56 files changed, 266 insertions, 249 deletions

diff --git a/ChangeLog b/ChangeLog
index ed0502115..0e0dd8787 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,121 @@
+commit e91346dc2bbf460246df2ab591b7613908c1b0ad
+Author: Damien Miller <djm@mindrot.org>
+Date:   Fri Aug 21 14:49:03 2015 +1000
+
+    we don't use Github for issues/pull-requests
+
+commit a4f5b507c708cc3dc2c8dd2d02e4416d7514dc23
+Author: Damien Miller <djm@mindrot.org>
+Date:   Fri Aug 21 14:43:55 2015 +1000
+
+    fix URL for connect.c
+
+commit d026a8d3da0f8186598442997c7d0a28e7275414
+Author: Damien Miller <djm@mindrot.org>
+Date:   Fri Aug 21 13:47:10 2015 +1000
+
+    update version numbers for 7.1
+
+commit 78f8f589f0ca1c9f41e5a9bae3cda5ce8a6b42ed
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Fri Aug 21 03:45:26 2015 +0000
+
+    upstream commit
+    
+    openssh-7.1
+    
+    Upstream-ID: ff7b1ef4b06caddfb45e08ba998128c88be3d73f
+
+commit 32a181980c62fce94f7f9ffaf6a79d90f0c309cf
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Fri Aug 21 03:42:19 2015 +0000
+
+    upstream commit
+    
+    fix inverted logic that broke PermitRootLogin; reported
+     by Mantas Mikulenas; ok markus@
+    
+    Upstream-ID: 260dd6a904c1bb7e43267e394b1c9cf70bdd5ea5
+
+commit ce445b0ed927e45bd5bdce8f836eb353998dd65c
+Author: deraadt@openbsd.org <deraadt@openbsd.org>
+Date:   Thu Aug 20 22:32:42 2015 +0000
+
+    upstream commit
+    
+    Do not cast result of malloc/calloc/realloc* if stdlib.h
+     is in scope ok krw millert
+    
+    Upstream-ID: 5e50ded78cadf3841556649a16cc4b1cb6c58667
+
+commit 05291e5288704d1a98bacda269eb5a0153599146
+Author: naddy@openbsd.org <naddy@openbsd.org>
+Date:   Thu Aug 20 19:20:06 2015 +0000
+
+    upstream commit
+    
+    In the certificates section, be consistent about using
+     "host_key" and "user_key" for the respective key types.  ok sthen@ deraadt@
+    
+    Upstream-ID: 9e037ea3b15577b238604c5533e082a3947f13cb
+
+commit 8543d4ef6f2e9f98c3e6b77c894ceec30c5e4ae4
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Wed Aug 19 23:21:42 2015 +0000
+
+    upstream commit
+    
+    Better compat matching for WinSCP, add compat matching
+     for FuTTY (fork of PuTTY); ok markus@ deraadt@
+    
+    Upstream-ID: 24001d1ac115fa3260fbdc329a4b9aeb283c5389
+
+commit ec6eda16ebab771aa3dfc90629b41953b999cb1e
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Wed Aug 19 23:19:01 2015 +0000
+
+    upstream commit
+    
+    fix double-free() in error path of DSA key generation
+     reported by Mateusz Kocielski; ok markus@
+    
+    Upstream-ID: 4735d8f888b10599a935fa1b374787089116713c
+
+commit 45b0eb752c94954a6de046bfaaf129e518ad4b5b
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Wed Aug 19 23:18:26 2015 +0000
+
+    upstream commit
+    
+    fix free() of uninitialised pointer reported by Mateusz
+     Kocielski; ok markus@
+    
+    Upstream-ID: 519552b050618501a06b7b023de5cb104e2c5663
+
+commit c837643b93509a3ef538cb6624b678c5fe32ff79
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Wed Aug 19 23:17:51 2015 +0000
+
+    upstream commit
+    
+    fixed unlink([uninitialised memory]) reported by Mateusz
+     Kocielski; ok markus@
+    
+    Upstream-ID: 14a0c4e7d891f5a8dabc4b89d4f6b7c0d5a20109
+
+commit 1f8d3d629cd553031021068eb9c646a5f1e50994
+Author: jmc@openbsd.org <jmc@openbsd.org>
+Date:   Fri Aug 14 15:32:41 2015 +0000
+
+    upstream commit
+    
+    match myproposal.h order; from brian conway (i snuck in a
+     tweak while here)
+    
+    ok dtucker
+    
+    Upstream-ID: 35174a19b5237ea36aa3798f042bf5933b772c67
+
 commit 1dc8d93ce69d6565747eb44446ed117187621b26
 Author: deraadt@openbsd.org <deraadt@openbsd.org>
 Date:   Thu Aug 6 14:53:21 2015 +0000
@@ -9013,134 +9131,3 @@ Date:   Wed Aug 28 12:49:43 2013 +1000
      - (djm) [openbsd-compat/bsd-snprintf.c] teach our local snprintf code the
        'j' (intmax_t/uintmax_t) and 'z' (size_t/ssize_t) conversions in case we
        start to use them in the future.
-
-commit f2f6c315a920a256937e1b6a3702757f3195a592
-Author: Damien Miller <djm@mindrot.org>
-Date:   Wed Aug 21 02:44:58 2013 +1000
-
-       - jmc@cvs.openbsd.org 2013/08/20 06:56:07
-         [ssh.1 ssh_config.5]
-         some proxyusefdpass tweaks;
-
-commit 1262b6638f7d01ab110fd373dd90d915c882fe1a
-Author: Damien Miller <djm@mindrot.org>
-Date:   Wed Aug 21 02:44:24 2013 +1000
-
-       - djm@cvs.openbsd.org 2013/08/20 00:11:38
-         [readconf.c readconf.h ssh_config.5 sshconnect.c]
-         Add a ssh_config ProxyUseFDPass option that supports the use of
-         ProxyCommands that establish a connection and then pass a connected
-         file descriptor back to ssh(1). This allows the ProxyCommand to exit
-         rather than have to shuffle data back and forth and enables ssh to use
-         getpeername, etc. to obtain address information just like it does with
-         regular directly-connected sockets. ok markus@
-
-commit b7727df37efde4dbe4f5a33b19cbf42022aabf66
-Author: Damien Miller <djm@mindrot.org>
-Date:   Wed Aug 21 02:43:49 2013 +1000
-
-       - jmc@cvs.openbsd.org 2013/08/14 08:39:27
-         [scp.1 ssh.1]
-         some Bx/Ox conversion;
-         From: Jan Stary
-
-commit d5d9d7b1fdacf0551de4c747728bd159be40590a
-Author: Damien Miller <djm@mindrot.org>
-Date:   Wed Aug 21 02:43:27 2013 +1000
-
-       - djm@cvs.openbsd.org 2013/08/13 18:33:08
-         [ssh-keygen.c]
-         another of the same typo
-
-commit d234afb0b3a8de1be78cbeafed5fc86912594c3c
-Author: Damien Miller <djm@mindrot.org>
-Date:   Wed Aug 21 02:42:58 2013 +1000
-
-       - djm@cvs.openbsd.org 2013/08/13 18:32:08
-         [ssh-keygen.c]
-         typo in error message; from Stephan Rickauer
-
-commit e0ee727b8281a7c2ae20630ce83f6b200b404059
-Author: Damien Miller <djm@mindrot.org>
-Date:   Wed Aug 21 02:42:35 2013 +1000
-
-       - djm@cvs.openbsd.org 2013/08/09 03:56:42
-         [sftp.c]
-         enable ctrl-left-arrow and ctrl-right-arrow to move forward/back a word;
-         matching ksh's relatively recent change.
-
-commit fec029f1dc2c338f3fae3fa82aabc988dc07868c
-Author: Damien Miller <djm@mindrot.org>
-Date:   Wed Aug 21 02:42:12 2013 +1000
-
-       - djm@cvs.openbsd.org 2013/08/09 03:39:13
-         [sftp-client.c]
-         two problems found by a to-be-committed regress test: 1) msg_id was not
-         being initialised so was starting at a random value from the heap
-         (harmless, but confusing). 2) some error conditions were not being
-         propagated back to the caller
-
-commit 036d30743fc914089f9849ca52d615891d47e616
-Author: Damien Miller <djm@mindrot.org>
-Date:   Wed Aug 21 02:41:46 2013 +1000
-
-       - djm@cvs.openbsd.org 2013/08/09 03:37:25
-         [sftp.c]
-         do getopt parsing for all sftp commands (with an empty optstring for
-         commands without arguments) to ensure consistent behaviour
-
-commit c7dba12bf95eb1d69711881a153cc286c1987663
-Author: Damien Miller <djm@mindrot.org>
-Date:   Wed Aug 21 02:41:15 2013 +1000
-
-       - djm@cvs.openbsd.org 2013/08/08 05:04:03
-         [sftp-client.c sftp-client.h sftp.c]
-         add a "-l" flag for the rename command to force it to use the silly
-         standard SSH_FXP_RENAME command instead of the POSIX-rename- like
-         posix-rename@openssh.com extension.
-    
-         intended for use in regress tests, so no documentation.
-
-commit 034f27a0c09e69fe3589045b41f03f6e345b63f5
-Author: Damien Miller <djm@mindrot.org>
-Date:   Wed Aug 21 02:40:44 2013 +1000
-
-       - djm@cvs.openbsd.org 2013/08/08 04:52:04
-         [sftp.c]
-         fix two year old regression: symlinking a file would incorrectly
-         canonicalise the target path. bz#2129 report from delphij AT freebsd.org
-
-commit c6895c5c67492144dd28589e5788f783be9152ed
-Author: Damien Miller <djm@mindrot.org>
-Date:   Wed Aug 21 02:40:21 2013 +1000
-
-       - jmc@cvs.openbsd.org 2013/08/07 06:24:51
-         [sftp.1 sftp.c]
-         sort -a;
-
-commit a6d6c1f38ac9b4a5e1bd4df889e1020a8370ed55
-Author: Damien Miller <djm@mindrot.org>
-Date:   Wed Aug 21 02:40:01 2013 +1000
-
-       - djm@cvs.openbsd.org 2013/08/06 23:06:01
-         [servconf.c]
-         add cast to avoid format warning; from portable
-
-commit eec840673bce3f69ad269672fba7ed8ff05f154f
-Author: Damien Miller <djm@mindrot.org>
-Date:   Wed Aug 21 02:39:39 2013 +1000
-
-       - djm@cvs.openbsd.org 2013/08/06 23:05:01
-         [sftp.1]
-         document top-level -a option (the -a option to 'get' was already
-         documented)
-
-commit 02e878070d0eddad4e11f2c82644b275418eb112
-Author: Damien Miller <djm@mindrot.org>
-Date:   Wed Aug 21 02:38:51 2013 +1000
-
-       - djm@cvs.openbsd.org 2013/08/06 23:03:49
-         [sftp.c]
-         fix some whitespace at EOL
-         make list of commands an enum rather than a long list of defines
-         add -a to usage()
diff --git a/README b/README
index c566f7b1b..9bbd3bac2 100644
--- a/README
+++ b/README
@@ -1,4 +1,8 @@
-See http://www.openssh.com/txt/release-7.0 for the release notes.
+See http://www.openssh.com/txt/release-7.1 for the release notes.
+
+Please read http://www.openssh.com/report.html for bug reporting
+instructions and note that we do not use Github for bug reporting or
+patch/pull-request management.
 
