
 openssh (1:6.0p1-3) unstable; urgency=low
 
   * debconf template translations:
diff --git a/debian/patches/configure-bashism.patch b/debian/patches/configure-bashism.patch
deleted file mode 100644
index 09f878376..000000000
--- a/debian/patches/configure-bashism.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-Description: Fix a bashism in configure
-Author: Colin Watson <cjwatson@debian.org>
-Forwarded: https://bugzilla.mindrot.org/show_bug.cgi?id=2010
-Last-Update: 2012-05-18
-
-Index: b/configure
-===================================================================
---- a/configure
-+++ b/configure
-@@ -11918,7 +11918,7 @@
- 
- elif test "x$sandbox_arg" = "xseccomp_filter" || \
-      ( test -z "$sandbox_arg" && \
--       test "x$have_seccomp_filter" == "x1" && \
-+       test "x$have_seccomp_filter" = "x1" && \
-        test "x$ac_cv_header_linux_audit_h" = "xyes" && \
-        test "x$have_seccomp_audit_arch" = "x1" && \
-        test "x$have_linux_no_new_privs" = "x1" && \
-Index: b/configure.ac
-===================================================================
---- a/configure.ac
-+++ b/configure.ac
-@@ -2615,7 +2615,7 @@
-        AC_DEFINE([SANDBOX_DARWIN], [1], [Sandbox using Darwin sandbox_init(3)])
- elif test "x$sandbox_arg" = "xseccomp_filter" || \
-      ( test -z "$sandbox_arg" && \
--       test "x$have_seccomp_filter" == "x1" && \
-+       test "x$have_seccomp_filter" = "x1" && \
-        test "x$ac_cv_header_linux_audit_h" = "xyes" && \
-        test "x$have_seccomp_audit_arch" = "x1" && \
-        test "x$have_linux_no_new_privs" = "x1" && \
diff --git a/debian/patches/cross-pkg-config.patch b/debian/patches/cross-pkg-config.patch
deleted file mode 100644
index c25d2a6e5..000000000
--- a/debian/patches/cross-pkg-config.patch
+++ /dev/null
@@ -1,129 +0,0 @@
-Description: Allow using a cross-architecture pkg-config
-Author: Colin Watson <cjwatson@debian.org>
-Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1996
-Forwarded: https://bugzilla.mindrot.org/show_bug.cgi?id=1996
-Last-Update: 2011-04-02
-
-Index: b/configure
-===================================================================
---- a/configure
-+++ b/configure
-@@ -9194,8 +9194,9 @@
- if test "${with_libedit+set}" = set; then :
-   withval=$with_libedit;  if test "x$withval" != "xno" ; then
-                if test "x$withval" = "xyes" ; then
--                       # Extract the first word of "pkg-config", so it can be a program name with args.
--set dummy pkg-config; ac_word=$2
-+                       if test -n "$ac_tool_prefix"; then
-+  # Extract the first word of "${ac_tool_prefix}pkg-config", so it can be a program name with args.
-+set dummy ${ac_tool_prefix}pkg-config; ac_word=$2
- { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
- $as_echo_n "checking for $ac_word... " >&6; }
- if ${ac_cv_path_PKGCONFIG+:} false; then :
-@@ -9221,7 +9222,6 @@
-   done
- IFS=$as_save_IFS
- 
--  test -z "$ac_cv_path_PKGCONFIG" && ac_cv_path_PKGCONFIG="no"
-   ;;
- esac
- fi
-@@ -9235,6 +9235,63 @@
- fi
- 
- 
-+fi
-+if test -z "$ac_cv_path_PKGCONFIG"; then
-+  ac_pt_PKGCONFIG=$PKGCONFIG
-+  # Extract the first word of "pkg-config", so it can be a program name with args.
-+set dummy pkg-config; ac_word=$2
-+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
-+$as_echo_n "checking for $ac_word... " >&6; }
-+if ${ac_cv_path_ac_pt_PKGCONFIG+:} false; then :
-+  $as_echo_n "(cached) " >&6
-+else
-+  case $ac_pt_PKGCONFIG in
-+  [\\/]* | ?:[\\/]*)
-+  ac_cv_path_ac_pt_PKGCONFIG="$ac_pt_PKGCONFIG" # Let the user override the test with a path.
-+  ;;
-+  *)
-+  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-+for as_dir in $PATH
-+do
-+  IFS=$as_save_IFS
-+  test -z "$as_dir" && as_dir=.
-+    for ac_exec_ext in '' $ac_executable_extensions; do
-+  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
-+    ac_cv_path_ac_pt_PKGCONFIG="$as_dir/$ac_word$ac_exec_ext"
-+    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
-+    break 2
-+  fi
-+done
-+  done
-+IFS=$as_save_IFS
-+
-+  ;;
-+esac
-+fi
-+ac_pt_PKGCONFIG=$ac_cv_path_ac_pt_PKGCONFIG
-+if test -n "$ac_pt_PKGCONFIG"; then
-+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_pt_PKGCONFIG" >&5
-+$as_echo "$ac_pt_PKGCONFIG" >&6; }
-+else
-+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
-+$as_echo "no" >&6; }
-+fi
-+
-+  if test "x$ac_pt_PKGCONFIG" = x; then
-+    PKGCONFIG="no"
-+  else
-+    case $cross_compiling:$ac_tool_warned in
-+yes:)
-+{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5
-+$as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;}
-+ac_tool_warned=yes ;;
-+esac
-+    PKGCONFIG=$ac_pt_PKGCONFIG
-+  fi
-+else
-+  PKGCONFIG="$ac_cv_path_PKGCONFIG"
-+fi
-+
-                        if test "x$PKGCONFIG" != "xno"; then
-                                { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $PKGCONFIG knows about libedit" >&5
- $as_echo_n "checking if $PKGCONFIG knows about libedit... " >&6; }
-Index: b/configure.ac
-===================================================================
---- a/configure.ac
-+++ b/configure.ac
-@@ -1434,7 +1434,7 @@
-        [  --with-libedit[[=PATH]]   Enable libedit support for sftp],
-        [ if test "x$withval" != "xno" ; then
-                if test "x$withval" = "xyes" ; then
--                       AC_PATH_PROG([PKGCONFIG], [pkg-config], [no])
-+                       AC_PATH_TOOL([PKGCONFIG], [pkg-config], [no])
-                        if test "x$PKGCONFIG" != "xno"; then
-                                AC_MSG_CHECKING([if $PKGCONFIG knows about libedit])
-                                if "$PKGCONFIG" libedit; then
-Index: b/contrib/Makefile
-===================================================================
---- a/contrib/Makefile
-+++ b/contrib/Makefile
-@@ -1,3 +1,5 @@
-+PKG_CONFIG = pkg-config
-+
- all:
-        @echo "Valid targets: gnome-ssh-askpass1 gnome-ssh-askpass2"
- 
-@@ -7,9 +9,9 @@
-                `gnome-config --libs gnome gnomeui`
- 
- gnome-ssh-askpass2: gnome-ssh-askpass2.c
--       $(CC) `pkg-config --cflags gtk+-2.0` \
-+       $(CC) `$(PKG_CONFIG) --cflags gtk+-2.0` \
-                gnome-ssh-askpass2.c -o gnome-ssh-askpass2 \
--               `pkg-config --libs gtk+-2.0 x11`
-+               `$(PKG_CONFIG) --libs gtk+-2.0 x11`
- 
- clean:
-        rm -f *.o gnome-ssh-askpass1 gnome-ssh-askpass2 gnome-ssh-askpass
diff --git a/debian/patches/debian-banner.patch b/debian/patches/debian-banner.patch
index a03ce23bb..22b1e4c14 100644
--- a/debian/patches/debian-banner.patch
+++ b/debian/patches/debian-banner.patch
@@ -4,48 +4,48 @@ Description: Add DebianBanner server configuration option
 Author: Kees Cook <kees@debian.org>
 Bug-Debian: http://bugs.debian.org/562048
 Forwarded: not-needed
-Last-Update: 2010-02-28
+Last-Update: 2012-09-07
 
 Index: b/servconf.c
 ===================================================================
 --- a/servconf.c
 +++ b/servconf.c
-@@ -142,6 +142,7 @@
-        options->authorized_principals_file = NULL;
+@@ -146,6 +146,7 @@
         options->ip_qos_interactive = -1;
         options->ip_qos_bulk = -1;
+        options->version_addendum = NULL;
 +       options->debian_banner = -1;
  }
  
  void
-@@ -289,6 +290,8 @@
-                options->ip_qos_interactive = IPTOS_LOWDELAY;
-        if (options->ip_qos_bulk == -1)
+@@ -295,6 +296,8 @@
                 options->ip_qos_bulk = IPTOS_THROUGHPUT;
+        if (options->version_addendum == NULL)
+                options->version_addendum = xstrdup("");
 +       if (options->debian_banner == -1)
 +               options->debian_banner = 1;
- 
         /* Turn privilege separation on by default */
         if (use_privsep == -1)
-@@ -338,6 +341,7 @@
+                use_privsep = PRIVSEP_NOSANDBOX;
+@@ -343,6 +346,7 @@
         sZeroKnowledgePasswordAuthentication, sHostCertificate,
         sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
-        sKexAlgorithms, sIPQoS,
+        sKexAlgorithms, sIPQoS, sVersionAddendum,
 +       sDebianBanner,
         sDeprecated, sUnsupported
  } ServerOpCodes;
  
