8 files changed, 70 insertions, 8 deletions
diff --git a/debian/.git-dpm b/debian/.git-dpm
index f64723622..8d8bd30fa 100644
--- a/debian/.git-dpm
+++ b/debian/.git-dpm
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-ba9e0b1d4edf5876b289affd9d31bab493f0d0a4
+5c0c1192be30b7c0e60d96b5e6739c4ad49f087b
-ba9e0b1d4edf5876b289affd9d31bab493f0d0a4
+5c0c1192be30b7c0e60d96b5e6739c4ad49f087b
 544df7a04ae5b5c1fc30be7c445ad685d7a02dc9
 544df7a04ae5b5c1fc30be7c445ad685d7a02dc9
 openssh_6.9p1.orig.tar.gz
diff --git a/debian/changelog b/debian/changelog
index d8745c0e5..d98a173ea 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -154,6 +154,8 @@ openssh (1:6.9p1-1) UNRELEASED; urgency=medium
      mechanism itself were still applied.  Found by Kingcope.
  * Thanks to Jakub Jelen of Red Hat for Fedora's rebased version of the
    GSSAPI key exchange patch.
+  * Document the Debian-specific change to the default value of
+    ForwardX11Trusted in ssh(1) (closes: #781469).
 -- Colin Watson <cjwatson@debian.org>  Wed, 19 Aug 2015 15:19:54 +0100
diff --git a/debian/patches/backport-do-not-resend-username-to-pam.patch b/debian/patches/backport-do-not-resend-username-to-pam.patch
index 00ace37f1..24b7ce271 100644
--- a/debian/patches/backport-do-not-resend-username-to-pam.patch
+++ b/debian/patches/backport-do-not-resend-username-to-pam.patch
@@ -1,4 +1,4 @@
-From 5b83c6a466b2a7fe6aaf50e082c58fe63592e211 Mon Sep 17 00:00:00 2001
+From f84305e9391e13c01a78df0d93e2edd40c14f601 Mon Sep 17 00:00:00 2001
 From: Damien Miller <djm@mindrot.org>
 Date: Tue, 11 Aug 2015 13:33:24 +1000
 Subject: Don't resend username to PAM; it already has it.
diff --git a/debian/patches/backport-fix-pty-permissions.patch b/debian/patches/backport-fix-pty-permissions.patch
index 2cff74911..cbd5a12c4 100644
--- a/debian/patches/backport-fix-pty-permissions.patch
+++ b/debian/patches/backport-fix-pty-permissions.patch
@@ -1,4 +1,4 @@
-From 12577aa167c76d517bfe78f603fe805f190d8d05 Mon Sep 17 00:00:00 2001
+From bf3247821b4335eddd22664b0e1b30393ba31415 Mon Sep 17 00:00:00 2001
 From: "djm@openbsd.org" <djm@openbsd.org>
 Date: Thu, 30 Jul 2015 23:09:15 +0000
 Subject: Fix pty permissions
diff --git a/debian/patches/backport-kbdint-duplicates.patch b/debian/patches/backport-kbdint-duplicates.patch
index 0973503c9..c7e395d86 100644
--- a/debian/patches/backport-kbdint-duplicates.patch
+++ b/debian/patches/backport-kbdint-duplicates.patch
@@ -1,4 +1,4 @@
-From ba9e0b1d4edf5876b289affd9d31bab493f0d0a4 Mon Sep 17 00:00:00 2001
+From 5c0c1192be30b7c0e60d96b5e6739c4ad49f087b Mon Sep 17 00:00:00 2001
 From: "djm@openbsd.org" <djm@openbsd.org>
 Date: Sat, 18 Jul 2015 07:57:14 +0000
 Subject: only query each keyboard-interactive device once per authentication
diff --git a/debian/patches/backport-pam-use-after-free.patch b/debian/patches/backport-pam-use-after-free.patch
index 460654953..52690882c 100644
--- a/debian/patches/backport-pam-use-after-free.patch
+++ b/debian/patches/backport-pam-use-after-free.patch
@@ -1,4 +1,4 @@
-From c0ec3def4bec4afe1cad9e99081e658200b13a02 Mon Sep 17 00:00:00 2001