 - A Japanese translation of this document and of the OpenSSH FAQ is
 - available at http://www.unixuser.org/~haruyama/security/openssh/index.html
diff --git a/auth.c b/auth.c
index 8255d22d3..25be63277 100644
--- a/auth.c
+++ b/auth.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth.c,v 1.112 2015/08/06 14:53:21 deraadt Exp $ */
+/* $OpenBSD: auth.c,v 1.113 2015/08/21 03:42:19 djm Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
  *
@@ -354,7 +354,7 @@ auth_root_allowed(const char *method)
         case PERMIT_NO_PASSWD:
                 if (strcmp(method, "publickey") == 0 ||
                     strcmp(method, "hostbased") == 0 ||
-                    strcmp(method, "gssapi-with-mic"))
+                    strcmp(method, "gssapi-with-mic") == 0)
                         return 1;
                 break;
         case PERMIT_FORCED_ONLY:
diff --git a/compat.c b/compat.c
index eef5fbba5..55838044c 100644
--- a/compat.c
+++ b/compat.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: compat.c,v 1.96 2015/07/28 23:20:42 djm Exp $ */
+/* $OpenBSD: compat.c,v 1.97 2015/08/19 23:21:42 djm Exp $ */
 /*
  * Copyright (c) 1999, 2000, 2001, 2002 Markus Friedl.  All rights reserved.
  *
@@ -176,6 +176,7 @@ compat_datafellows(const char *version)
                   "PuTTY_Release_0.63*,"
                   "PuTTY_Release_0.64*",
                                         SSH_OLD_DHGEX },
+                { "FuTTY*",             SSH_OLD_DHGEX }, /* Putty Fork */
                 { "Probe-*",
                                         SSH_BUG_PROBE },
                 { "TeraTerm SSH*,"
@@ -189,7 +190,17 @@ compat_datafellows(const char *version)
                   "TTSSH/2.70*,"
                   "TTSSH/2.71*,"
                   "TTSSH/2.72*",        SSH_BUG_HOSTKEYS },
-                { "WinSCP*",            SSH_OLD_DHGEX },
+                { "WinSCP_release_4*,"
+                  "WinSCP_release_5.0*,"
+                  "WinSCP_release_5.1*,"
+                  "WinSCP_release_5.5*,"
+                  "WinSCP_release_5.6*,"
+                  "WinSCP_release_5.7,"
+                  "WinSCP_release_5.7.1,"
+                  "WinSCP_release_5.7.2,"
+                  "WinSCP_release_5.7.3,"
+                  "WinSCP_release_5.7.4",
+                                        SSH_OLD_DHGEX },
                 { NULL,                 0 }
         };
 
diff --git a/contrib/README b/contrib/README
index c00223865..60e19ba9f 100644
--- a/contrib/README
+++ b/contrib/README
@@ -11,7 +11,7 @@ which allows the use of outbound SSH from behind a SOCKS4, SOCKS5 or
 https CONNECT style proxy server. His page for connect.c has extensive
 documentation on its use as well as compiled versions for Win32.
 
-http://www.taiyo.co.jp/~gotoh/ssh/connect.html
+https://bitbucket.org/gotoh/connect/wiki/Home
 
 
 X11 SSH Askpass:
diff --git a/contrib/redhat/openssh.spec b/contrib/redhat/openssh.spec
index 5de787555..5b27106fb 100644
--- a/contrib/redhat/openssh.spec
+++ b/contrib/redhat/openssh.spec
@@ -1,4 +1,4 @@
-%define ver 7.0p1
+%define ver 7.1p1
 %define rel 1
 
 # OpenSSH privilege separation requires a user & group ID
diff --git a/contrib/suse/openssh.spec b/contrib/suse/openssh.spec
index dd9692da1..596895882 100644
--- a/contrib/suse/openssh.spec
+++ b/contrib/suse/openssh.spec
@@ -13,7 +13,7 @@
 
 Summary:        OpenSSH, a free Secure Shell (SSH) protocol implementation
 Name:           openssh
-Version:        7.0p1
+Version:        7.1p1
 URL:            http://www.openssh.com/
 Release:        1
 Source0:        openssh-%{version}.tar.gz
diff --git a/debian/.git-dpm b/debian/.git-dpm
index 77f37fc00..3e36366c8 100644
--- a/debian/.git-dpm
+++ b/debian/.git-dpm
@@ -1,8 +1,8 @@
 # see git-dpm(1) from git-dpm package
-6d0faf6dc76ac8cc73d6f8e478db7c97f7013a2d
-6d0faf6dc76ac8cc73d6f8e478db7c97f7013a2d
-58ddb8ad21f21f5358db0204c4ba9abf94a1ca11
-58ddb8ad21f21f5358db0204c4ba9abf94a1ca11
-openssh_7.0p1.orig.tar.gz
-d8337c9eab91d360d104f6dd805f8b32089c063c
-1493376
+733c4de05612fe398ac3dc7d31d318d7012fda05
+733c4de05612fe398ac3dc7d31d318d7012fda05
+651211fd4a199b299540c00c54a46e27fadb04be
+651211fd4a199b299540c00c54a46e27fadb04be
+openssh_7.1p1.orig.tar.gz
+ed22af19f962262c493fcc6ed8c8826b2761d9b6
+1493170
diff --git a/debian/README.Debian b/debian/README.Debian
index 9d029585c..d26e5a39d 100644
--- a/debian/README.Debian
+++ b/debian/README.Debian
@@ -20,7 +20,7 @@ PermitRootLogin
 