-@@ -473,6 +477,7 @@
-        { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
+@@ -479,6 +483,7 @@
         { "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
         { "ipqos", sIPQoS, SSHCFG_ALL },
+        { "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL },
 +       { "debianbanner", sDebianBanner, SSHCFG_GLOBAL },
         { NULL, sBadOption, 0 }
  };
  
-@@ -1436,6 +1441,10 @@
+@@ -1538,6 +1543,10 @@
                 }
-                break;
+                return 0;
  
 +       case sDebianBanner:
 +               intptr = &options->debian_banner;
@@ -58,34 +58,33 @@ Index: b/servconf.h
 ===================================================================
 --- a/servconf.h
 +++ b/servconf.h
-@@ -166,6 +166,8 @@
- 
-        int     num_permitted_opens;
+@@ -172,6 +172,7 @@
+        char   *authorized_principals_file;
  
+        char   *version_addendum;       /* Appended to SSH banner */
 +       int     debian_banner;
-+
-        char   *chroot_directory;
-        char   *revoked_keys_file;
-        char   *trusted_user_ca_keys;
+ }       ServerOptions;
+ 
+ /* Information about the incoming connection as used by Match */
 Index: b/sshd.c
 ===================================================================
 --- a/sshd.c
 +++ b/sshd.c
-@@ -424,7 +424,8 @@
-                minor = PROTOCOL_MINOR_1;
+@@ -425,7 +425,8 @@
         }
-        snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s%s", major, minor,
--           SSH_RELEASE, newline);
+ 
+        xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s",
+-           major, minor, SSH_RELEASE,
++           major, minor,
 +           options.debian_banner ? SSH_RELEASE : SSH_RELEASE_MINIMUM,
-+           newline);
-        server_version_string = xstrdup(buf);
+            *options.version_addendum == '\0' ? "" : " ",
+            options.version_addendum, newline);
  
-        /* Send our protocol version identification. */
 Index: b/sshd_config.5
 ===================================================================
 --- a/sshd_config.5
 +++ b/sshd_config.5
-@@ -340,6 +340,11 @@
+@@ -342,6 +342,11 @@
  .Dq no .
  The default is
  .Dq delayed .
diff --git a/debian/patches/dnssec-sshfp.patch b/debian/patches/dnssec-sshfp.patch
index 8e8285a1f..0615de097 100644
--- a/debian/patches/dnssec-sshfp.patch
+++ b/debian/patches/dnssec-sshfp.patch
@@ -9,7 +9,7 @@ Index: b/dns.c
 ===================================================================
 --- a/dns.c
 +++ b/dns.c
-@@ -177,6 +177,7 @@
+@@ -196,6 +196,7 @@
  {
         u_int counter;
         int result;
@@ -17,7 +17,7 @@ Index: b/dns.c
         struct rrsetinfo *fingerprints = NULL;
  
         u_int8_t hostkey_algorithm;
-@@ -200,8 +201,19 @@
+@@ -219,8 +220,19 @@
                 return -1;
         }
  
diff --git a/debian/patches/gssapi.patch b/debian/patches/gssapi.patch
index d78835bd6..786500feb 100644
--- a/debian/patches/gssapi.patch
+++ b/debian/patches/gssapi.patch
@@ -13,7 +13,7 @@ Description: GSSAPI key exchange support
  security history.
 Author: Simon Wilkinson <simon@sxw.org.uk>
 Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242
-Last-Updated: 2010-02-27
+Last-Updated: 2012-09-07
 
 Index: b/ChangeLog.gssapi
 ===================================================================
@@ -176,8 +176,8 @@ Index: b/auth-krb5.c
  #ifndef HEIMDAL
  krb5_error_code
  ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) {
--       int tmpfd, ret;
-+       int ret;
+-       int tmpfd, ret, oerrno;
++       int ret, oerrno;
         char ccname[40];
         mode_t old_umask;
 +#ifdef USE_CCAPI
@@ -196,9 +196,9 @@ Index: b/auth-krb5.c
 +#ifndef USE_CCAPI
         old_umask = umask(0177);
         tmpfd = mkstemp(ccname + strlen("FILE:"));
-        umask(old_umask);
-@@ -249,6 +261,7 @@
-                return errno;
+        oerrno = errno;
+@@ -251,6 +263,7 @@
+                return oerrno;
         }
         close(tmpfd);
 +#endif
@@ -327,7 +327,7 @@ Index: b/clientloop.c
  /* import options */
  extern Options options;
  
-@@ -1540,6 +1544,15 @@
+@@ -1544,6 +1548,15 @@
                 /* Do channel operations unless rekeying in progress. */
                 if (!rekeying) {
                         channel_after_select(readset, writeset);
@@ -347,7 +347,7 @@ Index: b/config.h.in
 ===================================================================
 --- a/config.h.in
 +++ b/config.h.in
-@@ -1465,6 +1465,9 @@
+@@ -1471,6 +1471,9 @@
  /* Use btmp to log bad logins */
  #undef USE_BTMP
  
@@ -357,7 +357,7 @@ Index: b/config.h.in
  /* Use libedit for sftp */
  #undef USE_LIBEDIT
  
-@@ -1480,6 +1483,9 @@
+@@ -1486,6 +1489,9 @@
  /* Use PIPES instead of a socketpair() */
  #undef USE_PIPES
  
@@ -1973,7 +1973,7 @@ Index: b/key.c
 ===================================================================
 --- a/key.c
 +++ b/key.c
-@@ -971,6 +971,8 @@
+@@ -976,6 +976,8 @@
                 }
                 break;
  #endif /* OPENSSL_HAS_ECC */
@@ -1982,7 +1982,7 @@ Index: b/key.c
         }
         return "ssh-unknown";
  }
-@@ -1276,6 +1278,8 @@
+@@ -1281,6 +1283,8 @@
             strcmp(name, "ecdsa-sha2-nistp521-cert-v01@openssh.com") == 0) {
                 return KEY_ECDSA_CERT;
  #endif
@@ -2059,7 +2059,7 @@ Index: b/monitor.c
         } else {
                 mon_dispatch = mon_dispatch_postauth15;
                 monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
-@@ -1803,6 +1820,13 @@
+@@ -1800,6 +1817,13 @@
         kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
         kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
         kex->kex[KEX_ECDH_SHA2] = kexecdh_server;
@@ -2073,7 +2073,7 @@ Index: b/monitor.c
         kex->server = 1;
         kex->hostkey_type = buffer_get_int(m);
         kex->kex_type = buffer_get_int(m);
-@@ -2009,6 +2033,9 @@
+@@ -2006,6 +2030,9 @@
         OM_uint32 major;
         u_int len;
  
@@ -2083,7 +2083,7 @@ Index: b/monitor.c
         goid.elements = buffer_get_string(m, &len);
         goid.length = len;
  
-@@ -2036,6 +2063,9 @@
+@@ -2033,6 +2060,9 @@
         OM_uint32 flags = 0; /* GSI needs this */
         u_int len;
  
@@ -2093,7 +2093,7 @@ Index: b/monitor.c
         in.value = buffer_get_string(m, &len);
         in.length = len;
         major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags);
-@@ -2053,6 +2083,7 @@
+@@ -2050,6 +2080,7 @@
                 monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);
                 monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
                 monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);
@@ -2101,7 +2101,7 @@ Index: b/monitor.c
         }
         return (0);
  }
-@@ -2064,6 +2095,9 @@
+@@ -2061,6 +2092,9 @@
         OM_uint32 ret;
         u_int len;
  
@@ -2111,7 +2111,7 @@ Index: b/monitor.c
         gssbuf.value = buffer_get_string(m, &len);
         gssbuf.length = len;
         mic.value = buffer_get_string(m, &len);
-@@ -2090,7 +2124,11 @@
+@@ -2087,7 +2121,11 @@
  {
         int authenticated;
  
