2 files changed, 6 insertions, 4 deletions

diff --git a/debian/changelog b/debian/changelog
index c42a3c50d..db627a97a 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -3,6 +3,7 @@ openssh (1:4.7p1-12) UNRELEASED; urgency=low
   * Fill in CVE identifier for ssh-vulnkey bug fixed in 1:4.7p1-10.
   * Refactor rejection of blacklisted user keys into a single
     reject_blacklisted_key function in auth.c (thanks, Dmitry V. Levin).
+  * Fix memory leak of blacklisted host keys (thanks, Dmitry V. Levin).
   * debconf template translations:
     - Update Dutch (thanks, Bart Cornelis; closes: #483004).
 
diff --git a/sshd.c b/sshd.c
index 80cfd56d8..ac539d6bb 100644
--- a/sshd.c
+++ b/sshd.c
@@ -1496,10 +1496,6 @@ main(int ac, char **av)
 
         for (i = 0; i < options.num_host_key_files; i++) {
                 key = key_load_private(options.host_key_files[i], "", NULL);
-                if (key && reject_blacklisted_key(key, 1) == 1) {
-                        sensitive_data.host_keys[i] = NULL;
-                        continue;
-                }
                 sensitive_data.host_keys[i] = key;
                 if (key == NULL) {
                         error("Could not load host key: %s",
@@ -1507,6 +1503,11 @@ main(int ac, char **av)
                         sensitive_data.host_keys[i] = NULL;
                         continue;
                 }
+                if (reject_blacklisted_key(key, 1) == 1) {
+                        key_free(key);
+                        sensitive_data.host_keys[i] = NULL;
+                        continue;
+                }
                 switch (key->type) {
                 case KEY_RSA1:
                         sensitive_data.ssh1_host_key = key;