5 files changed, 49 insertions, 5 deletions
diff --git a/debian/.git-dpm b/debian/.git-dpm
index 6e9785902..a5ea18e89 100644
--- a/debian/.git-dpm
+++ b/debian/.git-dpm
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-9351b179c72f18dc1b1d5bb84b2a7dab5e0af3fc
+ed5dcc5819cd53636938bd5c30b8c5acdd1615e1
-9351b179c72f18dc1b1d5bb84b2a7dab5e0af3fc
+ed5dcc5819cd53636938bd5c30b8c5acdd1615e1
 651211fd4a199b299540c00c54a46e27fadb04be
 651211fd4a199b299540c00c54a46e27fadb04be
 openssh_7.1p1.orig.tar.gz
diff --git a/debian/changelog b/debian/changelog
index 831f025ce..98b5b42d9 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+openssh (1:7.1p1-4) UNRELEASED; urgency=medium
+  * Backport upstream patch to unbreak connections with peers that set
+    first_kex_follows (LP: #1526357).
+ -- Colin Watson <cjwatson@debian.org>  Tue, 15 Dec 2015 15:27:17 +0000
 openssh (1:7.1p1-3) unstable; urgency=medium
  * Drop priority of openssh-client-ssh1 to extra (closes: #807518).
diff --git a/debian/patches/backport-fix-first-kex-follows.patch b/debian/patches/backport-fix-first-kex-follows.patch
new file mode 100644
index 000000000..0333adad1
--- /dev/null
+++ b/debian/patches/backport-fix-first-kex-follows.patch
@@ -0,0 +1,36 @@
+From ed5dcc5819cd53636938bd5c30b8c5acdd1615e1 Mon Sep 17 00:00:00 2001
+From: Damien Miller <djm@mindrot.org>
+Date: Tue, 15 Dec 2015 15:25:04 +0000
+Subject: upstream commit
+unbreak connections with peers that set first_kex_follows;
+fix from Matt Johnston va bz#2515
+Origin: backport, http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/kex.c.diff?r1=1.114&r2=1.115
+Forwarded: not-needed
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1526357
+Patch-Name: backport-fix-first-kex-follows.patch
+---
+ kex.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+diff --git a/kex.c b/kex.c
+index 39a6f98..12f3e41 100644
+--- a/kex.c
+++ b/kex.c
+@@ -286,11 +286,11 @@ kex_buf2prop(struct sshbuf *raw, int *first_kex_follows, char ***propp)
+                debug2("kex_parse_kexinit: %s", proposal[i]);
+        }
+        /* first kex follows / reserved */
+-       if ((r = sshbuf_get_u8(b, &v)) != 0 ||
+-           (r = sshbuf_get_u32(b, &i)) != 0)
+       if ((r = sshbuf_get_u8(b, &v)) != 0 ||  /* first_kex_follows */
+           (r = sshbuf_get_u32(b, &i)) != 0)   /* reserved */
+                goto out;
+        if (first_kex_follows != NULL)
+-               *first_kex_follows = i;
+               *first_kex_follows = v;
+        debug2("kex_parse_kexinit: first_kex_follows %d ", v);
+        debug2("kex_parse_kexinit: reserved %u ", i);
+        r = 0;
diff --git a/debian/patches/series b/debian/patches/series
index 816f65cc3..340077745 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -25,3 +25,4 @@ no-openssl-version-status.patch
 gnome-ssh-askpass2-icon.patch
 sigstop.patch
 debian-config.patch
+backport-fix-first-kex-follows.patch
diff --git a/kex.c b/kex.c
index 39a6f98c4..12f3e41c0 100644
--- a/kex.c
+++ b/kex.c
@@ -286,11 +286,11 @@ kex_buf2prop(struct sshbuf *raw, int *first_kex_follows, char ***propp)
                debug2("kex_parse_kexinit: %s", proposal[i]);
        }
        /* first kex follows / reserved */
-        if ((r = sshbuf_get_u8(b, &v)) != 0 ||
+        if ((r = sshbuf_get_u8(b, &v)) != 0 ||  /* first_kex_follows */
-            (r = sshbuf_get_u32(b, &i)) != 0)
+            (r = sshbuf_get_u32(b, &i)) != 0)   /* reserved */
                goto out;
        if (first_kex_follows != NULL)
-                *first_kex_follows = i;
+                *first_kex_follows = v;
        debug2("kex_parse_kexinit: first_kex_follows %d ", v);
        debug2("kex_parse_kexinit: reserved %u ", i);
        r = 0;

diff --git a/debian/.git-dpm b/debian/.git-dpm index 6e9785902..a5ea18e89 100644 --- a/debian/.git-dpm +++ b/debian/.git-dpm
@@ -1,6 +1,6 @@
1	# see git-dpm(1) from git-dpm package	1	# see git-dpm(1) from git-dpm package
2	9351b179c72f18dc1b1d5bb84b2a7dab5e0af3fc	2	ed5dcc5819cd53636938bd5c30b8c5acdd1615e1
3	9351b179c72f18dc1b1d5bb84b2a7dab5e0af3fc	3	ed5dcc5819cd53636938bd5c30b8c5acdd1615e1
4	651211fd4a199b299540c00c54a46e27fadb04be	4	651211fd4a199b299540c00c54a46e27fadb04be
5	651211fd4a199b299540c00c54a46e27fadb04be	5	651211fd4a199b299540c00c54a46e27fadb04be
6	openssh_7.1p1.orig.tar.gz	6	openssh_7.1p1.orig.tar.gz