+From a97f75bc484762111ae4e994791f4a5af6294c26 Mon Sep 17 00:00:00 2001
 From: Damien Miller <djm@mindrot.org>
 Date: Tue, 11 Aug 2015 13:34:12 +1000
 Subject: set sshpam_ctxt to NULL after free
diff --git a/debian/patches/debian-config.patch b/debian/patches/debian-config.patch
index 4f5db8a91..c990a01c3 100644
--- a/debian/patches/debian-config.patch
+++ b/debian/patches/debian-config.patch
@@ -1,4 +1,4 @@
-From 810eecd6b2e03770f21e46b5cb8ce8c7fcd46da8 Mon Sep 17 00:00:00 2001
+From 88ebb6a4a95f2f9ded930587c33f08cff0fc1db4 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:10:18 +0000
 Subject: Various Debian-specific configuration changes
@@ -27,11 +27,12 @@ Last-Update: 2015-08-19
 Patch-Name: debian-config.patch
 ---
 readconf.c    |  2 +-
+ ssh.1         | 21 +++++++++++++++++++++
 ssh_config    |  7 ++++++-
 ssh_config.5  | 19 ++++++++++++++++++-
 sshd_config   |  3 ++-
 sshd_config.5 | 25 +++++++++++++++++++++++++
- 5 files changed, 52 insertions(+), 4 deletions(-)
+ 6 files changed, 73 insertions(+), 4 deletions(-)
 diff --git a/readconf.c b/readconf.c
 index 5f6c37f..f0769b5 100644
@@ -46,6 +47,44 @@ index 5f6c37f..f0769b5 100644
        if (options->forward_x11_timeout == -1)
                options->forward_x11_timeout = 1200;
        if (options->exit_on_forward_failure == -1)
+diff --git a/ssh.1 b/ssh.1
+index 2178863..e2cce49 100644
+--- a/ssh.1
+++ b/ssh.1
+@@ -670,12 +670,33 @@ option and the
+ directive in
+ .Xr ssh_config 5
+ for more information.
+.Pp
+(Debian-specific: X11 forwarding is not subjected to X11 SECURITY extension
+restrictions by default, because too many programs currently crash in this
+mode.
+Set the
+.Cm ForwardX11Trusted
+option to
+.Dq no
+to restore the upstream behaviour.
+This may change in future depending on client-side improvements.)
+ .It Fl x
+ Disables X11 forwarding.
+ .It Fl Y
+ Enables trusted X11 forwarding.
+ Trusted X11 forwardings are not subjected to the X11 SECURITY extension
+ controls.
+.Pp
+(Debian-specific: This option does nothing in the default configuration: it
+is equivalent to
+.Dq Cm ForwardX11Trusted No yes ,
+which is the default as described above.
+Set the
+.Cm ForwardX11Trusted
+option to
+.Dq no
+to restore the upstream behaviour.
+This may change in future depending on client-side improvements.)
+ .It Fl y
+ Send log information using the
+ .Xr syslog 3
 diff --git a/ssh_config b/ssh_config
 index 228e5ab..c9386aa 100644
 --- a/ssh_config
diff --git a/ssh.1 b/ssh.1
index 217886319..e2cce49d3 100644
--- a/ssh.1
+++ b/ssh.1
@@ -670,12 +670,33 @@ option and the
 directive in
 .Xr ssh_config 5
 for more information.
+.Pp
+(Debian-specific: X11 forwarding is not subjected to X11 SECURITY extension
+restrictions by default, because too many programs currently crash in this
+mode.
+Set the
+.Cm ForwardX11Trusted
+option to
+.Dq no
+to restore the upstream behaviour.
+This may change in future depending on client-side improvements.)
 .It Fl x
 Disables X11 forwarding.
 .It Fl Y
 Enables trusted X11 forwarding.
 Trusted X11 forwardings are not subjected to the X11 SECURITY extension
 controls.