 As of 1:6.6p1-1, new installations will be set to "PermitRootLogin
 without-password" (or the synonymous "PermitRootLogin prohibit-password" as
-of 1:7.0p1-1).  This disables password authentication for root, foiling
+of 1:7.1p1-1).  This disables password authentication for root, foiling
 password dictionary attacks on the root user.  Some sites may wish to use
 the stronger "PermitRootLogin forced-commands-only" or "PermitRootLogin no",
 but note that "PermitRootLogin no" will break setups that SSH to root with a
diff --git a/debian/changelog b/debian/changelog
index 262b74285..2ce43a7f9 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,4 +1,4 @@
-openssh (1:7.0p1-1) UNRELEASED; urgency=medium
+openssh (1:7.1p1-1) UNRELEASED; urgency=medium
 
   * New upstream release (http://www.openssh.com/txt/release-7.0, closes:
     #785190):
@@ -43,6 +43,17 @@ openssh (1:7.0p1-1) UNRELEASED; urgency=medium
     - sshd(8): Clarify documentation for UseDNS option.
     - Check realpath(3) behaviour matches what sftp-server requires and use
       a replacement if necessary.
+  * New upstream release (http://www.openssh.com/txt/release-7.1):
+    - sshd(8): OpenSSH 7.0 contained a logic error in PermitRootLogin=
+      prohibit-password/without-password that could, depending on
+      compile-time configuration, permit password authentication to root
+      while preventing other forms of authentication.  This problem was
+      reported by Mantas Mikulenas.
+    - ssh(1), sshd(8): Add compatibility workarounds for FuTTY.
+    - ssh(1), sshd(8): Refine compatibility workarounds for WinSCP.
+    - Fix a number of memory faults (double-free, free of uninitialised
+      memory, etc) in ssh(1) and ssh-keygen(1).  Reported by Mateusz
+      Kocielski.
   * Change "PermitRootLogin without-password" to the new preferred spelling
     of "PermitRootLogin prohibit-password" in sshd_config, and update
     documentation to reflect the new upstream default.
diff --git a/debian/openssh-server.postinst b/debian/openssh-server.postinst
index 72e993d0a..2c6c53d88 100644
--- a/debian/openssh-server.postinst
+++ b/debian/openssh-server.postinst
@@ -314,7 +314,7 @@ if [ "$action" = configure ]; then
            db_get openssh-server/permit-root-login && [ "$RET" = true ]; then
             set_config_option PermitRootLogin prohibit-password
         fi
-        if dpkg --compare-versions "$2" lt-nl 1:7.0p1-1 && \
+        if dpkg --compare-versions "$2" lt-nl 1:7.1p1-1 && \
            [ "$(get_config_option PermitRootLogin)" = without-password ]; then
             set_config_option PermitRootLogin prohibit-password
         fi
diff --git a/debian/patches/auth-log-verbosity.patch b/debian/patches/auth-log-verbosity.patch
index 2ed4f2a4c..e5cbafbfe 100644
--- a/debian/patches/auth-log-verbosity.patch
+++ b/debian/patches/auth-log-verbosity.patch
@@ -1,4 +1,4 @@
-From 1b41ad6426301c5131aa93d0915f6c5e69cff645 Mon Sep 17 00:00:00 2001
+From 36dac160eeb9000539ca78f9734bb220258df146 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:10:02 +0000
 Subject: Quieten logs when multiple from= restrictions are used
diff --git a/debian/patches/authorized-keys-man-symlink.patch b/debian/patches/authorized-keys-man-symlink.patch
index 6d2e5b544..b1d1dac27 100644
--- a/debian/patches/authorized-keys-man-symlink.patch
+++ b/debian/patches/authorized-keys-man-symlink.patch
@@ -1,4 +1,4 @@
-From 0eeaf623887ccabc08ba20150618daca817fcba5 Mon Sep 17 00:00:00 2001
+From ca0198a88f1eaae2962454c228e79437dc6080bf Mon Sep 17 00:00:00 2001
 From: Tomas Pospisek <tpo_deb@sourcepole.ch>
 Date: Sun, 9 Feb 2014 16:10:07 +0000
 Subject: Install authorized_keys(5) as a symlink to sshd(8)
diff --git a/debian/patches/debian-banner.patch b/debian/patches/debian-banner.patch
index 35659cd33..59de3b115 100644
--- a/debian/patches/debian-banner.patch
+++ b/debian/patches/debian-banner.patch
@@ -1,4 +1,4 @@
-From bb18ca3880d333834c89f535032cdf12bc362fdf Mon Sep 17 00:00:00 2001
+From e4e2b402150f28abadcd565941ab51c2bcbac8ce Mon Sep 17 00:00:00 2001
 From: Kees Cook <kees@debian.org>
 Date: Sun, 9 Feb 2014 16:10:06 +0000
 Subject: Add DebianBanner server configuration option
@@ -80,7 +80,7 @@ index 778ba17..161fa37 100644
  
  /* Information about the incoming connection as used by Match */
 diff --git a/sshd.c b/sshd.c
-index e3ac37b..d9f5199 100644
+index 0d4fb7f..6024e0e 100644
 --- a/sshd.c
 +++ b/sshd.c
 @@ -443,7 +443,8 @@ sshd_exchange_identification(int sock_in, int sock_out)
@@ -94,7 +94,7 @@ index e3ac37b..d9f5199 100644
             options.version_addendum, newline);
  
 diff --git a/sshd_config.5 b/sshd_config.5
-index 154e87e..641e1fa 100644
+index c8ee35d..b149bd3 100644
 --- a/sshd_config.5
 +++ b/sshd_config.5
 @@ -533,6 +533,11 @@ or
diff --git a/debian/patches/debian-config.patch b/debian/patches/debian-config.patch
index aae4e7d34..ddc9de44a 100644
--- a/debian/patches/debian-config.patch
+++ b/debian/patches/debian-config.patch
@@ -1,4 +1,4 @@
-From 6d0faf6dc76ac8cc73d6f8e478db7c97f7013a2d Mon Sep 17 00:00:00 2001
+From 733c4de05612fe398ac3dc7d31d318d7012fda05 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:10:18 +0000
 Subject: Various Debian-specific configuration changes
@@ -107,7 +107,7 @@ index 228e5ab..c9386aa 100644
 +    GSSAPIAuthentication yes
 +    GSSAPIDelegateCredentials no
 diff --git a/ssh_config.5 b/ssh_config.5
-index 5bc04b0..aaa435a 100644
+index 680ca17..981197d 100644
 --- a/ssh_config.5
 +++ b/ssh_config.5
 @@ -74,6 +74,22 @@ Since the first obtained value for each parameter is used, more
@@ -144,7 +144,7 @@ index 5bc04b0..aaa435a 100644
  See the X11 SECURITY extension specification for full details on
  the restrictions imposed on untrusted clients.
 diff --git a/sshd_config.5 b/sshd_config.5
-index 7e40a27..92c23bc 100644
+index 0828592..0be7250 100644
 --- a/sshd_config.5
 +++ b/sshd_config.5
 @@ -57,6 +57,31 @@ Arguments may optionally be enclosed in double quotes
diff --git a/debian/patches/dnssec-sshfp.patch b/debian/patches/dnssec-sshfp.patch
index 922798aea..3d4341ff2 100644
--- a/debian/patches/dnssec-sshfp.patch
+++ b/debian/patches/dnssec-sshfp.patch
@@ -1,4 +1,4 @@
-From 460260ae3681984ef9fbc0f19fb5d46668eede4e Mon Sep 17 00:00:00 2001
+From a8e8eba67d79734c2f0b85c54aa5d60132b6e2e8 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:10:01 +0000
 Subject: Force use of DNSSEC even if "options edns0" isn't in resolv.conf
@@ -18,7 +18,7 @@ Patch-Name: dnssec-sshfp.patch
  3 files changed, 21 insertions(+), 6 deletions(-)
 