@@ -2124,7 +2124,7 @@ Index: b/monitor.c
  
         buffer_clear(m);
         buffer_put_int(m, authenticated);
-@@ -2103,6 +2141,74 @@
+@@ -2100,6 +2138,74 @@
         /* Monitor loop will terminate if authenticated */
         return (authenticated);
  }
@@ -2406,7 +2406,7 @@ Index: b/servconf.c
 ===================================================================
 --- a/servconf.c
 +++ b/servconf.c
-@@ -97,7 +97,10 @@
+@@ -100,7 +100,10 @@
         options->kerberos_ticket_cleanup = -1;
         options->kerberos_get_afs_token = -1;
         options->gss_authentication=-1;
@@ -2417,7 +2417,7 @@ Index: b/servconf.c
         options->password_authentication = -1;
         options->kbd_interactive_authentication = -1;
         options->challenge_response_authentication = -1;
-@@ -225,8 +228,14 @@
+@@ -229,8 +232,14 @@
                 options->kerberos_get_afs_token = 0;
         if (options->gss_authentication == -1)
                 options->gss_authentication = 0;
@@ -2432,7 +2432,7 @@ Index: b/servconf.c
         if (options->password_authentication == -1)
                 options->password_authentication = 1;
         if (options->kbd_interactive_authentication == -1)
-@@ -318,7 +327,9 @@
+@@ -323,7 +332,9 @@
         sBanner, sUseDNS, sHostbasedAuthentication,
         sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
         sClientAliveCountMax, sAuthorizedKeysFile,
@@ -2443,7 +2443,7 @@ Index: b/servconf.c
         sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
         sUsePrivilegeSeparation, sAllowAgentForwarding,
         sZeroKnowledgePasswordAuthentication, sHostCertificate,
-@@ -382,10 +393,20 @@
+@@ -387,10 +398,20 @@
  #ifdef GSSAPI
         { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
         { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
@@ -2464,7 +2464,7 @@ Index: b/servconf.c
         { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
         { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
         { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
-@@ -962,10 +983,22 @@
+@@ -1031,10 +1052,22 @@
                 intptr = &options->gss_authentication;
                 goto parse_flag;
  
@@ -2487,7 +2487,7 @@ Index: b/servconf.c
         case sPasswordAuthentication:
                 intptr = &options->password_authentication;
                 goto parse_flag;
-@@ -1720,7 +1753,10 @@
+@@ -1868,7 +1901,10 @@
  #endif
  #ifdef GSSAPI
         dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
@@ -2893,7 +2893,7 @@ Index: b/sshd.c
  #ifdef LIBWRAP
  #include <tcpd.h>
  #include <syslog.h>
-@@ -1616,10 +1620,13 @@
+@@ -1607,10 +1611,13 @@
                 logit("Disabling protocol version 1. Could not load host key");
                 options.protocol &= ~SSH_PROTO_1;
         }
@@ -2907,7 +2907,7 @@ Index: b/sshd.c
         if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) {
                 logit("sshd: no hostkeys available -- exiting.");
                 exit(1);
-@@ -1948,6 +1955,60 @@
+@@ -1938,6 +1945,60 @@
         /* Log the connection. */
         verbose("Connection from %.500s port %d", remote_ip, remote_port);
  
@@ -2968,7 +2968,7 @@ Index: b/sshd.c
         /*
          * We don't want to listen forever unless the other side
          * successfully authenticates itself.  So we set up an alarm which is
-@@ -2329,6 +2390,48 @@
+@@ -2319,6 +2380,48 @@
  
         myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = list_hostkey_types();
  
@@ -3017,7 +3017,7 @@ Index: b/sshd.c
         /* start key exchange */
         kex = kex_setup(myproposal);
         kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server;
-@@ -2336,6 +2439,13 @@
+@@ -2326,6 +2429,13 @@
         kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
         kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
         kex->kex[KEX_ECDH_SHA2] = kexecdh_server;
@@ -3035,7 +3035,7 @@ Index: b/sshd_config
 ===================================================================
 --- a/sshd_config
 +++ b/sshd_config
-@@ -75,6 +75,8 @@
+@@ -77,6 +77,8 @@
  # GSSAPI options
  #GSSAPIAuthentication no
  #GSSAPICleanupCredentials yes
@@ -3048,7 +3048,7 @@ Index: b/sshd_config.5
 ===================================================================
 --- a/sshd_config.5
 +++ b/sshd_config.5
-@@ -424,12 +424,40 @@
+@@ -426,12 +426,40 @@
  The default is
  .Dq no .
  Note that this option applies to protocol version 2 only.
diff --git a/debian/patches/helpful-wait-terminate.patch b/debian/patches/helpful-wait-terminate.patch
index 857f86456..298e8e216 100644
--- a/debian/patches/helpful-wait-terminate.patch
+++ b/debian/patches/helpful-wait-terminate.patch
@@ -7,7 +7,7 @@ Index: b/serverloop.c
 ===================================================================
 --- a/serverloop.c
 +++ b/serverloop.c
-@@ -680,7 +680,7 @@
+@@ -686,7 +686,7 @@
                         if (!channel_still_open())
                                 break;
                         if (!waiting_termination) {
diff --git a/debian/patches/keepalive-extensions.patch b/debian/patches/keepalive-extensions.patch
index eab9914f2..0937a49e6 100644
--- a/debian/patches/keepalive-extensions.patch
+++ b/debian/patches/keepalive-extensions.patch
@@ -78,7 +78,7 @@ Index: b/ssh_config.5
  The argument must be
  .Dq yes
  or
-@@ -1100,8 +1104,15 @@
+@@ -1099,8 +1103,15 @@
  will send a message through the encrypted
  channel to request a response from the server.
  The default
@@ -95,7 +95,7 @@ Index: b/ssh_config.5
  .It Cm StrictHostKeyChecking
  If this flag is set to
  .Dq yes ,
-@@ -1140,6 +1151,12 @@
+@@ -1139,6 +1150,12 @@
  other side.
  If they are sent, death of the connection or crash of one
  of the machines will be properly noticed.
@@ -112,7 +112,7 @@ Index: b/sshd_config.5
 ===================================================================
 --- a/sshd_config.5
 +++ b/sshd_config.5
-@@ -1037,6 +1037,9 @@
+@@ -1048,6 +1048,9 @@
  .Pp
  To disable TCP keepalive messages, the value should be set to
  .Dq no .
diff --git a/debian/patches/openbsd-docs.patch b/debian/patches/openbsd-docs.patch
index 59fc441a7..fe8ebe757 100644
--- a/debian/patches/openbsd-docs.patch
+++ b/debian/patches/openbsd-docs.patch
@@ -34,7 +34,7 @@ Index: b/ssh-keygen.1
 ===================================================================
 --- a/ssh-keygen.1
 +++ b/ssh-keygen.1
-@@ -150,9 +150,7 @@
+@@ -152,9 +152,7 @@
  .Pa ~/.ssh/id_dsa
  or
  .Pa ~/.ssh/id_rsa .
@@ -45,7 +45,7 @@ Index: b/ssh-keygen.1
  .Pp
  Normally this program generates the key and asks for a file in which
  to store the private key.
-@@ -198,9 +196,7 @@
+@@ -200,9 +198,7 @@
  For each of the key types (rsa1, rsa, dsa and ecdsa) for which host keys
  do not exist, generate the host keys with the default key file path,
  an empty passphrase, default bits for the key type, and default comment.
@@ -56,7 +56,7 @@ Index: b/ssh-keygen.1
  .It Fl a Ar trials
  Specifies the number of primality tests to perform when screening DH-GEX
  candidates using the
-@@ -544,7 +540,7 @@
+@@ -556,7 +552,7 @@
  Valid generator values are 2, 3, and 5.
  .Pp
  Screened DH groups may be installed in
@@ -65,7 +65,7 @@ Index: b/ssh-keygen.1
  It is important that this file contains moduli of a range of bit lengths and
  that both ends of a connection share common moduli.
  .Sh CERTIFICATES
-@@ -670,7 +666,7 @@
+@@ -682,7 +678,7 @@
  where the user wishes to log in using public key authentication.
  There is no need to keep the contents of this file secret.
  .Pp
@@ -102,7 +102,7 @@ Index: b/sshd.8
  It forks a new
  daemon for each incoming connection.
  The forked daemons handle
-@@ -856,7 +856,7 @@
+@@ -858,7 +858,7 @@
  .Xr ssh 1 ) .
  It should only be writable by root.
  .Pp
@@ -111,7 +111,7 @@ Index: b/sshd.8
  Contains Diffie-Hellman groups used for the "Diffie-Hellman Group Exchange".
  The file format is described in
  .Xr moduli 5 .
-@@ -954,7 +954,6 @@
+@@ -956,7 +956,6 @@
  .Xr ssh-vulnkey 1 ,
  .Xr chroot 2 ,
  .Xr hosts_access 5 ,
@@ -123,7 +123,7 @@ Index: b/sshd_config.5
 ===================================================================
 --- a/sshd_config.5
 +++ b/sshd_config.5
-@@ -222,8 +222,7 @@
+@@ -224,8 +224,7 @@
  By default, no banner is displayed.
  .It Cm ChallengeResponseAuthentication
  Specifies whether challenge-response authentication is allowed (e.g. via
diff --git a/debian/patches/package-versioning.patch b/debian/patches/package-versioning.patch
index 64606e2e9..b396cb116 100644
--- a/debian/patches/package-versioning.patch
+++ b/debian/patches/package-versioning.patch
@@ -5,7 +5,7 @@ Description: Include the Debian version in our identification
  vulnerable-looking version strings.  (However, see debian-banner.patch.)
 Author: Matthew Vernon <matthew@debian.org>
 Forwarded: not-needed
-Last-Update: 2010-02-28
+Last-Update: 2012-09-07
 
