25 files changed, 87 insertions, 65 deletions

diff --git a/ChangeLog b/ChangeLog
index 1a0d2545e..6175764f5 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,20 @@
+20131108
+ - (djm) OpenBSD CVS Sync
+   - markus@cvs.openbsd.org 2013/11/06 16:52:11
+     [monitor_wrap.c]
+     fix rekeying for AES-GCM modes; ok deraadt
+   - djm@cvs.openbsd.org 2013/11/08 00:39:15
+     [auth-options.c auth2-chall.c authfd.c channels.c cipher-3des1.c]
+     [clientloop.c gss-genr.c monitor_mm.c packet.c schnorr.c umac.c]
+     [sftp-client.c sftp-glob.c]
+     use calloc for all structure allocations; from markus@
+ - (djm) [README contrib/caldera/openssh.spec contrib/redhat/openssh.spec]
+   [contrib/suse/openssh.spec] update version numbers
+   - djm@cvs.openbsd.org 2013/11/08 01:38:11
+     [version.h]
+     openssh-6.4
+ - (djm) Release 6.4p1
+
 20130913
  - (djm) [channels.c] Fix unaligned access on sparc machines in SOCKS5 code;
    ok dtucker@
diff --git a/README b/README
index ece2dba19..0c52f1371 100644
--- a/README
+++ b/README
@@ -1,4 +1,4 @@
-See http://www.openssh.com/txt/release-6.3 for the release notes.
+See http://www.openssh.com/txt/release-6.4 for the release notes.
 
 - A Japanese translation of this document and of the OpenSSH FAQ is
 - available at http://www.unixuser.org/~haruyama/security/openssh/index.html
@@ -62,4 +62,4 @@ References -
 [6] http://www.openbsd.org/cgi-bin/man.cgi?query=style&sektion=9
 [7] http://www.openssh.com/faq.html
 
-$Id: README,v 1.83 2013/07/25 02:34:00 djm Exp $
+$Id: README,v 1.83.4.1 2013/11/08 01:36:17 djm Exp $
diff --git a/auth-options.c b/auth-options.c
index 73e330bf5..15c00d048 100644
--- a/auth-options.c
+++ b/auth-options.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth-options.c,v 1.59 2013/07/12 00:19:58 djm Exp $ */
+/* $OpenBSD: auth-options.c,v 1.61 2013/11/08 00:39:14 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -250,7 +250,7 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
                         auth_debug_add("Adding to environment: %.900s", s);
                         debug("Adding to environment: %.900s", s);
                         opts++;
-                        new_envstring = xmalloc(sizeof(struct envstring));
+                        new_envstring = xcalloc(1, sizeof(struct envstring));
                         new_envstring->s = s;
                         new_envstring->next = custom_environment;
                         custom_environment = new_envstring;
diff --git a/auth2-chall.c b/auth2-chall.c
index 98f3093ce..031c2828c 100644
--- a/auth2-chall.c
+++ b/auth2-chall.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2-chall.c,v 1.38 2013/05/17 00:13:13 djm Exp $ */
+/* $OpenBSD: auth2-chall.c,v 1.39 2013/11/08 00:39:14 djm Exp $ */
 /*
  * Copyright (c) 2001 Markus Friedl.  All rights reserved.
  * Copyright (c) 2001 Per Allansson.  All rights reserved.
@@ -111,7 +111,7 @@ kbdint_alloc(const char *devs)
                 remove_kbdint_device("pam");
 #endif
 
-        kbdintctxt = xmalloc(sizeof(KbdintAuthctxt));
+        kbdintctxt = xcalloc(1, sizeof(KbdintAuthctxt));
         if (strcmp(devs, "") == 0) {
                 buffer_init(&b);
                 for (i = 0; devices[i]; i++) {
diff --git a/authfd.c b/authfd.c
index 775786bee..5cce93b76 100644
--- a/authfd.c
+++ b/authfd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: authfd.c,v 1.87 2013/05/17 00:13:13 djm Exp $ */
+/* $OpenBSD: authfd.c,v 1.88 2013/11/08 00:39:14 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -206,7 +206,7 @@ ssh_get_authentication_connection(void)
         if (sock < 0)
                 return NULL;
 