 diff --git a/dns.c b/dns.c
-index f201b60..a406f58 100644
+index e813afe..fce2e30 100644
 --- a/dns.c
 +++ b/dns.c
 @@ -206,6 +206,7 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address,
diff --git a/debian/patches/doc-hash-tab-completion.patch b/debian/patches/doc-hash-tab-completion.patch
index b27e19f2b..42d83959b 100644
--- a/debian/patches/doc-hash-tab-completion.patch
+++ b/debian/patches/doc-hash-tab-completion.patch
@@ -1,4 +1,4 @@
-From def9d74686cb82e98686c1357babd9d24b8b7c54 Mon Sep 17 00:00:00 2001
+From 133721fc651693820cf41563418d26fccdedd742 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:10:11 +0000
 Subject: Document that HashKnownHosts may break tab-completion
@@ -13,7 +13,7 @@ Patch-Name: doc-hash-tab-completion.patch
  1 file changed, 3 insertions(+)
 
 diff --git a/ssh_config.5 b/ssh_config.5
-index b07e866..5bc04b0 100644
+index 37f3ab8..680ca17 100644
 --- a/ssh_config.5
 +++ b/ssh_config.5
 @@ -809,6 +809,9 @@ Note that existing names and addresses in known hosts files
diff --git a/debian/patches/doc-upstart.patch b/debian/patches/doc-upstart.patch
index c1fcbcd37..357d7318e 100644
--- a/debian/patches/doc-upstart.patch
+++ b/debian/patches/doc-upstart.patch
@@ -1,4 +1,4 @@
-From 49f2be4bc5297798aa3cd54ba1417804c14f8d38 Mon Sep 17 00:00:00 2001
+From fc8c21a1b1b6710b2b41a8daef56d00bfb19885d Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@ubuntu.com>
 Date: Sun, 9 Feb 2014 16:10:12 +0000
 Subject: Refer to ssh's Upstart job as well as its init script
diff --git a/debian/patches/gnome-ssh-askpass2-icon.patch b/debian/patches/gnome-ssh-askpass2-icon.patch
index 91fb20bb3..ba9825f40 100644
--- a/debian/patches/gnome-ssh-askpass2-icon.patch
+++ b/debian/patches/gnome-ssh-askpass2-icon.patch
@@ -1,4 +1,4 @@
-From 820ff9bbc530c4f736c883caf4a773fa397ffacc Mon Sep 17 00:00:00 2001
+From d45f510086dc79305ea6cfd336908798fbbda563 Mon Sep 17 00:00:00 2001
 From: Vincent Untz <vuntz@ubuntu.com>
 Date: Sun, 9 Feb 2014 16:10:16 +0000
 Subject: Give the ssh-askpass-gnome window a default icon
diff --git a/debian/patches/gssapi.patch b/debian/patches/gssapi.patch
index 3d6dfac9a..4ab9ca373 100644
--- a/debian/patches/gssapi.patch
+++ b/debian/patches/gssapi.patch
@@ -1,4 +1,4 @@
-From 233e78235070e871b658c8f289e600bd52a99711 Mon Sep 17 00:00:00 2001
+From 09c4d9b7d41ab3c9973f07e0109e931f57c59c43 Mon Sep 17 00:00:00 2001
 From: Simon Wilkinson <simon@sxw.org.uk>
 Date: Sun, 9 Feb 2014 16:09:48 +0000
 Subject: GSSAPI key exchange support
@@ -2540,7 +2540,7 @@ index 03a228f..228e5ab 100644
  #   CheckHostIP yes
  #   AddressFamily any
 diff --git a/ssh_config.5 b/ssh_config.5
-index 5b0975f..b2dc49b 100644
+index a47f3ca..cac8cda 100644
 --- a/ssh_config.5
 +++ b/ssh_config.5
 @@ -749,11 +749,45 @@ Specifies whether user authentication based on GSSAPI is allowed.
@@ -2793,7 +2793,7 @@ index 7751031..e2ea826 100644
  
  int
 diff --git a/sshd.c b/sshd.c
-index c7dd8cb..32adb1f 100644
+index 65ef7e8..839c2e0 100644
 --- a/sshd.c
 +++ b/sshd.c
 @@ -126,6 +126,10 @@
@@ -2959,7 +2959,7 @@ index 4d77f05..64786c9 100644
  # Set this to 'yes' to enable PAM authentication, account processing,
  # and session processing. If this is enabled, PAM authentication will
 diff --git a/sshd_config.5 b/sshd_config.5
-index 58e277f..712f620 100644
+index b18d340..5491c89 100644
 --- a/sshd_config.5
 +++ b/sshd_config.5
 @@ -621,6 +621,12 @@ Specifies whether user authentication based on GSSAPI is allowed.
@@ -2988,7 +2988,7 @@ index 58e277f..712f620 100644
  Specifies the key types that will be accepted for hostbased authentication
  as a comma-separated pattern list.
 diff --git a/sshkey.c b/sshkey.c
-index dbb16e2..14b6dc3 100644
+index 32dd8f2..5368e7c 100644
 --- a/sshkey.c
 +++ b/sshkey.c
 @@ -112,6 +112,7 @@ static const struct keytype keytypes[] = {
diff --git a/debian/patches/helpful-wait-terminate.patch b/debian/patches/helpful-wait-terminate.patch
index 504abe68d..a5ea56083 100644
--- a/debian/patches/helpful-wait-terminate.patch
+++ b/debian/patches/helpful-wait-terminate.patch
@@ -1,4 +1,4 @@
-From 9fb8297943f1b331129f26606867c5dec2d05317 Mon Sep 17 00:00:00 2001
+From 4ba040812693f5823bc8643cfb82a581a5e8e5db Mon Sep 17 00:00:00 2001
 From: Matthew Vernon <matthew@debian.org>
 Date: Sun, 9 Feb 2014 16:09:56 +0000
 Subject: Mention ~& when waiting for forwarded connections to terminate
diff --git a/debian/patches/keepalive-extensions.patch b/debian/patches/keepalive-extensions.patch
index 9c6fdca0b..81c8935b1 100644
--- a/debian/patches/keepalive-extensions.patch
+++ b/debian/patches/keepalive-extensions.patch
@@ -1,4 +1,4 @@
-From 25698ed1091d932244f94e7c802dce05c458749a Mon Sep 17 00:00:00 2001
+From 5664b20b9d8ee691d664333b83ebb5e7560933a4 Mon Sep 17 00:00:00 2001
 From: Richard Kettlewell <rjk@greenend.org.uk>
 Date: Sun, 9 Feb 2014 16:09:52 +0000
 Subject: Various keepalive extensions
@@ -72,7 +72,7 @@ index 522ad37..46c343f 100644
                 options->server_alive_count_max = 3;
         if (options->control_master == -1)
 diff --git a/ssh_config.5 b/ssh_config.5
-index 82dcf0c..f517159 100644
+index 673d0b7..4e34115 100644
 --- a/ssh_config.5
 +++ b/ssh_config.5
 @@ -233,8 +233,12 @@ Valid arguments are
@@ -120,7 +120,7 @@ index 82dcf0c..f517159 100644
  connections will die if the route is down temporarily, and some people
  find it annoying.
 diff --git a/sshd_config.5 b/sshd_config.5
-index 712f620..154e87e 100644
+index 5491c89..c8ee35d 100644
 --- a/sshd_config.5
 +++ b/sshd_config.5
 @@ -1510,6 +1510,9 @@ This avoids infinitely hanging sessions.
diff --git a/debian/patches/lintian-symlink-pickiness.patch b/debian/patches/lintian-symlink-pickiness.patch
index 7c288b452..14e704132 100644
--- a/debian/patches/lintian-symlink-pickiness.patch
+++ b/debian/patches/lintian-symlink-pickiness.patch
@@ -1,4 +1,4 @@
-From 2b5cab64ee1a2c917bf1b076fb81709cc0ea97d9 Mon Sep 17 00:00:00 2001
+From 615714e35f934eb8f212070549f396c624a64b26 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:10:08 +0000
 Subject: Fix picky lintian errors about slogin symlinks
diff --git a/debian/patches/mention-ssh-keygen-on-keychange.patch b/debian/patches/mention-ssh-keygen-on-keychange.patch
index 418a5d1b2..50e128020 100644
--- a/debian/patches/mention-ssh-keygen-on-keychange.patch
+++ b/debian/patches/mention-ssh-keygen-on-keychange.patch
@@ -1,4 +1,4 @@
-From 20ba3686f33c1dbb34583b8731582fdc7181a831 Mon Sep 17 00:00:00 2001
+From a28ed57e3db85165476dddad441fc55f683fbaf4 Mon Sep 17 00:00:00 2001
 From: Scott Moser <smoser@ubuntu.com>
 Date: Sun, 9 Feb 2014 16:10:03 +0000
 Subject: Mention ssh-keygen in ssh fingerprint changed warning
@@ -13,7 +13,7 @@ Patch-Name: mention-ssh-keygen-on-keychange.patch
  1 file changed, 7 insertions(+), 1 deletion(-)
 