 Index: b/sshconnect.c
 ===================================================================
@@ -24,21 +24,21 @@ Index: b/sshd.c
 ===================================================================
 --- a/sshd.c
 +++ b/sshd.c
-@@ -424,7 +424,7 @@
-                minor = PROTOCOL_MINOR_1;
+@@ -425,7 +425,7 @@
         }
-        snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s%s", major, minor,
--           SSH_VERSION, newline);
-+           SSH_RELEASE, newline);
-        server_version_string = xstrdup(buf);
  
-        /* Send our protocol version identification. */
+        xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s",
+-           major, minor, SSH_VERSION,
++           major, minor, SSH_RELEASE,
+            *options.version_addendum == '\0' ? "" : " ",
+            options.version_addendum, newline);
+ 
 Index: b/version.h
 ===================================================================
 --- a/version.h
 +++ b/version.h
 @@ -3,4 +3,9 @@
- #define SSH_VERSION    "OpenSSH_6.0"
+ #define SSH_VERSION    "OpenSSH_6.1"
  
  #define SSH_PORTABLE   "p1"
 -#define SSH_RELEASE    SSH_VERSION SSH_PORTABLE
diff --git a/debian/patches/quieter-signals.patch b/debian/patches/quieter-signals.patch
index db2cba1e1..e436fe59e 100644
--- a/debian/patches/quieter-signals.patch
+++ b/debian/patches/quieter-signals.patch
@@ -16,7 +16,7 @@ Index: b/clientloop.c
 ===================================================================
 --- a/clientloop.c
 +++ b/clientloop.c
-@@ -1651,8 +1651,10 @@
+@@ -1655,8 +1655,10 @@
                 exit_status = 0;
         }
  