-        auth = xmalloc(sizeof(*auth));
+        auth = xcalloc(1, sizeof(*auth));
         auth->fd = sock;
         buffer_init(&auth->identities);
         auth->howmany = 0;
diff --git a/channels.c b/channels.c
index ac675c742..a1c31d8a0 100644
--- a/channels.c
+++ b/channels.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: channels.c,v 1.324 2013/07/12 00:19:58 djm Exp $ */
+/* $OpenBSD: channels.c,v 1.327 2013/11/08 00:39:15 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -704,7 +704,7 @@ channel_register_status_confirm(int id, channel_confirm_cb *cb,
         if ((c = channel_lookup(id)) == NULL)
                 fatal("channel_register_expect: %d: bad id", id);
 
-        cc = xmalloc(sizeof(*cc));
+        cc = xcalloc(1, sizeof(*cc));
         cc->cb = cb;
         cc->abandon_cb = abandon_cb;
         cc->ctx = ctx;
diff --git a/cipher-3des1.c b/cipher-3des1.c
index c8a70244b..56fc77786 100644
--- a/cipher-3des1.c
+++ b/cipher-3des1.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cipher-3des1.c,v 1.8 2013/05/17 00:13:13 djm Exp $ */
+/* $OpenBSD: cipher-3des1.c,v 1.9 2013/11/08 00:39:15 djm Exp $ */
 /*
  * Copyright (c) 2003 Markus Friedl.  All rights reserved.
  *
@@ -67,7 +67,7 @@ ssh1_3des_init(EVP_CIPHER_CTX *ctx, const u_char *key, const u_char *iv,
         u_char *k1, *k2, *k3;
 
         if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) == NULL) {
-                c = xmalloc(sizeof(*c));
+                c = xcalloc(1, sizeof(*c));
                 EVP_CIPHER_CTX_set_app_data(ctx, c);
         }
         if (key == NULL)
diff --git a/clientloop.c b/clientloop.c
index 35550eb4d..f2f474eab 100644
--- a/clientloop.c
+++ b/clientloop.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: clientloop.c,v 1.253 2013/06/07 15:37:52 dtucker Exp $ */
+/* $OpenBSD: clientloop.c,v 1.255 2013/11/08 00:39:15 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -846,7 +846,7 @@ void
 client_expect_confirm(int id, const char *request,
     enum confirm_action action)
 {
-        struct channel_reply_ctx *cr = xmalloc(sizeof(*cr));
+        struct channel_reply_ctx *cr = xcalloc(1, sizeof(*cr));
 
         cr->request_type = request;
         cr->action = action;
@@ -869,7 +869,7 @@ client_register_global_confirm(global_confirm_cb *cb, void *ctx)
                 return;
         }
 
-        gc = xmalloc(sizeof(*gc));
+        gc = xcalloc(1, sizeof(*gc));
         gc->cb = cb;
         gc->ctx = ctx;
         gc->ref_count = 1;
@@ -1447,7 +1447,7 @@ client_new_escape_filter_ctx(int escape_char)
 {
         struct escape_filter_ctx *ret;
 
-        ret = xmalloc(sizeof(*ret));
+        ret = xcalloc(1, sizeof(*ret));
         ret->escape_pending = 0;
         ret->escape_char = escape_char;
         return (void *)ret;
diff --git a/contrib/caldera/openssh.spec b/contrib/caldera/openssh.spec
index b460bfff0..d026b72d8 100644
--- a/contrib/caldera/openssh.spec
+++ b/contrib/caldera/openssh.spec
@@ -16,7 +16,7 @@
 
 #old cvs stuff.  please update before use.  may be deprecated.
 %define use_stable      1
-%define version         6.3p1
+%define version         6.4p1
 %if %{use_stable}
   %define cvs           %{nil}
   %define release       1
@@ -363,4 +363,4 @@ fi
 * Mon Jan 01 1998 ...
 Template Version: 1.31
 