+.Pp
+(Debian-specific: This option does nothing in the default configuration: it
+is equivalent to
+.Dq Cm ForwardX11Trusted No yes ,
+which is the default as described above.
+Set the
+.Cm ForwardX11Trusted
+option to
+.Dq no
+to restore the upstream behaviour.
+This may change in future depending on client-side improvements.)
 .It Fl y
 Send log information using the
 .Xr syslog 3

diff --git a/debian/.git-dpm b/debian/.git-dpm index f64723622..8d8bd30fa 100644 --- a/debian/.git-dpm +++ b/debian/.git-dpm
@@ -1,6 +1,6 @@
1	# see git-dpm(1) from git-dpm package	1	# see git-dpm(1) from git-dpm package
2	ba9e0b1d4edf5876b289affd9d31bab493f0d0a4	2	5c0c1192be30b7c0e60d96b5e6739c4ad49f087b
3	ba9e0b1d4edf5876b289affd9d31bab493f0d0a4	3	5c0c1192be30b7c0e60d96b5e6739c4ad49f087b
4	544df7a04ae5b5c1fc30be7c445ad685d7a02dc9	4	544df7a04ae5b5c1fc30be7c445ad685d7a02dc9
5	544df7a04ae5b5c1fc30be7c445ad685d7a02dc9	5	544df7a04ae5b5c1fc30be7c445ad685d7a02dc9
6	openssh_6.9p1.orig.tar.gz	6	openssh_6.9p1.orig.tar.gz


diff --git a/debian/changelog b/debian/changelog index d8745c0e5..d98a173ea 100644 --- a/debian/changelog +++ b/debian/changelog
@@ -154,6 +154,8 @@ openssh (1:6.9p1-1) UNRELEASED; urgency=medium
154	mechanism itself were still applied. Found by Kingcope.	154	mechanism itself were still applied. Found by Kingcope.
155	* Thanks to Jakub Jelen of Red Hat for Fedora's rebased version of the	155	* Thanks to Jakub Jelen of Red Hat for Fedora's rebased version of the
156	GSSAPI key exchange patch.	156	GSSAPI key exchange patch.
		157	* Document the Debian-specific change to the default value of
		158	ForwardX11Trusted in ssh(1) (closes: #781469).
157		159
158	-- Colin Watson <cjwatson@debian.org> Wed, 19 Aug 2015 15:19:54 +0100	160	-- Colin Watson <cjwatson@debian.org> Wed, 19 Aug 2015 15:19:54 +0100
159		161


diff --git a/debian/patches/backport-do-not-resend-username-to-pam.patch b/debian/patches/backport-do-not-resend-username-to-pam.patch index 00ace37f1..24b7ce271 100644 --- a/debian/patches/backport-do-not-resend-username-to-pam.patch +++ b/debian/patches/backport-do-not-resend-username-to-pam.patch
@@ -1,4 +1,4 @@
1	From 5b83c6a466b2a7fe6aaf50e082c58fe63592e211 Mon Sep 17 00:00:00 2001	1	From f84305e9391e13c01a78df0d93e2edd40c14f601 Mon Sep 17 00:00:00 2001