diff --git a/debian/patches/sandbox-fallback.patch b/debian/patches/sandbox-fallback.patch
deleted file mode 100644
index 124504b36..000000000
--- a/debian/patches/sandbox-fallback.patch
+++ /dev/null
@@ -1,925 +0,0 @@
-Description: Add a sandbox fallback mechanism
-Author: Colin Watson <cjwatson@debian.org>
-Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=2011
-Forwarded: https://bugzilla.mindrot.org/show_bug.cgi?id=2011
-Last-Update: 2012-05-26
-
-Index: b/Makefile.in
-===================================================================
---- a/Makefile.in
-+++ b/Makefile.in
-@@ -93,8 +93,8 @@
-        loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
-        sftp-server.o sftp-common.o \
-        roaming_common.o roaming_serv.o \
--       sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \
--       sandbox-seccomp-filter.o
-+       sandbox.o sandbox-null.o sandbox-rlimit.o sandbox-systrace.o \
-+       sandbox-darwin.o sandbox-seccomp-filter.o
- 
- MANPAGES       = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out ssh-vulnkey.1.out sshd_config.5.out ssh_config.5.out
- MANPAGES_IN    = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 ssh-vulnkey.1 sshd_config.5 ssh_config.5
-Index: b/configure.ac
-===================================================================
---- a/configure.ac
-+++ b/configure.ac
-@@ -126,25 +126,6 @@
-        #include <linux/seccomp.h>
- ])
- fi
--if test "x$have_seccomp_filter" = "x1" ; then
--AC_MSG_CHECKING([kernel for seccomp_filter support])
--AC_RUN_IFELSE([AC_LANG_PROGRAM([[
--               #include <errno.h>
--               #include <linux/seccomp.h>
--               #include <stdlib.h>
--               #include <sys/prctl.h>
--       ]],
--       [[ errno = 0;
--          prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, NULL, 0, 0);
--          exit(errno == EFAULT ? 0 : 1); ]])],
--       [ AC_MSG_RESULT([yes]) ], [
--               AC_MSG_RESULT([no])
--               # Disable seccomp filter as a target
--               have_seccomp_filter=0
--       ],
--       [ AC_MSG_RESULT([cross-compiling, assuming yes]) ]
--)
--fi
- 
- use_stack_protector=1
- AC_ARG_WITH([stackprotect],
-@@ -2599,21 +2580,24 @@
-                fi
-        ]
- )
-+SANDBOX_STYLE=""
- if test "x$sandbox_arg" = "xsystrace" || \
-    ( test -z "$sandbox_arg" && test "x$have_systr_policy_kill" = "x1" ) ; then
-        test "x$have_systr_policy_kill" != "x1" && \
-                AC_MSG_ERROR([systrace sandbox requires systrace headers and SYSTR_POLICY_KILL support])
--       SANDBOX_STYLE="systrace"
-+       SANDBOX_STYLE="$SANDBOX_STYLE systrace"
-        AC_DEFINE([SANDBOX_SYSTRACE], [1], [Sandbox using systrace(4)])
--elif test "x$sandbox_arg" = "xdarwin" || \
-+fi
-+if test "x$sandbox_arg" = "xdarwin" || \
-      ( test -z "$sandbox_arg" && test "x$ac_cv_func_sandbox_init" = "xyes" && \
-        test "x$ac_cv_header_sandbox_h" = "xyes") ; then
-        test "x$ac_cv_func_sandbox_init" != "xyes" -o \
-             "x$ac_cv_header_sandbox_h" != "xyes" && \
-                AC_MSG_ERROR([Darwin seatbelt sandbox requires sandbox.h and sandbox_init function])
--       SANDBOX_STYLE="darwin"
-+       SANDBOX_STYLE="$SANDBOX_STYLE darwin"
-        AC_DEFINE([SANDBOX_DARWIN], [1], [Sandbox using Darwin sandbox_init(3)])
--elif test "x$sandbox_arg" = "xseccomp_filter" || \
-+fi
-+if test "x$sandbox_arg" = "xseccomp_filter" || \
-      ( test -z "$sandbox_arg" && \
-        test "x$have_seccomp_filter" = "x1" && \
-        test "x$ac_cv_header_linux_audit_h" = "xyes" && \
-@@ -2628,21 +2612,24 @@
-                AC_MSG_ERROR([seccomp_filter sandbox requires seccomp headers])
-        test "x$ac_cv_func_prctl" != "xyes" && \
-                AC_MSG_ERROR([seccomp_filter sandbox requires prctl function])
--       SANDBOX_STYLE="seccomp_filter"
-+       SANDBOX_STYLE="$SANDBOX_STYLE seccomp_filter"
-        AC_DEFINE([SANDBOX_SECCOMP_FILTER], [1], [Sandbox using seccomp filter])
--elif test "x$sandbox_arg" = "xrlimit" || \
-+fi
-+if test "x$sandbox_arg" = "xrlimit" || \
-      ( test -z "$sandbox_arg" && test "x$ac_cv_func_setrlimit" = "xyes" ) ; then
-        test "x$ac_cv_func_setrlimit" != "xyes" && \
-                AC_MSG_ERROR([rlimit sandbox requires setrlimit function])
--       SANDBOX_STYLE="rlimit"
-+       SANDBOX_STYLE="$SANDBOX_STYLE rlimit"
-        AC_DEFINE([SANDBOX_RLIMIT], [1], [Sandbox using setrlimit(2)])
--elif test -z "$sandbox_arg" || test "x$sandbox_arg" = "xno" || \
-+fi
-+if test -z "$sandbox_arg" || test "x$sandbox_arg" = "xno" || \
-      test "x$sandbox_arg" = "xnone" || test "x$sandbox_arg" = "xnull" ; then
--       SANDBOX_STYLE="none"
--       AC_DEFINE([SANDBOX_NULL], [1], [no privsep sandboxing])
--else
-+       SANDBOX_STYLE="$SANDBOX_STYLE none"
-+fi
-+if test -z "$SANDBOX_STYLE" ; then
-        AC_MSG_ERROR([unsupported --with-sandbox])
- fi
-+SANDBOX_STYLE="${SANDBOX_STYLE# }"
- 
- # Cheap hack to ensure NEWS-OS libraries are arranged right.
- if test ! -z "$SONY" ; then
-Index: b/configure
-===================================================================
---- a/configure
-+++ b/configure
-@@ -5598,48 +5598,6 @@
- fi
- 
- fi
--if test "x$have_seccomp_filter" = "x1" ; then
--{ $as_echo "$as_me:${as_lineno-$LINENO}: checking kernel for seccomp_filter support" >&5
--$as_echo_n "checking kernel for seccomp_filter support... " >&6; }
--if test "$cross_compiling" = yes; then :
--   { $as_echo "$as_me:${as_lineno-$LINENO}: result: cross-compiling, assuming yes" >&5
--$as_echo "cross-compiling, assuming yes" >&6; }
--
--else
--  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
--/* end confdefs.h.  */
--
--               #include <errno.h>
--               #include <linux/seccomp.h>
--               #include <stdlib.h>
--               #include <sys/prctl.h>
--
--int
--main ()
--{
-- errno = 0;
--          prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, NULL, 0, 0);
--          exit(errno == EFAULT ? 0 : 1);
--  ;
--  return 0;
--}
--_ACEOF
--if ac_fn_c_try_run "$LINENO"; then :
--   { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
--$as_echo "yes" >&6; }
--else
--
--               { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
--$as_echo "no" >&6; }
--               # Disable seccomp filter as a target
--               have_seccomp_filter=0
--
--fi
--rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \
--  conftest.$ac_objext conftest.beam conftest.$ac_ext
--fi
--
--fi
- 
- use_stack_protector=1
- 
-@@ -11898,25 +11856,28 @@
- 
- fi
- 
-+SANDBOX_STYLE=""
- if test "x$sandbox_arg" = "xsystrace" || \
-    ( test -z "$sandbox_arg" && test "x$have_systr_policy_kill" = "x1" ) ; then
-        test "x$have_systr_policy_kill" != "x1" && \
-                as_fn_error $? "systrace sandbox requires systrace headers and SYSTR_POLICY_KILL support" "$LINENO" 5
--       SANDBOX_STYLE="systrace"
-+       SANDBOX_STYLE="$SANDBOX_STYLE systrace"
- 
- $as_echo "#define SANDBOX_SYSTRACE 1" >>confdefs.h
- 
--elif test "x$sandbox_arg" = "xdarwin" || \
-+fi
-+if test "x$sandbox_arg" = "xdarwin" || \
-      ( test -z "$sandbox_arg" && test "x$ac_cv_func_sandbox_init" = "xyes" && \
-        test "x$ac_cv_header_sandbox_h" = "xyes") ; then
-        test "x$ac_cv_func_sandbox_init" != "xyes" -o \
-             "x$ac_cv_header_sandbox_h" != "xyes" && \
-                as_fn_error $? "Darwin seatbelt sandbox requires sandbox.h and sandbox_init function" "$LINENO" 5
--       SANDBOX_STYLE="darwin"
-+       SANDBOX_STYLE="$SANDBOX_STYLE darwin"
- 
- $as_echo "#define SANDBOX_DARWIN 1" >>confdefs.h
- 
--elif test "x$sandbox_arg" = "xseccomp_filter" || \
-+fi
-+if test "x$sandbox_arg" = "xseccomp_filter" || \
-      ( test -z "$sandbox_arg" && \
-        test "x$have_seccomp_filter" = "x1" && \
-        test "x$ac_cv_header_linux_audit_h" = "xyes" && \
-@@ -11931,27 +11892,28 @@
-                as_fn_error $? "seccomp_filter sandbox requires seccomp headers" "$LINENO" 5
-        test "x$ac_cv_func_prctl" != "xyes" && \
-                as_fn_error $? "seccomp_filter sandbox requires prctl function" "$LINENO" 5
--       SANDBOX_STYLE="seccomp_filter"
-+       SANDBOX_STYLE="$SANDBOX_STYLE seccomp_filter"
- 
- $as_echo "#define SANDBOX_SECCOMP_FILTER 1" >>confdefs.h
- 
--elif test "x$sandbox_arg" = "xrlimit" || \
-+fi
-+if test "x$sandbox_arg" = "xrlimit" || \
-      ( test -z "$sandbox_arg" && test "x$ac_cv_func_setrlimit" = "xyes" ) ; then
-        test "x$ac_cv_func_setrlimit" != "xyes" && \