-$Id: openssh.spec,v 1.80 2013/07/25 02:34:00 djm Exp $
+$Id: openssh.spec,v 1.80.4.1 2013/11/08 01:36:19 djm Exp $
diff --git a/contrib/redhat/openssh.spec b/contrib/redhat/openssh.spec
index d1191f4e1..29a38dedc 100644
--- a/contrib/redhat/openssh.spec
+++ b/contrib/redhat/openssh.spec
@@ -1,4 +1,4 @@
-%define ver 6.3p1
+%define ver 6.4p1
 %define rel 1
 
 # OpenSSH privilege separation requires a user & group ID
diff --git a/contrib/suse/openssh.spec b/contrib/suse/openssh.spec
index 2866039d1..3a612bd23 100644
--- a/contrib/suse/openssh.spec
+++ b/contrib/suse/openssh.spec
@@ -13,7 +13,7 @@
 
 Summary:        OpenSSH, a free Secure Shell (SSH) protocol implementation
 Name:           openssh
-Version:        6.3p1
+Version:        6.4p1
 URL:            http://www.openssh.com/
 Release:        1
 Source0:        openssh-%{version}.tar.gz
diff --git a/debian/changelog b/debian/changelog
index a7359c9c5..066a762c9 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,16 +1,22 @@
-openssh (1:6.3p1-1) UNRELEASED; urgency=low
-
-  * New upstream release (http://www.openssh.com/txt/release-6.3).
-    - sftp(1): add support for resuming partial downloads using the "reget"
-      command and on the sftp commandline or on the "get" commandline using
-      the "-a" (append) option (closes: #158590).
-    - ssh(1): add an "IgnoreUnknown" configuration option to selectively
-      suppress errors arising from unknown configuration directives (closes:
-      #436052).
-    - sftp(1): update progressmeter when data is acknowledged, not when it's
-      sent (partially addresses #708372).
-    - ssh(1): do not fatally exit when attempting to cleanup multiplexing-
-      created channels that are incompletely opened (closes: #651357).
+openssh (1:6.4p1-1) UNRELEASED; urgency=low
+
+  * New upstream release.  Important changes:
+    - 6.3/6.3p1 (http://www.openssh.com/txt/release-6.3):
+      + sftp(1): add support for resuming partial downloads using the
+        "reget" command and on the sftp commandline or on the "get"
+        commandline using the "-a" (append) option (closes: #158590).
+      + ssh(1): add an "IgnoreUnknown" configuration option to selectively
+        suppress errors arising from unknown configuration directives
+        (closes: #436052).
+      + sftp(1): update progressmeter when data is acknowledged, not when
+        it's sent (partially addresses #708372).
+      + ssh(1): do not fatally exit when attempting to cleanup multiplexing-
+        created channels that are incompletely opened (closes: #651357).
+    - 6.4/6.4p1 (http://www.openssh.com/txt/release-6.4):
+      + sshd(8): fix a memory corruption problem triggered during rekeying
+        when an AES-GCM cipher is selected (closes: #729029).  Full details
+        of the vulnerability are available at:
+        http://www.openssh.com/txt/gcmrekey.adv
   * When running under Upstart, only consider the daemon started once it is
     ready to accept connections (by raising SIGSTOP at that point and using
     "expect stop").
diff --git a/debian/patches/gssapi.patch b/debian/patches/gssapi.patch
index 85c6722f0..b9221f94f 100644
--- a/debian/patches/gssapi.patch
+++ b/debian/patches/gssapi.patch
@@ -13,7 +13,7 @@ Description: GSSAPI key exchange support
  security history.
 Author: Simon Wilkinson <simon@sxw.org.uk>
 Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242
-Last-Updated: 2013-09-14
+Last-Updated: 2013-11-09
 
 Index: b/ChangeLog.gssapi
 ===================================================================
@@ -475,7 +475,7 @@ Index: b/gss-genr.c
 --- a/gss-genr.c
 +++ b/gss-genr.c
 @@ -1,7 +1,7 @@
- /* $OpenBSD: gss-genr.c,v 1.21 2013/05/17 00:13:13 djm Exp $ */
+ /* $OpenBSD: gss-genr.c,v 1.22 2013/11/08 00:39:15 djm Exp $ */
  