diff --git a/debian/changelog b/debian/changelog index 831f025ce..98b5b42d9 100644 --- a/debian/changelog +++ b/debian/changelog
@@ -1,3 +1,10 @@
		1	openssh (1:7.1p1-4) UNRELEASED; urgency=medium
		2
		3	* Backport upstream patch to unbreak connections with peers that set
		4	first_kex_follows (LP: #1526357).
		5
		6	-- Colin Watson <cjwatson@debian.org> Tue, 15 Dec 2015 15:27:17 +0000
		7
1	openssh (1:7.1p1-3) unstable; urgency=medium	8	openssh (1:7.1p1-3) unstable; urgency=medium
2		9
3	* Drop priority of openssh-client-ssh1 to extra (closes: #807518).	10	* Drop priority of openssh-client-ssh1 to extra (closes: #807518).


diff --git a/debian/patches/backport-fix-first-kex-follows.patch b/debian/patches/backport-fix-first-kex-follows.patch new file mode 100644 index 000000000..0333adad1 --- /dev/null +++ b/debian/patches/backport-fix-first-kex-follows.patch
@@ -0,0 +1,36 @@
		1	From ed5dcc5819cd53636938bd5c30b8c5acdd1615e1 Mon Sep 17 00:00:00 2001
		2	From: Damien Miller <djm@mindrot.org>
		3	Date: Tue, 15 Dec 2015 15:25:04 +0000
		4	Subject: upstream commit
		5
		6	unbreak connections with peers that set first_kex_follows;
		7	fix from Matt Johnston va bz#2515
		8
		9	Origin: backport, http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/kex.c.diff?r1=1.114&r2=1.115
		10	Forwarded: not-needed
		11	Bug-Ubuntu: https://bugs.launchpad.net/bugs/1526357
		12
		13	Patch-Name: backport-fix-first-kex-follows.patch
		14	---
		15	kex.c \| 6 +++---
		16	1 file changed, 3 insertions(+), 3 deletions(-)
		17
		18	diff --git a/kex.c b/kex.c
		19	index 39a6f98..12f3e41 100644
		20	--- a/kex.c
		21	+++ b/kex.c
		22	@@ -286,11 +286,11 @@ kex_buf2prop(struct sshbuf raw, int first_kex_follows, char ***propp)
		23	debug2("kex_parse_kexinit: %s", proposal[i]);
		24	}
		25	/* first kex follows / reserved */
		26	- if ((r = sshbuf_get_u8(b, &v)) != 0 \|\|
		27	- (r = sshbuf_get_u32(b, &i)) != 0)
		28	+ if ((r = sshbuf_get_u8(b, &v)) != 0 \|\| /* first_kex_follows */
		29	+ (r = sshbuf_get_u32(b, &i)) != 0) /* reserved */
		30	goto out;
		31	if (first_kex_follows != NULL)
		32	- *first_kex_follows = i;
		33	+ *first_kex_follows = v;
		34	debug2("kex_parse_kexinit: first_kex_follows %d ", v);
		35	debug2("kex_parse_kexinit: reserved %u ", i);
		36	r = 0;


diff --git a/debian/patches/series b/debian/patches/series index 816f65cc3..340077745 100644 --- a/debian/patches/series +++ b/debian/patches/series
@@ -25,3 +25,4 @@ no-openssl-version-status.patch
25	gnome-ssh-askpass2-icon.patch	25	gnome-ssh-askpass2-icon.patch
26	sigstop.patch	26	sigstop.patch
27	debian-config.patch	27	debian-config.patch
		28	backport-fix-first-kex-follows.patch


diff --git a/kex.c b/kex.c index 39a6f98c4..12f3e41c0 100644 --- a/kex.c +++ b/kex.c
@@ -286,11 +286,11 @@ kex_buf2prop(struct sshbuf raw, int first_kex_follows, char ***propp)
286	debug2("kex_parse_kexinit: %s", proposal[i]);	286	debug2("kex_parse_kexinit: %s", proposal[i]);
287	}	287	}
288	/* first kex follows / reserved */	288	/* first kex follows / reserved */
289	if ((r = sshbuf_get_u8(b, &v)) != 0 \|\|	289	if ((r = sshbuf_get_u8(b, &v)) != 0 \|\| /* first_kex_follows */
290	(r = sshbuf_get_u32(b, &i)) != 0)	290	(r = sshbuf_get_u32(b, &i)) != 0) /* reserved */
291	goto out;	291	goto out;
292	if (first_kex_follows != NULL)	292	if (first_kex_follows != NULL)
293	*first_kex_follows = i;	293	*first_kex_follows = v;
294	debug2("kex_parse_kexinit: first_kex_follows %d ", v);	294	debug2("kex_parse_kexinit: first_kex_follows %d ", v);
295	debug2("kex_parse_kexinit: reserved %u ", i);	295	debug2("kex_parse_kexinit: reserved %u ", i);
296	r = 0;	296	r = 0;