-rw-r--r--ChangeLog1684
-rw-r--r--README2
-rw-r--r--bitmap.c2
-rw-r--r--contrib/redhat/openssh.spec2
-rw-r--r--contrib/suse/openssh.spec2
-rw-r--r--debian/.git-dpm14
-rw-r--r--debian/changelog16
-rw-r--r--debian/patches/auth-log-verbosity.patch2
-rw-r--r--debian/patches/authorized-keys-man-symlink.patch2
-rw-r--r--debian/patches/backport-fix-first-kex-follows.patch36
-rw-r--r--debian/patches/debian-banner.patch4
-rw-r--r--debian/patches/debian-config.patch4
-rw-r--r--debian/patches/dnssec-sshfp.patch2
-rw-r--r--debian/patches/doc-hash-tab-completion.patch2
-rw-r--r--debian/patches/doc-upstart.patch2
-rw-r--r--debian/patches/gnome-ssh-askpass2-icon.patch2
-rw-r--r--debian/patches/gssapi.patch16
-rw-r--r--debian/patches/helpful-wait-terminate.patch2
-rw-r--r--debian/patches/keepalive-extensions.patch4
-rw-r--r--debian/patches/lintian-symlink-pickiness.patch2
-rw-r--r--debian/patches/mention-ssh-keygen-on-keychange.patch2
-rw-r--r--debian/patches/no-openssl-version-status.patch2
-rw-r--r--debian/patches/openbsd-docs.patch2
-rw-r--r--debian/patches/package-versioning.patch8
-rw-r--r--debian/patches/quieter-signals.patch2
-rw-r--r--debian/patches/restore-tcp-wrappers.patch6
-rw-r--r--debian/patches/scp-quoting.patch2
-rw-r--r--debian/patches/selinux-role.patch6
-rw-r--r--debian/patches/series1
-rw-r--r--debian/patches/shell-path.patch2
-rw-r--r--debian/patches/sigstop.patch6
-rw-r--r--debian/patches/ssh-agent-setgid.patch2
-rw-r--r--debian/patches/ssh-argv0.patch2
-rw-r--r--debian/patches/ssh-vulnkey-compat.patch4
-rw-r--r--debian/patches/syslog-level-silent.patch4
-rw-r--r--debian/patches/systemd-readiness.patch6
-rw-r--r--debian/patches/user-group-modes.patch4
-rw-r--r--kex.c4
-rw-r--r--packet.c1
-rw-r--r--readconf.c5
-rw-r--r--ssh.c3
-rw-r--r--sshbuf-getput-crypto.c12
-rw-r--r--sshbuf-misc.c10
-rw-r--r--sshbuf.c12
-rw-r--r--sshd.c6
-rw-r--r--version.h2
46 files changed, 191 insertions, 1727 deletions
diff --git a/ChangeLog b/ChangeLog
index 0e0dd8787..35a1a76b1 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,86 @@
1commit c88ac102f0eb89f2eaa314cb2e2e0ca3c890c443
2Author: Damien Miller <djm@mindrot.org>
3Date: Thu Jan 14 11:08:19 2016 +1100
4
5 bump version numbers
6
7commit 302bc21e6fadacb04b665868cd69b625ef69df90
8Author: Damien Miller <djm@mindrot.org>
9Date: Thu Jan 14 11:04:04 2016 +1100
10
11 openssh-7.1p2
12
13commit 6b33763242c063e4e0593877e835eeb1fd1b60aa
14Author: Damien Miller <djm@mindrot.org>
15Date: Thu Jan 14 11:02:58 2016 +1100
16
17 forcibly disable roaming support in the client
18
19commit 34d364f0d2e1e30a444009f0e04299bb7c94ba13
20Author: djm@openbsd.org <djm@openbsd.org>
21Date: Mon Oct 5 17:11:21 2015 +0000
22
23 upstream commit
24
25 some more bzero->explicit_bzero, from Michael McConville
26
27 Upstream-ID: 17f19545685c33327db2efdc357c1c9225ff00d0
28
29commit 8f5b93026797b9f7fba90d0c717570421ccebbd3
30Author: guenther@openbsd.org <guenther@openbsd.org>
31Date: Fri Sep 11 08:50:04 2015 +0000
32
33 upstream commit
34
35 Use explicit_bzero() when zeroing before free()
36
37 from Michael McConville (mmcconv1 (at) sccs.swarthmore.edu)
38 ok millert@ djm@
39
40 Upstream-ID: 2e3337db046c3fe70c7369ee31515ac73ec00f50
41
42commit d77148e3a3ef6c29b26ec74331455394581aa257
43Author: djm@openbsd.org <djm@openbsd.org>
44Date: Sun Nov 8 21:59:11 2015 +0000
45
46 upstream commit
47
48 fix OOB read in packet code caused by missing return
49 statement found by Ben Hawkes; ok markus@ deraadt@
50
51 Upstream-ID: a3e3a85434ebfa0690d4879091959591f30efc62
52
53commit 076d849e17ab12603627f87b301e2dca71bae518
54Author: Damien Miller <djm@mindrot.org>
55Date: Sat Nov 14 18:44:49 2015 +1100
56
57 read back from libcrypto RAND when privdropping
58
59 makes certain libcrypto implementations cache a /dev/urandom fd
60 in preparation of sandboxing. Based on patch by Greg Hartman.
61
62commit f72adc0150011a28f177617a8456e1f83733099d
63Author: djm@openbsd.org <djm@openbsd.org>
64Date: Sun Dec 13 22:42:23 2015 +0000
65
66 upstream commit
67
68 unbreak connections with peers that set
69 first_kex_follows; fix from Matt Johnston va bz#2515
70
71 Upstream-ID: decc88ec4fc7515594fdb42b04aa03189a44184b
72
73commit 04bd8d019ccd906cac1a2b362517b8505f3759e6
74Author: djm@openbsd.org <djm@openbsd.org>
75Date: Tue Jan 12 23:42:54 2016 +0000
76
77 upstream commit
78
79 use explicit_bzero() more liberally in the buffer code; ok
80 deraadt
81
82 Upstream-ID: 0ece37069fd66bc6e4f55eb1321f93df372b65bf
83
1commit e91346dc2bbf460246df2ab591b7613908c1b0ad 84commit e91346dc2bbf460246df2ab591b7613908c1b0ad
2Author: Damien Miller <djm@mindrot.org> 85Author: Damien Miller <djm@mindrot.org>
3Date: Fri Aug 21 14:49:03 2015 +1000 86Date: Fri Aug 21 14:49:03 2015 +1000
@@ -7530,1604 +7613,3 @@ Date: Thu Jan 16 18:42:10 2014 +1100
7530 [sftp-client.c] 7613 [sftp-client.c]
7531 needless and incorrect cast to size_t can break resumption of 7614 needless and incorrect cast to size_t can break resumption of
7532 large download; patch from tobias@ 7615 large download; patch from tobias@
7533
7534commit 91b580e4bec55118bf96ab3cdbe5a50839e75d0a
7535Author: Damien Miller <djm@mindrot.org>
7536Date: Sun Jan 12 19:21:22 2014 +1100
7537
7538 - djm@cvs.openbsd.org 2014/01/12 08:13:13
7539 [bufaux.c buffer.h kex.c kex.h kexc25519.c kexc25519c.c kexc25519s.c]
7540 [kexdhc.c kexdhs.c kexecdhc.c kexecdhs.c kexgexc.c kexgexs.c]
7541 avoid use of OpenSSL BIGNUM type and functions for KEX with
7542 Curve25519 by adding a buffer_put_bignum2_from_string() that stores
7543 a string using the bignum encoding rules. Will make it easier to
7544 build a reduced-feature OpenSSH without OpenSSL in the future;
7545 ok markus@
7546
7547commit af5d4481f4c7c8c3c746e68b961bb85ef907800e
7548Author: Damien Miller <djm@mindrot.org>
7549Date: Sun Jan 12 19:20:47 2014 +1100
7550
7551 - djm@cvs.openbsd.org 2014/01/10 05:59:19
7552 [sshd_config]
7553 the /etc/ssh/ssh_host_ed25519_key is loaded by default too
7554
7555commit 58cd63bc63038acddfb4051ed14e11179d8f4941
7556Author: Damien Miller <djm@mindrot.org>
7557Date: Fri Jan 10 10:59:24 2014 +1100
7558
7559 - djm@cvs.openbsd.org 2014/01/09 23:26:48
7560 [sshconnect.c sshd.c]
7561 ban clients/servers that suffer from SSH_BUG_DERIVEKEY, they are ancient,
7562 deranged and might make some attacks on KEX easier; ok markus@
7563
7564commit b3051d01e505c9c2dc00faab472a0d06fa6b0e65
7565Author: Damien Miller <djm@mindrot.org>
7566Date: Fri Jan 10 10:58:53 2014 +1100
7567
7568 - djm@cvs.openbsd.org 2014/01/09 23:20:00
7569 [digest.c digest.h hostfile.c kex.c kex.h kexc25519.c kexc25519c.c]
7570 [kexc25519s.c kexdh.c kexecdh.c kexecdhc.c kexecdhs.c kexgex.c kexgexc.c]
7571 [kexgexs.c key.c key.h roaming_client.c roaming_common.c schnorr.c]
7572 [schnorr.h ssh-dss.c ssh-ecdsa.c ssh-rsa.c sshconnect2.c]
7573 Introduce digest API and use it to perform all hashing operations
7574 rather than calling OpenSSL EVP_Digest* directly. Will make it easier
7575 to build a reduced-feature OpenSSH without OpenSSL in future;
7576 feedback, ok markus@
7577
7578commit e00e413dd16eb747fb2c15a099971d91c13cf70f
7579Author: Damien Miller <djm@mindrot.org>
7580Date: Fri Jan 10 10:40:45 2014 +1100
7581
7582 - guenther@cvs.openbsd.org 2014/01/09 03:26:00
7583 [sftp-common.c]
7584 When formating the time for "ls -l"-style output, show dates in the future
7585 with the year, and rearrange a comparison to avoid a potentional signed
7586 arithmetic overflow that would give the wrong result.
7587
7588 ok djm@
7589
7590commit 3e49853650448883685cfa32fa382d0ba6d51d48
7591Author: Damien Miller <djm@mindrot.org>
7592Date: Fri Jan 10 10:37:05 2014 +1100
7593
7594 - tedu@cvs.openbsd.org 2014/01/04 17:50:55
7595 [mac.c monitor_mm.c monitor_mm.h xmalloc.c]
7596 use standard types and formats for size_t like variables. ok dtucker
7597
7598commit a9c1e500ef609795cbc662848edb1a1dca279c81
7599Author: Damien Miller <djm@mindrot.org>
7600Date: Wed Jan 8 16:13:12 2014 +1100
7601
7602 - (djm) [regress/.cvsignore] Ignore regress test droppings; ok dtucker@
7603
7604commit 324541e5264e1489ca0babfaf2b39612eb80dfb3
7605Author: Damien Miller <djm@mindrot.org>
7606Date: Tue Dec 31 12:25:40 2013 +1100
7607
7608 - djm@cvs.openbsd.org 2013/12/30 23:52:28
7609 [auth2-hostbased.c auth2-pubkey.c compat.c compat.h ssh-rsa.c]
7610 [sshconnect.c sshconnect2.c sshd.c]
7611 refuse RSA keys from old proprietary clients/servers that use the
7612 obsolete RSA+MD5 signature scheme. it will still be possible to connect
7613 with these clients/servers but only DSA keys will be accepted, and we'll
7614 deprecate them entirely in a future release. ok markus@
7615
7616commit 9f4c8e797ea002a883307ca906f1f1f815010e78
7617Author: Damien Miller <djm@mindrot.org>
7618Date: Sun Dec 29 17:57:46 2013 +1100
7619
7620 - (djm) [regress/Makefile] Add some generated files for cleaning
7621
7622commit 106bf1ca3c7a5fdc34f9fd7a1fe651ca53085bc5
7623Author: Damien Miller <djm@mindrot.org>
7624Date: Sun Dec 29 17:54:03 2013 +1100
7625
7626 - djm@cvs.openbsd.org 2013/12/29 05:57:02
7627 [sshconnect.c]
7628 when showing other hostkeys, don't forget Ed25519 keys
7629
7630commit 0fa47cfb32c239117632cab41e4db7d3e6de5e91
7631Author: Damien Miller <djm@mindrot.org>
7632Date: Sun Dec 29 17:53:39 2013 +1100
7633
7634 - djm@cvs.openbsd.org 2013/12/29 05:42:16
7635 [ssh.c]
7636 don't forget to load Ed25519 certs too
7637
7638commit b9a95490daa04cc307589897f95bfaff324ad2c9
7639Author: Damien Miller <djm@mindrot.org>
7640Date: Sun Dec 29 17:50:15 2013 +1100
7641
7642 - djm@cvs.openbsd.org 2013/12/29 04:35:50
7643 [authfile.c]
7644 don't refuse to load Ed25519 certificates
7645
7646commit f72cdde6e6fabc51d2a62f4e75b8b926d9d7ee89
7647Author: Damien Miller <djm@mindrot.org>
7648Date: Sun Dec 29 17:49:55 2013 +1100
7649
7650 - djm@cvs.openbsd.org 2013/12/29 04:29:25
7651 [authfd.c]
7652 allow deletion of ed25519 keys from the agent
7653
7654commit 29ace1cb68cc378a464c72c0fd67aa5f9acd6b5b
7655Author: Damien Miller <djm@mindrot.org>
7656Date: Sun Dec 29 17:49:31 2013 +1100
7657
7658 - djm@cvs.openbsd.org 2013/12/29 04:20:04
7659 [key.c]
7660 to make sure we don't omit any key types as valid CA keys again,
7661 factor the valid key type check into a key_type_is_valid_ca()
7662 function
7663
7664commit 9de4fcdc5a9cff48d49a3e2f6194d3fb2d7ae34d
7665Author: Damien Miller <djm@mindrot.org>
7666Date: Sun Dec 29 17:49:13 2013 +1100
7667
7668 - djm@cvs.openbsd.org 2013/12/29 02:49:52
7669 [key.c]
7670 correct comment for key_drop_cert()
7671
7672commit 5baeacf8a80f054af40731c6f92435f9164b8e02
7673Author: Damien Miller <djm@mindrot.org>
7674Date: Sun Dec 29 17:48:55 2013 +1100
7675
7676 - djm@cvs.openbsd.org 2013/12/29 02:37:04
7677 [key.c]
7678 correct comment for key_to_certified()
7679
7680commit 83f2fe26cb19330712c952eddbd3c0b621674adc
7681Author: Damien Miller <djm@mindrot.org>
7682Date: Sun Dec 29 17:48:38 2013 +1100
7683
7684 - djm@cvs.openbsd.org 2013/12/29 02:28:10
7685 [key.c]
7686 allow ed25519 keys to appear as certificate authorities
7687
7688commit 06122e9a74bb488b0fe0a8f64e1135de870f9cc0
7689Author: Damien Miller <djm@mindrot.org>
7690Date: Sun Dec 29 17:48:15 2013 +1100
7691
7692 - djm@cvs.openbsd.org 2013/12/27 22:37:18
7693 [ssh-rsa.c]
7694 correct comment
7695
7696commit 3e19295c3a253c8dc8660cf45baad7f45fccb969
7697Author: Damien Miller <djm@mindrot.org>
7698Date: Sun Dec 29 17:47:50 2013 +1100
7699
7700 - djm@cvs.openbsd.org 2013/12/27 22:30:17
7701 [ssh-dss.c ssh-ecdsa.c ssh-rsa.c]
7702 make the original RSA and DSA signing/verification code look more like
7703 the ECDSA/Ed25519 ones: use key_type_plain() when checking the key type
7704 rather than tediously listing all variants, use __func__ for debug/
7705 error messages
7706
7707commit 137977180be6254639e2c90245763e6965f8d815
7708Author: Damien Miller <djm@mindrot.org>
7709Date: Sun Dec 29 17:47:14 2013 +1100
7710
7711 - tedu@cvs.openbsd.org 2013/12/21 07:10:47
7712 [ssh-keygen.1]
7713 small typo
7714
7715commit 339a48fe7ffb3186d22bbaa9efbbc3a053e602fd
7716Author: Damien Miller <djm@mindrot.org>
7717Date: Sun Dec 29 17:46:49 2013 +1100
7718
7719 - djm@cvs.openbsd.org 2013/12/19 22:57:13
7720 [poly1305.c poly1305.h]
7721 use full name for author, with his permission
7722
7723commit 0b36c83148976c7c8268f4f41497359e2fb26251
7724Author: Damien Miller <djm@mindrot.org>
7725Date: Sun Dec 29 17:45:51 2013 +1100
7726
7727 - djm@cvs.openbsd.org 2013/12/19 01:19:41
7728 [ssh-agent.c]
7729 bz#2186: don't crash (NULL deref) when deleting PKCS#11 keys from an agent
7730 that has a mix of normal and PKCS#11 keys; fix from jay AT slushpupie.com;
7731 ok dtucker
7732
7733commit 4def184e9b6c36be6d965a9705632fc4c0c2a8af
7734Author: Damien Miller <djm@mindrot.org>
7735Date: Sun Dec 29 17:45:26 2013 +1100
7736
7737 - djm@cvs.openbsd.org 2013/12/19 01:04:36
7738 [channels.c]
7739 bz#2147: fix multiple remote forwardings with dynamically assigned
7740 listen ports. In the s->c message to open the channel we were sending
7741 zero (the magic number to request a dynamic port) instead of the actual
7742 listen port. The client therefore had no way of discriminating between
7743 them.
7744
7745 Diagnosis and fix by ronf AT timeheart.net
7746
7747commit bf25d114e23a803f8feca8926281b1aaedb6191b
7748Author: Damien Miller <djm@mindrot.org>
7749Date: Sun Dec 29 17:44:56 2013 +1100
7750
7751 - djm@cvs.openbsd.org 2013/12/19 00:27:57
7752 [auth-options.c]
7753 simplify freeing of source-address certificate restriction
7754
7755commit bb3dafe7024a5b4e851252e65ee35d45b965e4a8
7756Author: Damien Miller <djm@mindrot.org>
7757Date: Sun Dec 29 17:44:29 2013 +1100
7758
7759 - dtucker@cvs.openbsd.org 2013/12/19 00:19:12
7760 [serverloop.c]
7761 Cast client_alive_interval to u_int64_t before assinging to
7762 max_time_milliseconds to avoid potential integer overflow in the timeout.
7763 bz#2170, patch from Loganaden Velvindron, ok djm@
7764
7765commit ef275ead3dcadde4db1efe7a0aa02b5e618ed40c
7766Author: Damien Miller <djm@mindrot.org>
7767Date: Sun Dec 29 17:44:07 2013 +1100
7768
7769 - djm@cvs.openbsd.org 2013/12/19 00:10:30
7770 [ssh-add.c]
7771 skip requesting smartcard PIN when removing keys from agent; bz#2187
7772 patch from jay AT slushpupie.com; ok dtucker
7773
7774commit 7d97fd9a1cae778c3eacf16e09f5da3689d616c6
7775Author: Damien Miller <djm@mindrot.org>
7776Date: Sun Dec 29 17:40:18 2013 +1100
7777
7778 - (djm) [loginrec.c] Check for username truncation when looking up lastlog
7779 entries
7780
7781commit 77244afe3b6d013b485e0952eaab89b9db83380f
7782Author: Darren Tucker <dtucker@zip.com.au>
7783Date: Sat Dec 21 17:02:39 2013 +1100
7784
7785 20131221
7786 - (dtucker) [regress/keytype.sh] Actually test ecdsa key types.
7787
7788commit 53f8e784dc431a82d31c9b0e95b144507f9330e9
7789Author: Darren Tucker <dtucker@zip.com.au>
7790Date: Thu Dec 19 11:31:44 2013 +1100
7791
7792 - (dtucker) [auth-pam.c] bz#2163: check return value from pam_get_item().
7793 Patch from Loganaden Velvindron.
7794
7795commit 1fcec9d4f265e38af248c4c845986ca8c174bd68
7796Author: Darren Tucker <dtucker@zip.com.au>
7797Date: Thu Dec 19 11:00:12 2013 +1100
7798
7799 - (dtucker) [configure.ac] bz#2178: Don't try to use BSM on Solaris versions
7800 greater than 11 either rather than just 11. Patch from Tomas Kuthan.
7801
7802commit 6674eb9683afd1ea4eb35670b5e66815543a759e
7803Author: Damien Miller <djm@mindrot.org>
7804Date: Wed Dec 18 17:50:39 2013 +1100
7805
7806 - markus@cvs.openbsd.org 2013/12/17 10:36:38
7807 [crypto_api.h]
7808 I've assempled the header file by cut&pasting from generated headers
7809 and the source files.
7810
7811commit d58a5964426ee014384d67d775d16712e93057f3
7812Author: Damien Miller <djm@mindrot.org>
7813Date: Wed Dec 18 17:50:13 2013 +1100
7814
7815 - djm@cvs.openbsd.org 2013/12/15 21:42:35
7816 [cipher-chachapoly.c]
7817 add some comments and constify a constant
7818
7819commit 059321d19af24d87420de3193f79dfab23556078
7820Author: Damien Miller <djm@mindrot.org>
7821Date: Wed Dec 18 17:49:48 2013 +1100
7822
7823 - pascal@cvs.openbsd.org 2013/12/15 18:17:26
7824 [ssh-add.c]
7825 Make ssh-add also add .ssh/id_ed25519; fixes lie in manual page.
7826 ok markus@
7827
7828commit 155b5a5bf158767f989215479ded2a57f331e1c6
7829Author: Damien Miller <djm@mindrot.org>
7830Date: Wed Dec 18 17:48:32 2013 +1100
7831
7832 - markus@cvs.openbsd.org 2013/12/09 11:08:17
7833 [crypto_api.h]
7834 remove unused defines
7835
7836commit 8a56dc2b6b48b05590810e7f4c3567508410000c
7837Author: Damien Miller <djm@mindrot.org>
7838Date: Wed Dec 18 17:48:11 2013 +1100
7839
7840 - markus@cvs.openbsd.org 2013/12/09 11:03:45
7841 [blocks.c ed25519.c fe25519.c fe25519.h ge25519.c ge25519.h]
7842 [ge25519_base.data hash.c sc25519.c sc25519.h verify.c]
7843 Add Authors for the public domain ed25519/nacl code.
7844 see also http://nacl.cr.yp.to/features.html
7845 All of the NaCl software is in the public domain.
7846 and http://ed25519.cr.yp.to/software.html
7847 The Ed25519 software is in the public domain.
7848
7849commit 6575c3acf31fca117352f31f37b16ae46e664837
7850Author: Damien Miller <djm@mindrot.org>
7851Date: Wed Dec 18 17:47:02 2013 +1100
7852
7853 - dtucker@cvs.openbsd.org 2013/12/08 09:53:27
7854 [sshd_config.5]
7855 Use a literal for the default value of KEXAlgorithms. ok deraadt jmc
7856
7857commit 8ba0ead6985ea14999265136b14ffd5aeec516f9
7858Author: Damien Miller <djm@mindrot.org>
7859Date: Wed Dec 18 17:46:27 2013 +1100
7860
7861 - naddy@cvs.openbsd.org 2013/12/07 11:58:46
7862 [ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh-keysign.8 ssh.1]
7863 [ssh_config.5 sshd.8 sshd_config.5]
7864 add missing mentions of ed25519; ok djm@
7865
7866commit 4f752cf71cf44bf4bc777541156c2bf56daf9ce9
7867Author: Damien Miller <djm@mindrot.org>
7868Date: Wed Dec 18 17:45:35 2013 +1100
7869
7870 - djm@cvs.openbsd.org 2013/12/07 08:08:26
7871 [ssh-keygen.1]
7872 document -a and -o wrt new key format
7873
7874commit 6d6fcd14e23a9053198342bb379815b15e504084
7875Author: Damien Miller <djm@mindrot.org>
7876Date: Sun Dec 8 15:53:28 2013 +1100
7877
7878 - (djm) [Makefile.in regress/Makefile regress/agent-ptrace.sh]
7879 [regress/setuid-allowed.c] Check that ssh-agent is not on a no-setuid
7880 filesystem before running agent-ptrace.sh; ok dtucker
7881
7882commit 7e6e42fb532c7dafd7078ef5e9e2d3e47fcf6752
7883Author: Damien Miller <djm@mindrot.org>
7884Date: Sun Dec 8 08:23:08 2013 +1100
7885
7886 - (djm) [openbsd-compat/bsd-setres_id.c] Missing header; from Corinna
7887 Vinschen
7888
7889commit da3ca351b49d52ae85db2e3998265dc3c6617068
7890Author: Damien Miller <djm@mindrot.org>
7891Date: Sat Dec 7 21:43:46 2013 +1100
7892
7893 - (djm) [Makefile.in] PATHSUBS and keygen bits for Ed25519; from
7894 Loganaden Velvindron @ AfriNIC in bz#2179
7895
7896commit eb401585bb8336cbf81fe4fc58eb9f7cac3ab874
7897Author: Damien Miller <djm@mindrot.org>
7898Date: Sat Dec 7 17:07:15 2013 +1100
7899
7900 - (djm) [regress/cert-hostkey.sh] Fix merge botch
7901
7902commit f54542af3ad07532188b10136ae302314ec69ed6
7903Author: Damien Miller <djm@mindrot.org>
7904Date: Sat Dec 7 16:32:44 2013 +1100
7905
7906 - markus@cvs.openbsd.org 2013/12/06 13:52:46
7907 [regress/Makefile regress/agent.sh regress/cert-hostkey.sh]
7908 [regress/cert-userkey.sh regress/keytype.sh]
7909 test ed25519 support; from djm@
7910
7911commit f104da263de995f66b6861b4f3368264ee483d7f
7912Author: Damien Miller <djm@mindrot.org>
7913Date: Sat Dec 7 12:37:53 2013 +1100
7914
7915 - (djm) [ed25519.c ssh-ed25519.c openbsd-compat/Makefile.in]
7916 [openbsd-compat/bcrypt_pbkdf.c] Make ed25519/new key format compile on
7917 Linux
7918
7919commit 1ff130dac9b7aea0628f4ad30683431fe35e0020
7920Author: Damien Miller <djm@mindrot.org>
7921Date: Sat Dec 7 11:51:51 2013 +1100
7922
7923 - [configure.ac openbsd-compat/Makefile.in openbsd-compat/bcrypt_pbkdf.c]
7924 [openbsd-compat/blf.h openbsd-compat/blowfish.c]
7925 [openbsd-compat/openbsd-compat.h] Start at supporting bcrypt_pbkdf in
7926 portable.
7927
7928commit 4260828a2958ebe8c96f66d8301dac53f4cde556
7929Author: Damien Miller <djm@mindrot.org>
7930Date: Sat Dec 7 11:38:03 2013 +1100
7931
7932 - [authfile.c] Conditionalise inclusion of util.h
7933
7934commit a913442bac8a26fd296a3add51293f8f6f9b3b4c
7935Author: Damien Miller <djm@mindrot.org>
7936Date: Sat Dec 7 11:35:36 2013 +1100
7937
7938 - [Makefile.in] Add ed25519 sources
7939
7940commit ca570a519cb846da61d002c7f46fa92e39c83e45
7941Author: Damien Miller <djm@mindrot.org>
7942Date: Sat Dec 7 11:29:09 2013 +1100
7943
7944 - djm@cvs.openbsd.org 2013/12/07 00:19:15
7945 [key.c]
7946 set k->cert = NULL after freeing it
7947
7948commit 3cccc0e155229a2f2d86b6df40bd4559b4f960ff
7949Author: Damien Miller <djm@mindrot.org>
7950Date: Sat Dec 7 11:27:47 2013 +1100
7951
7952 - [blocks.c ed25519.c fe25519.c fe25519.h ge25519.c ge25519.h]
7953 [ge25519_base.data hash.c sc25519.c sc25519.h verify.c] Fix RCS idents
7954
7955commit a7827c11b3f0380b7e593664bd62013ff9c131db
7956Author: Damien Miller <djm@mindrot.org>
7957Date: Sat Dec 7 11:24:30 2013 +1100
7958
7959 - jmc@cvs.openbsd.org 2013/12/06 15:29:07
7960 [sshd.8]
7961 missing comma;
7962
7963commit 5be9d9e3cbd9c66f24745d25bf2e809c1d158ee0
7964Author: Damien Miller <djm@mindrot.org>
7965Date: Sat Dec 7 11:24:01 2013 +1100
7966
7967 - markus@cvs.openbsd.org 2013/12/06 13:39:49
7968 [authfd.c authfile.c key.c key.h myproposal.h pathnames.h readconf.c]
7969 [servconf.c ssh-agent.c ssh-keygen.c ssh-keyscan.1 ssh-keyscan.c]
7970 [ssh-keysign.c ssh.c ssh_config.5 sshd.8 sshd.c verify.c ssh-ed25519.c]
7971 [sc25519.h sc25519.c hash.c ge25519_base.data ge25519.h ge25519.c]
7972 [fe25519.h fe25519.c ed25519.c crypto_api.h blocks.c]
7973 support ed25519 keys (hostkeys and user identities) using the public
7974 domain ed25519 reference code from SUPERCOP, see
7975 http://ed25519.cr.yp.to/software.html
7976 feedback, help & ok djm@
7977
7978commit bcd00abd8451f36142ae2ee10cc657202149201e
7979Author: Damien Miller <djm@mindrot.org>
7980Date: Sat Dec 7 10:41:55 2013 +1100
7981
7982 - markus@cvs.openbsd.org 2013/12/06 13:34:54
7983 [authfile.c authfile.h cipher.c cipher.h key.c packet.c ssh-agent.c]
7984 [ssh-keygen.c PROTOCOL.key] new private key format, bcrypt as KDF by
7985 default; details in PROTOCOL.key; feedback and lots help from djm;
7986 ok djm@
7987
7988commit f0e9060d236c0e38bec2fa1c6579fb0a2ea6458d
7989Author: Damien Miller <djm@mindrot.org>
7990Date: Sat Dec 7 10:40:26 2013 +1100
7991
7992 - markus@cvs.openbsd.org 2013/12/06 13:30:08
7993 [authfd.c key.c key.h ssh-agent.c]
7994 move private key (de)serialization to key.c; ok djm
7995
7996commit 0f8536da23a6ef26e6495177c0d8a4242b710289
7997Author: Damien Miller <djm@mindrot.org>
7998Date: Sat Dec 7 10:31:37 2013 +1100
7999
8000 - djm@cvs.openbsd.org 2013/12/06 03:40:51
8001 [ssh-keygen.c]
8002 remove duplicated character ('g') in getopt() string;
8003 document the (few) remaining option characters so we don't have to
8004 rummage next time.
8005
8006commit 393920745fd328d3fe07f739a3cf7e1e6db45b60
8007Author: Damien Miller <djm@mindrot.org>
8008Date: Sat Dec 7 10:31:08 2013 +1100
8009
8010 - djm@cvs.openbsd.org 2013/12/05 22:59:45
8011 [sftp-client.c]
8012 fix memory leak in error path in do_readdir(); pointed out by
8013 Loganaden Velvindron @ AfriNIC in bz#2163
8014
8015commit 534b2ccadea5e5e9a8b27226e6faac3ed5552e97
8016Author: Damien Miller <djm@mindrot.org>
8017Date: Thu Dec 5 14:07:27 2013 +1100
8018
8019 - djm@cvs.openbsd.org 2013/12/05 01:16:41
8020 [servconf.c servconf.h]
8021 bz#2161 - fix AuthorizedKeysCommand inside a Match block and
8022 rearrange things so the same error is harder to make next time;
8023 with and ok dtucker@
8024
8025commit 8369c8e61a3408ec6bb75755fad4ffce29b5fdbe
8026Author: Darren Tucker <dtucker@zip.com.au>
8027Date: Thu Dec 5 11:00:16 2013 +1100
8028
8029 - (dtucker) [configure.ac] bz#2173: use pkg-config --libs to include correct
8030 -L location for libedit. Patch from Serge van den Boom.
8031
8032commit 9275df3e0a2a3bc3897f7d664ea86a425c8a092d
8033Author: Damien Miller <djm@mindrot.org>
8034Date: Thu Dec 5 10:26:32 2013 +1100
8035
8036 - djm@cvs.openbsd.org 2013/12/04 04:20:01
8037 [sftp-client.c]
8038 bz#2171: don't leak local_fd on error; from Loganaden Velvindron @
8039 AfriNIC
8040
8041commit 960f6a2b5254e4da082d8aa3700302ed12dc769a
8042Author: Damien Miller <djm@mindrot.org>
8043Date: Thu Dec 5 10:26:14 2013 +1100
8044
8045 - djm@cvs.openbsd.org 2013/12/02 03:13:14
8046 [cipher.c]
8047 correct bzero of chacha20+poly1305 key context. bz#2177 from
8048 Loganaden Velvindron @ AfriNIC
8049
8050 Also make it a memset for consistency with the rest of cipher.c
8051
8052commit f7e8a8796d661c9d6692ab837e1effd4f5ada1c2
8053Author: Damien Miller <djm@mindrot.org>
8054Date: Thu Dec 5 10:25:51 2013 +1100
8055
8056 - djm@cvs.openbsd.org 2013/12/02 03:09:22
8057 [key.c]
8058 make key_to_blob() return a NULL blob on failure; part of
8059 bz#2175 from Loganaden Velvindron @ AfriNIC
8060
8061commit f1e44ea9d9a6d4c1a95a0024132e603bd1778c9c
8062Author: Damien Miller <djm@mindrot.org>
8063Date: Thu Dec 5 10:23:21 2013 +1100
8064
8065 - djm@cvs.openbsd.org 2013/12/02 02:56:17
8066 [ssh-pkcs11-helper.c]
8067 use-after-free; bz#2175 patch from Loganaden Velvindron @ AfriNIC
8068
8069commit 114e540b15d57618f9ebf624264298f80bbd8c77
8070Author: Damien Miller <djm@mindrot.org>
8071Date: Thu Dec 5 10:22:57 2013 +1100
8072
8073 - djm@cvs.openbsd.org 2013/12/02 02:50:27
8074 [PROTOCOL.chacha20poly1305]
8075 typo; from Jon Cave
8076
8077commit e4870c090629e32f2cb649dc16d575eeb693f4a8
8078Author: Damien Miller <djm@mindrot.org>
8079Date: Thu Dec 5 10:22:39 2013 +1100
8080
8081 - djm@cvs.openbsd.org 2013/12/01 23:19:05
8082 [PROTOCOL]
8083 mention curve25519-sha256@libssh.org key exchange algorithm
8084
8085commit 1d2f8804a6d33a4e908b876b2e1266b8260ec76b
8086Author: Damien Miller <djm@mindrot.org>
8087Date: Thu Dec 5 10:22:03 2013 +1100
8088
8089 - deraadt@cvs.openbsd.org 2013/11/26 19:15:09
8090 [pkcs11.h]
8091 cleanup 1 << 31 idioms. Resurrection of this issue pointed out by
8092 Eitan Adler ok markus for ssh, implies same change in kerberosV
8093
8094commit bdb352a54f82df94a548e3874b22f2d6ae90328d
8095Author: Damien Miller <djm@mindrot.org>
8096Date: Thu Dec 5 10:20:52 2013 +1100
8097
8098 - jmc@cvs.openbsd.org 2013/11/26 12:14:54
8099 [ssh.1 ssh.c]
8100 - put -Q in the right place
8101 - Ar was a poor choice for the arguments to -Q. i've chosen an
8102 admittedly equally poor Cm, at least consistent with the rest
8103 of the docs. also no need for multiple instances
8104 - zap a now redundant Nm
8105 - usage() sync
8106
8107commit d937dc084a087090f1cf5395822c3ac958d33759
8108Author: Damien Miller <djm@mindrot.org>
8109Date: Thu Dec 5 10:19:54 2013 +1100
8110
8111 - deraadt@cvs.openbsd.org 2013/11/25 18:04:21
8112 [ssh.1 ssh.c]
8113 improve -Q usage and such. One usage change is that the option is now
8114 case-sensitive
8115 ok dtucker markus djm
8116
8117commit dec0393f7ee8aabc7d9d0fc2c5fddb4bc649112e
8118Author: Damien Miller <djm@mindrot.org>
8119Date: Thu Dec 5 10:18:43 2013 +1100
8120
8121 - jmc@cvs.openbsd.org 2013/11/21 08:05:09
8122 [ssh_config.5 sshd_config.5]
8123 no need for .Pp before displays;
8124
8125commit 8a073cf57940aabf85e49799f89f5d5e9b072c1b
8126Author: Damien Miller <djm@mindrot.org>
8127Date: Thu Nov 21 14:26:18 2013 +1100
8128
8129 - djm@cvs.openbsd.org 2013/11/21 03:18:51
8130 [regress/cipher-speed.sh regress/integrity.sh regress/rekey.sh]
8131 [regress/try-ciphers.sh]
8132 use new "ssh -Q cipher-auth" query to obtain lists of authenticated
8133 encryption ciphers instead of specifying them manually; ensures that
8134 the new chacha20poly1305@openssh.com mode is tested;
8135
8136 ok markus@ and naddy@ as part of the diff to add
8137 chacha20poly1305@openssh.com
8138
8139commit ea61b2179f63d48968dd2c9617621002bb658bfe
8140Author: Damien Miller <djm@mindrot.org>
8141Date: Thu Nov 21 14:25:15 2013 +1100
8142
8143 - djm@cvs.openbsd.org 2013/11/21 03:16:47
8144 [regress/modpipe.c]
8145 use unsigned long long instead of u_int64_t here to avoid warnings
8146 on some systems portable OpenSSH is built on.
8147
8148commit 36aba25b0409d2db6afc84d54bc47a2532d38424
8149Author: Damien Miller <djm@mindrot.org>
8150Date: Thu Nov 21 14:24:42 2013 +1100
8151
8152 - djm@cvs.openbsd.org 2013/11/21 03:15:46
8153 [regress/krl.sh]
8154 add some reminders for additional tests that I'd like to implement
8155
8156commit fa7a20bc289f09b334808d988746bc260a2f60c9
8157Author: Damien Miller <djm@mindrot.org>
8158Date: Thu Nov 21 14:24:08 2013 +1100
8159
8160 - naddy@cvs.openbsd.org 2013/11/18 05:09:32
8161 [regress/forward-control.sh]
8162 bump timeout to 10 seconds to allow slow machines (e.g. Alpha PC164)
8163 to successfully run this; ok djm@
8164 (ID sync only; our timeouts are already longer)
8165
8166commit 0fde8acdad78a4d20cadae974376cc0165f645ee
8167Author: Damien Miller <djm@mindrot.org>
8168Date: Thu Nov 21 14:12:23 2013 +1100
8169
8170 - djm@cvs.openbsd.org 2013/11/21 00:45:44
8171 [Makefile.in PROTOCOL PROTOCOL.chacha20poly1305 authfile.c chacha.c]
8172 [chacha.h cipher-chachapoly.c cipher-chachapoly.h cipher.c cipher.h]
8173 [dh.c myproposal.h packet.c poly1305.c poly1305.h servconf.c ssh.1]
8174 [ssh.c ssh_config.5 sshd_config.5] Add a new protocol 2 transport
8175 cipher "chacha20-poly1305@openssh.com" that combines Daniel
8176 Bernstein's ChaCha20 stream cipher and Poly1305 MAC to build an
8177 authenticated encryption mode.
8178
8179 Inspired by and similar to Adam Langley's proposal for TLS:
8180 http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03
8181 but differs in layout used for the MAC calculation and the use of a
8182 second ChaCha20 instance to separately encrypt packet lengths.
8183 Details are in the PROTOCOL.chacha20poly1305 file.
8184
8185 Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC
8186 ok markus@ naddy@
8187
8188commit fdb2306acdc3eb2bc46b6dfdaaf6005c650af22a
8189Author: Damien Miller <djm@mindrot.org>
8190Date: Thu Nov 21 13:57:15 2013 +1100
8191
8192 - deraadt@cvs.openbsd.org 2013/11/20 20:54:10
8193 [canohost.c clientloop.c match.c readconf.c sftp.c]
8194 unsigned casts for ctype macros where neccessary
8195 ok guenther millert markus
8196
8197commit e00167307e4d3692695441e9bd712f25950cb894
8198Author: Damien Miller <djm@mindrot.org>
8199Date: Thu Nov 21 13:56:49 2013 +1100
8200
8201 - deraadt@cvs.openbsd.org 2013/11/20 20:53:10
8202 [scp.c]
8203 unsigned casts for ctype macros where neccessary
8204 ok guenther millert markus
8205
8206commit 23e00aa6ba9eee0e0c218f2026bf405ad4625832
8207Author: Damien Miller <djm@mindrot.org>
8208Date: Thu Nov 21 13:56:28 2013 +1100
8209
8210 - djm@cvs.openbsd.org 2013/11/20 02:19:01
8211 [sshd.c]
8212 delay closure of in/out fds until after "Bad protocol version
8213 identification..." message, as get_remote_ipaddr/get_remote_port
8214 require them open.
8215
8216commit 867e6934be6521f87f04a5ab86702e2d1b314245
8217Author: Damien Miller <djm@mindrot.org>
8218Date: Thu Nov 21 13:56:06 2013 +1100
8219
8220 - markus@cvs.openbsd.org 2013/11/13 13:48:20
8221 [ssh-pkcs11.c]
8222 add missing braces found by pedro
8223
8224commit 0600c7020f4fe68a780bd7cf21ff541a8d4b568a
8225Author: Damien Miller <djm@mindrot.org>
8226Date: Thu Nov 21 13:55:43 2013 +1100
8227
8228 - dtucker@cvs.openbsd.org 2013/11/08 11:15:19
8229 [bufaux.c bufbn.c buffer.c sftp-client.c sftp-common.c sftp-glob.c]
8230 [uidswap.c] Include stdlib.h for free() as per the man page.
8231
8232commit b6a75b0b93b8faa6f79c3a395ab6c71f3f880b80
8233Author: Darren Tucker <dtucker@zip.com.au>
8234Date: Sun Nov 10 20:25:22 2013 +1100
8235
8236 - (dtucker) [regress/keytype.sh] Populate ECDSA key types to be tested by
8237 querying the ones that are compiled in.
8238
8239commit 2c89430119367eb1bc96ea5ee55de83357e4c926
8240Author: Darren Tucker <dtucker@zip.com.au>
8241Date: Sun Nov 10 12:38:42 2013 +1100
8242
8243 - (dtucker) [key.c] Check for the correct defines for NID_secp521r1.
8244
8245commit dd5264db5f641dbd03186f9e5e83e4b14b3d0003
8246Author: Darren Tucker <dtucker@zip.com.au>
8247Date: Sat Nov 9 22:32:51 2013 +1100
8248
8249 - (dtucker) [configure.ac] Add missing "test".
8250
8251commit 95cb2d4eb08117be061f3ff076adef3e9a5372c3
8252Author: Darren Tucker <dtucker@zip.com.au>
8253Date: Sat Nov 9 22:02:31 2013 +1100
8254
8255 - (dtucker) [configure.ac] Fix brackets in NID_secp521r1 test.
8256
8257commit 37bcef51b3d9d496caecea6394814d2f49a1357f
8258Author: Darren Tucker <dtucker@zip.com.au>
8259Date: Sat Nov 9 18:39:25 2013 +1100
8260
8261 - (dtucker) [configure.ac kex.c key.c myproposal.h] Test for the presence of
8262 NID_X9_62_prime256v1, NID_secp384r1 and NID_secp521r1 and test that the
8263 latter actually works before using it. Fedora (at least) has NID_secp521r1
8264 that doesn't work (see https://bugzilla.redhat.com/show_bug.cgi?id=1021897).
8265
8266commit 6e2fe81f926d995bae4be4a6b5b3c88c1c525187
8267Author: Darren Tucker <dtucker@zip.com.au>
8268Date: Sat Nov 9 16:55:03 2013 +1100
8269
8270 - dtucker@cvs.openbsd.org 2013/11/09 05:41:34
8271 [regress/test-exec.sh regress/rekey.sh]
8272 Use smaller test data files to speed up tests. Grow test datafiles
8273 where necessary for a specific test.
8274
8275commit aff7ef1bb8b7c1eeb1f4812129091c5adbf51848
8276Author: Darren Tucker <dtucker@zip.com.au>
8277Date: Sat Nov 9 00:19:22 2013 +1100
8278
8279 - (dtucker) [contrib/cygwin/ssh-host-config] Simplify host key generation:
8280 rather than testing and generating each key, call ssh-keygen -A.
8281 Patch from vinschen at redhat.com.
8282
8283commit 882abfd3fb3c98cfe70b4fc79224770468b570a5
8284Author: Darren Tucker <dtucker@zip.com.au>
8285Date: Sat Nov 9 00:17:41 2013 +1100
8286
8287 - (dtucker) [Makefile.in configure.ac] Set MALLOC_OPTIONS per platform
8288 and pass in TEST_ENV. Unknown options cause stderr to get polluted
8289 and the stderr-data test to fail.
8290
8291commit 8c333ec23bdf7da917aa20ac6803a2cdd79182c5
8292Author: Darren Tucker <dtucker@zip.com.au>
8293Date: Fri Nov 8 21:12:58 2013 +1100
8294
8295 - (dtucker) [openbsd-compat/bsd-poll.c] Add headers to prevent compile
8296 warnings.
8297
8298commit d94240b2f6b376b6e9de187e4a0cd4b89dfc48cb
8299Author: Darren Tucker <dtucker@zip.com.au>
8300Date: Fri Nov 8 21:10:04 2013 +1100
8301
8302 - (dtucker) [myproposal.h] Conditionally enable CURVE25519_SHA256.
8303
8304commit 1c8ce34909886288a3932dce770deec5449f7bb5
8305Author: Darren Tucker <dtucker@zip.com.au>
8306Date: Fri Nov 8 19:50:32 2013 +1100
8307
8308 - (dtucker) [kex.c] Only enable CURVE25519_SHA256 if we actually have
8309 EVP_sha256.
8310
8311commit ccdb9bec46bcc88549b26a94aa0bae2b9f51031c
8312Author: Darren Tucker <dtucker@zip.com.au>
8313Date: Fri Nov 8 18:54:38 2013 +1100
8314
8315 - (dtucker) [openbsd-compat/openbsd-compat.h] Add null implementation of
8316 arc4random_stir for platforms that have arc4random but don't have
8317 arc4random_stir (right now this is only OpenBSD -current).
8318
8319commit 3420a50169b52cc8d2775d51316f9f866c73398f
8320Author: Damien Miller <djm@mindrot.org>
8321Date: Fri Nov 8 16:48:13 2013 +1100
8322
8323 - (djm) [README contrib/caldera/openssh.spec contrib/redhat/openssh.spec]
8324 [contrib/suse/openssh.spec] Update version numbers following release.
8325
8326commit 3ac4a234df842fd8c94d9cb0ad198e1fe84b895b
8327Author: Damien Miller <djm@mindrot.org>
8328Date: Fri Nov 8 12:39:49 2013 +1100
8329
8330 - djm@cvs.openbsd.org 2013/11/08 01:38:11
8331 [version.h]
8332 openssh-6.4
8333
8334commit 6c81fee693038de7d4a5559043350391db2a2761
8335Author: Damien Miller <djm@mindrot.org>
8336Date: Fri Nov 8 12:19:55 2013 +1100
8337
8338 - djm@cvs.openbsd.org 2013/11/08 00:39:15
8339 [auth-options.c auth2-chall.c authfd.c channels.c cipher-3des1.c]
8340 [clientloop.c gss-genr.c monitor_mm.c packet.c schnorr.c umac.c]
8341 [sftp-client.c sftp-glob.c]
8342 use calloc for all structure allocations; from markus@
8343
8344commit 690d989008e18af3603a5e03f1276c9bad090370
8345Author: Damien Miller <djm@mindrot.org>
8346Date: Fri Nov 8 12:16:49 2013 +1100
8347
8348 - dtucker@cvs.openbsd.org 2013/11/07 11:58:27
8349 [cipher.c cipher.h kex.c kex.h mac.c mac.h servconf.c ssh.c]
8350 Output the effective values of Ciphers, MACs and KexAlgorithms when
8351 the default has not been overridden. ok markus@
8352
8353commit 08998c5fb9c7c1d248caa73b76e02ca0482e6d85
8354Author: Darren Tucker <dtucker@zip.com.au>
8355Date: Fri Nov 8 12:11:46 2013 +1100
8356
8357 - dtucker@cvs.openbsd.org 2013/11/08 01:06:14
8358 [regress/rekey.sh]
8359 Rekey less frequently during tests to speed them up
8360
8361commit 4bf7e50e533aa956366df7402c132f202e841a48
8362Author: Darren Tucker <dtucker@zip.com.au>
8363Date: Thu Nov 7 22:33:48 2013 +1100
8364
8365 - (dtucker) [Makefile.in configure.ac] Remove TEST_SSH_SHA256 environment
8366 variable. It's no longer used now that we get the supported MACs from
8367 ssh -Q.
8368
8369commit 6e9d6f411288374d1dee4b7debbfa90bc7e73035
8370Author: Darren Tucker <dtucker@zip.com.au>
8371Date: Thu Nov 7 15:32:37 2013 +1100
8372
8373 - dtucker@cvs.openbsd.org 2013/11/07 04:26:56
8374 [regress/kextype.sh]
8375 trailing space
8376
8377commit 74cbc22529f3e5de756e1b7677b7624efb28f62c
8378Author: Darren Tucker <dtucker@zip.com.au>
8379Date: Thu Nov 7 15:26:12 2013 +1100
8380
8381 - dtucker@cvs.openbsd.org 2013/11/07 03:55:41
8382 [regress/kextype.sh]
8383 Use ssh -Q to get kex types instead of a static list.
8384
8385commit a955041c930e63405159ff7d25ef14272f36eab3
8386Author: Darren Tucker <dtucker@zip.com.au>
8387Date: Thu Nov 7 15:21:19 2013 +1100
8388
8389 - dtucker@cvs.openbsd.org 2013/11/07 02:48:38
8390 [regress/integrity.sh regress/cipher-speed.sh regress/try-ciphers.sh]
8391 Use ssh -Q instead of hardcoding lists of ciphers or MACs.
8392
8393commit 06595d639577577bc15d359e037a31eb83563269
8394Author: Darren Tucker <dtucker@zip.com.au>
8395Date: Thu Nov 7 15:08:02 2013 +1100
8396
8397 - dtucker@cvs.openbsd.org 2013/11/07 01:12:51
8398 [regress/rekey.sh]
8399 Factor out the data transfer rekey tests
8400
8401commit 651dc8b2592202dac6b16ee3b82ce5b331be7da3
8402Author: Darren Tucker <dtucker@zip.com.au>
8403Date: Thu Nov 7 15:04:44 2013 +1100
8404
8405 - dtucker@cvs.openbsd.org 2013/11/07 00:12:05
8406 [regress/rekey.sh]
8407 Test rekeying for every Cipher, MAC and KEX, plus test every KEX with
8408 the GCM ciphers.
8409
8410commit 234557762ba1096a867ca6ebdec07efebddb5153
8411Author: Darren Tucker <dtucker@zip.com.au>
8412Date: Thu Nov 7 15:00:51 2013 +1100
8413
8414 - dtucker@cvs.openbsd.org 2013/11/04 12:27:42
8415 [regress/rekey.sh]
8416 Test rekeying with all KexAlgorithms.
8417
8418commit bbfb9b0f386aab0c3e19d11f136199ef1b9ad0ef
8419Author: Darren Tucker <dtucker@zip.com.au>
8420Date: Thu Nov 7 14:56:43 2013 +1100
8421
8422 - markus@cvs.openbsd.org 2013/11/02 22:39:53
8423 [regress/kextype.sh]
8424 add curve25519-sha256@libssh.org
8425
8426commit aa19548a98c0f89283ebd7354abd746ca6bc4fdf
8427Author: Darren Tucker <dtucker@zip.com.au>
8428Date: Thu Nov 7 14:50:09 2013 +1100
8429
8430 - djm@cvs.openbsd.org 2013/10/09 23:44:14
8431 [regress/Makefile] (ID sync only)
8432 regression test for sftp request white/blacklisting and readonly mode.
8433
8434commit c8908aabff252f5da772d4e679479c2b7d18cac1
8435Author: Damien Miller <djm@mindrot.org>
8436Date: Thu Nov 7 13:38:35 2013 +1100
8437
8438 - djm@cvs.openbsd.org 2013/11/06 23:05:59
8439 [ssh-pkcs11.c]
8440 from portable: s/true/true_val/ to avoid name collisions on dump platforms
8441 RCSID sync only
8442
8443commit 49c145c5e89b9d7d48e84328d6347d5ad640b567
8444Author: Damien Miller <djm@mindrot.org>
8445Date: Thu Nov 7 13:35:39 2013 +1100
8446
8447 - markus@cvs.openbsd.org 2013/11/06 16:52:11
8448 [monitor_wrap.c]
8449 fix rekeying for AES-GCM modes; ok deraadt
8450
8451commit 67a8800f290b39fd60e379988c700656ae3f2539
8452Author: Damien Miller <djm@mindrot.org>
8453Date: Thu Nov 7 13:32:51 2013 +1100
8454
8455 - markus@cvs.openbsd.org 2013/11/04 11:51:16
8456 [monitor.c]
8457 fix rekeying for KEX_C25519_SHA256; noted by dtucker@
8458 RCSID sync only; I thought this was a merge botch and fixed it already
8459
8460commit df8b030b15fcec7baf38ec7944f309f9ca8cc9a7
8461Author: Damien Miller <djm@mindrot.org>
8462Date: Thu Nov 7 13:28:16 2013 +1100
8463
8464 - (djm) [configure.ac defines.h] Skip arc4random_stir() calls on platforms
8465 that lack it but have arc4random_uniform()
8466
8467commit a6fd1d3c38a562709374a70fa76423859160aa90
8468Author: Damien Miller <djm@mindrot.org>
8469Date: Thu Nov 7 12:03:26 2013 +1100
8470
8471 - (djm) [regress/modpipe.c regress/rekey.sh] Never intended to commit these
8472
8473commit c98319750b0bbdd0d1794420ec97d65dd9244613
8474Author: Damien Miller <djm@mindrot.org>
8475Date: Thu Nov 7 12:00:23 2013 +1100
8476
8477 - (djm) [Makefile.in monitor.c] Missed chunks of curve25519 KEX diff
8478
8479commit 61c5c2319e84a58210810d39b062c8b8e3321160
8480Author: Damien Miller <djm@mindrot.org>
8481Date: Thu Nov 7 11:34:14 2013 +1100
8482
8483 - (djm) [ssh-pkcs11.c] Bring back "non-constant initialiser" fix (rev 1.5)
8484 that got lost in recent merge.
8485
8486commit 094003f5454a9f5a607674b2739824a7e91835f4
8487Author: Damien Miller <djm@mindrot.org>
8488Date: Mon Nov 4 22:59:27 2013 +1100
8489
8490 - (djm) [kexc25519.c kexc25519c.c kexc25519s.c] Import missed files from
8491 KEX/curve25519 change
8492
8493commit ca67a7eaf8766499ba67801d0be8cdaa550b9a50
8494Author: Damien Miller <djm@mindrot.org>
8495Date: Mon Nov 4 09:05:17 2013 +1100
8496
8497 - djm@cvs.openbsd.org 2013/11/03 10:37:19
8498 [roaming_common.c]
8499 fix a couple of function definitions foo() -> foo(void)
8500 (-Wold-style-definition)
8501
8502commit 0bd8f1519d51af8d4229be81e8f2f4903a1d440b
8503Author: Damien Miller <djm@mindrot.org>
8504Date: Mon Nov 4 08:55:43 2013 +1100
8505
8506 - markus@cvs.openbsd.org 2013/11/02 22:39:19
8507 [ssh_config.5 sshd_config.5]
8508 the default kex is now curve25519-sha256@libssh.org
8509
8510commit 4c3ba0767fbe4a8a2a748df4035aaf86651f6b30
8511Author: Damien Miller <djm@mindrot.org>
8512Date: Mon Nov 4 08:40:13 2013 +1100
8513
8514 - markus@cvs.openbsd.org 2013/11/02 22:34:01
8515 [auth-options.c]
8516 no need to include monitor_wrap.h and ssh-gss.h
8517
8518commit 660621b2106b987b874c2f120218bec249d0f6ba
8519Author: Damien Miller <djm@mindrot.org>
8520Date: Mon Nov 4 08:37:51 2013 +1100
8521
8522 - markus@cvs.openbsd.org 2013/11/02 22:24:24
8523 [kexdhs.c kexecdhs.c]
8524 no need to include ssh-gss.h
8525
8526commit abdca986decfbbc008c895195b85e879ed460ada
8527Author: Damien Miller <djm@mindrot.org>
8528Date: Mon Nov 4 08:30:05 2013 +1100
8529
8530 - markus@cvs.openbsd.org 2013/11/02 22:10:15
8531 [kexdhs.c kexecdhs.c]
8532 no need to include monitor_wrap.h
8533
8534commit 1e1242604eb0fd510fe93f81245c529237ffc513
8535Author: Damien Miller <djm@mindrot.org>
8536Date: Mon Nov 4 08:26:52 2013 +1100
8537
8538 - markus@cvs.openbsd.org 2013/11/02 21:59:15
8539 [kex.c kex.h myproposal.h ssh-keyscan.c sshconnect2.c sshd.c]
8540 use curve25519 for default key exchange (curve25519-sha256@libssh.org);
8541 initial patch from Aris Adamantiadis; ok djm@
8542
8543commit d2252c79191d069372ed6effce7c7a2de93448cd
8544Author: Damien Miller <djm@mindrot.org>
8545Date: Mon Nov 4 07:41:48 2013 +1100
8546
8547 - markus@cvs.openbsd.org 2013/11/02 20:03:54
8548 [ssh-pkcs11.c]
8549 support pkcs#11 tokes that only provide x509 zerts instead of raw pubkeys;
8550 fixes bz#1908; based on patch from Laurent Barbe; ok djm
8551
8552commit 007e3b357e880caa974d5adf9669298ba0751c78
8553Author: Darren Tucker <dtucker@zip.com.au>
8554Date: Sun Nov 3 18:43:55 2013 +1100
8555
8556 - (dtucker) [configure.ac defines.h] Add typedefs for intmax_t and uintmax_t
8557 for platforms that don't have them.
8558
8559commit 710f3747352fb93a63e5b69b12379da37f5b3fa9
8560Author: Darren Tucker <dtucker@zip.com.au>
8561Date: Sun Nov 3 17:20:34 2013 +1100
8562
8563 - (dtucker) [openbsd-compat/setproctitle.c] Handle error case form the 2nd
8564 vsnprintf. From eric at openbsd via chl@.
8565
8566commit d52770452308e5c2e99f4da6edaaa77ef078b610
8567Author: Darren Tucker <dtucker@zip.com.au>
8568Date: Sun Nov 3 16:30:46 2013 +1100
8569
8570 - (dtucker) [openbsd-compat/bsd-misc.c] Include time.h for nanosleep.
8571 From OpenSMTPD where it prevents "implicit declaration" warnings (it's
8572 a no-op in OpenSSH). From chl at openbsd.
8573
8574commit 63857c9340d3482746a5622ffdacc756751f6448
8575Author: Damien Miller <djm@mindrot.org>
8576Date: Wed Oct 30 22:31:06 2013 +1100
8577
8578 - jmc@cvs.openbsd.org 2013/10/29 18:49:32
8579 [sshd_config.5]
8580 pty(4), not pty(7);
8581
8582commit 5ff30c6b68adeee767dd29bf2369763c6a13c0b3
8583Author: Damien Miller <djm@mindrot.org>
8584Date: Wed Oct 30 22:21:50 2013 +1100
8585
8586 - djm@cvs.openbsd.org 2013/10/29 09:48:02
8587 [servconf.c servconf.h session.c sshd_config sshd_config.5]
8588 shd_config PermitTTY to disallow TTY allocation, mirroring the
8589 longstanding no-pty authorized_keys option;
8590 bz#2070, patch from Teran McKinney; ok markus@
8591
8592commit 4a3a9d4bbf8048473f5cc202cd8db7164d5e6b8d
8593Author: Damien Miller <djm@mindrot.org>
8594Date: Wed Oct 30 22:19:47 2013 +1100
8595
8596 - djm@cvs.openbsd.org 2013/10/29 09:42:11
8597 [key.c key.h]
8598 fix potential stack exhaustion caused by nested certificates;
8599 report by Mateusz Kocielski; ok dtucker@ markus@
8600
8601commit 28631ceaa7acd9bc500f924614431542893c6a21
8602Author: Damien Miller <djm@mindrot.org>
8603Date: Sat Oct 26 10:07:56 2013 +1100
8604
8605 - djm@cvs.openbsd.org 2013/10/25 23:04:51
8606 [ssh.c]
8607 fix crash when using ProxyCommand caused by previous commit - was calling
8608 freeaddrinfo(NULL); spotted by sthen@ and Tim Ruehsen, patch by sthen@
8609
8610commit 26506ad29350c5681815745cc90b3952a84cf118
8611Author: Damien Miller <djm@mindrot.org>
8612Date: Sat Oct 26 10:05:46 2013 +1100
8613
8614 - (djm) [ssh-keygen.c ssh-keysign.c sshconnect1.c sshd.c] Remove
8615 unnecessary arc4random_stir() calls. The only ones left are to ensure
8616 that the PRNG gets a different state after fork() for platforms that
8617 have broken the API.
8618
8619commit bd43e8872325e9bbb3319c89da593614709f317c
8620Author: Tim Rice <tim@multitalents.net>
8621Date: Thu Oct 24 12:22:49 2013 -0700
8622
8623 - (tim) [regress/sftp-perm.sh] We need a shell that understands "! somecmd"
8624
8625commit a90c0338083ee0e4064c4bdf61f497293a699be0
8626Author: Damien Miller <djm@mindrot.org>
8627Date: Thu Oct 24 21:03:17 2013 +1100
8628
8629 - djm@cvs.openbsd.org 2013/10/24 08:19:36
8630 [ssh.c]
8631 fix bug introduced in hostname canonicalisation commit: don't try to
8632 resolve hostnames when a ProxyCommand is set unless the user has forced
8633 canonicalisation; spotted by Iain Morgan
8634
8635commit cf31f3863425453ffcda540fbefa9df80088c8d1
8636Author: Damien Miller <djm@mindrot.org>
8637Date: Thu Oct 24 21:02:56 2013 +1100
8638
8639 - dtucker@cvs.openbsd.org 2013/10/24 00:51:48
8640 [readconf.c servconf.c ssh_config.5 sshd_config.5]
8641 Disallow empty Match statements and add "Match all" which matches
8642 everything. ok djm, man page help jmc@
8643
8644commit 4bedd4032a09ce87322ae5ea80f193f109e5c607
8645Author: Damien Miller <djm@mindrot.org>
8646Date: Thu Oct 24 21:02:26 2013 +1100
8647
8648 - dtucker@cvs.openbsd.org 2013/10/24 00:49:49
8649 [moduli.c]
8650 Periodically print progress and, if possible, expected time to completion
8651 when screening moduli for DH groups. ok deraadt djm
8652
8653commit 5ecb41629860687b145be63b8877fabb6bae5eda
8654Author: Damien Miller <djm@mindrot.org>
8655Date: Thu Oct 24 21:02:02 2013 +1100
8656
8657 - djm@cvs.openbsd.org 2013/10/23 23:35:32
8658 [sshd.c]
8659 include local address and port in "Connection from ..." message (only
8660 shown at loglevel>=verbose)
8661
8662commit 03bf2e61ad6ac59a362a1f11b105586cb755c147
8663Author: Damien Miller <djm@mindrot.org>
8664Date: Thu Oct 24 21:01:26 2013 +1100
8665
8666 - dtucker@cvs.openbsd.org 2013/10/23 05:40:58
8667 [servconf.c]
8668 fix comment
8669
8670commit 8f1873191478847773906af961c8984d02a49dd6
8671Author: Damien Miller <djm@mindrot.org>
8672Date: Thu Oct 24 10:53:02 2013 +1100
8673
8674 - (djm) [auth-krb5.c] bz#2032 - use local username in krb5_kuserok check
8675 rather than full client name which may be of form user@REALM;
8676 patch from Miguel Sanders; ok dtucker@
8677
8678commit 5b01b0dcb417eb615df77e7ce1b59319bf04342c
8679Author: Damien Miller <djm@mindrot.org>
8680Date: Wed Oct 23 16:31:31 2013 +1100
8681
8682 - djm@cvs.openbsd.org 2013/10/23 04:16:22
8683 [ssh-keygen.c]
8684 Make code match documentation: relative-specified certificate expiry time
8685 should be relative to current time and not the validity start time.
8686 Reported by Petr Lautrbach; ok deraadt@
8687
8688commit eff5cada589f25793dbe63a76aba9da39837a148
8689Author: Damien Miller <djm@mindrot.org>
8690Date: Wed Oct 23 16:31:10 2013 +1100
8691
8692 - djm@cvs.openbsd.org 2013/10/23 03:05:19
8693 [readconf.c ssh.c]
8694 comment
8695
8696commit 084bcd24e9fe874020e4df4e073e7408e1b17fb7
8697Author: Damien Miller <djm@mindrot.org>
8698Date: Wed Oct 23 16:30:51 2013 +1100
8699
8700 - djm@cvs.openbsd.org 2013/10/23 03:03:07
8701 [readconf.c]
8702 Hostname may have %h sequences that should be expanded prior to Match
8703 evaluation; spotted by Iain Morgan
8704
8705commit 8e5a67f46916def40b2758bb7755350dd2eee843
8706Author: Damien Miller <djm@mindrot.org>
8707Date: Wed Oct 23 16:30:25 2013 +1100
8708
8709 - jmc@cvs.openbsd.org 2013/10/20 18:00:13
8710 [ssh_config.5]
8711 tweak the "exec" description, as worded by djm;
8712
8713commit c0049bd0bca02890cd792babc594771c563f91f2
8714Author: Damien Miller <djm@mindrot.org>
8715Date: Wed Oct 23 16:29:59 2013 +1100
8716
8717 - djm@cvs.openbsd.org 2013/10/20 09:51:26
8718 [scp.1 sftp.1]
8719 add canonicalisation options to -o lists
8720
8721commit 8a04be795fc28514a09e55a54b2e67968f2e1b3a
8722Author: Damien Miller <djm@mindrot.org>
8723Date: Wed Oct 23 16:29:40 2013 +1100
8724
8725 - djm@cvs.openbsd.org 2013/10/20 06:19:28
8726 [readconf.c ssh_config.5]
8727 rename "command" subclause of the recently-added "Match" keyword to
8728 "exec"; it's shorter, clearer in intent and we might want to add the
8729 ability to match against the command being executed at the remote end in
8730 the future.
8731
8732commit 5c86ebdf83b636b6741db4b03569ef4a53b89a58
8733Author: Damien Miller <djm@mindrot.org>
8734Date: Wed Oct 23 16:29:12 2013 +1100
8735
8736 - djm@cvs.openbsd.org 2013/10/20 04:39:28
8737 [ssh_config.5]
8738 document % expansions performed by "Match command ..."
8739
8740commit 4502f88774edc56194707167443f94026d3c7cfa
8741Author: Damien Miller <djm@mindrot.org>
8742Date: Fri Oct 18 10:17:36 2013 +1100
8743
8744 - djm@cvs.openbsd.org 2013/10/17 22:08:04
8745 [sshd.c]
8746 include remote port in bad banner message; bz#2162
8747
8748commit 1edcbf65ebd2febeaf10a836468f35e519eed7ca
8749Author: Damien Miller <djm@mindrot.org>
8750Date: Fri Oct 18 10:17:17 2013 +1100
8751
8752 - jmc@cvs.openbsd.org 2013/10/17 07:35:48
8753 [sftp.1 sftp.c]
8754 tweak previous;
8755
8756commit a176e1823013dd8533a20235b3a5131f0626f46b
8757Author: Damien Miller <djm@mindrot.org>
8758Date: Fri Oct 18 09:05:41 2013 +1100
8759
8760 - djm@cvs.openbsd.org 2013/10/09 23:44:14
8761 [regress/Makefile regress/sftp-perm.sh]
8762 regression test for sftp request white/blacklisting and readonly mode.
8763
8764commit e3ea09494dcfe7ba76536e95765c8328ecfc18fb
8765Author: Damien Miller <djm@mindrot.org>
8766Date: Thu Oct 17 11:57:23 2013 +1100
8767
8768 - djm@cvs.openbsd.org 2013/10/17 00:46:49
8769 [ssh.c]
8770 rearrange check to reduce diff against -portable
8771 (Id sync only)
8772
8773commit f29238e67471a7f1088a99c3c3dbafce76b790cf
8774Author: Damien Miller <djm@mindrot.org>
8775Date: Thu Oct 17 11:48:52 2013 +1100
8776
8777 - djm@cvs.openbsd.org 2013/10/17 00:30:13
8778 [PROTOCOL sftp-client.c sftp-client.h sftp-server.c sftp.1 sftp.c]
8779 fsync@openssh.com protocol extension for sftp-server
8780 client support to allow calling fsync() faster successful transfer
8781 patch mostly by imorgan AT nas.nasa.gov; bz#1798
8782 "fine" markus@ "grumble OK" deraadt@ "doesn't sound bad to me" millert@
8783
8784commit 51682faa599550a69d8120e5e2bdbdc0625ef4be
8785Author: Damien Miller <djm@mindrot.org>
8786Date: Thu Oct 17 11:48:31 2013 +1100
8787
8788 - djm@cvs.openbsd.org 2013/10/16 22:58:01
8789 [ssh.c ssh_config.5]
8790 one I missed in previous: s/isation/ization/
8791
8792commit 3850559be93f1a442ae9ed370e8c389889dd5f72
8793Author: Damien Miller <djm@mindrot.org>
8794Date: Thu Oct 17 11:48:13 2013 +1100
8795
8796 - djm@cvs.openbsd.org 2013/10/16 22:49:39
8797 [readconf.c readconf.h ssh.1 ssh.c ssh_config.5]
8798 s/canonicalise/canonicalize/ for consistency with existing spelling,
8799 e.g. authorized_keys; pointed out by naddy@
8800
8801commit 607af3434b75acc7199a5d99d5a9c11068c01f27
8802Author: Damien Miller <djm@mindrot.org>
8803Date: Thu Oct 17 11:47:51 2013 +1100
8804
8805 - jmc@cvs.openbsd.org 2013/10/16 06:42:25
8806 [ssh_config.5]
8807 tweak previous;
8808
8809commit 0faf747e2f77f0f7083bcd59cbed30c4b5448444
8810Author: Damien Miller <djm@mindrot.org>
8811Date: Thu Oct 17 11:47:23 2013 +1100
8812
8813 - djm@cvs.openbsd.org 2013/10/16 02:31:47
8814 [readconf.c readconf.h roaming_client.c ssh.1 ssh.c ssh_config.5]
8815 [sshconnect.c sshconnect.h]
8816 Implement client-side hostname canonicalisation to allow an explicit
8817 search path of domain suffixes to use to convert unqualified host names
8818 to fully-qualified ones for host key matching.
8819 This is particularly useful for host certificates, which would otherwise
8820 need to list unqualified names alongside fully-qualified ones (and this
8821 causes a number of problems).
8822 "looks fine" markus@
8823
8824commit d77b81f856e078714ec6b0f86f61c20249b7ead4
8825Author: Damien Miller <djm@mindrot.org>
8826Date: Thu Oct 17 11:39:00 2013 +1100
8827
8828 - jmc@cvs.openbsd.org 2013/10/15 14:10:25
8829 [ssh.1 ssh_config.5]
8830 tweak previous;
8831
8832commit dcd39f29ce3308dc74a0ff27a9056205a932ce05
8833Author: Damien Miller <djm@mindrot.org>
8834Date: Thu Oct 17 11:31:40 2013 +1100
8835
8836 - [ssh.c] g/c unused variable.
8837
8838commit 5359a628ce3763408da25d83271a8eddec597a0c
8839Author: Damien Miller <djm@mindrot.org>
8840Date: Tue Oct 15 12:20:37 2013 +1100
8841
8842 - [ssh.c] g/c unused variable.
8843
8844commit 386feab0c4736b054585ee8ee372865d5cde8d69
8845Author: Damien Miller <djm@mindrot.org>
8846Date: Tue Oct 15 12:14:49 2013 +1100
8847
8848 - djm@cvs.openbsd.org 2013/10/14 23:31:01
8849 [ssh.c]
8850 whitespace at EOL; pointed out by markus@
8851
8852commit e9fc72edd6c313b670558cd5219601c38a949b67
8853Author: Damien Miller <djm@mindrot.org>
8854Date: Tue Oct 15 12:14:12 2013 +1100
8855
8856 - djm@cvs.openbsd.org 2013/10/14 23:28:23
8857 [canohost.c misc.c misc.h readconf.c sftp-server.c ssh.c]
8858 refactor client config code a little:
8859 add multistate option partsing to readconf.c, similar to servconf.c's
8860 existing code.
8861 move checking of options that accept "none" as an argument to readconf.c
8862 add a lowercase() function and use it instead of explicit tolower() in
8863 loops
8864 part of a larger diff that was ok markus@
8865
8866commit 194fd904d8597a274b93e075b2047afdf5a175d4
8867Author: Damien Miller <djm@mindrot.org>
8868Date: Tue Oct 15 12:13:05 2013 +1100
8869
8870 - djm@cvs.openbsd.org 2013/10/14 22:22:05
8871 [readconf.c readconf.h ssh-keysign.c ssh.c ssh_config.5]
8872 add a "Match" keyword to ssh_config that allows matching on hostname,
8873 user and result of arbitrary commands. "nice work" markus@
8874
8875commit 71df752de2a04f423b1cd18d961a79f4fbccbcee
8876Author: Damien Miller <djm@mindrot.org>
8877Date: Tue Oct 15 12:12:02 2013 +1100
8878
8879 - djm@cvs.openbsd.org 2013/10/14 21:20:52
8880 [session.c session.h]
8881 Add logging of session starts in a useful format; ok markus@ feedback and
8882 ok dtucker@
8883
8884commit 6efab27109b82820e8d32a5d811adb7bfc354f65
8885Author: Damien Miller <djm@mindrot.org>
8886Date: Tue Oct 15 12:07:05 2013 +1100
8887
8888 - jmc@cvs.openbsd.org 2013/10/14 14:18:56
8889 [sftp-server.8 sftp-server.c]
8890 tweak previous;
8891 ok djm
8892
8893commit 61c7de8a94156f6d7e9718ded9be8c65bb902b66
8894Author: Damien Miller <djm@mindrot.org>
8895Date: Tue Oct 15 12:06:45 2013 +1100
8896
8897 - djm@cvs.openbsd.org 2013/10/11 02:53:45
8898 [sftp-client.h]
8899 obsolete comment
8900
8901commit 2f93d0556e4892208c9b072624caa8cc5ddd839d
8902Author: Damien Miller <djm@mindrot.org>
8903Date: Tue Oct 15 12:06:27 2013 +1100
8904
8905 - djm@cvs.openbsd.org 2013/10/11 02:52:23
8906 [sftp-client.c]
8907 missed one arg reorder
8908
8909commit bda5c8445713ae592d969a5105ed1a65da22bc96
8910Author: Damien Miller <djm@mindrot.org>
8911Date: Tue Oct 15 12:05:58 2013 +1100
8912
8913 - djm@cvs.openbsd.org 2013/10/11 02:45:36
8914 [sftp-client.c]
8915 rename flag arguments to be more clear and consistent.
8916 reorder some internal function arguments to make adding additional flags
8917 easier.
8918 no functional change
8919
8920commit 61ee4d68ca0fcc793a826fc7ec70f3b8ffd12ab6
8921Author: Damien Miller <djm@mindrot.org>
8922Date: Tue Oct 15 11:56:47 2013 +1100
8923
8924 - djm@cvs.openbsd.org 2013/10/10 01:43:03
8925 [sshd.c]
8926 bz#2139: fix re-exec fallback by ensuring that startup_pipe is correctly
8927 updated; ok dtucker@
8928
8929commit 73600e51af9ee734a19767e0c084bbbc5eb5b8da
8930Author: Damien Miller <djm@mindrot.org>
8931Date: Tue Oct 15 11:56:25 2013 +1100
8932
8933 - djm@cvs.openbsd.org 2013/10/10 00:53:25
8934 [sftp-server.c]
8935 add -Q, -P and -p to usage() before jmc@ catches me
8936
8937commit 6eaeebf27d92f39a38c772aa3f20c2250af2dd29
8938Author: Damien Miller <djm@mindrot.org>
8939Date: Tue Oct 15 11:55:57 2013 +1100
8940
8941 - djm@cvs.openbsd.org 2013/10/09 23:42:17
8942 [sftp-server.8 sftp-server.c]
8943 Add ability to whitelist and/or blacklist sftp protocol requests by name.
8944 Refactor dispatch loop and consolidate read-only mode checks.
8945 Make global variables static, since sftp-server is linked into sshd(8).
8946 ok dtucker@
8947
8948commit df62d71e64d29d1054e7a53d1a801075ef70335f
8949Author: Darren Tucker <dtucker@zip.com.au>
8950Date: Thu Oct 10 10:32:39 2013 +1100
8951
8952 - dtucker@cvs.openbsd.org 2013/10/08 11:42:13
8953 [dh.c dh.h]
8954 Increase the size of the Diffie-Hellman groups requested for a each
8955 symmetric key size. New values from NIST Special Publication 800-57 with
8956 the upper limit specified by RFC4419. Pointed out by Peter Backes, ok
8957 djm@.
8958
8959commit e6e52f8c5dc89a6767702e65bb595aaf7bc8991c
8960Author: Darren Tucker <dtucker@zip.com.au>
8961Date: Thu Oct 10 10:28:07 2013 +1100
8962
8963 - djm@cvs.openbsd.org 2013/09/19 01:26:29
8964 [sshconnect.c]
8965 bz#1211: make BindAddress work with UsePrivilegedPort=yes; patch from
8966 swp AT swp.pp.ru; ok dtucker@
8967
8968commit 71152bc9911bc34a98810b2398dac20df3fe8de3
8969Author: Darren Tucker <dtucker@zip.com.au>
8970Date: Thu Oct 10 10:27:21 2013 +1100
8971
8972 - djm@cvs.openbsd.org 2013/09/19 01:24:46
8973 [channels.c]
8974 bz#1297 - tell the client (via packet_send_debug) when their preferred
8975 listen address has been overridden by the server's GatewayPorts;
8976 ok dtucker@
8977
8978commit b59aaf3c4f3f449a4b86d8528668bd979be9aa5f
8979Author: Darren Tucker <dtucker@zip.com.au>
8980Date: Thu Oct 10 10:26:21 2013 +1100
8981
8982 - djm@cvs.openbsd.org 2013/09/19 00:49:12
8983 [sftp-client.c]
8984 fix swapped pflag and printflag in sftp upload_dir; from Iain Morgan
8985
8986commit 5d80e4522d6238bdefe9d0c634f0e6d35a241e41
8987Author: Darren Tucker <dtucker@zip.com.au>
8988Date: Thu Oct 10 10:25:09 2013 +1100
8989
8990 - djm@cvs.openbsd.org 2013/09/19 00:24:52
8991 [progressmeter.c]
8992 store the initial file offset so the progress meter doesn't freak out
8993 when resuming sftp transfers. bz#2137; patch from Iain Morgan; ok dtucker@
8994
8995commit ad92df7e5ed26fea85adfb3f95352d6cd8e86344
8996Author: Darren Tucker <dtucker@zip.com.au>
8997Date: Thu Oct 10 10:24:11 2013 +1100
8998
8999 - sthen@cvs.openbsd.org 2013/09/16 11:35:43
9000 [ssh_config]
9001 Remove gssapi config parts from ssh_config, as was already done for
9002 sshd_config. Req by/ok ajacoutot@
9003 ID SYNC ONLY for portable; kerberos/gssapi is still pretty popular
9004
9005commit 720711960b130d36dfdd3d50eb25ef482bdd000e
9006Author: Damien Miller <djm@mindrot.org>
9007Date: Wed Oct 9 10:44:47 2013 +1100
9008
9009 - (djm) [openbsd-compat/Makefile.in openbsd-compat/arc4random.c]
9010 [openbsd-compat/bsd-arc4random.c] Replace old RC4-based arc4random
9011 implementation with recent OpenBSD's ChaCha-based PRNG. ok dtucker@,
9012 tested tim@
9013
9014commit 9159310087a218e28940a592896808b8eb76a039
9015Author: Damien Miller <djm@mindrot.org>
9016Date: Wed Oct 9 10:42:32 2013 +1100
9017
9018 - (djm) [openbsd-compat/arc4random.c openbsd-compat/chacha_private.h] Pull
9019 in OpenBSD implementation of arc4random, shortly to replace the existing
9020 bsd-arc4random.c
9021
9022commit 67f1d557a68d6fa8966a327d7b6dee3408cf0e72
9023Author: Damien Miller <djm@mindrot.org>
9024Date: Wed Oct 9 09:33:08 2013 +1100
9025
9026 correct incorrect years in datestamps; from des
9027
9028commit f2bf36c3eb4d969f85ec8aa342e9aecb61cc8bb1
9029Author: Darren Tucker <dtucker@zip.com.au>
9030Date: Sun Sep 22 19:02:40 2013 +1000
9031
9032 - (dtucker) [platform.c platform.h sshd.c] bz#2156: restore Linux oom_adj
9033 setting when handling SIGHUP to maintain behaviour over retart. Patch
9034 from Matthew Ife.
9035
9036commit e90a06ae570fd259a2f5ced873c7f17390f535a5
9037Author: Darren Tucker <dtucker@zip.com.au>
9038Date: Wed Sep 18 15:09:38 2013 +1000
9039
9040 - (dtucker) [sshd_config] Trailing whitespace; from jstjohn at purdue edu.
9041
9042commit 13840e0103946982cee2a05c40697be7e57dca41
9043Author: Damien Miller <djm@mindrot.org>
9044Date: Sat Sep 14 09:49:43 2013 +1000
9045
9046 - djm@cvs.openbsd.org 2013/09/13 06:54:34
9047 [channels.c]
9048 avoid unaligned access in code that reused a buffer to send a
9049 struct in_addr in a reply; simpler just use use buffer_put_int();
9050 from portable; spotted by and ok dtucker@
9051
9052commit 70182522a47d283513a010338cd028cb80dac2ab
9053Author: Damien Miller <djm@mindrot.org>
9054Date: Sat Sep 14 09:49:19 2013 +1000
9055
9056 - djm@cvs.openbsd.org 2013/09/12 01:41:12
9057 [clientloop.c]
9058 fix connection crash when sending break (~B) on ControlPersist'd session;
9059 ok dtucker@
9060
9061commit ff9d6c2a4171ee32e8fe28fc3b86eb33bd5c845b
9062Author: Damien Miller <djm@mindrot.org>
9063Date: Sat Sep 14 09:48:55 2013 +1000
9064
9065 - sthen@cvs.openbsd.org 2013/09/07 13:53:11
9066 [sshd_config]
9067 Remove commented-out kerberos/gssapi config options from sample config,
9068 kerberos support is currently not enabled in ssh in OpenBSD. Discussed with
9069 various people; ok deraadt@
9070 ID SYNC ONLY for portable; kerberos/gssapi is still pretty popular
9071
9072commit 8bab5e7b5ff6721d926b5ebf05a3a24489889c58
9073Author: Damien Miller <djm@mindrot.org>
9074Date: Sat Sep 14 09:47:00 2013 +1000
9075
9076 - deraadt@cvs.openbsd.org 2013/09/02 22:00:34
9077 [ssh-keygen.c sshconnect1.c sshd.c]
9078 All the instances of arc4random_stir() are bogus, since arc4random()
9079 does this itself, inside itself, and has for a very long time.. Actually,
9080 this was probably reducing the entropy available.
9081 ok djm
9082 ID SYNC ONLY for portable; we don't trust other arc4random implementations
9083 to do this right.
9084
9085commit 61353b3208d548fab863e0e0ac5d2400ee5bb340
9086Author: Damien Miller <djm@mindrot.org>
9087Date: Sat Sep 14 09:45:32 2013 +1000
9088
9089 - djm@cvs.openbsd.org 2013/08/31 00:13:54
9090 [sftp.c]
9091 make ^w match ksh behaviour (delete previous word instead of entire line)
9092
9093commit 660854859cad31d234edb9353fb7ca2780df8128
9094Author: Damien Miller <djm@mindrot.org>
9095Date: Sat Sep 14 09:45:03 2013 +1000
9096
9097 - mikeb@cvs.openbsd.org 2013/08/28 12:34:27
9098 [ssh-keygen.c]
9099 improve batch processing a bit by making use of the quite flag a bit
9100 more often and exit with a non zero code if asked to find a hostname
9101 in a known_hosts file and it wasn't there;
9102 originally from reyk@, ok djm
9103
9104commit 045bda5cb8acf0eb9d71c275ee1247e3154fc9e5
9105Author: Damien Miller <djm@mindrot.org>
9106Date: Sat Sep 14 09:44:37 2013 +1000
9107
9108 - djm@cvs.openbsd.org 2013/08/22 19:02:21
9109 [sshd.c]
9110 Stir PRNG after post-accept fork. The child gets a different PRNG state
9111 anyway via rexec and explicit privsep reseeds, but it's good to be sure.
9112 ok markus@
9113
9114commit ed4af412da60a084891b20412433a27966613fb8
9115Author: Damien Miller <djm@mindrot.org>
9116Date: Sat Sep 14 09:40:51 2013 +1000
9117
9118 add marker for 6.3p1 release at the point of the last included change
9119
9120commit 43968a8e66a0aa1afefb11665bf96f86b113f5d9
9121Author: Damien Miller <djm@mindrot.org>
9122Date: Wed Aug 28 14:00:54 2013 +1000
9123
9124 - (djm) [openbsd-compat/bsd-snprintf.c] #ifdef noytet for intmax_t bits
9125 until we have configure support.
9126
9127commit 04be8b9e53f8388c94b531ebc5d1bd6e10e930d1
9128Author: Damien Miller <djm@mindrot.org>
9129Date: Wed Aug 28 12:49:43 2013 +1000
9130
9131 - (djm) [openbsd-compat/bsd-snprintf.c] teach our local snprintf code the
9132 'j' (intmax_t/uintmax_t) and 'z' (size_t/ssize_t) conversions in case we
9133 start to use them in the future.
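--- a/README
+++ b/README
@@ -1,4 +1,4 @@
-See http://www.openssh.com/txt/release-7.1 for the release notes.
+See http://www.openssh.com/txt/release-7.1p2 for the release notes.
 
 Please read http://www.openssh.com/report.html for bug reporting
 instructions and note that we do not use Github for bug reporting or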
diff --git a/bitmap.c b/bitmap.c
index 19cd2e8e3..f95032250 100644
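--- a/bitmap.c
+++ b/bitmap.c
@@ -53,7 +53,7 @@ void
 bitmap_free(struct bitmap *b)
 {
  if (b != NULL && b->d != NULL) {
- memset(b->d, 0, b->len);
+ explicit_bzero(b->d, b->len);
  free(b->d);
  }
  free(b);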
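Review bot: The length passed to `explicit_bzero(b->d, b->len)` is carried over unchanged from the old `memset`, so the swap only helps if `b->len` is a byte count. The struct definition is outside this hunk; if `len` counts allocated words rather than bytes, only the first fraction of the bitmap storage is wiped before `free(b->d)`, and the dead-store protection this change is after would not cover the rest. Please confirm the unit and, if it is an element count, scale it: `explicit_bzero(b->d, b->len * sizeof(*b->d));`. A short comment on that line stating the unit of `len` would keep the next edit from reintroducing the mismatch. The closing brace of `bitmap_free` falls just past the end of the hunk.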
diff --git a/contrib/redhat/openssh.spec b/contrib/redhat/openssh.spec
index 5b27106fb..4c55227e5 100644
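--- a/contrib/redhat/openssh.spec
+++ b/contrib/redhat/openssh.spec
@@ -1,4 +1,4 @@
-%define ver 7.1p1
+%define ver 7.1p2
 %define rel 1
 
 # OpenSSH privilege separation requires a user & group ID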
diff --git a/contrib/suse/openssh.spec b/contrib/suse/openssh.spec
index 596895882..3ee526805 100644
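--- a/contrib/suse/openssh.spec
+++ b/contrib/suse/openssh.spec
@@ -13,7 +13,7 @@
 
 Summary: OpenSSH, a free Secure Shell (SSH) protocol implementation
 Name: openssh
-Version: 7.1p1
+Version: 7.1p2
 URL: http://www.openssh.com/
 Release: 1
 Source0: openssh-%{version}.tar.gz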
diff --git a/debian/.git-dpm b/debian/.git-dpm
index b6e38a18d..e7130afa6 100644
--- a/debian/.git-dpm
+++ b/debian/.git-dpm
@@ -1,8 +1,8 @@
1# see git-dpm(1) from git-dpm package 1# see git-dpm(1) from git-dpm package
231cc76b587fe2305eab8f7788c5dc6c876aff60e 2003a875a474100d250b6643270ef3874da6591d8
331cc76b587fe2305eab8f7788c5dc6c876aff60e 3003a875a474100d250b6643270ef3874da6591d8
4651211fd4a199b299540c00c54a46e27fadb04be 4eeff4de96f5d7365750dc56912c2c62b5c28db6b
5651211fd4a199b299540c00c54a46e27fadb04be 5eeff4de96f5d7365750dc56912c2c62b5c28db6b
6openssh_7.1p1.orig.tar.gz 6openssh_7.1p2.orig.tar.gz
7ed22af19f962262c493fcc6ed8c8826b2761d9b6 79202f5a2a50c8a55ecfb830609df1e1fde97f758
81493170 81475829
diff --git a/debian/changelog b/debian/changelog
index 51d296c5e..86ea183ef 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,19 @@
1openssh (1:7.1p2-1) UNRELEASED; urgency=high
2
3 * New upstream release (http://www.openssh.com/txt/release-7.1p2):
4 - CVE-2016-0777, CVE-2016-0778: Disable experimental client-side support
5 for roaming, which could be tricked by a malicious server into leaking
6 client memory to the server, including private client user keys; this
7 information leak is restricted to connections to malicious or
8 compromised servers (closes: #810984).
9 - SECURITY: Fix an out of-bound read access in the packet handling code.
10 Reported by Ben Hawkes.
11 - Further use of explicit_bzero has been added in various buffer
12 handling code paths to guard against compilers aggressively doing
13 dead-store removal.
14
15 -- Colin Watson <cjwatson@debian.org> Thu, 14 Jan 2016 15:08:21 +0000
16
1openssh (1:7.1p1-6) unstable; urgency=medium 17openssh (1:7.1p1-6) unstable; urgency=medium
2 18
3 [ Colin Watson ] 19 [ Colin Watson ]
diff --git a/debian/patches/auth-log-verbosity.patch b/debian/patches/auth-log-verbosity.patch
index dc82a6085..3635e50ad 100644
--- a/debian/patches/auth-log-verbosity.patch
+++ b/debian/patches/auth-log-verbosity.patch
@@ -1,4 +1,4 @@
1From bede2f8c8a352b57ae5188fe6d3e45c5a57892eb Mon Sep 17 00:00:00 2001 1From a791d607756f04e41153c2297e5f9a608daa7335 Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 9 Feb 2014 16:10:02 +0000 3Date: Sun, 9 Feb 2014 16:10:02 +0000
4Subject: Quieten logs when multiple from= restrictions are used 4Subject: Quieten logs when multiple from= restrictions are used
diff --git a/debian/patches/authorized-keys-man-symlink.patch b/debian/patches/authorized-keys-man-symlink.patch
index 694b8e584..2b1bd05f7 100644
--- a/debian/patches/authorized-keys-man-symlink.patch
+++ b/debian/patches/authorized-keys-man-symlink.patch
@@ -1,4 +1,4 @@
1From efc61f37910b46ad2ac920aca7eefce909ef2555 Mon Sep 17 00:00:00 2001 1From 9769daa27369920a909debed3ee297c32f0c3ef7 Mon Sep 17 00:00:00 2001
2From: Tomas Pospisek <tpo_deb@sourcepole.ch> 2From: Tomas Pospisek <tpo_deb@sourcepole.ch>
3Date: Sun, 9 Feb 2014 16:10:07 +0000 3Date: Sun, 9 Feb 2014 16:10:07 +0000
4Subject: Install authorized_keys(5) as a symlink to sshd(8) 4Subject: Install authorized_keys(5) as a symlink to sshd(8)
diff --git a/debian/patches/backport-fix-first-kex-follows.patch b/debian/patches/backport-fix-first-kex-follows.patch
deleted file mode 100644
index 0039a55a6..000000000
--- a/debian/patches/backport-fix-first-kex-follows.patch
+++ /dev/null
@@ -1,36 +0,0 @@
1From 31cc76b587fe2305eab8f7788c5dc6c876aff60e Mon Sep 17 00:00:00 2001
2From: Damien Miller <djm@mindrot.org>
3Date: Tue, 15 Dec 2015 15:25:04 +0000
4Subject: upstream commit
5
6unbreak connections with peers that set first_kex_follows;
7fix from Matt Johnston va bz#2515
8
9Origin: backport, http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/kex.c.diff?r1=1.114&r2=1.115
10Forwarded: not-needed
11Bug-Ubuntu: https://bugs.launchpad.net/bugs/1526357
12
13Patch-Name: backport-fix-first-kex-follows.patch
14---
15 kex.c | 6 +++---
16 1 file changed, 3 insertions(+), 3 deletions(-)
17
18diff --git a/kex.c b/kex.c
19index 39a6f98..12f3e41 100644
20--- a/kex.c
21+++ b/kex.c
22@@ -286,11 +286,11 @@ kex_buf2prop(struct sshbuf *raw, int *first_kex_follows, char ***propp)
23 debug2("kex_parse_kexinit: %s", proposal[i]);
24 }
25 /* first kex follows / reserved */
26- if ((r = sshbuf_get_u8(b, &v)) != 0 ||
27- (r = sshbuf_get_u32(b, &i)) != 0)
28+ if ((r = sshbuf_get_u8(b, &v)) != 0 || /* first_kex_follows */
29+ (r = sshbuf_get_u32(b, &i)) != 0) /* reserved */
30 goto out;
31 if (first_kex_follows != NULL)
32- *first_kex_follows = i;
33+ *first_kex_follows = v;
34 debug2("kex_parse_kexinit: first_kex_follows %d ", v);
35 debug2("kex_parse_kexinit: reserved %u ", i);
36 r = 0;
diff --git a/debian/patches/debian-banner.patch b/debian/patches/debian-banner.patch
index 0ca73053b..eceac3ccf 100644
--- a/debian/patches/debian-banner.patch
+++ b/debian/patches/debian-banner.patch
@@ -1,4 +1,4 @@
1From e35768a64e1ca5a6ad2a5df3ebbe6806ffb8afa2 Mon Sep 17 00:00:00 2001 1From 1cbbbb90ae1a4f88f8090e1fdecee007b8d360f8 Mon Sep 17 00:00:00 2001
2From: Kees Cook <kees@debian.org> 2From: Kees Cook <kees@debian.org>
3Date: Sun, 9 Feb 2014 16:10:06 +0000 3Date: Sun, 9 Feb 2014 16:10:06 +0000
4Subject: Add DebianBanner server configuration option 4Subject: Add DebianBanner server configuration option
@@ -80,7 +80,7 @@ index 778ba17..161fa37 100644
80 80
81 /* Information about the incoming connection as used by Match */ 81 /* Information about the incoming connection as used by Match */
82diff --git a/sshd.c b/sshd.c 82diff --git a/sshd.c b/sshd.c
83index 0d4fb7f..6024e0e 100644 83index 189d34a..8d17521 100644
84--- a/sshd.c 84--- a/sshd.c
85+++ b/sshd.c 85+++ b/sshd.c
86@@ -443,7 +443,8 @@ sshd_exchange_identification(int sock_in, int sock_out) 86@@ -443,7 +443,8 @@ sshd_exchange_identification(int sock_in, int sock_out)
diff --git a/debian/patches/debian-config.patch b/debian/patches/debian-config.patch
index 0a2b1c58d..0a5e2cd39 100644
--- a/debian/patches/debian-config.patch
+++ b/debian/patches/debian-config.patch
@@ -1,4 +1,4 @@
1From 966fde291d530349c427da5c98e4f1869cb4e0bb Mon Sep 17 00:00:00 2001 1From 003a875a474100d250b6643270ef3874da6591d8 Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 9 Feb 2014 16:10:18 +0000 3Date: Sun, 9 Feb 2014 16:10:18 +0000
4Subject: Various Debian-specific configuration changes 4Subject: Various Debian-specific configuration changes
@@ -32,7 +32,7 @@ Patch-Name: debian-config.patch
32 6 files changed, 72 insertions(+), 4 deletions(-) 32 6 files changed, 72 insertions(+), 4 deletions(-)
33 33
34diff --git a/readconf.c b/readconf.c 34diff --git a/readconf.c b/readconf.c
35index c0ba5a7..e4e1cba 100644 35index b9442fd..ee46ad6 100644
36--- a/readconf.c 36--- a/readconf.c
37+++ b/readconf.c 37+++ b/readconf.c
38@@ -1749,7 +1749,7 @@ fill_default_options(Options * options) 38@@ -1749,7 +1749,7 @@ fill_default_options(Options * options)
diff --git a/debian/patches/dnssec-sshfp.patch b/debian/patches/dnssec-sshfp.patch
index 16c4d61b9..725d26e81 100644
--- a/debian/patches/dnssec-sshfp.patch
+++ b/debian/patches/dnssec-sshfp.patch
@@ -1,4 +1,4 @@
1From c35c5d9e775ad138661f3c4ef797060be53a4bd8 Mon Sep 17 00:00:00 2001 1From 54d62ce82775d6a6f556cef7b1ff61412d2d0581 Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 9 Feb 2014 16:10:01 +0000 3Date: Sun, 9 Feb 2014 16:10:01 +0000
4Subject: Force use of DNSSEC even if "options edns0" isn't in resolv.conf 4Subject: Force use of DNSSEC even if "options edns0" isn't in resolv.conf
diff --git a/debian/patches/doc-hash-tab-completion.patch b/debian/patches/doc-hash-tab-completion.patch
index ec2878845..646716fe5 100644
--- a/debian/patches/doc-hash-tab-completion.patch
+++ b/debian/patches/doc-hash-tab-completion.patch
@@ -1,4 +1,4 @@
1From a6edf4df120a78aefe39b44d07c89e13340c9ac8 Mon Sep 17 00:00:00 2001 1From 6f8b6ab94f4c4351e49598f08abc6da16fe29740 Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 9 Feb 2014 16:10:11 +0000 3Date: Sun, 9 Feb 2014 16:10:11 +0000
4Subject: Document that HashKnownHosts may break tab-completion 4Subject: Document that HashKnownHosts may break tab-completion
diff --git a/debian/patches/doc-upstart.patch b/debian/patches/doc-upstart.patch
index 1f3d7bf08..b7a072414 100644
--- a/debian/patches/doc-upstart.patch
+++ b/debian/patches/doc-upstart.patch
@@ -1,4 +1,4 @@
1From 5e6ecf32f56fa0c7d102239b74ae09bd4186c5a3 Mon Sep 17 00:00:00 2001 1From 17063f049ca0f00cb455eed0852405bc9abe6213 Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@ubuntu.com> 2From: Colin Watson <cjwatson@ubuntu.com>
3Date: Sun, 9 Feb 2014 16:10:12 +0000 3Date: Sun, 9 Feb 2014 16:10:12 +0000
4Subject: Refer to ssh's Upstart job as well as its init script 4Subject: Refer to ssh's Upstart job as well as its init script
diff --git a/debian/patches/gnome-ssh-askpass2-icon.patch b/debian/patches/gnome-ssh-askpass2-icon.patch
index 4fce0733d..c3b601c76 100644
--- a/debian/patches/gnome-ssh-askpass2-icon.patch
+++ b/debian/patches/gnome-ssh-askpass2-icon.patch
@@ -1,4 +1,4 @@
1From a9bfb2fba2b1ec9ebeca20550cbccf2499d42461 Mon Sep 17 00:00:00 2001 1From a1913369b4abfcebec320706e561591c1ed8640c Mon Sep 17 00:00:00 2001
2From: Vincent Untz <vuntz@ubuntu.com> 2From: Vincent Untz <vuntz@ubuntu.com>
3Date: Sun, 9 Feb 2014 16:10:16 +0000 3Date: Sun, 9 Feb 2014 16:10:16 +0000
4Subject: Give the ssh-askpass-gnome window a default icon 4Subject: Give the ssh-askpass-gnome window a default icon
diff --git a/debian/patches/gssapi.patch b/debian/patches/gssapi.patch
index 8c96afbb0..8bc83cace 100644
--- a/debian/patches/gssapi.patch
+++ b/debian/patches/gssapi.patch
@@ -1,4 +1,4 @@
1From 48424483cbf2232ba849038e02675b2db1ea3a88 Mon Sep 17 00:00:00 2001 1From 6a0a4b2f79889c9b0d5e2478a6ee5f51be38dcc9 Mon Sep 17 00:00:00 2001
2From: Simon Wilkinson <simon@sxw.org.uk> 2From: Simon Wilkinson <simon@sxw.org.uk>
3Date: Sun, 9 Feb 2014 16:09:48 +0000 3Date: Sun, 9 Feb 2014 16:09:48 +0000
4Subject: GSSAPI key exchange support 4Subject: GSSAPI key exchange support
@@ -1212,7 +1212,7 @@ index 53993d6..2f6baf7 100644
1212 1212
1213 #endif 1213 #endif
1214diff --git a/kex.c b/kex.c 1214diff --git a/kex.c b/kex.c
1215index 5100c66..39a6f98 100644 1215index b777b7d..390bb69 100644
1216--- a/kex.c 1216--- a/kex.c
1217+++ b/kex.c 1217+++ b/kex.c
1218@@ -55,6 +55,10 @@ 1218@@ -55,6 +55,10 @@
@@ -2222,7 +2222,7 @@ index de4a08f..9758290 100644
2222 2222
2223 #ifdef USE_PAM 2223 #ifdef USE_PAM
2224diff --git a/readconf.c b/readconf.c 2224diff --git a/readconf.c b/readconf.c
2225index 1d03bdf..43b7570 100644 2225index cd01482..56e0f44 100644
2226--- a/readconf.c 2226--- a/readconf.c
2227+++ b/readconf.c 2227+++ b/readconf.c
2228@@ -147,6 +147,8 @@ typedef enum { 2228@@ -147,6 +147,8 @@ typedef enum {
@@ -2801,7 +2801,7 @@ index 7751031..32e9b0d 100644
2801 2801
2802 int 2802 int
2803diff --git a/sshd.c b/sshd.c 2803diff --git a/sshd.c b/sshd.c
2804index 65ef7e8..839c2e0 100644 2804index 43d4650..d659a68 100644
2805--- a/sshd.c 2805--- a/sshd.c
2806+++ b/sshd.c 2806+++ b/sshd.c
2807@@ -126,6 +126,10 @@ 2807@@ -126,6 +126,10 @@
@@ -2815,7 +2815,7 @@ index 65ef7e8..839c2e0 100644
2815 #ifndef O_NOCTTY 2815 #ifndef O_NOCTTY
2816 #define O_NOCTTY 0 2816 #define O_NOCTTY 0
2817 #endif 2817 #endif
2818@@ -1827,10 +1831,13 @@ main(int ac, char **av) 2818@@ -1833,10 +1837,13 @@ main(int ac, char **av)
2819 logit("Disabling protocol version 1. Could not load host key"); 2819 logit("Disabling protocol version 1. Could not load host key");
2820 options.protocol &= ~SSH_PROTO_1; 2820 options.protocol &= ~SSH_PROTO_1;
2821 } 2821 }
@@ -2829,7 +2829,7 @@ index 65ef7e8..839c2e0 100644
2829 if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) { 2829 if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) {
2830 logit("sshd: no hostkeys available -- exiting."); 2830 logit("sshd: no hostkeys available -- exiting.");
2831 exit(1); 2831 exit(1);
2832@@ -2145,6 +2152,60 @@ main(int ac, char **av) 2832@@ -2151,6 +2158,60 @@ main(int ac, char **av)
2833 remote_ip, remote_port, laddr, get_local_port()); 2833 remote_ip, remote_port, laddr, get_local_port());
2834 free(laddr); 2834 free(laddr);
2835 2835
@@ -2890,7 +2890,7 @@ index 65ef7e8..839c2e0 100644
2890 /* 2890 /*
2891 * We don't want to listen forever unless the other side 2891 * We don't want to listen forever unless the other side
2892 * successfully authenticates itself. So we set up an alarm which is 2892 * successfully authenticates itself. So we set up an alarm which is
2893@@ -2563,6 +2624,48 @@ do_ssh2_kex(void) 2893@@ -2569,6 +2630,48 @@ do_ssh2_kex(void)
2894 myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal( 2894 myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal(
2895 list_hostkey_types()); 2895 list_hostkey_types());
2896 2896
@@ -2939,7 +2939,7 @@ index 65ef7e8..839c2e0 100644
2939 /* start key exchange */ 2939 /* start key exchange */
2940 if ((r = kex_setup(active_state, myproposal)) != 0) 2940 if ((r = kex_setup(active_state, myproposal)) != 0)
2941 fatal("kex_setup: %s", ssh_err(r)); 2941 fatal("kex_setup: %s", ssh_err(r));
2942@@ -2577,6 +2680,13 @@ do_ssh2_kex(void) 2942@@ -2583,6 +2686,13 @@ do_ssh2_kex(void)
2943 # endif 2943 # endif
2944 #endif 2944 #endif
2945 kex->kex[KEX_C25519_SHA256] = kexc25519_server; 2945 kex->kex[KEX_C25519_SHA256] = kexc25519_server;
diff --git a/debian/patches/helpful-wait-terminate.patch b/debian/patches/helpful-wait-terminate.patch
index 0dc5bafbf..a19fe6c6d 100644
--- a/debian/patches/helpful-wait-terminate.patch
+++ b/debian/patches/helpful-wait-terminate.patch
@@ -1,4 +1,4 @@
1From 86d7bcd53809aacc75344386bd8b88bf5fcb2fce Mon Sep 17 00:00:00 2001 1From 0a3d1df1344642161b1ee001a3885a1ee8ebc03b Mon Sep 17 00:00:00 2001
2From: Matthew Vernon <matthew@debian.org> 2From: Matthew Vernon <matthew@debian.org>
3Date: Sun, 9 Feb 2014 16:09:56 +0000 3Date: Sun, 9 Feb 2014 16:09:56 +0000
4Subject: Mention ~& when waiting for forwarded connections to terminate 4Subject: Mention ~& when waiting for forwarded connections to terminate
diff --git a/debian/patches/keepalive-extensions.patch b/debian/patches/keepalive-extensions.patch
index bbb3ef86f..9b5d38271 100644
--- a/debian/patches/keepalive-extensions.patch
+++ b/debian/patches/keepalive-extensions.patch
@@ -1,4 +1,4 @@
1From 8f53616f872acf853b52e94f5b0668c78bf0cb76 Mon Sep 17 00:00:00 2001 1From ea47a6eba9fce31a1b4cd909b7ba19541c9d9c9b Mon Sep 17 00:00:00 2001
2From: Richard Kettlewell <rjk@greenend.org.uk> 2From: Richard Kettlewell <rjk@greenend.org.uk>
3Date: Sun, 9 Feb 2014 16:09:52 +0000 3Date: Sun, 9 Feb 2014 16:09:52 +0000
4Subject: Various keepalive extensions 4Subject: Various keepalive extensions
@@ -26,7 +26,7 @@ Patch-Name: keepalive-extensions.patch
26 3 files changed, 34 insertions(+), 4 deletions(-) 26 3 files changed, 34 insertions(+), 4 deletions(-)
27 27
28diff --git a/readconf.c b/readconf.c 28diff --git a/readconf.c b/readconf.c
29index 522ad37..46c343f 100644 29index 831072f..83582e3 100644
30--- a/readconf.c 30--- a/readconf.c
31+++ b/readconf.c 31+++ b/readconf.c
32@@ -160,6 +160,7 @@ typedef enum { 32@@ -160,6 +160,7 @@ typedef enum {
diff --git a/debian/patches/lintian-symlink-pickiness.patch b/debian/patches/lintian-symlink-pickiness.patch
index 252cd99b8..a2a440fae 100644
--- a/debian/patches/lintian-symlink-pickiness.patch
+++ b/debian/patches/lintian-symlink-pickiness.patch
@@ -1,4 +1,4 @@
1From ca06409500b9f4f3a43fa61526a4c0654761e009 Mon Sep 17 00:00:00 2001 1From c685ea67334abf73c014aa6ab9f833e9d28fdab8 Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 9 Feb 2014 16:10:08 +0000 3Date: Sun, 9 Feb 2014 16:10:08 +0000
4Subject: Fix picky lintian errors about slogin symlinks 4Subject: Fix picky lintian errors about slogin symlinks
diff --git a/debian/patches/mention-ssh-keygen-on-keychange.patch b/debian/patches/mention-ssh-keygen-on-keychange.patch
index 79c984179..a9c4cb7fc 100644
--- a/debian/patches/mention-ssh-keygen-on-keychange.patch
+++ b/debian/patches/mention-ssh-keygen-on-keychange.patch
@@ -1,4 +1,4 @@
1From 9f59e8a3ddd28351126a5b26d2dd3d9f24442c09 Mon Sep 17 00:00:00 2001 1From 89f2729da6734f2d5e3a31d2a75e817750f6cd95 Mon Sep 17 00:00:00 2001
2From: Scott Moser <smoser@ubuntu.com> 2From: Scott Moser <smoser@ubuntu.com>
3Date: Sun, 9 Feb 2014 16:10:03 +0000 3Date: Sun, 9 Feb 2014 16:10:03 +0000
4Subject: Mention ssh-keygen in ssh fingerprint changed warning 4Subject: Mention ssh-keygen in ssh fingerprint changed warning
diff --git a/debian/patches/no-openssl-version-status.patch b/debian/patches/no-openssl-version-status.patch
index 14ec01dbf..194100f56 100644
--- a/debian/patches/no-openssl-version-status.patch
+++ b/debian/patches/no-openssl-version-status.patch
@@ -1,4 +1,4 @@
1From e5908e70f9a105f725d9884fba1a68bfb3ba664f Mon Sep 17 00:00:00 2001 1From dcc3ce03144d1560d878db8290c9f19dc0511f6f Mon Sep 17 00:00:00 2001
2From: Kurt Roeckx <kurt@roeckx.be> 2From: Kurt Roeckx <kurt@roeckx.be>
3Date: Sun, 9 Feb 2014 16:10:14 +0000 3Date: Sun, 9 Feb 2014 16:10:14 +0000
4Subject: Don't check the status field of the OpenSSL version 4Subject: Don't check the status field of the OpenSSL version
diff --git a/debian/patches/openbsd-docs.patch b/debian/patches/openbsd-docs.patch
index 4ce6c79e0..9b1c38bfc 100644
--- a/debian/patches/openbsd-docs.patch
+++ b/debian/patches/openbsd-docs.patch
@@ -1,4 +1,4 @@
1From 70ef4add88e4f6adc7f9f0e9521567dcd80a12e6 Mon Sep 17 00:00:00 2001 1From eb8141e6ac12c0714e0951598fe44634327bfde7 Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 9 Feb 2014 16:10:09 +0000 3Date: Sun, 9 Feb 2014 16:10:09 +0000
4Subject: Adjust various OpenBSD-specific references in manual pages 4Subject: Adjust various OpenBSD-specific references in manual pages
diff --git a/debian/patches/package-versioning.patch b/debian/patches/package-versioning.patch
index 51e14b07a..fb7724f58 100644
--- a/debian/patches/package-versioning.patch
+++ b/debian/patches/package-versioning.patch
@@ -1,4 +1,4 @@
1From 3b79d6bcaf9405b878496c9107855ebe8906a60a Mon Sep 17 00:00:00 2001 1From 3e38e90de2e2ead094624f4f140568574c40cae6 Mon Sep 17 00:00:00 2001
2From: Matthew Vernon <matthew@debian.org> 2From: Matthew Vernon <matthew@debian.org>
3Date: Sun, 9 Feb 2014 16:10:05 +0000 3Date: Sun, 9 Feb 2014 16:10:05 +0000
4Subject: Include the Debian version in our identification 4Subject: Include the Debian version in our identification
@@ -36,7 +36,7 @@ index bbde8af..0ec1e54 100644
36 if (roaming_atomicio(vwrite, connection_out, client_version_string, 36 if (roaming_atomicio(vwrite, connection_out, client_version_string,
37 strlen(client_version_string)) != strlen(client_version_string)) 37 strlen(client_version_string)) != strlen(client_version_string))
38diff --git a/sshd.c b/sshd.c 38diff --git a/sshd.c b/sshd.c
39index 0537bc9..0d4fb7f 100644 39index 1b49b26..189d34a 100644
40--- a/sshd.c 40--- a/sshd.c
41+++ b/sshd.c 41+++ b/sshd.c
42@@ -443,7 +443,7 @@ sshd_exchange_identification(int sock_in, int sock_out) 42@@ -443,7 +443,7 @@ sshd_exchange_identification(int sock_in, int sock_out)
@@ -49,13 +49,13 @@ index 0537bc9..0d4fb7f 100644
49 options.version_addendum, newline); 49 options.version_addendum, newline);
50 50
51diff --git a/version.h b/version.h 51diff --git a/version.h b/version.h
52index d917ca1..5c22d90 100644 52index 41e1ea9..2969570 100644
53--- a/version.h 53--- a/version.h
54+++ b/version.h 54+++ b/version.h
55@@ -3,4 +3,9 @@ 55@@ -3,4 +3,9 @@
56 #define SSH_VERSION "OpenSSH_7.1" 56 #define SSH_VERSION "OpenSSH_7.1"
57 57
58 #define SSH_PORTABLE "p1" 58 #define SSH_PORTABLE "p2"
59-#define SSH_RELEASE SSH_VERSION SSH_PORTABLE 59-#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
60+#define SSH_RELEASE_MINIMUM SSH_VERSION SSH_PORTABLE 60+#define SSH_RELEASE_MINIMUM SSH_VERSION SSH_PORTABLE
61+#ifdef SSH_EXTRAVERSION 61+#ifdef SSH_EXTRAVERSION
diff --git a/debian/patches/quieter-signals.patch b/debian/patches/quieter-signals.patch
index 4d9267c19..0dc3f1c32 100644
--- a/debian/patches/quieter-signals.patch
+++ b/debian/patches/quieter-signals.patch
@@ -1,4 +1,4 @@
1From de340b1ef1920a34e8c640a571a88a3f58121c6a Mon Sep 17 00:00:00 2001 1From 72aec10a082f61d9a601b03ec57e0053e03397dd Mon Sep 17 00:00:00 2001
2From: Peter Samuelson <peter@p12n.org> 2From: Peter Samuelson <peter@p12n.org>
3Date: Sun, 9 Feb 2014 16:09:55 +0000 3Date: Sun, 9 Feb 2014 16:09:55 +0000
4Subject: Reduce severity of "Killed by signal %d" 4Subject: Reduce severity of "Killed by signal %d"
diff --git a/debian/patches/restore-tcp-wrappers.patch b/debian/patches/restore-tcp-wrappers.patch
index 0bda03255..13090ff06 100644
--- a/debian/patches/restore-tcp-wrappers.patch
+++ b/debian/patches/restore-tcp-wrappers.patch
@@ -1,4 +1,4 @@
1From c538473bc1958b99bb26283752f287df5934045a Mon Sep 17 00:00:00 2001 1From f1fe58341ea22a6f07e5e1de79aa0385c0ee0c6a Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Tue, 7 Oct 2014 13:22:41 +0100 3Date: Tue, 7 Oct 2014 13:22:41 +0100
4Subject: Restore TCP wrappers support 4Subject: Restore TCP wrappers support
@@ -128,7 +128,7 @@ index 213b5fc..2105979 100644
128 .Xr moduli 5 , 128 .Xr moduli 5 ,
129 .Xr sshd_config 5 , 129 .Xr sshd_config 5 ,
130diff --git a/sshd.c b/sshd.c 130diff --git a/sshd.c b/sshd.c
131index 839c2e0..0e30e6e 100644 131index d659a68..9275e0b 100644
132--- a/sshd.c 132--- a/sshd.c
133+++ b/sshd.c 133+++ b/sshd.c
134@@ -130,6 +130,13 @@ 134@@ -130,6 +130,13 @@
@@ -145,7 +145,7 @@ index 839c2e0..0e30e6e 100644
145 #ifndef O_NOCTTY 145 #ifndef O_NOCTTY
146 #define O_NOCTTY 0 146 #define O_NOCTTY 0
147 #endif 147 #endif
148@@ -2145,6 +2152,24 @@ main(int ac, char **av) 148@@ -2151,6 +2158,24 @@ main(int ac, char **av)
149 #ifdef SSH_AUDIT_EVENTS 149 #ifdef SSH_AUDIT_EVENTS
150 audit_connection_from(remote_ip, remote_port); 150 audit_connection_from(remote_ip, remote_port);
151 #endif 151 #endif
diff --git a/debian/patches/scp-quoting.patch b/debian/patches/scp-quoting.patch
index c6568cf1e..e8049d902 100644
--- a/debian/patches/scp-quoting.patch
+++ b/debian/patches/scp-quoting.patch
@@ -1,4 +1,4 @@
1From bad235ddc7e9cb8fa83ccefac7640fe456bcf993 Mon Sep 17 00:00:00 2001 1From efd79b5b880f473ef06d4659cf279b07a65de208 Mon Sep 17 00:00:00 2001
2From: =?UTF-8?q?Nicolas=20Valc=C3=A1rcel?= <nvalcarcel@ubuntu.com> 2From: =?UTF-8?q?Nicolas=20Valc=C3=A1rcel?= <nvalcarcel@ubuntu.com>
3Date: Sun, 9 Feb 2014 16:09:59 +0000 3Date: Sun, 9 Feb 2014 16:09:59 +0000
4Subject: Adjust scp quoting in verbose mode 4Subject: Adjust scp quoting in verbose mode
diff --git a/debian/patches/selinux-role.patch b/debian/patches/selinux-role.patch
index f479c4635..5fec9eae0 100644
--- a/debian/patches/selinux-role.patch
+++ b/debian/patches/selinux-role.patch
@@ -1,4 +1,4 @@
1From 5f583693723b0f56608a9a91e58b248219a668c9 Mon Sep 17 00:00:00 2001 1From 701eb985309b1c9fce617949298659843fce723d Mon Sep 17 00:00:00 2001
2From: Manoj Srivastava <srivasta@debian.org> 2From: Manoj Srivastava <srivasta@debian.org>
3Date: Sun, 9 Feb 2014 16:09:49 +0000 3Date: Sun, 9 Feb 2014 16:09:49 +0000
4Subject: Handle SELinux authorisation roles 4Subject: Handle SELinux authorisation roles
@@ -458,10 +458,10 @@ index 6a2f35e..ef6593c 100644
458 const char *value); 458 const char *value);
459 459
460diff --git a/sshd.c b/sshd.c 460diff --git a/sshd.c b/sshd.c
461index 0e30e6e..0537bc9 100644 461index 9275e0b..1b49b26 100644
462--- a/sshd.c 462--- a/sshd.c
463+++ b/sshd.c 463+++ b/sshd.c
464@@ -782,7 +782,7 @@ privsep_postauth(Authctxt *authctxt) 464@@ -786,7 +786,7 @@ privsep_postauth(Authctxt *authctxt)
465 explicit_bzero(rnd, sizeof(rnd)); 465 explicit_bzero(rnd, sizeof(rnd));
466 466
467 /* Drop privileges */ 467 /* Drop privileges */
diff --git a/debian/patches/series b/debian/patches/series
index f7eb1cc8b..e612e0554 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -26,4 +26,3 @@ gnome-ssh-askpass2-icon.patch
26sigstop.patch 26sigstop.patch
27systemd-readiness.patch 27systemd-readiness.patch
28debian-config.patch 28debian-config.patch
29backport-fix-first-kex-follows.patch
diff --git a/debian/patches/shell-path.patch b/debian/patches/shell-path.patch
index 3a98343cc..e60dfc4d3 100644
--- a/debian/patches/shell-path.patch
+++ b/debian/patches/shell-path.patch
@@ -1,4 +1,4 @@
1From bf28735236933b0a1f011d73d7cbb948e197c4cc Mon Sep 17 00:00:00 2001 1From ccc03dd81a15fa91155bbdfa6b84a0d6e37c43e4 Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 9 Feb 2014 16:10:00 +0000 3Date: Sun, 9 Feb 2014 16:10:00 +0000
4Subject: Look for $SHELL on the path for ProxyCommand/LocalCommand 4Subject: Look for $SHELL on the path for ProxyCommand/LocalCommand
diff --git a/debian/patches/sigstop.patch b/debian/patches/sigstop.patch
index 7db2557a0..0cf814455 100644
--- a/debian/patches/sigstop.patch
+++ b/debian/patches/sigstop.patch
@@ -1,4 +1,4 @@
1From bf533d857451efe2f9abc6fb96e1c9c93ff1a7ee Mon Sep 17 00:00:00 2001 1From 5af03fab96e1d53019d1c50282eb21ce3e581895 Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 9 Feb 2014 16:10:17 +0000 3Date: Sun, 9 Feb 2014 16:10:17 +0000
4Subject: Support synchronisation with service supervisor using SIGSTOP 4Subject: Support synchronisation with service supervisor using SIGSTOP
@@ -13,10 +13,10 @@ Patch-Name: sigstop.patch
13 1 file changed, 10 insertions(+) 13 1 file changed, 10 insertions(+)
14 14
15diff --git a/sshd.c b/sshd.c 15diff --git a/sshd.c b/sshd.c
16index 6024e0e..7e72b9b 100644 16index 8d17521..5ccf175 100644
17--- a/sshd.c 17--- a/sshd.c
18+++ b/sshd.c 18+++ b/sshd.c
19@@ -2042,6 +2042,16 @@ main(int ac, char **av) 19@@ -2048,6 +2048,16 @@ main(int ac, char **av)
20 } 20 }
21 } 21 }
22 22
diff --git a/debian/patches/ssh-agent-setgid.patch b/debian/patches/ssh-agent-setgid.patch
index 11ecc5c42..ffab898c7 100644
--- a/debian/patches/ssh-agent-setgid.patch
+++ b/debian/patches/ssh-agent-setgid.patch
@@ -1,4 +1,4 @@
1From 0f29b62fb2529bd6341dae7bea1271f5b967ece0 Mon Sep 17 00:00:00 2001 1From 7566d3563c174cc339da8b72833e66614cfc1458 Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 9 Feb 2014 16:10:13 +0000 3Date: Sun, 9 Feb 2014 16:10:13 +0000
4Subject: Document consequences of ssh-agent being setgid in ssh-agent(1) 4Subject: Document consequences of ssh-agent being setgid in ssh-agent(1)
diff --git a/debian/patches/ssh-argv0.patch b/debian/patches/ssh-argv0.patch
index 3c22db5cf..d3097fe10 100644
--- a/debian/patches/ssh-argv0.patch
+++ b/debian/patches/ssh-argv0.patch
@@ -1,4 +1,4 @@
1From 11e3509a4baa45a988598b937ea16e6ed3949d44 Mon Sep 17 00:00:00 2001 1From 078b7a5e7b89d20ce867e2c9839096be673b6ae0 Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 9 Feb 2014 16:10:10 +0000 3Date: Sun, 9 Feb 2014 16:10:10 +0000
4Subject: ssh(1): Refer to ssh-argv0(1) 4Subject: ssh(1): Refer to ssh-argv0(1)
diff --git a/debian/patches/ssh-vulnkey-compat.patch b/debian/patches/ssh-vulnkey-compat.patch
index 59b0983f9..be725e357 100644
--- a/debian/patches/ssh-vulnkey-compat.patch
+++ b/debian/patches/ssh-vulnkey-compat.patch
@@ -1,4 +1,4 @@
1From 6b1e8291597ff151b913c470f4af4b04ddec5c7d Mon Sep 17 00:00:00 2001 1From 7f0a4ecb6694298414e6d84c0aa49c35b19cad1b Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@ubuntu.com> 2From: Colin Watson <cjwatson@ubuntu.com>
3Date: Sun, 9 Feb 2014 16:09:50 +0000 3Date: Sun, 9 Feb 2014 16:09:50 +0000
4Subject: Accept obsolete ssh-vulnkey configuration options 4Subject: Accept obsolete ssh-vulnkey configuration options
@@ -17,7 +17,7 @@ Patch-Name: ssh-vulnkey-compat.patch
17 2 files changed, 2 insertions(+) 17 2 files changed, 2 insertions(+)
18 18
19diff --git a/readconf.c b/readconf.c 19diff --git a/readconf.c b/readconf.c
20index 43b7570..522ad37 100644 20index 56e0f44..831072f 100644
21--- a/readconf.c 21--- a/readconf.c
22+++ b/readconf.c 22+++ b/readconf.c
23@@ -181,6 +181,7 @@ static struct { 23@@ -181,6 +181,7 @@ static struct {
diff --git a/debian/patches/syslog-level-silent.patch b/debian/patches/syslog-level-silent.patch
index d591c1a70..255395666 100644
--- a/debian/patches/syslog-level-silent.patch
+++ b/debian/patches/syslog-level-silent.patch
@@ -1,4 +1,4 @@
1From 2b9216f2931cfe880a7ea85750730579f8da4465 Mon Sep 17 00:00:00 2001 1From 25ead9080a3f98eafc64a9a9c4b6650d922a19fa Mon Sep 17 00:00:00 2001
2From: Jonathan David Amery <jdamery@ysolde.ucam.org> 2From: Jonathan David Amery <jdamery@ysolde.ucam.org>
3Date: Sun, 9 Feb 2014 16:09:54 +0000 3Date: Sun, 9 Feb 2014 16:09:54 +0000
4Subject: "LogLevel SILENT" compatibility 4Subject: "LogLevel SILENT" compatibility
@@ -33,7 +33,7 @@ index ad12930..e68b84a 100644
33 { "FATAL", SYSLOG_LEVEL_FATAL }, 33 { "FATAL", SYSLOG_LEVEL_FATAL },
34 { "ERROR", SYSLOG_LEVEL_ERROR }, 34 { "ERROR", SYSLOG_LEVEL_ERROR },
35diff --git a/ssh.c b/ssh.c 35diff --git a/ssh.c b/ssh.c
36index 59c1f93..712ea0e 100644 36index 67c1ebf..eb73903 100644
37--- a/ssh.c 37--- a/ssh.c
38+++ b/ssh.c 38+++ b/ssh.c
39@@ -1106,7 +1106,7 @@ main(int ac, char **av) 39@@ -1106,7 +1106,7 @@ main(int ac, char **av)
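diff --git a/debian/patches/systemd-readiness.patch b/debian/patches/systemd-readiness.patch
index 4914cd6f5..62ca0f284 100644
--- a/debian/patches/systemd-readiness.patch
+++ b/debian/patches/systemd-readiness.patch
@@ -1,4 +1,4 @@
-From 0aff7ca980bc54be68f7479a016d7779f99cf06e Mon Sep 17 00:00:00 2001
+From 9d88bc29443745ebf30004136ac18ced47292833 Mon Sep 17 00:00:00 2001
 From: Michael Biebl <biebl@debian.org>
 Date: Mon, 21 Dec 2015 16:08:47 +0000
 Subject: Add systemd readiness notification support
@@ -56,7 +56,7 @@ index 128889a..eec2b72 100644
  echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
  echo " BSD Auth support: $BSD_AUTH_MSG"
 diff --git a/sshd.c b/sshd.c
-index 7e72b9b..19ee92b 100644
+index 5ccf175..366ae92 100644
 --- a/sshd.c
 +++ b/sshd.c
 @@ -85,6 +85,10 @@
@@ -70,7 +70,7 @@ index 7e72b9b..19ee92b 100644
  #include "xmalloc.h"
  #include "ssh.h"
  #include "ssh1.h"
-@@ -2052,6 +2056,11 @@ main(int ac, char **av)
+@@ -2058,6 +2062,11 @@ main(int ac, char **av)
  unsetenv("SSH_SIGSTOP");
  }
 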
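diff --git a/debian/patches/user-group-modes.patch b/debian/patches/user-group-modes.patch
index 70d5275aa..c2dbdcd7a 100644
--- a/debian/patches/user-group-modes.patch
+++ b/debian/patches/user-group-modes.patch
@@ -1,4 +1,4 @@
-From c60b1066b877429b723b351f44efb9e84bc64252 Mon Sep 17 00:00:00 2001
+From a1010980d6906a140307825466934a21c3d4d228 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:09:58 +0000
 Subject: Allow harmless group-writability
@@ -216,7 +216,7 @@ index f35ec39..9a23e6e 100644
 - return 0;
 -}
 diff --git a/readconf.c b/readconf.c
-index 46c343f..c0ba5a7 100644
+index 83582e3..b9442fd 100644
 --- a/readconf.c
 +++ b/readconf.c
 @@ -39,6 +39,8 @@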
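diff --git a/kex.c b/kex.c
index 12f3e41c0..390bb694d 100644
--- a/kex.c
+++ b/kex.c
@@ -291,8 +291,8 @@ kex_buf2prop(struct sshbuf *raw, int *first_kex_follows, char ***propp)
  goto out;
  if (first_kex_follows != NULL)
  *first_kex_follows = v;
- debug2("kex_parse_kexinit: first_kex_follows %d ", v);
- debug2("kex_parse_kexinit: reserved %u ", i);
+ debug2("first_kex_follows %d ", v);
+ debug2("reserved %u ", i);
  r = 0;
  *propp = proposal;
  out: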
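diff --git a/packet.c b/packet.c
index 01d3e2970..7b5c419eb 100644
--- a/packet.c
+++ b/packet.c
@@ -1581,6 +1581,7 @@ ssh_packet_read_poll2(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
  logit("Bad packet length %u.", state->packlen);
  if ((r = sshpkt_disconnect(ssh, "Packet corrupt")) != 0)
  return r;
+ return SSH_ERR_CONN_CORRUPT;
  }
  sshbuf_reset(state->incoming_packet);
  } else if (state->packlen == 0) {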
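Review bot: The added `return SSH_ERR_CONN_CORRUPT;` has no comment saying why it is needed; without it, a successful sshpkt_disconnect() let the bad-length branch fall through to `sshbuf_reset(state->incoming_packet)` and carry on. I would put `/* never keep parsing after a rejected length, even if the disconnect was queued */` above the new return. When sshpkt_disconnect() itself fails, the caller still receives that error code rather than SSH_ERR_CONN_CORRUPT, which looks harmless only if every non-zero return tears the connection down; that is not visible here. ssh_packet_read_poll2 starts and ends outside the hunk.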
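diff --git a/readconf.c b/readconf.c
index e4e1cbae3..ee46ad623 100644
--- a/readconf.c
+++ b/readconf.c
@@ -1703,7 +1703,7 @@ initialize_options(Options * options)
  options->tun_remote = -1;
  options->local_command = NULL;
  options->permit_local_command = -1;
- options->use_roaming = -1;
+ options->use_roaming = 0;
  options->visual_host_key = -1;
  options->ip_qos_interactive = -1;
  options->ip_qos_bulk = -1;
@@ -1887,8 +1887,7 @@ fill_default_options(Options * options)
  options->tun_remote = SSH_TUNID_ANY;
  if (options->permit_local_command == -1)
  options->permit_local_command = 0;
- if (options->use_roaming == -1)
- options->use_roaming = 1;
+ options->use_roaming = 0;
  if (options->visual_host_key == -1)
  options->visual_host_key = 0;
  if (options->ip_qos_interactive == -1)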
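Review bot: `options->use_roaming = 0;` in fill_default_options is now an unconditional assignment in the middle of a run of `if (... == -1)` defaults, with nothing to say it is deliberate, so it reads like a lost guard and invites someone to restore it. Add a comment above it such as `/* roaming is disabled unconditionally; any configured value is overridden here */`, and a matching remark on the `use_roaming = 0` line in initialize_options, where the neighbouring fields use the -1 "unset" sentinel. The keyword parser is not part of this diff, so a `UseRoaming` line in a config file is presumably still accepted and then silently ignored; marking the keyword deprecated there would make that visible to users. Both functions continue outside their hunks.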
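diff --git a/ssh.c b/ssh.c
index 712ea0ec2..eb739035e 100644
--- a/ssh.c
+++ b/ssh.c
@@ -1932,9 +1932,6 @@ ssh_session2(void)
  fork_postauth();
  }
 
- if (options.use_roaming)
- request_roaming();
-
  return client_loop(tty_flag, tty_flag ?
  options.escape_char : SSH_ESCAPECHAR_NONE, id);
 }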
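diff --git a/sshbuf-getput-crypto.c b/sshbuf-getput-crypto.c
index e2e093c00..d0d791b50 100644
--- a/sshbuf-getput-crypto.c
+++ b/sshbuf-getput-crypto.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshbuf-getput-crypto.c,v 1.4 2015/01/14 15:02:39 djm Exp $ */
+/* $OpenBSD: sshbuf-getput-crypto.c,v 1.5 2016/01/12 23:42:54 djm Exp $ */
 /*
  * Copyright (c) 2011 Damien Miller
  *
@@ -158,10 +158,10 @@ sshbuf_put_bignum2(struct sshbuf *buf, const BIGNUM *v)
  if (len > 0 && (d[1] & 0x80) != 0)
  prepend = 1;
  if ((r = sshbuf_put_string(buf, d + 1 - prepend, len + prepend)) < 0) {
- bzero(d, sizeof(d));
+ explicit_bzero(d, sizeof(d));
  return r;
  }
- bzero(d, sizeof(d));
+ explicit_bzero(d, sizeof(d));
  return 0;
 }
 
@@ -177,13 +177,13 @@ sshbuf_put_bignum1(struct sshbuf *buf, const BIGNUM *v)
  if (BN_bn2bin(v, d) != (int)len_bytes)
  return SSH_ERR_INTERNAL_ERROR; /* Shouldn't happen */
  if ((r = sshbuf_reserve(buf, len_bytes + 2, &dp)) < 0) {
- bzero(d, sizeof(d));
+ explicit_bzero(d, sizeof(d));
  return r;
  }
  POKE_U16(dp, len_bits);
  if (len_bytes != 0)
  memcpy(dp + 2, d, len_bytes);
- bzero(d, sizeof(d));
+ explicit_bzero(d, sizeof(d));
  return 0;
 }
 
@@ -210,7 +210,7 @@ sshbuf_put_ec(struct sshbuf *buf, const EC_POINT *v, const EC_GROUP *g)
  }
  BN_CTX_free(bn_ctx);
  ret = sshbuf_put_string(buf, d, len);
- bzero(d, len);
+ explicit_bzero(d, len);
  return ret;
 }
 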
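Review bot: In sshbuf_put_bignum1 the early `return SSH_ERR_INTERNAL_ERROR;` after `BN_bn2bin(v, d)` leaves `d` unwiped, although BN_bn2bin may already have written into it and every other exit shown in the hunk now calls `explicit_bzero(d, sizeof(d))`. Wipe on that path as well by placing `explicit_bzero(d, sizeof(d));` immediately before `return SSH_ERR_INTERNAL_ERROR;`, with braces around the two statements. In sshbuf_put_ec the wipe covers `len` bytes rather than the whole of `d`; that is correct if `d` is a buffer of exactly that size, which the hunk does not show. All three functions start outside their hunks.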
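diff --git a/sshbuf-misc.c b/sshbuf-misc.c
index d022065f9..3da4b80e7 100644
--- a/sshbuf-misc.c
+++ b/sshbuf-misc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshbuf-misc.c,v 1.4 2015/03/24 20:03:44 markus Exp $ */
+/* $OpenBSD: sshbuf-misc.c,v 1.5 2015/10/05 17:11:21 djm Exp $ */
 /*
  * Copyright (c) 2011 Damien Miller
  *
@@ -103,7 +103,7 @@ sshbuf_dtob64(struct sshbuf *buf)
  if (SIZE_MAX / 2 <= len || (ret = malloc(plen)) == NULL)
  return NULL;
  if ((r = b64_ntop(p, len, ret, plen)) == -1) {
- bzero(ret, plen);
+ explicit_bzero(ret, plen);
  free(ret);
  return NULL;
  }
@@ -122,16 +122,16 @@ sshbuf_b64tod(struct sshbuf *buf, const char *b64)
  if ((p = malloc(plen)) == NULL)
  return SSH_ERR_ALLOC_FAIL;
  if ((nlen = b64_pton(b64, p, plen)) < 0) {
- bzero(p, plen);
+ explicit_bzero(p, plen);
  free(p);
  return SSH_ERR_INVALID_FORMAT;
  }
  if ((r = sshbuf_put(buf, p, nlen)) < 0) {
- bzero(p, plen);
+ explicit_bzero(p, plen);
  free(p);
  return r;
  }
- bzero(p, plen);
+ explicit_bzero(p, plen);
  free(p);
  return 0;
 }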
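Review bot: sshbuf_b64tod repeats `explicit_bzero(p, plen); free(p);` on three separate exits, so any exit added later has to remember the wipe by hand. A single `out:` label that wipes, frees and returns `r` keeps the scrub on every path; the sketch below keeps the current return values. The start of the function, including the declarations and the computation of `plen`, is outside the hunk.

```c
	if ((p = malloc(plen)) == NULL)
		return SSH_ERR_ALLOC_FAIL;
	if ((nlen = b64_pton(b64, p, plen)) < 0) {
		r = SSH_ERR_INVALID_FORMAT;
		goto out;
	}
	if ((r = sshbuf_put(buf, p, nlen)) < 0)
		goto out;
	r = 0;
 out:
	/* one exit: the decode buffer is always scrubbed before it is freed */
	explicit_bzero(p, plen);
	free(p);
	return r;
```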
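diff --git a/sshbuf.c b/sshbuf.c
index dbe0c9192..19e162c07 100644
--- a/sshbuf.c
+++ b/sshbuf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshbuf.c,v 1.3 2015/01/20 23:14:00 deraadt Exp $ */
+/* $OpenBSD: sshbuf.c,v 1.4 2015/10/05 17:11:21 djm Exp $ */
 /*
  * Copyright (c) 2011 Damien Miller
  *
@@ -134,7 +134,7 @@ sshbuf_fromb(struct sshbuf *buf)
 void
 sshbuf_init(struct sshbuf *ret)
 {
- bzero(ret, sizeof(*ret));
+ explicit_bzero(ret, sizeof(*ret));
  ret->alloc = SSHBUF_SIZE_INIT;
  ret->max_size = SSHBUF_SIZE_MAX;
  ret->readonly = 0;
@@ -177,10 +177,10 @@ sshbuf_free(struct sshbuf *buf)
  return;
  dont_free = buf->dont_free;
  if (!buf->readonly) {
- bzero(buf->d, buf->alloc);
+ explicit_bzero(buf->d, buf->alloc);
  free(buf->d);
  }
- bzero(buf, sizeof(*buf));
+ explicit_bzero(buf, sizeof(*buf));
  if (!dont_free)
  free(buf);
 }
@@ -196,7 +196,7 @@ sshbuf_reset(struct sshbuf *buf)
  return;
  }
  if (sshbuf_check_sanity(buf) == 0)
- bzero(buf->d, buf->alloc);
+ explicit_bzero(buf->d, buf->alloc);
  buf->off = buf->size = 0;
  if (buf->alloc != SSHBUF_SIZE_INIT) {
  if ((d = realloc(buf->d, SSHBUF_SIZE_INIT)) != NULL) {
@@ -255,7 +255,7 @@ sshbuf_set_max_size(struct sshbuf *buf, size_t max_size)
  rlen = roundup(buf->size, SSHBUF_SIZE_INC);
  if (rlen > max_size)
  rlen = max_size;
- bzero(buf->d + buf->size, buf->alloc - buf->size);
+ explicit_bzero(buf->d + buf->size, buf->alloc - buf->size);
  SSHBUF_DBG(("new alloc = %zu", rlen));
  if ((dp = realloc(buf->d, rlen)) == NULL)
  return SSH_ERR_ALLOC_FAIL;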
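Review bot: sshbuf_set_max_size wipes only the tail starting at `buf->d + buf->size` before `realloc(buf->d, rlen)`, so if the allocator moves the block, the old copy of the live bytes is released without being cleared. sshbuf_reset does not have this gap because it wipes the whole allocation before its realloc. Whether the block moves depends on the allocator and the risk may be accepted here, but it deserves a comment at the realloc, e.g. `/* realloc may relocate; the old copy of the live data is not scrubbed */`, or an allocate-copy-wipe-free sequence if the contents are treated as secret. These functions extend beyond their hunks.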
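diff --git a/sshd.c b/sshd.c
index 19ee92b27..366ae92a2 100644
--- a/sshd.c
+++ b/sshd.c
@@ -640,6 +640,8 @@ privsep_preauth_child(void)
  arc4random_buf(rnd, sizeof(rnd));
 #ifdef WITH_OPENSSL
  RAND_seed(rnd, sizeof(rnd));
+ if ((RAND_bytes((u_char *)rnd, 1)) != 1)
+ fatal("%s: RAND_bytes failed", __func__);
 #endif
  explicit_bzero(rnd, sizeof(rnd));
 
@@ -783,6 +785,8 @@ privsep_postauth(Authctxt *authctxt)
  arc4random_buf(rnd, sizeof(rnd));
 #ifdef WITH_OPENSSL
  RAND_seed(rnd, sizeof(rnd));
+ if ((RAND_bytes((u_char *)rnd, 1)) != 1)
+ fatal("%s: RAND_bytes failed", __func__);
 #endif
  explicit_bzero(rnd, sizeof(rnd));
 
@@ -1452,6 +1456,8 @@ server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s)
  arc4random_buf(rnd, sizeof(rnd));
 #ifdef WITH_OPENSSL
  RAND_seed(rnd, sizeof(rnd));
+ if ((RAND_bytes((u_char *)rnd, 1)) != 1)
+ fatal("%s: RAND_bytes failed", __func__);
 #endif
  explicit_bzero(rnd, sizeof(rnd));
  }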
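Review bot: The new `RAND_bytes((u_char *)rnd, 1)` call carries no comment, and drawing a single byte into a buffer that is wiped right after the `#endif` looks like dead code unless the reader knows why it is there. If the intent is to make libcrypto act on the fresh seed in the new process and to fail hard when its RNG is unusable, say so, e.g. `/* make libcrypto consume the new seed now; abort if its RNG is unusable */`; that reason is inferred, not stated on the page. The same sequence is now repeated in privsep_preauth_child, privsep_postauth and server_accept_loop, so a small static helper would keep the three copies from drifting apart. The outer parentheses around the RAND_bytes call are redundant. All three functions start and end outside their hunks.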
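diff --git a/version.h b/version.h
index 5c22d9067..2969570f7 100644
--- a/version.h
+++ b/version.h
@@ -2,7 +2,7 @@
 
 #define SSH_VERSION "OpenSSH_7.1"
 
-#define SSH_PORTABLE "p1"
+#define SSH_PORTABLE "p2"
 #define SSH_RELEASE_MINIMUM SSH_VERSION SSH_PORTABLE
 #ifdef SSH_EXTRAVERSION
 #define SSH_RELEASE SSH_RELEASE_MINIMUM " " SSH_EXTRAVERSION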