  /*
 - * Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved.
diff --git a/debian/patches/package-versioning.patch b/debian/patches/package-versioning.patch
index 2be45ebf8..392afc073 100644
--- a/debian/patches/package-versioning.patch
+++ b/debian/patches/package-versioning.patch
@@ -42,7 +42,7 @@ Index: b/version.h
 --- a/version.h
 +++ b/version.h
 @@ -3,4 +3,9 @@
- #define SSH_VERSION    "OpenSSH_6.3"
+ #define SSH_VERSION    "OpenSSH_6.4"
  
  #define SSH_PORTABLE   "p1"
 -#define SSH_RELEASE    SSH_VERSION SSH_PORTABLE
diff --git a/gss-genr.c b/gss-genr.c
index 3069347c2..b7d1b7dbf 100644
--- a/gss-genr.c
+++ b/gss-genr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: gss-genr.c,v 1.21 2013/05/17 00:13:13 djm Exp $ */
+/* $OpenBSD: gss-genr.c,v 1.22 2013/11/08 00:39:15 djm Exp $ */
 
 /*
  * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
@@ -217,7 +217,7 @@ ssh_gssapi_set_oid_data(Gssctxt *ctx, void *data, size_t len)
                 free(ctx->oid->elements);
                 free(ctx->oid);
         }
-        ctx->oid = xmalloc(sizeof(gss_OID_desc));
+        ctx->oid = xcalloc(1, sizeof(gss_OID_desc));
         ctx->oid->length = len;
         ctx->oid->elements = xmalloc(len);
         memcpy(ctx->oid->elements, data, len);
diff --git a/monitor_mm.c b/monitor_mm.c
index ee7bad4b4..d3e6aeee5 100644
--- a/monitor_mm.c
+++ b/monitor_mm.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: monitor_mm.c,v 1.17 2013/05/17 00:13:13 djm Exp $ */
+/* $OpenBSD: monitor_mm.c,v 1.18 2013/11/08 00:39:15 djm Exp $ */
 /*
  * Copyright 2002 Niels Provos <provos@citi.umich.edu>
  * All rights reserved.
@@ -65,7 +65,7 @@ mm_make_entry(struct mm_master *mm, struct mmtree *head,
         struct mm_share *tmp, *tmp2;
 
         if (mm->mmalloc == NULL)
-                tmp = xmalloc(sizeof(struct mm_share));
+                tmp = xcalloc(1, sizeof(struct mm_share));
         else
                 tmp = mm_xmalloc(mm->mmalloc, sizeof(struct mm_share));
         tmp->address = address;
@@ -88,7 +88,7 @@ mm_create(struct mm_master *mmalloc, size_t size)
         struct mm_master *mm;
 
         if (mmalloc == NULL)
-                mm = xmalloc(sizeof(struct mm_master));
+                mm = xcalloc(1, sizeof(struct mm_master));
         else
                 mm = mm_xmalloc(mmalloc, sizeof(struct mm_master));
 
@@ -161,6 +161,7 @@ mm_xmalloc(struct mm_master *mm, size_t size)
         address = mm_malloc(mm, size);
         if (address == NULL)
                 fatal("%s: mm_malloc(%lu)", __func__, (u_long)size);
+        memset(address, 0, size);
         return (address);
 }
 
diff --git a/monitor_wrap.c b/monitor_wrap.c
index 9662a4c63..670b62dfb 100644
--- a/monitor_wrap.c
+++ b/monitor_wrap.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: monitor_wrap.c,v 1.76 2013/05/17 00:13:13 djm Exp $ */
+/* $OpenBSD: monitor_wrap.c,v 1.77 2013/11/06 16:52:11 markus Exp $ */
 /*
  * Copyright 2002 Niels Provos <provos@citi.umich.edu>
  * Copyright 2002 Markus Friedl <markus@openbsd.org>
@@ -500,7 +500,7 @@ mm_newkeys_from_blob(u_char *blob, int blen)
         buffer_init(&b);
         buffer_append(&b, blob, blen);
 