-                as_fn_error $? "rlimit sandbox requires setrlimit function" "$LINENO" 5
--       SANDBOX_STYLE="rlimit"
-+       SANDBOX_STYLE="$SANDBOX_STYLE rlimit"
- 
- $as_echo "#define SANDBOX_RLIMIT 1" >>confdefs.h
- 
--elif test -z "$sandbox_arg" || test "x$sandbox_arg" = "xno" || \
-+fi
-+if test -z "$sandbox_arg" || test "x$sandbox_arg" = "xno" || \
-      test "x$sandbox_arg" = "xnone" || test "x$sandbox_arg" = "xnull" ; then
--       SANDBOX_STYLE="none"
--
--$as_echo "#define SANDBOX_NULL 1" >>confdefs.h
--
--else
-+       SANDBOX_STYLE="$SANDBOX_STYLE none"
-+fi
-+if test -z "$SANDBOX_STYLE" ; then
-        as_fn_error $? "unsupported --with-sandbox" "$LINENO" 5
- fi
-+SANDBOX_STYLE="${SANDBOX_STYLE# }"
- 
- # Cheap hack to ensure NEWS-OS libraries are arranged right.
- if test ! -z "$SONY" ; then
-Index: b/config.h.in
-===================================================================
---- a/config.h.in
-+++ b/config.h.in
-@@ -1365,9 +1365,6 @@
- /* Sandbox using Darwin sandbox_init(3) */
- #undef SANDBOX_DARWIN
- 
--/* no privsep sandboxing */
--#undef SANDBOX_NULL
--
- /* Sandbox using setrlimit(2) */
- #undef SANDBOX_RLIMIT
- 
-Index: b/sandbox-darwin.c
-===================================================================
---- a/sandbox-darwin.c
-+++ b/sandbox-darwin.c
-@@ -16,10 +16,12 @@
- 
- #include "includes.h"
- 
--#ifdef SANDBOX_DARWIN
--
- #include <sys/types.h>
- 
-+#include "ssh-sandbox.h"
-+
-+#ifdef SANDBOX_DARWIN
-+
- #include <sandbox.h>
- 
- #include <errno.h>
-@@ -30,7 +32,6 @@
- #include <unistd.h>
- 
- #include "log.h"
--#include "sandbox.h"
- #include "xmalloc.h"
- 
- /* Darwin/OS X sandbox */
-@@ -39,8 +40,14 @@
-        pid_t child_pid;
- };
- 
--struct ssh_sandbox *
--ssh_sandbox_init(void)
-+static int
-+sandbox_darwin_probe(void)
-+{
-+       return 1;
-+}
-+
-+static void *
-+sandbox_darwin_init(void)
- {
-        struct ssh_sandbox *box;
- 
-@@ -55,9 +62,10 @@
-        return box;
- }
- 
--void
--ssh_sandbox_child(struct ssh_sandbox *box)
-+static void
-+sandbox_darwin_child(void *vbox)
- {
-+       struct ssh_sandbox *box = vbox;
-        char *errmsg;
-        struct rlimit rl_zero;
- 
-@@ -82,17 +90,39 @@
-                        __func__, strerror(errno));
- }
- 
--void
--ssh_sandbox_parent_finish(struct ssh_sandbox *box)
-+static void
-+sandbox_darwin_parent_finish(void *vbox)
- {
--       free(box);
-+       free(vbox);
-        debug3("%s: finished", __func__);
- }
- 
--void
--ssh_sandbox_parent_preauth(struct ssh_sandbox *box, pid_t child_pid)
-+static void
-+sandbox_darwin_parent_preauth(void *box, pid_t child_pid)
- {
-+       struct ssh_sandbox *box = vbox;
-+
-        box->child_pid = child_pid;
- }
- 
-+Sandbox ssh_sandbox_darwin = {
-+       "darwin",
-+       sandbox_darwin_probe,
-+       sandbox_darwin_init,
-+       sandbox_darwin_child,
-+       sandbox_darwin_parent_finish,
-+       sandbox_darwin_parent_preauth
-+};
-+
-+#else /* !SANDBOX_DARWIN */
-+
-+Sandbox ssh_sandbox_darwin = {
-+       "darwin",
-+       NULL,
-+       NULL,
-+       NULL,
-+       NULL,
-+       NULL
-+};
-+
- #endif /* SANDBOX_DARWIN */
-Index: b/sandbox-null.c
-===================================================================
---- a/sandbox-null.c
-+++ b/sandbox-null.c
-@@ -17,8 +17,6 @@
- 
- #include "includes.h"
- 
--#ifdef SANDBOX_NULL
--
- #include <sys/types.h>
- 
- #include <errno.h>
-@@ -38,8 +36,14 @@
-        int junk;
- };
- 
--struct ssh_sandbox *
--ssh_sandbox_init(void)
-+static int
-+sandbox_null_probe(void)
-+{
-+       return 1;
-+}
-+
-+static void *
-+sandbox_null_init(void)
- {
-        struct ssh_sandbox *box;
- 
-@@ -51,22 +55,29 @@
-        return box;
- }
- 
--void
--ssh_sandbox_child(struct ssh_sandbox *box)
-+static void
-+sandbox_null_child(void *vbox)
- {
-        /* Nothing to do here */
- }
- 
--void
--ssh_sandbox_parent_finish(struct ssh_sandbox *box)
-+static void
-+sandbox_null_parent_finish(void *vbox)
- {
--       free(box);
-+       free(vbox);
- }
- 
--void
--ssh_sandbox_parent_preauth(struct ssh_sandbox *box, pid_t child_pid)
-+static void
-+sandbox_null_parent_preauth(void *box, pid_t child_pid)
- {
-        /* Nothing to do here */
- }
- 
--#endif /* SANDBOX_NULL */
-+Sandbox ssh_sandbox_null = {
-+       "null",
-+       sandbox_null_probe,
-+       sandbox_null_init,
-+       sandbox_null_child,
-+       sandbox_null_parent_finish,
-+       sandbox_null_parent_preauth
-+};
-Index: b/sandbox-rlimit.c
-===================================================================
---- a/sandbox-rlimit.c
-+++ b/sandbox-rlimit.c
-@@ -17,9 +17,12 @@
- 
- #include "includes.h"
- 
-+#include <sys/types.h>
-+
-+#include "ssh-sandbox.h"
-+
- #ifdef SANDBOX_RLIMIT
- 
--#include <sys/types.h>
- #include <sys/param.h>
- #include <sys/time.h>
- #include <sys/resource.h>
-@@ -32,7 +35,6 @@
- #include <unistd.h>
- 
- #include "log.h"
--#include "ssh-sandbox.h"
- #include "xmalloc.h"
- 
- /* Minimal sandbox that sets zero nfiles, nprocs and filesize rlimits */
-@@ -41,8 +43,14 @@
-        pid_t child_pid;
- };
- 
--struct ssh_sandbox *
--ssh_sandbox_init(void)
-+static int
-+sandbox_rlimit_probe(void)
-+{
-+       return 1;
-+}
-+
-+static void *
-+sandbox_rlimit_init(void)
- {
-        struct ssh_sandbox *box;
- 
-@@ -57,8 +65,8 @@
-        return box;
- }
- 
--void
--ssh_sandbox_child(struct ssh_sandbox *box)
-+static void
-+sandbox_rlimit_child(void *vbox)
- {
-        struct rlimit rl_zero;
- 
-@@ -77,17 +85,39 @@
- #endif
- }
- 
--void
--ssh_sandbox_parent_finish(struct ssh_sandbox *box)
-+static void
-+sandbox_rlimit_parent_finish(void *vbox)
- {
--       free(box);
-+       free(vbox);
-        debug3("%s: finished", __func__);
- }
- 
--void
--ssh_sandbox_parent_preauth(struct ssh_sandbox *box, pid_t child_pid)
-+static void
-+sandbox_rlimit_parent_preauth(void *vbox, pid_t child_pid)
- {
-+       struct ssh_sandbox *box = vbox;
-+
-        box->child_pid = child_pid;
- }
- 
-+Sandbox ssh_sandbox_rlimit = {
-+       "rlimit",
-+       sandbox_rlimit_probe,
-+       sandbox_rlimit_init,
-+       sandbox_rlimit_child,
-+       sandbox_rlimit_parent_finish,
-+       sandbox_rlimit_parent_preauth
-+};
-+
-+#else /* !SANDBOX_RLIMIT */
-+
-+Sandbox ssh_sandbox_rlimit = {
-+       "rlimit",
-+       NULL,
-+       NULL,
-+       NULL,
-+       NULL,
-+       NULL
-+};
-+
- #endif /* SANDBOX_RLIMIT */
-Index: b/sandbox-seccomp-filter.c
-===================================================================
---- a/sandbox-seccomp-filter.c
-+++ b/sandbox-seccomp-filter.c
-@@ -35,11 +35,15 @@
- 
- #include "includes.h"
- 
-+#include <sys/types.h>
-+
-+#include "ssh-sandbox.h"
-+
- #ifdef SANDBOX_SECCOMP_FILTER
- 
--#include <sys/types.h>
- #include <sys/resource.h>
- #include <sys/prctl.h>
-+#include <sys/wait.h>
- 
- #include <linux/audit.h>
- #include <linux/filter.h>
-@@ -57,7 +61,6 @@
- #include <unistd.h>
- 
- #include "log.h"
--#include "ssh-sandbox.h"
- #include "xmalloc.h"
- 
- /* Linux seccomp_filter sandbox */
-@@ -122,8 +125,33 @@
-        pid_t child_pid;
- };
- 
--struct ssh_sandbox *
--ssh_sandbox_init(void)
-+static int
-+sandbox_seccomp_filter_probe(void)
-+{
-+       int status;
-+       pid_t pid;
-+
-+       pid = fork();
-+       if (pid == -1) {
-+               fatal("fork of seccomp_filter probe child failed");
-+       } else if (pid != 0) {
-+               /* parent */
-+               while (waitpid(pid, &status, 0) < 0) {
-+                       if (errno == EINTR)
-+                               continue;
-+                       fatal("%s: waitpid: %s", __func__, strerror(errno));
-+               }
-+               return (WIFEXITED(status) && WEXITSTATUS(status) == 0);
-+       } else {
-+               /* child */
-+               errno = 0;
-+               prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, NULL, 0, 0);
-+               _exit(errno == EFAULT ? 0 : 1);
-+       }
-+}
-+
-+static void *
-+sandbox_seccomp_filter_init(void)
- {
-        struct ssh_sandbox *box;
- 
-@@ -143,7 +171,8 @@
- void mm_log_handler(LogLevel level, const char *msg, void *ctx);
- 
- static void
--ssh_sandbox_violation(int signum, siginfo_t *info, void *void_context)
-+sandbox_seccomp_filter_violation(int signum, siginfo_t *info,
-+    void *void_context)
- {
-        char msg[256];
- 
-@@ -155,7 +184,7 @@
- }
- 
- static void
--ssh_sandbox_child_debugging(void)
-+sandbox_seccomp_filter_child_debugging(void)
- {
-        struct sigaction act;
-        sigset_t mask;
-@@ -165,7 +194,7 @@
-        sigemptyset(&mask);