 diff --git a/sshconnect.c b/sshconnect.c
-index 8adc943..4aff104 100644
+index cd467fd..bbde8af 100644
 --- a/sshconnect.c
 +++ b/sshconnect.c
 @@ -1078,9 +1078,13 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
diff --git a/debian/patches/no-openssl-version-status.patch b/debian/patches/no-openssl-version-status.patch
index 6bc7618fd..ad3164cab 100644
--- a/debian/patches/no-openssl-version-status.patch
+++ b/debian/patches/no-openssl-version-status.patch
@@ -1,4 +1,4 @@
-From 151c2cd6257c44a9ba51bf7af75bb7d2761cf492 Mon Sep 17 00:00:00 2001
+From 576cbedac5684f24e6ff61fe70edfc81945fd7dd Mon Sep 17 00:00:00 2001
 From: Kurt Roeckx <kurt@roeckx.be>
 Date: Sun, 9 Feb 2014 16:10:14 +0000
 Subject: Don't check the status field of the OpenSSL version
diff --git a/debian/patches/openbsd-docs.patch b/debian/patches/openbsd-docs.patch
index 389e8e73f..887e93aac 100644
--- a/debian/patches/openbsd-docs.patch
+++ b/debian/patches/openbsd-docs.patch
@@ -1,4 +1,4 @@
-From d4a383b11e186c0db65b9a2779ad5f5889563ceb Mon Sep 17 00:00:00 2001
+From b2f2bca0fb145fbf2ffdfadc3b206f212be0a7dc Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:10:09 +0000
 Subject: Adjust various OpenBSD-specific references in manual pages
@@ -44,7 +44,7 @@ index ef0de08..149846c 100644
  .Sh SEE ALSO
  .Xr ssh-keygen 1 ,
 diff --git a/ssh-keygen.1 b/ssh-keygen.1
-index 8c3317b..1a8644e 100644
+index ed17a08..c560179 100644
 --- a/ssh-keygen.1
 +++ b/ssh-keygen.1
 @@ -174,9 +174,7 @@ key in
@@ -133,7 +133,7 @@ index 2105979..42ba596 100644
  .Xr sshd_config 5 ,
  .Xr inetd 8 ,
 diff --git a/sshd_config.5 b/sshd_config.5
-index 641e1fa..7e40a27 100644
+index b149bd3..0828592 100644
 --- a/sshd_config.5
 +++ b/sshd_config.5
 @@ -374,8 +374,7 @@ This option is only available for protocol version 2.
diff --git a/debian/patches/package-versioning.patch b/debian/patches/package-versioning.patch
index e2b40654c..02f11bec0 100644
--- a/debian/patches/package-versioning.patch
+++ b/debian/patches/package-versioning.patch
@@ -1,4 +1,4 @@
-From 4e80e6a84e57783718ca225021a597713c44c2a2 Mon Sep 17 00:00:00 2001
+From 40fc1212b3c06063cf3926aa8e8209e1fa05436f Mon Sep 17 00:00:00 2001
 From: Matthew Vernon <matthew@debian.org>
 Date: Sun, 9 Feb 2014 16:10:05 +0000
 Subject: Include the Debian version in our identification
@@ -19,7 +19,7 @@ Patch-Name: package-versioning.patch
  3 files changed, 9 insertions(+), 4 deletions(-)
 
 diff --git a/sshconnect.c b/sshconnect.c
-index 4aff104..2999061 100644
+index bbde8af..0ec1e54 100644
 --- a/sshconnect.c
 +++ b/sshconnect.c
 @@ -524,10 +524,10 @@ send_client_banner(int connection_out, int minor1)
@@ -36,7 +36,7 @@ index 4aff104..2999061 100644
         if (roaming_atomicio(vwrite, connection_out, client_version_string,
             strlen(client_version_string)) != strlen(client_version_string))
 diff --git a/sshd.c b/sshd.c
-index f60c9e0..e3ac37b 100644
+index 0537bc9..0d4fb7f 100644
 --- a/sshd.c
 +++ b/sshd.c
 @@ -443,7 +443,7 @@ sshd_exchange_identification(int sock_in, int sock_out)
@@ -49,11 +49,11 @@ index f60c9e0..e3ac37b 100644
             options.version_addendum, newline);
  
 diff --git a/version.h b/version.h
-index 7a5dbc8..f665356 100644
+index d917ca1..5c22d90 100644
 --- a/version.h
 +++ b/version.h
 @@ -3,4 +3,9 @@
- #define SSH_VERSION    "OpenSSH_7.0"
+ #define SSH_VERSION    "OpenSSH_7.1"
  
  #define SSH_PORTABLE   "p1"
 -#define SSH_RELEASE    SSH_VERSION SSH_PORTABLE
diff --git a/debian/patches/quieter-signals.patch b/debian/patches/quieter-signals.patch
index b457610f4..cc10ef7b8 100644
--- a/debian/patches/quieter-signals.patch
+++ b/debian/patches/quieter-signals.patch
@@ -1,4 +1,4 @@
-From 5ddd42354edfbe0d5cc607d007f8c655ec351e2f Mon Sep 17 00:00:00 2001
+From f7d2bb35f07cfcab63fc8cf3cd9bef646065482c Mon Sep 17 00:00:00 2001
 From: Peter Samuelson <peter@p12n.org>
 Date: Sun, 9 Feb 2014 16:09:55 +0000
 Subject: Reduce severity of "Killed by signal %d"
diff --git a/debian/patches/restore-tcp-wrappers.patch b/debian/patches/restore-tcp-wrappers.patch
index 21c30a0ef..5778440b9 100644
--- a/debian/patches/restore-tcp-wrappers.patch
+++ b/debian/patches/restore-tcp-wrappers.patch
@@ -1,4 +1,4 @@
-From 206272ccede7e6fac5d7fda30ea305349b8ad781 Mon Sep 17 00:00:00 2001
+From 2cd06c4a70dfb22fd1d54779173b5e086c52e08f Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Tue, 7 Oct 2014 13:22:41 +0100
 Subject: Restore TCP wrappers support
@@ -128,7 +128,7 @@ index 213b5fc..2105979 100644
  .Xr moduli 5 ,
  .Xr sshd_config 5 ,
 diff --git a/sshd.c b/sshd.c
-index 32adb1f..4d8a5e8 100644
+index 839c2e0..0e30e6e 100644
 --- a/sshd.c
 +++ b/sshd.c
 @@ -130,6 +130,13 @@
diff --git a/debian/patches/scp-quoting.patch b/debian/patches/scp-quoting.patch
index ec9c62e6b..c45aad58f 100644
--- a/debian/patches/scp-quoting.patch
+++ b/debian/patches/scp-quoting.patch
@@ -1,4 +1,4 @@
-From 39649ea621545db3692a0ecdb2e3e9bf1bec21d5 Mon Sep 17 00:00:00 2001
+From a4fade6aaf7df4c6a01fc353a5cd689e0073e367 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Nicolas=20Valc=C3=A1rcel?= <nvalcarcel@ubuntu.com>
 Date: Sun, 9 Feb 2014 16:09:59 +0000
 Subject: Adjust scp quoting in verbose mode
diff --git a/debian/patches/selinux-role.patch b/debian/patches/selinux-role.patch
index a8b214fb4..aee443d87 100644
--- a/debian/patches/selinux-role.patch
+++ b/debian/patches/selinux-role.patch
@@ -1,4 +1,4 @@
-From 10dec1266aa5cf1ad906b1bef6f67edc322c00cb Mon Sep 17 00:00:00 2001
+From d55bc528ac450324522f02d90a2bdc4832d1eef8 Mon Sep 17 00:00:00 2001
 From: Manoj Srivastava <srivasta@debian.org>
 Date: Sun, 9 Feb 2014 16:09:49 +0000
 Subject: Handle SELinux authorisation roles
@@ -458,7 +458,7 @@ index 6a2f35e..ef6593c 100644
                        const char *value);
  