-        newkey = xmalloc(sizeof(*newkey));
+        newkey = xcalloc(1, sizeof(*newkey));
         enc = &newkey->enc;
         mac = &newkey->mac;
         comp = &newkey->comp;
diff --git a/packet.c b/packet.c
index 0d27e7592..90db33bdd 100644
--- a/packet.c
+++ b/packet.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: packet.c,v 1.188 2013/07/12 00:19:58 djm Exp $ */
+/* $OpenBSD: packet.c,v 1.189 2013/11/08 00:39:15 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -996,7 +996,7 @@ packet_send2(void)
                     (type == SSH2_MSG_SERVICE_REQUEST) ||
                     (type == SSH2_MSG_SERVICE_ACCEPT)) {
                         debug("enqueue packet: %u", type);
-                        p = xmalloc(sizeof(*p));
+                        p = xcalloc(1, sizeof(*p));
                         p->type = type;
                         memcpy(&p->payload, &active_state->outgoing_packet,
                             sizeof(Buffer));
diff --git a/schnorr.c b/schnorr.c
index 9549dcf0e..93822fed4 100644
--- a/schnorr.c
+++ b/schnorr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: schnorr.c,v 1.7 2013/05/17 00:13:14 djm Exp $ */
+/* $OpenBSD: schnorr.c,v 1.8 2013/11/08 00:39:15 djm Exp $ */
 /*
  * Copyright (c) 2008 Damien Miller.  All rights reserved.
  *
@@ -549,7 +549,7 @@ modp_group_from_g_and_safe_p(const char *grp_g, const char *grp_p)
 {
         struct modp_group *ret;
 
-        ret = xmalloc(sizeof(*ret));
+        ret = xcalloc(1, sizeof(*ret));
         ret->p = ret->q = ret->g = NULL;
         if (BN_hex2bn(&ret->p, grp_p) == 0 ||
             BN_hex2bn(&ret->g, grp_g) == 0)
diff --git a/sftp-client.c b/sftp-client.c
index f4f1970b6..2f9793778 100644
--- a/sftp-client.c
+++ b/sftp-client.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sftp-client.c,v 1.101 2013/07/25 00:56:51 djm Exp $ */
+/* $OpenBSD: sftp-client.c,v 1.108 2013/11/08 00:39:15 djm Exp $ */
 /*
  * Copyright (c) 2001-2004 Damien Miller <djm@openbsd.org>
  *
@@ -471,7 +471,7 @@ do_lsreaddir(struct sftp_conn *conn, char *path, int printflag,
 
         if (dir) {
                 ents = 0;
-                *dir = xmalloc(sizeof(**dir));
+                *dir = xcalloc(1, sizeof(**dir));
                 (*dir)[0] = NULL;
         }
 
@@ -545,7 +545,7 @@ do_lsreaddir(struct sftp_conn *conn, char *path, int printflag,
 
                         if (dir) {
                                 *dir = xrealloc(*dir, ents + 2, sizeof(**dir));
-                                (*dir)[ents] = xmalloc(sizeof(***dir));
+                                (*dir)[ents] = xcalloc(1, sizeof(***dir));
                                 (*dir)[ents]->filename = xstrdup(filename);
                                 (*dir)[ents]->longname = xstrdup(longname);
                                 memcpy(&(*dir)[ents]->a, a, sizeof(*a));
@@ -564,7 +564,7 @@ do_lsreaddir(struct sftp_conn *conn, char *path, int printflag,
         /* Don't return partial matches on interrupt */
         if (interrupted && dir != NULL && *dir != NULL) {
                 free_sftp_dirents(*dir);
-                *dir = xmalloc(sizeof(**dir));
+                *dir = xcalloc(1, sizeof(**dir));
                 **dir = NULL;
         }
 
@@ -1105,7 +1105,7 @@ do_download(struct sftp_conn *conn, char *remote_path, char *local_path,
                             (unsigned long long)offset,
                             (unsigned long long)offset + buflen - 1,
                             num_req, max_req);
-                        req = xmalloc(sizeof(*req));
+                        req = xcalloc(1, sizeof(*req));
                         req->id = conn->msg_id++;
                         req->len = buflen;
                         req->offset = offset;
@@ -1463,7 +1463,7 @@ do_upload(struct sftp_conn *conn, char *local_path, char *remote_path,
                             strerror(errno));
 