-        sigaddset(&mask, SIGSYS);
- 
--       act.sa_sigaction = &ssh_sandbox_violation;
-+       act.sa_sigaction = &sandbox_seccomp_filter_violation;
-        act.sa_flags = SA_SIGINFO;
-        if (sigaction(SIGSYS, &act, NULL) == -1)
-                fatal("%s: sigaction(SIGSYS): %s", __func__, strerror(errno));
-@@ -175,8 +204,8 @@
- }
- #endif /* SANDBOX_SECCOMP_FILTER_DEBUG */
- 
--void
--ssh_sandbox_child(struct ssh_sandbox *box)
-+static void
-+sandbox_seccomp_filter_child(void *vbox)
- {
-        struct rlimit rl_zero;
- 
-@@ -193,7 +222,7 @@
-                        __func__, strerror(errno));
- 
- #ifdef SANDBOX_SECCOMP_FILTER_DEBUG
--       ssh_sandbox_child_debugging();
-+       sandbox_seccomp_filter_child_debugging();
- #endif /* SANDBOX_SECCOMP_FILTER_DEBUG */
- 
-        debug3("%s: setting PR_SET_NO_NEW_PRIVS", __func__);
-@@ -206,17 +235,39 @@
-                      __func__, strerror(errno));
- }
- 
--void
--ssh_sandbox_parent_finish(struct ssh_sandbox *box)
-+static void
-+sandbox_seccomp_filter_parent_finish(void *vbox)
- {
--       free(box);
-+       free(vbox);
-        debug3("%s: finished", __func__);
- }
- 
--void
--ssh_sandbox_parent_preauth(struct ssh_sandbox *box, pid_t child_pid)
-+static void
-+sandbox_seccomp_filter_parent_preauth(void *vbox, pid_t child_pid)
- {
-+       struct ssh_sandbox *box = vbox;
-+
-        box->child_pid = child_pid;
- }
- 
-+Sandbox ssh_sandbox_seccomp_filter = {
-+       "seccomp_filter",
-+       sandbox_seccomp_filter_probe,
-+       sandbox_seccomp_filter_init,
-+       sandbox_seccomp_filter_child,
-+       sandbox_seccomp_filter_parent_finish,
-+       sandbox_seccomp_filter_parent_preauth
-+};
-+
-+#else /* !SANDBOX_SECCOMP_FILTER */
-+
-+Sandbox ssh_sandbox_seccomp_filter = {
-+       "seccomp_filter",
-+       NULL,
-+       NULL,
-+       NULL,
-+       NULL,
-+       NULL
-+};
-+
- #endif /* SANDBOX_SECCOMP_FILTER */
-Index: b/sandbox-systrace.c
-===================================================================
---- a/sandbox-systrace.c
-+++ b/sandbox-systrace.c
-@@ -17,9 +17,12 @@
- 
- #include "includes.h"
- 
-+#include <sys/types.h>
-+
-+#include "ssh-sandbox.h"
-+
- #ifdef SANDBOX_SYSTRACE
- 
--#include <sys/types.h>
- #include <sys/param.h>
- #include <sys/ioctl.h>
- #include <sys/syscall.h>
-@@ -38,7 +41,6 @@
- 
- #include "atomicio.h"
- #include "log.h"
--#include "ssh-sandbox.h"
- #include "xmalloc.h"
- 
- struct sandbox_policy {
-@@ -74,8 +76,14 @@
-        pid_t child_pid;
- };
- 
--struct ssh_sandbox *
--ssh_sandbox_init(void)
-+static int
-+sandbox_systrace_probe(void)
-+{
-+       return 1;
-+}
-+
-+static void *
-+sandbox_systrace_init(void)
- {
-        struct ssh_sandbox *box;
-        int s[2];
-@@ -92,9 +100,10 @@
-        return box;
- }
- 
--void
--ssh_sandbox_child(struct ssh_sandbox *box)
-+static void
-+sandbox_systrace_child(void *vbox)
- {
-+       struct ssh_sandbox *box = vbox;
-        char whatever = 0;
- 
-        close(box->parent_sock);
-@@ -110,7 +119,7 @@
- }
- 
- static void
--ssh_sandbox_parent(struct ssh_sandbox *box, pid_t child_pid,
-+sandbox_systrace_parent(struct ssh_sandbox *box, pid_t child_pid,
-     const struct sandbox_policy *allowed_syscalls)
- {
-        int dev_systrace, i, j, found;
-@@ -179,9 +188,11 @@
-        close(box->parent_sock);
- }
- 
--void
--ssh_sandbox_parent_finish(struct ssh_sandbox *box)
-+static void
-+sandbox_systrace_parent_finish(void *vbox)
- {
-+       struct ssh_sandbox *box = vbox;
-+
-        /* Closing this before the child exits will terminate it */
-        close(box->systrace_fd);
- 
-@@ -189,10 +200,32 @@
-        debug3("%s: finished", __func__);
- }
- 
--void
--ssh_sandbox_parent_preauth(struct ssh_sandbox *box, pid_t child_pid)
-+static void
-+sandbox_systrace_parent_preauth(void *vbox, pid_t child_pid)
- {
-+       struct ssh_sandbox *box = vbox;
-+
-        ssh_sandbox_parent(box, child_pid, preauth_policy);
- }
- 
-+Sandbox ssh_sandbox_systrace = {
-+       "systrace",
-+       sandbox_systrace_probe,
-+       sandbox_systrace_init,
-+       sandbox_systrace_child,
-+       sandbox_systrace_parent_finish,
-+       sandbox_systrace_parent_preauth
-+};
-+
-+#else /* !SANDBOX_SYSTRACE */
-+
-+Sandbox ssh_sandbox_systrace = {
-+       "systrace",
-+       NULL,
-+       NULL,
-+       NULL,
-+       NULL,
-+       NULL
-+};
-+
- #endif /* SANDBOX_SYSTRACE */
-Index: b/sandbox.c
-===================================================================
---- /dev/null
-+++ b/sandbox.c
-@@ -0,0 +1,82 @@
-+/* $Id$ */
-+/*
-+ * Copyright (c) 2012 Colin Watson <cjwatson@debian.org>
-+ *
-+ * Permission to use, copy, modify, and distribute this software for any
-+ * purpose with or without fee is hereby granted, provided that the above
-+ * copyright notice and this permission notice appear in all copies.
-+ *
-+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-+ */
-+
-+#include <sys/types.h>
-+
-+#include <stdlib.h>
-+#include <stdarg.h>
-+
-+#include "log.h"
-+#include "ssh-sandbox.h"
-+
-+static Sandbox *sandboxes[] = {
-+       &ssh_sandbox_systrace,
-+       &ssh_sandbox_darwin,
-+       &ssh_sandbox_seccomp_filter,
-+       &ssh_sandbox_rlimit,
-+       &ssh_sandbox_null,
-+       NULL
-+};
-+
-+static Sandbox *selected;
-+
-+static void
-+sandbox_select(void)
-+{
-+       Sandbox **sandbox;
-+
-+       if (selected)
-+               return;
-+
-+       for (sandbox = sandboxes; sandbox; sandbox++) {
-+               if ((*sandbox)->probe && (*sandbox)->probe()) {
-+                       selected = *sandbox;
-+                       return;
-+               }
-+       }
-+
-+       /* should never happen, as ssh_sandbox_null always succeeds */
-+       fatal("no sandbox implementation found");
-+}
-+
-+void *
-+ssh_sandbox_init(void)
-+{
-+       sandbox_select();
-+       return selected->init();
-+}
-+
-+void
-+ssh_sandbox_child(void *box)
-+{
-+       sandbox_select();
-+       return selected->child(box);
-+}
-+
-+void
-+ssh_sandbox_parent_finish(void *box)
-+{
-+       sandbox_select();
-+       return selected->parent_finish(box);
-+}
-+
-+void
-+ssh_sandbox_parent_preauth(void *box, pid_t child_pid)
-+{
-+       sandbox_select();
-+       return selected->parent_preauth(box, child_pid);
-+}
-Index: b/ssh-sandbox.h
-===================================================================
---- a/ssh-sandbox.h
-+++ b/ssh-sandbox.h
-@@ -15,9 +15,24 @@
-  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-  */
- 
--struct ssh_sandbox;
-+typedef struct Sandbox Sandbox;
- 
--struct ssh_sandbox *ssh_sandbox_init(void);
--void ssh_sandbox_child(struct ssh_sandbox *);
--void ssh_sandbox_parent_finish(struct ssh_sandbox *);
--void ssh_sandbox_parent_preauth(struct ssh_sandbox *, pid_t);
-+struct Sandbox {
-+       const char      *name;
-+       int             (*probe)(void);
-+       void            *(*init)(void);
-+       void            (*child)(void *);
-+       void            (*parent_finish)(void *);
-+       void            (*parent_preauth)(void *, pid_t);
-+};
-+
-+void *ssh_sandbox_init(void);
-+void ssh_sandbox_child(void *);
-+void ssh_sandbox_parent_finish(void *);
-+void ssh_sandbox_parent_preauth(void *, pid_t);
-+
-+extern Sandbox ssh_sandbox_systrace;
-+extern Sandbox ssh_sandbox_darwin;
-+extern Sandbox ssh_sandbox_seccomp_filter;
-+extern Sandbox ssh_sandbox_rlimit;
-+extern Sandbox ssh_sandbox_null;
-Index: b/sshd.c
-===================================================================
---- a/sshd.c
-+++ b/sshd.c
-@@ -631,7 +631,7 @@
- {
-        int status;
-        pid_t pid;
--       struct ssh_sandbox *box = NULL;
-+       void *box = NULL;
- 
-        /* Set up unprivileged child process to deal with network data */
-        pmonitor = monitor_init();
diff --git a/debian/patches/selinux-role.patch b/debian/patches/selinux-role.patch
index 0d696989a..80fe3247b 100644
--- a/debian/patches/selinux-role.patch
+++ b/debian/patches/selinux-role.patch
@@ -108,7 +108,7 @@ Index: b/monitor.c
      {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
      {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
  #ifdef USE_PAM
-@@ -811,6 +813,7 @@
+@@ -808,6 +810,7 @@
         else {
                 /* Allow service/style information on the auth context */
                 monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
@@ -116,7 +116,7 @@ Index: b/monitor.c
                 monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
         }
  #ifdef USE_PAM
-@@ -843,14 +846,37 @@
+@@ -840,14 +843,37 @@
  