 diff --git a/sshd.c b/sshd.c
-index 4d8a5e8..f60c9e0 100644
+index 0e30e6e..0537bc9 100644
 --- a/sshd.c
 +++ b/sshd.c
 @@ -782,7 +782,7 @@ privsep_postauth(Authctxt *authctxt)
diff --git a/debian/patches/shell-path.patch b/debian/patches/shell-path.patch
index d75268651..56f85c14e 100644
--- a/debian/patches/shell-path.patch
+++ b/debian/patches/shell-path.patch
@@ -1,4 +1,4 @@
-From e6ac786efa1922c3a4846023b85b4425c3b27624 Mon Sep 17 00:00:00 2001
+From e4ba682033c1e53b52cf4b03924b69f54945f1b5 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:10:00 +0000
 Subject: Look for $SHELL on the path for ProxyCommand/LocalCommand
@@ -16,7 +16,7 @@ Patch-Name: shell-path.patch
  1 file changed, 2 insertions(+), 2 deletions(-)
 
 diff --git a/sshconnect.c b/sshconnect.c
-index f41960c..8adc943 100644
+index 17fbe39..cd467fd 100644
 --- a/sshconnect.c
 +++ b/sshconnect.c
 @@ -231,7 +231,7 @@ ssh_proxy_connect(const char *host, u_short port, const char *proxy_command)
diff --git a/debian/patches/sigstop.patch b/debian/patches/sigstop.patch
index 07cc502ea..4873a0527 100644
--- a/debian/patches/sigstop.patch
+++ b/debian/patches/sigstop.patch
@@ -1,4 +1,4 @@
-From 28b42c7cc08dd3dbdc149281912a41ae65594301 Mon Sep 17 00:00:00 2001
+From 7ce7aa96b03196d9d799f4caf6e4c7c6c2bed7da Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:10:17 +0000
 Subject: Support synchronisation with service supervisor using SIGSTOP
@@ -13,7 +13,7 @@ Patch-Name: sigstop.patch
  1 file changed, 10 insertions(+)
 
 diff --git a/sshd.c b/sshd.c
-index d9f5199..b345c9f 100644
+index 6024e0e..7e72b9b 100644
 --- a/sshd.c
 +++ b/sshd.c
 @@ -2042,6 +2042,16 @@ main(int ac, char **av)
diff --git a/debian/patches/ssh-agent-setgid.patch b/debian/patches/ssh-agent-setgid.patch
index 5cabd8ead..8d40231f8 100644
--- a/debian/patches/ssh-agent-setgid.patch
+++ b/debian/patches/ssh-agent-setgid.patch
@@ -1,4 +1,4 @@
-From ffd0bdfb5e16b792de4f98ca19f94d9e2fb8b281 Mon Sep 17 00:00:00 2001
+From 76ec1a4c34296f1485ce98e301a3d35c9779c2ea Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:10:13 +0000
 Subject: Document consequences of ssh-agent being setgid in ssh-agent(1)
diff --git a/debian/patches/ssh-argv0.patch b/debian/patches/ssh-argv0.patch
index e2c977c72..8e77dadb4 100644
--- a/debian/patches/ssh-argv0.patch
+++ b/debian/patches/ssh-argv0.patch
@@ -1,4 +1,4 @@
-From c243ac551b1f62aae59ee8ae29166fd410d4e9d4 Mon Sep 17 00:00:00 2001
+From 80872a9a228eee6b7f189e9770fcf89fb8bca7fa Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:10:10 +0000
 Subject: ssh(1): Refer to ssh-argv0(1)
diff --git a/debian/patches/ssh-vulnkey-compat.patch b/debian/patches/ssh-vulnkey-compat.patch
index 8fb05d4c4..f9736f7d6 100644
--- a/debian/patches/ssh-vulnkey-compat.patch
+++ b/debian/patches/ssh-vulnkey-compat.patch
@@ -1,4 +1,4 @@
-From 89dd60ab74e7ebfe4f234c4068fa941479535d8e Mon Sep 17 00:00:00 2001
+From 250d744e08a4f88cd547023cb2f036b2cdfd569b Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@ubuntu.com>
 Date: Sun, 9 Feb 2014 16:09:50 +0000
 Subject: Accept obsolete ssh-vulnkey configuration options
diff --git a/debian/patches/ssh1-keepalive.patch b/debian/patches/ssh1-keepalive.patch
index cf414d4d5..e58de3d56 100644
--- a/debian/patches/ssh1-keepalive.patch
+++ b/debian/patches/ssh1-keepalive.patch
@@ -1,4 +1,4 @@
-From f1b6288dd90b72d4cad7e65f35d05148a5ba1874 Mon Sep 17 00:00:00 2001
+From 5e3b425ba1e334c987c5e15abf3d90e9eb776ab3 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:09:51 +0000
 Subject: Partial server keep-alive implementation for SSH1
@@ -57,7 +57,7 @@ index fba1b54..9e45d24 100644
                 server_alive_time = now + options.server_alive_interval;
         }
 diff --git a/ssh_config.5 b/ssh_config.5
-index b2dc49b..82dcf0c 100644
+index cac8cda..673d0b7 100644
 --- a/ssh_config.5
 +++ b/ssh_config.5
 @@ -1468,7 +1468,10 @@ If, for example,
diff --git a/debian/patches/syslog-level-silent.patch b/debian/patches/syslog-level-silent.patch
index aca618985..18efd6804 100644
--- a/debian/patches/syslog-level-silent.patch
+++ b/debian/patches/syslog-level-silent.patch
@@ -1,4 +1,4 @@
-From 19ab567e88d730a6862aab3fb33e399a9c3f67b2 Mon Sep 17 00:00:00 2001
+From 063fd3991309c88df5ea2625d663c3958e79b841 Mon Sep 17 00:00:00 2001
 From: Jonathan David Amery <jdamery@ysolde.ucam.org>
 Date: Sun, 9 Feb 2014 16:09:54 +0000
 Subject: "LogLevel SILENT" compatibility
diff --git a/debian/patches/user-group-modes.patch b/debian/patches/user-group-modes.patch
index b147b45eb..d70822b79 100644
--- a/debian/patches/user-group-modes.patch
+++ b/debian/patches/user-group-modes.patch
@@ -1,4 +1,4 @@
-From d0e69ff6f823231b121af1fe8bbe9442bfed4fe8 Mon Sep 17 00:00:00 2001
+From 68538f6919550b36ae9d812a1c2c52dbe9354608 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:09:58 +0000
 Subject: Allow harmless group-writability
@@ -52,7 +52,7 @@ index ee9e827..2ff2cff 100644
                             pw->pw_name, buf);
                         auth_debug_add("Bad file modes for %.200s", buf);
 diff --git a/auth.c b/auth.c
-index fc32f6c..8255d22 100644
+index 214c2c7..25be632 100644
 --- a/auth.c
 +++ b/auth.c
 @@ -424,8 +424,7 @@ check_key_in_hostfiles(struct passwd *pw, Key *key, const char *host,
@@ -252,7 +252,7 @@ index 2ea0a20..ff80022 100644
  .It Pa ~/.ssh/environment
  Contains additional definitions for environment variables; see
 diff --git a/ssh_config.5 b/ssh_config.5
-index f517159..b07e866 100644
+index 4e34115..37f3ab8 100644
 --- a/ssh_config.5
 +++ b/ssh_config.5
 @@ -1760,6 +1760,8 @@ The format of this file is described above.
diff --git a/dns.c b/dns.c
index a406f5864..fce2e308f 100644
--- a/dns.c
+++ b/dns.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: dns.c,v 1.34 2015/01/28 22:36:00 djm Exp $ */
+/* $OpenBSD: dns.c,v 1.35 2015/08/20 22:32:42 deraadt Exp $ */
 
 /*
  * Copyright (c) 2003 Wesley Griffin. All rights reserved.
@@ -154,7 +154,7 @@ dns_read_rdata(u_int8_t *algorithm, u_int8_t *digest_type,
                 *digest_len = rdata_len - 2;
 
                 if (*digest_len > 0) {
-                        *digest = (u_char *) xmalloc(*digest_len);
+                        *digest = xmalloc(*digest_len);
                         memcpy(*digest, rdata + 2, *digest_len);
                 } else {
                         *digest = (u_char *)xstrdup("");
diff --git a/mux.c b/mux.c
index cdc01bd4f..e6136fd28 100644
--- a/mux.c
+++ b/mux.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: mux.c,v 1.53 2015/05/01 04:03:20 djm Exp $ */
+/* $OpenBSD: mux.c,v 1.54 2015/08/19 23:18:26 djm Exp $ */
 /*
  * Copyright (c) 2002-2008 Damien Miller <djm@openbsd.org>
  *
@@ -665,6 +665,8 @@ process_mux_open_fwd(u_int rid, Channel *c, Buffer *m, Buffer *r)
         u_int lport, cport;
         int i, ret = 0, freefwd = 1;
 