2	From: Damien Miller <djm@mindrot.org>	2	From: Damien Miller <djm@mindrot.org>
3	Date: Tue, 11 Aug 2015 13:33:24 +1000	3	Date: Tue, 11 Aug 2015 13:33:24 +1000
4	Subject: Don't resend username to PAM; it already has it.	4	Subject: Don't resend username to PAM; it already has it.


diff --git a/debian/patches/backport-fix-pty-permissions.patch b/debian/patches/backport-fix-pty-permissions.patch index 2cff74911..cbd5a12c4 100644 --- a/debian/patches/backport-fix-pty-permissions.patch +++ b/debian/patches/backport-fix-pty-permissions.patch
@@ -1,4 +1,4 @@
1	From 12577aa167c76d517bfe78f603fe805f190d8d05 Mon Sep 17 00:00:00 2001	1	From bf3247821b4335eddd22664b0e1b30393ba31415 Mon Sep 17 00:00:00 2001
2	From: "djm@openbsd.org" <djm@openbsd.org>	2	From: "djm@openbsd.org" <djm@openbsd.org>
3	Date: Thu, 30 Jul 2015 23:09:15 +0000	3	Date: Thu, 30 Jul 2015 23:09:15 +0000
4	Subject: Fix pty permissions	4	Subject: Fix pty permissions


diff --git a/debian/patches/backport-kbdint-duplicates.patch b/debian/patches/backport-kbdint-duplicates.patch index 0973503c9..c7e395d86 100644 --- a/debian/patches/backport-kbdint-duplicates.patch +++ b/debian/patches/backport-kbdint-duplicates.patch
@@ -1,4 +1,4 @@
1	From ba9e0b1d4edf5876b289affd9d31bab493f0d0a4 Mon Sep 17 00:00:00 2001	1	From 5c0c1192be30b7c0e60d96b5e6739c4ad49f087b Mon Sep 17 00:00:00 2001
2	From: "djm@openbsd.org" <djm@openbsd.org>	2	From: "djm@openbsd.org" <djm@openbsd.org>
3	Date: Sat, 18 Jul 2015 07:57:14 +0000	3	Date: Sat, 18 Jul 2015 07:57:14 +0000
4	Subject: only query each keyboard-interactive device once per authentication	4	Subject: only query each keyboard-interactive device once per authentication


diff --git a/debian/patches/backport-pam-use-after-free.patch b/debian/patches/backport-pam-use-after-free.patch index 460654953..52690882c 100644 --- a/debian/patches/backport-pam-use-after-free.patch +++ b/debian/patches/backport-pam-use-after-free.patch
@@ -1,4 +1,4 @@
1	From c0ec3def4bec4afe1cad9e99081e658200b13a02 Mon Sep 17 00:00:00 2001	1	From a97f75bc484762111ae4e994791f4a5af6294c26 Mon Sep 17 00:00:00 2001
2	From: Damien Miller <djm@mindrot.org>	2	From: Damien Miller <djm@mindrot.org>
3	Date: Tue, 11 Aug 2015 13:34:12 +1000	3	Date: Tue, 11 Aug 2015 13:34:12 +1000
4	Subject: set sshpam_ctxt to NULL after free	4	Subject: set sshpam_ctxt to NULL after free


diff --git a/debian/patches/debian-config.patch b/debian/patches/debian-config.patch index 4f5db8a91..c990a01c3 100644 --- a/debian/patches/debian-config.patch +++ b/debian/patches/debian-config.patch
@@ -1,4 +1,4 @@
1	From 810eecd6b2e03770f21e46b5cb8ce8c7fcd46da8 Mon Sep 17 00:00:00 2001	1	From 88ebb6a4a95f2f9ded930587c33f08cff0fc1db4 Mon Sep 17 00:00:00 2001
2	From: Colin Watson <cjwatson@debian.org>	2	From: Colin Watson <cjwatson@debian.org>
3	Date: Sun, 9 Feb 2014 16:10:18 +0000	3	Date: Sun, 9 Feb 2014 16:10:18 +0000
4	Subject: Various Debian-specific configuration changes	4	Subject: Various Debian-specific configuration changes
@@ -27,11 +27,12 @@ Last-Update: 2015-08-19
27	Patch-Name: debian-config.patch	27	Patch-Name: debian-config.patch
28	---	28	---
29	readconf.c \| 2 +-	29	readconf.c \| 2 +-
		30	ssh.1 \| 21 +++++++++++++++++++++
30	ssh_config \| 7 ++++++-	31	ssh_config \| 7 ++++++-
31	ssh_config.5 \| 19 ++++++++++++++++++-	32	ssh_config.5 \| 19 ++++++++++++++++++-
32	sshd_config \| 3 ++-	33	sshd_config \| 3 ++-
33	sshd_config.5 \| 25 +++++++++++++++++++++++++	34	sshd_config.5 \| 25 +++++++++++++++++++++++++
34	5 files changed, 52 insertions(+), 4 deletions(-)	35	6 files changed, 73 insertions(+), 4 deletions(-)
35		36
36	diff --git a/readconf.c b/readconf.c	37	diff --git a/readconf.c b/readconf.c
37	index 5f6c37f..f0769b5 100644	38	index 5f6c37f..f0769b5 100644
@@ -46,6 +47,44 @@ index 5f6c37f..f0769b5 100644
46	if (options->forward_x11_timeout == -1)	47	if (options->forward_x11_timeout == -1)
47	options->forward_x11_timeout = 1200;	48	options->forward_x11_timeout = 1200;
48	if (options->exit_on_forward_failure == -1)	49	if (options->exit_on_forward_failure == -1)
		50	diff --git a/ssh.1 b/ssh.1
		51	index 2178863..e2cce49 100644
		52	--- a/ssh.1
		53	+++ b/ssh.1
		54	@@ -670,12 +670,33 @@ option and the
		55	directive in
		56	.Xr ssh_config 5
		57	for more information.