                 if (len != 0) {
-                        ack = xmalloc(sizeof(*ack));
+                        ack = xcalloc(1, sizeof(*ack));
                         ack->id = ++id;
                         ack->offset = offset;
                         ack->len = len;
diff --git a/sftp-glob.c b/sftp-glob.c
index 79b7bdb2f..e1f5a6109 100644
--- a/sftp-glob.c
+++ b/sftp-glob.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sftp-glob.c,v 1.24 2013/05/17 00:13:14 djm Exp $ */
+/* $OpenBSD: sftp-glob.c,v 1.25 2013/11/08 00:39:15 djm Exp $ */
 /*
  * Copyright (c) 2001-2004 Damien Miller <djm@openbsd.org>
  *
@@ -48,7 +48,7 @@ fudge_opendir(const char *path)
 {
         struct SFTP_OPENDIR *r;
 
-        r = xmalloc(sizeof(*r));
+        r = xcalloc(1, sizeof(*r));
 
         if (do_readdir(cur.conn, (char *)path, &r->dir)) {
                 free(r);
diff --git a/sftp-server.0 b/sftp-server.0
index bca318b38..391f42736 100644
--- a/sftp-server.0
+++ b/sftp-server.0
@@ -61,9 +61,8 @@ DESCRIPTION
 SEE ALSO
      sftp(1), ssh(1), sshd_config(5), sshd(8)
 
-     T. Ylonen and S. Lehtinen, SSH File Transfer Protocol,
-     draft-ietf-secsh-filexfer-02.txt, October 2001, work in progress
-     material.
+     T. Ylonen and S. Lehtinen, SSH File Transfer Protocol, draft-ietf-secsh-
+     filexfer-02.txt, October 2001, work in progress material.
 
 HISTORY
      sftp-server first appeared in OpenBSD 2.8.
diff --git a/sftp.0 b/sftp.0
index c5fa17892..8bfc8086b 100644
--- a/sftp.0
+++ b/sftp.0
@@ -342,8 +342,7 @@ SEE ALSO
      ftp(1), ls(1), scp(1), ssh(1), ssh-add(1), ssh-keygen(1), glob(3),
      ssh_config(5), sftp-server(8), sshd(8)
 
-     T. Ylonen and S. Lehtinen, SSH File Transfer Protocol,
-     draft-ietf-secsh-filexfer-00.txt, January 2001, work in progress
-     material.
+     T. Ylonen and S. Lehtinen, SSH File Transfer Protocol, draft-ietf-secsh-
+     filexfer-00.txt, January 2001, work in progress material.
 
 OpenBSD 5.4                      July 25, 2013                     OpenBSD 5.4
diff --git a/umac.c b/umac.c
index 99416a510..0c62145fa 100644
--- a/umac.c
+++ b/umac.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: umac.c,v 1.7 2013/07/22 05:00:17 djm Exp $ */
+/* $OpenBSD: umac.c,v 1.8 2013/11/08 00:39:15 djm Exp $ */
 /* -----------------------------------------------------------------------
  * 
  * umac.c -- C Implementation UMAC Message Authentication
@@ -1227,7 +1227,7 @@ struct umac_ctx *umac_new(const u_char key[])
     size_t bytes_to_add;
     aes_int_key prf_key;
     
-    octx = ctx = xmalloc(sizeof(*ctx) + ALLOC_BOUNDARY);
+    octx = ctx = xcalloc(1, sizeof(*ctx) + ALLOC_BOUNDARY);
     if (ctx) {
         if (ALLOC_BOUNDARY) {
             bytes_to_add = ALLOC_BOUNDARY -
diff --git a/version.h b/version.h
index 7a30d0dd7..036277d61 100644
--- a/version.h
+++ b/version.h
@@ -1,6 +1,6 @@
-/* $OpenBSD: version.h,v 1.67 2013/07/25 00:57:37 djm Exp $ */
+/* $OpenBSD: version.h,v 1.68 2013/11/08 01:38:11 djm Exp $ */
 
-#define SSH_VERSION     "OpenSSH_6.3"
+#define SSH_VERSION     "OpenSSH_6.4"
 
 #define SSH_PORTABLE    "p1"
 #define SSH_RELEASE_MINIMUM     SSH_VERSION SSH_PORTABLE