+        memset(&fwd, 0, sizeof(fwd));
+
         /* XXX - lport/cport check redundant */
         if (buffer_get_int_ret(&ftype, m) != 0 ||
             (listen_addr = buffer_get_string_ret(m, NULL)) == NULL ||
@@ -832,6 +834,8 @@ process_mux_close_fwd(u_int rid, Channel *c, Buffer *m, Buffer *r)
         int i, ret = 0;
         u_int lport, cport;
 
+        memset(&fwd, 0, sizeof(fwd));
+
         if (buffer_get_int_ret(&ftype, m) != 0 ||
             (listen_addr = buffer_get_string_ret(m, NULL)) == NULL ||
             buffer_get_int_ret(&lport, m) != 0 ||
diff --git a/packet.c b/packet.c
index 6008c2d94..01d3e2970 100644
--- a/packet.c
+++ b/packet.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: packet.c,v 1.213 2015/07/29 04:43:06 djm Exp $ */
+/* $OpenBSD: packet.c,v 1.214 2015/08/20 22:32:42 deraadt Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -1272,7 +1272,7 @@ ssh_packet_read_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
 
         DBG(debug("packet_read()"));
 
-        setp = (fd_set *)calloc(howmany(state->connection_in + 1,
+        setp = calloc(howmany(state->connection_in + 1,
             NFDBITS), sizeof(fd_mask));
         if (setp == NULL)
                 return SSH_ERR_ALLOC_FAIL;
@@ -2036,7 +2036,7 @@ ssh_packet_write_wait(struct ssh *ssh)
         struct timeval start, timeout, *timeoutp = NULL;
         struct session_state *state = ssh->state;
 
-        setp = (fd_set *)calloc(howmany(state->connection_out + 1,
+        setp = calloc(howmany(state->connection_out + 1,
             NFDBITS), sizeof(fd_mask));
         if (setp == NULL)
                 return SSH_ERR_ALLOC_FAIL;
diff --git a/sftp-server.c b/sftp-server.c
index d1831bf8d..eac11d7e6 100644
--- a/sftp-server.c
+++ b/sftp-server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sftp-server.c,v 1.106 2015/04/24 01:36:01 deraadt Exp $ */
+/* $OpenBSD: sftp-server.c,v 1.107 2015/08/20 22:32:42 deraadt Exp $ */
 /*
  * Copyright (c) 2000-2004 Markus Friedl.  All rights reserved.
  *
@@ -1632,8 +1632,8 @@ sftp_server_main(int argc, char **argv, struct passwd *user_pw)
                 fatal("%s: sshbuf_new failed", __func__);
 
         set_size = howmany(max + 1, NFDBITS) * sizeof(fd_mask);
-        rset = (fd_set *)xmalloc(set_size);
-        wset = (fd_set *)xmalloc(set_size);
+        rset = xmalloc(set_size);
+        wset = xmalloc(set_size);
 
         if (homedir != NULL) {
                 if (chdir(homedir) != 0) {
diff --git a/sftp.c b/sftp.c
index cb9b967ed..788601a8d 100644
--- a/sftp.c
+++ b/sftp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sftp.c,v 1.170 2015/01/20 23:14:00 deraadt Exp $ */
+/* $OpenBSD: sftp.c,v 1.171 2015/08/20 22:32:42 deraadt Exp $ */
 /*
  * Copyright (c) 2001-2004 Damien Miller <djm@openbsd.org>
  *
@@ -1958,7 +1958,7 @@ complete(EditLine *el, int ch)
 
         /* Figure out which argument the cursor points to */
         cursor = lf->cursor - lf->buffer;
-        line = (char *)xmalloc(cursor + 1);
+        line = xmalloc(cursor + 1);
         memcpy(line, lf->buffer, cursor);
         line[cursor] = '\0';
         argv = makeargv(line, &carg, 1, &quote, &terminated);
@@ -1966,7 +1966,7 @@ complete(EditLine *el, int ch)
 
         /* Get all the arguments on the line */
         len = lf->lastchar - lf->buffer;
-        line = (char *)xmalloc(len + 1);
+        line = xmalloc(len + 1);
         memcpy(line, lf->buffer, len);
         line[len] = '\0';
         argv = makeargv(line, &argc, 1, NULL, NULL);
diff --git a/ssh-keygen.0 b/ssh-keygen.0
index a471a4055..07a45b36b 100644
--- a/ssh-keygen.0
+++ b/ssh-keygen.0
@@ -426,7 +426,7 @@ CERTIFICATES
      providing the token library using -D and identifying the CA key by
      providing its public half as an argument to -s:
 
-           $ ssh-keygen -s ca_key.pub -D libpkcs11.so -I key_id host_key.pub
+           $ ssh-keygen -s ca_key.pub -D libpkcs11.so -I key_id user_key.pub
 
      In all cases, key_id is a "key identifier" that is logged by the server
      when the certificate is used for authentication.
@@ -437,7 +437,7 @@ CERTIFICATES
      principals:
 
            $ ssh-keygen -s ca_key -I key_id -n user1,user2 user_key.pub
-           $ ssh-keygen -s ca_key -I key_id -h -n host.domain user_key.pub
+           $ ssh-keygen -s ca_key -I key_id -h -n host.domain host_key.pub
 
      Additional limitations on the validity and use of user certificates may
      be specified through certificate options.  A certificate option may
@@ -563,4 +563,4 @@ AUTHORS
      created OpenSSH.  Markus Friedl contributed the support for SSH protocol
      versions 1.5 and 2.0.
 
-OpenBSD 5.8                      July 3, 2015                      OpenBSD 5.8
+OpenBSD 5.8                     August 20, 2015                    OpenBSD 5.8
diff --git a/ssh-keygen.1 b/ssh-keygen.1
index 1a8644e21..c560179c8 100644
--- a/ssh-keygen.1
+++ b/ssh-keygen.1
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: ssh-keygen.1,v 1.126 2015/07/03 03:49:45 djm Exp $
+.\"     $OpenBSD: ssh-keygen.1,v 1.127 2015/08/20 19:20:06 naddy Exp $
 .\"
 .\" Author: Tatu Ylonen <ylo@cs.hut.fi>
 .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -35,7 +35,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: July 3 2015 $
+.Dd $Mdocdate: August 20 2015 $
 .Dt SSH-KEYGEN 1
 .Os
 .Sh NAME
@@ -676,7 +676,7 @@ and identifying the CA key by providing its public half as an argument
 to
 .Fl s :
 .Pp
-.Dl $ ssh-keygen -s ca_key.pub -D libpkcs11.so -I key_id host_key.pub
+.Dl $ ssh-keygen -s ca_key.pub -D libpkcs11.so -I key_id user_key.pub
 .Pp
 In all cases,
 .Ar key_id
@@ -689,7 +689,7 @@ By default, generated certificates are valid for all users or hosts.
 To generate a certificate for a specified set of principals:
 .Pp
 .Dl $ ssh-keygen -s ca_key -I key_id -n user1,user2 user_key.pub
-.Dl "$ ssh-keygen -s ca_key -I key_id -h -n host.domain user_key.pub"
+.Dl "$ ssh-keygen -s ca_key -I key_id -h -n host.domain host_key.pub"
 .Pp
 Additional limitations on the validity and use of user certificates may
 be specified through certificate options.
diff --git a/ssh-keygen.c b/ssh-keygen.c
index ea5f1e49e..4e0a85554 100644
--- a/ssh-keygen.c
+++ b/ssh-keygen.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-keygen.c,v 1.276 2015/07/03 03:49:45 djm Exp $ */
+/* $OpenBSD: ssh-keygen.c,v 1.277 2015/08/19 23:17:51 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -1201,7 +1201,8 @@ do_known_hosts(struct passwd *pw, const char *name)
                 exit(1);
         } else if (delete_host && !ctx.found_key) {
                 logit("Host %s not found in %s", name, identity_file);
-                unlink(tmp);
+                if (inplace)
+                        unlink(tmp);
         } else if (inplace) {
                 /* Backup existing file */
                 if (unlink(old) == -1 && errno != ENOENT)
diff --git a/ssh-pkcs11-helper.c b/ssh-pkcs11-helper.c
index ceabc8ba7..f2d586395 100644
--- a/ssh-pkcs11-helper.c
+++ b/ssh-pkcs11-helper.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-pkcs11-helper.c,v 1.10 2015/01/20 23:14:00 deraadt Exp $ */
+/* $OpenBSD: ssh-pkcs11-helper.c,v 1.11 2015/08/20 22:32:42 deraadt Exp $ */
 /*
  * Copyright (c) 2010 Markus Friedl.  All rights reserved.
  *
@@ -301,8 +301,8 @@ main(int argc, char **argv)
         buffer_init(&oqueue);
 
         set_size = howmany(max + 1, NFDBITS) * sizeof(fd_mask);
-        rset = (fd_set *)xmalloc(set_size);
-        wset = (fd_set *)xmalloc(set_size);
+        rset = xmalloc(set_size);
+        wset = xmalloc(set_size);
 
         for (;;) {
                 memset(rset, 0, set_size);
diff --git a/ssh_config.0 b/ssh_config.0
index 654807779..67133cd4d 100644
--- a/ssh_config.0
+++ b/ssh_config.0
@@ -205,9 +205,9 @@ DESCRIPTION
 