         authctxt->service = buffer_get_string(m, NULL);
         authctxt->style = buffer_get_string(m, NULL);
@@ -156,7 +156,7 @@ Index: b/monitor.c
         return (0);
  }
  
-@@ -1438,7 +1464,7 @@
+@@ -1435,7 +1461,7 @@
         res = pty_allocate(&s->ptyfd, &s->ttyfd, s->tty, sizeof(s->tty));
         if (res == 0)
                 goto error;
@@ -436,7 +436,7 @@ Index: b/sshd.c
 ===================================================================
 --- a/sshd.c
 +++ b/sshd.c
-@@ -734,7 +734,7 @@
+@@ -736,7 +736,7 @@
         RAND_seed(rnd, sizeof(rnd));
  
         /* Drop privileges */
diff --git a/debian/patches/series b/debian/patches/series
index f51fa2ce5..5ac0f32b1 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -38,9 +38,6 @@ doc-hash-tab-completion.patch
 
 # Miscellaneous bug fixes
 auth-log-verbosity.patch
-cross-pkg-config.patch
-configure-bashism.patch
-sandbox-fallback.patch
 
 # Debian-specific configuration
 gnome-ssh-askpass2-icon.patch
diff --git a/debian/patches/ssh-vulnkey.patch b/debian/patches/ssh-vulnkey.patch
index d60816d46..c13cb3412 100644
--- a/debian/patches/ssh-vulnkey.patch
+++ b/debian/patches/ssh-vulnkey.patch
@@ -130,7 +130,7 @@ Index: b/auth.c
  #include "auth.h"
  #include "auth-options.h"
  #include "canohost.h"
-@@ -606,10 +607,34 @@
+@@ -608,10 +609,34 @@
  
  /* Returns 1 if key is revoked by revoked_keys_file, 0 otherwise */
  int
@@ -462,7 +462,7 @@ Index: b/servconf.c
 ===================================================================
 --- a/servconf.c
 +++ b/servconf.c
-@@ -104,6 +104,7 @@
+@@ -107,6 +107,7 @@
         options->password_authentication = -1;
         options->kbd_interactive_authentication = -1;
         options->challenge_response_authentication = -1;
@@ -470,7 +470,7 @@ Index: b/servconf.c
         options->permit_empty_passwd = -1;
         options->permit_user_env = -1;
         options->use_login = -1;
-@@ -242,6 +243,8 @@
+@@ -246,6 +247,8 @@
                 options->kbd_interactive_authentication = 0;
         if (options->challenge_response_authentication == -1)
                 options->challenge_response_authentication = 1;
@@ -479,7 +479,7 @@ Index: b/servconf.c
         if (options->permit_empty_passwd == -1)
                 options->permit_empty_passwd = 0;
         if (options->permit_user_env == -1)
-@@ -318,7 +321,7 @@
+@@ -323,7 +326,7 @@
         sListenAddress, sAddressFamily,
         sPrintMotd, sPrintLastLog, sIgnoreRhosts,
         sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
@@ -488,7 +488,7 @@ Index: b/servconf.c
         sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
         sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
         sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
-@@ -428,6 +431,7 @@
+@@ -433,6 +436,7 @@
         { "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL },
         { "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL },
         { "strictmodes", sStrictModes, SSHCFG_GLOBAL },
@@ -496,7 +496,7 @@ Index: b/servconf.c
         { "permitemptypasswords", sEmptyPasswd, SSHCFG_ALL },
         { "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL },
         { "uselogin", sUseLogin, SSHCFG_GLOBAL },
-@@ -1047,6 +1051,10 @@
+@@ -1116,6 +1120,10 @@
                 intptr = &options->tcp_keep_alive;
                 goto parse_flag;
  
@@ -507,7 +507,7 @@ Index: b/servconf.c
         case sEmptyPasswd:
                 intptr = &options->permit_empty_passwd;
                 goto parse_flag;
-@@ -1773,6 +1781,7 @@
+@@ -1921,6 +1929,7 @@
         dump_cfg_fmtint(sX11UseLocalhost, o->x11_use_localhost);
         dump_cfg_fmtint(sStrictModes, o->strict_modes);
         dump_cfg_fmtint(sTCPKeepAlive, o->tcp_keep_alive);
@@ -582,7 +582,7 @@ Index: b/ssh-keygen.1
 ===================================================================
 --- a/ssh-keygen.1
 +++ b/ssh-keygen.1
-@@ -679,6 +679,7 @@
+@@ -691,6 +691,7 @@
  .Xr ssh 1 ,
  .Xr ssh-add 1 ,
  .Xr ssh-agent 1 ,
@@ -1245,7 +1245,7 @@ Index: b/ssh.c
 ===================================================================
 --- a/ssh.c
 +++ b/ssh.c
-@@ -1492,7 +1492,7 @@
+@@ -1495,7 +1495,7 @@
  static void
  load_public_identity_files(void)
  {
@@ -1254,7 +1254,7 @@ Index: b/ssh.c
         char *pwdir = NULL, *pwname = NULL;
         int i = 0;
         Key *public;
-@@ -1549,6 +1549,22 @@
+@@ -1552,6 +1552,22 @@
                 public = key_load_public(filename, NULL);
                 debug("identity file %s type %d", filename,
                     public ? public->type : -1);
@@ -1281,7 +1281,7 @@ Index: b/ssh_config.5
 ===================================================================
 --- a/ssh_config.5
 +++ b/ssh_config.5
-@@ -1188,6 +1188,23 @@
+@@ -1187,6 +1187,23 @@
  .Dq any .
  The default is
  .Dq any:any .
@@ -1331,7 +1331,7 @@ Index: b/sshd.8
 ===================================================================
 --- a/sshd.8
 +++ b/sshd.8
-@@ -951,6 +951,7 @@
+@@ -953,6 +953,7 @@
  .Xr ssh-agent 1 ,
  .Xr ssh-keygen 1 ,
  .Xr ssh-keyscan 1 ,
@@ -1343,7 +1343,7 @@ Index: b/sshd.c
 ===================================================================
 --- a/sshd.c
 +++ b/sshd.c
-@@ -1602,6 +1602,11 @@
+@@ -1593,6 +1593,11 @@
                         sensitive_data.host_keys[i] = NULL;
                         continue;
                 }
@@ -1359,7 +1359,7 @@ Index: b/sshd_config.5
 ===================================================================
 --- a/sshd_config.5
 +++ b/sshd_config.5
-@@ -795,6 +795,20 @@
+@@ -803,6 +803,20 @@
  Specifies whether password authentication is allowed.
  The default is
  .Dq yes .
diff --git a/debian/patches/ssh1-keepalive.patch b/debian/patches/ssh1-keepalive.patch
index 2acf9704f..b71ff9df9 100644
--- a/debian/patches/ssh1-keepalive.patch
+++ b/debian/patches/ssh1-keepalive.patch
@@ -38,7 +38,7 @@ Index: b/clientloop.c
  }
  
  /*
-@@ -634,7 +639,7 @@
+@@ -636,7 +641,7 @@
          */
  
         timeout_secs = INT_MAX; /* we use INT_MAX to mean no timeout */
@@ -51,7 +51,7 @@ Index: b/ssh_config.5
 ===================================================================
 --- a/ssh_config.5
 +++ b/ssh_config.5
-@@ -1089,7 +1089,10 @@
+@@ -1088,7 +1088,10 @@
  .Cm ServerAliveCountMax
  is left at the default, if the server becomes unresponsive,
  ssh will disconnect after approximately 45 seconds.
diff --git a/debian/patches/syslog-level-silent.patch b/debian/patches/syslog-level-silent.patch
index 07e2974aa..3dfc89027 100644
--- a/debian/patches/syslog-level-silent.patch
+++ b/debian/patches/syslog-level-silent.patch
@@ -26,7 +26,7 @@ Index: b/ssh.c
 ===================================================================
 --- a/ssh.c
 +++ b/ssh.c
-@@ -680,7 +680,7 @@
+@@ -714,7 +714,7 @@
         /* Do not allocate a tty if stdin is not a tty. */
         if ((!isatty(fileno(stdin)) || stdin_null_flag) &&
             options.request_tty != REQUEST_TTY_FORCE) {
diff --git a/debian/patches/user-group-modes.patch b/debian/patches/user-group-modes.patch
index 8e4ee3eb1..1368ccb3c 100644
--- a/debian/patches/user-group-modes.patch
+++ b/debian/patches/user-group-modes.patch
@@ -51,7 +51,7 @@ Index: b/ssh_config.5
 ===================================================================
 --- a/ssh_config.5
 +++ b/ssh_config.5
-@@ -1343,6 +1343,8 @@
+@@ -1342,6 +1342,8 @@
  This file is used by the SSH client.
  Because of the potential for abuse, this file must have strict permissions:
  read/write for the user, and not accessible by others.
@@ -64,7 +64,7 @@ Index: b/auth.c
 ===================================================================
 --- a/auth.c
 +++ b/auth.c
-@@ -380,8 +380,7 @@
+@@ -381,8 +381,7 @@
                 user_hostfile = tilde_expand_filename(userfile, pw->pw_uid);
                 if (options.strict_modes &&
                     (stat(user_hostfile, &st) == 0) &&
@@ -74,7 +74,7 @@ Index: b/auth.c
                         logit("Authentication refused for %.100s: "
                             "bad owner or modes for %.200s",
                             pw->pw_name, user_hostfile);
-@@ -442,8 +441,7 @@
+@@ -443,8 +442,7 @@
  
         /* check the open file to avoid races */
         if (fstat(fileno(f), &st) < 0 ||
@@ -84,7 +84,7 @@ Index: b/auth.c
                 snprintf(err, errlen, "bad ownership or modes for file %s",
                     buf);
                 return -1;
-@@ -458,8 +456,7 @@
+@@ -459,8 +457,7 @@
                 strlcpy(buf, cp, sizeof(buf));
  
                 if (stat(buf, &st) < 0 ||