		58	+.Pp
		59	+(Debian-specific: X11 forwarding is not subjected to X11 SECURITY extension
		60	+restrictions by default, because too many programs currently crash in this
		61	+mode.
		62	+Set the
		63	+.Cm ForwardX11Trusted
		64	+option to
		65	+.Dq no
		66	+to restore the upstream behaviour.
		67	+This may change in future depending on client-side improvements.)
		68	.It Fl x
		69	Disables X11 forwarding.
		70	.It Fl Y
		71	Enables trusted X11 forwarding.
		72	Trusted X11 forwardings are not subjected to the X11 SECURITY extension
		73	controls.
		74	+.Pp
		75	+(Debian-specific: This option does nothing in the default configuration: it
		76	+is equivalent to
		77	+.Dq Cm ForwardX11Trusted No yes ,
		78	+which is the default as described above.
		79	+Set the
		80	+.Cm ForwardX11Trusted
		81	+option to
		82	+.Dq no
		83	+to restore the upstream behaviour.
		84	+This may change in future depending on client-side improvements.)
		85	.It Fl y
		86	Send log information using the
		87	.Xr syslog 3
49	diff --git a/ssh_config b/ssh_config	88	diff --git a/ssh_config b/ssh_config
50	index 228e5ab..c9386aa 100644	89	index 228e5ab..c9386aa 100644
51	--- a/ssh_config	90	--- a/ssh_config


diff --git a/ssh.1 b/ssh.1 index 217886319..e2cce49d3 100644 --- a/ssh.1 +++ b/ssh.1
@@ -670,12 +670,33 @@ option and the
670	directive in	670	directive in
671	.Xr ssh_config 5	671	.Xr ssh_config 5
672	for more information.	672	for more information.
		673	.Pp
		674	(Debian-specific: X11 forwarding is not subjected to X11 SECURITY extension
		675	restrictions by default, because too many programs currently crash in this
		676	mode.
		677	Set the
		678	.Cm ForwardX11Trusted
		679	option to
		680	.Dq no
		681	to restore the upstream behaviour.
		682	This may change in future depending on client-side improvements.)
673	.It Fl x	683	.It Fl x
674	Disables X11 forwarding.	684	Disables X11 forwarding.
675	.It Fl Y	685	.It Fl Y
676	Enables trusted X11 forwarding.	686	Enables trusted X11 forwarding.
677	Trusted X11 forwardings are not subjected to the X11 SECURITY extension	687	Trusted X11 forwardings are not subjected to the X11 SECURITY extension
678	controls.	688	controls.
		689	.Pp
		690	(Debian-specific: This option does nothing in the default configuration: it
		691	is equivalent to
		692	.Dq Cm ForwardX11Trusted No yes ,
		693	which is the default as described above.
		694	Set the
		695	.Cm ForwardX11Trusted
		696	option to
		697	.Dq no
		698	to restore the upstream behaviour.
		699	This may change in future depending on client-side improvements.)
679	.It Fl y	700	.It Fl y
680	Send log information using the	701	Send log information using the
681	.Xr syslog 3	702	.Xr syslog 3