              The default is:
 
+                   chacha20-poly1305@openssh.com,
                    aes128-ctr,aes192-ctr,aes256-ctr,
                    aes128-gcm@openssh.com,aes256-gcm@openssh.com,
-                   chacha20-poly1305@openssh.com,
                    arcfour256,arcfour128,
                    aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,
                    aes192-cbc,aes256-cbc,arcfour
@@ -1023,4 +1023,4 @@ AUTHORS
      created OpenSSH.  Markus Friedl contributed the support for SSH protocol
      versions 1.5 and 2.0.
 
-OpenBSD 5.8                      July 30, 2015                     OpenBSD 5.8
+OpenBSD 5.8                     August 14, 2015                    OpenBSD 5.8
diff --git a/ssh_config.5 b/ssh_config.5
index aaa435a9d..981197ddf 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh_config.5,v 1.214 2015/07/30 00:01:34 djm Exp $
-.Dd $Mdocdate: July 30 2015 $
+.\" $OpenBSD: ssh_config.5,v 1.215 2015/08/14 15:32:41 jmc Exp $
+.Dd $Mdocdate: August 14 2015 $
 .Dt SSH_CONFIG 5
 .Os
 .Sh NAME
@@ -435,9 +435,9 @@ chacha20-poly1305@openssh.com
 .Pp
 The default is:
 .Bd -literal -offset indent
+chacha20-poly1305@openssh.com,
 aes128-ctr,aes192-ctr,aes256-ctr,
 aes128-gcm@openssh.com,aes256-gcm@openssh.com,
-chacha20-poly1305@openssh.com,
 arcfour256,arcfour128,
 aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,
 aes192-cbc,aes256-cbc,arcfour
diff --git a/sshconnect.c b/sshconnect.c
index 2999061b3..0ec1e54e9 100644
--- a/sshconnect.c
+++ b/sshconnect.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshconnect.c,v 1.262 2015/05/28 05:41:29 dtucker Exp $ */
+/* $OpenBSD: sshconnect.c,v 1.263 2015/08/20 22:32:42 deraadt Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -356,7 +356,7 @@ timeout_connect(int sockfd, const struct sockaddr *serv_addr,
                 goto done;
         }
 
-        fdset = (fd_set *)xcalloc(howmany(sockfd + 1, NFDBITS),
+        fdset = xcalloc(howmany(sockfd + 1, NFDBITS),
             sizeof(fd_mask));
         FD_SET(sockfd, fdset);
         ms_to_timeval(&tv, *timeoutp);
diff --git a/sshd.c b/sshd.c
index b345c9f9a..7e72b9b84 100644
--- a/sshd.c
+++ b/sshd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshd.c,v 1.457 2015/07/30 00:01:34 djm Exp $ */
+/* $OpenBSD: sshd.c,v 1.458 2015/08/20 22:32:42 deraadt Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -1265,7 +1265,7 @@ server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s)
                         sighup_restart();
                 if (fdset != NULL)
                         free(fdset);
-                fdset = (fd_set *)xcalloc(howmany(maxfd + 1, NFDBITS),
+                fdset = xcalloc(howmany(maxfd + 1, NFDBITS),
                     sizeof(fd_mask));
 
                 for (i = 0; i < num_listen_socks; i++)
diff --git a/sshd_config.0 b/sshd_config.0
index 1cc7459f8..aae7fb6af 100644
--- a/sshd_config.0
+++ b/sshd_config.0
@@ -286,9 +286,9 @@ DESCRIPTION
 
              The default is:
 
+                   chacha20-poly1305@openssh.com,
                    aes128-ctr,aes192-ctr,aes256-ctr,
-                   aes128-gcm@openssh.com,aes256-gcm@openssh.com,
-                   chacha20-poly1305@openssh.com
+                   aes128-gcm@openssh.com,aes256-gcm@openssh.com
 
              The list of available ciphers may also be obtained using the -Q
              option of ssh(1) with an argument of M-bM-^@M-^\cipherM-bM-^@M-^].
@@ -927,7 +927,7 @@ DESCRIPTION
 
              If this option is set to M-bM-^@M-^\noM-bM-^@M-^] (the default) then only addresses
              and not host names may be used in ~/.ssh/known_hosts from and
-             sshd_config(5) Match Host directives.
+             sshd_config Match Host directives.
 
      UseLogin
              Specifies whether login(1) is used for interactive login
@@ -1049,4 +1049,4 @@ AUTHORS
      versions 1.5 and 2.0.  Niels Provos and Markus Friedl contributed support
      for privilege separation.
 
-OpenBSD 5.8                     August 6, 2015                     OpenBSD 5.8
+OpenBSD 5.8                     August 14, 2015                    OpenBSD 5.8
diff --git a/sshd_config.5 b/sshd_config.5
index 92c23bc46..0be7250b0 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.210 2015/08/06 14:53:21 deraadt Exp $
-.Dd $Mdocdate: August 6 2015 $
+.\" $OpenBSD: sshd_config.5,v 1.211 2015/08/14 15:32:41 jmc Exp $
+.Dd $Mdocdate: August 14 2015 $
 .Dt SSHD_CONFIG 5
 .Os
 .Sh NAME
@@ -500,9 +500,9 @@ chacha20-poly1305@openssh.com
 .Pp
 The default is:
 .Bd -literal -offset indent
+chacha20-poly1305@openssh.com,
 aes128-ctr,aes192-ctr,aes256-ctr,
-aes128-gcm@openssh.com,aes256-gcm@openssh.com,
-chacha20-poly1305@openssh.com
+aes128-gcm@openssh.com,aes256-gcm@openssh.com
 .Ed
 .Pp
 The list of available ciphers may also be obtained using the
@@ -1571,7 +1571,7 @@ If this option is set to
 .Pa ~/.ssh/known_hosts
 .Cm from
 and
-.Xr sshd_config 5
+.Nm
 .Cm Match
 .Cm Host
 directives.
diff --git a/sshkey.c b/sshkey.c
index 14b6dc383..5368e7cd3 100644
--- a/sshkey.c
+++ b/sshkey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshkey.c,v 1.20 2015/07/03 03:43:18 djm Exp $ */
+/* $OpenBSD: sshkey.c,v 1.21 2015/08/19 23:19:01 djm Exp $ */
 /*
  * Copyright (c) 2000, 2001 Markus Friedl.  All rights reserved.
  * Copyright (c) 2008 Alexander von Gernler.  All rights reserved.
@@ -1557,7 +1557,6 @@ dsa_generate_private_key(u_int bits, DSA **dsap)
         *dsap = NULL;
         if (!DSA_generate_parameters_ex(private, bits, NULL, 0, NULL,
             NULL, NULL) || !DSA_generate_key(private)) {
-                DSA_free(private);
                 ret = SSH_ERR_LIBCRYPTO_ERROR;
                 goto out;
         }
diff --git a/version.h b/version.h
index f6653569c..5c22d9067 100644
--- a/version.h
+++ b/version.h
@@ -1,6 +1,6 @@
-/* $OpenBSD: version.h,v 1.74 2015/08/02 09:56:42 djm Exp $ */
+/* $OpenBSD: version.h,v 1.75 2015/08/21 03:45:26 djm Exp $ */
 
-#define SSH_VERSION     "OpenSSH_7.0"
+#define SSH_VERSION     "OpenSSH_7.1"
 
 #define SSH_PORTABLE    "p1"
 #define SSH_RELEASE_MINIMUM     SSH_VERSION SSH_PORTABLE