25 files changed, 340 insertions, 358 deletions
diff --git a/debian/changelog b/debian/changelog
index 9ed26d33d..a7359c9c5 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,5 +1,16 @@
-openssh (1:6.2p2-7) UNRELEASED; urgency=low
+openssh (1:6.3p1-1) UNRELEASED; urgency=low
+  * New upstream release (http://www.openssh.com/txt/release-6.3).
+    - sftp(1): add support for resuming partial downloads using the "reget"
+      command and on the sftp commandline or on the "get" commandline using
+      the "-a" (append) option (closes: #158590).
+    - ssh(1): add an "IgnoreUnknown" configuration option to selectively
+      suppress errors arising from unknown configuration directives (closes:
+      #436052).
+    - sftp(1): update progressmeter when data is acknowledged, not when it's
+      sent (partially addresses #708372).
+    - ssh(1): do not fatally exit when attempting to cleanup multiplexing-
+      created channels that are incompletely opened (closes: #651357).
  * When running under Upstart, only consider the daemon started once it is
    ready to accept connections (by raising SIGSTOP at that point and using
    "expect stop").
diff --git a/debian/patches/auth-log-verbosity.patch b/debian/patches/auth-log-verbosity.patch
index 206967bc9..a6a842ecd 100644
--- a/debian/patches/auth-log-verbosity.patch
+++ b/debian/patches/auth-log-verbosity.patch
@@ -2,7 +2,7 @@ Description: Quieten logs when multiple from= restrictions are used
 Author: Colin Watson <cjwatson@debian.org>
 Bug-Debian: http://bugs.debian.org/630606
 Forwarded: no
-Last-Update: 2013-05-07
+Last-Update: 2013-09-14
 Index: b/auth-options.c
 ===================================================================
@@ -32,7 +32,7 @@ Index: b/auth-options.c
 @@ -288,10 +299,13 @@
                                /* FALLTHROUGH */
                        case 0:
-                                xfree(patterns);
+                                free(patterns);
 -                               logit("Authentication tried for %.100s with "
 -                                   "correct key but not from a permitted "
 -                                   "host (host=%.200s, ip=%.200s).",
@@ -47,7 +47,7 @@ Index: b/auth-options.c
                                auth_debug_add("Your host '%.200s' is not "
                                    "permitted to use this key for login.",
                                    remote_host);
-@@ -512,11 +526,14 @@
+@@ -513,11 +527,14 @@
                                        break;
                                case 0:
                                        /* no match */
@@ -83,7 +83,7 @@ Index: b/auth-rsa.c
 ===================================================================
 --- a/auth-rsa.c
 +++ b/auth-rsa.c
-@@ -175,6 +175,8 @@
+@@ -174,6 +174,8 @@
        if ((f = auth_openkeyfile(file, pw, options.strict_modes)) == NULL)
                return 0;
 
@@ -96,7 +96,7 @@ Index: b/auth2-pubkey.c
 ===================================================================
 --- a/auth2-pubkey.c
 +++ b/auth2-pubkey.c
-@@ -217,6 +217,7 @@
+@@ -257,6 +257,7 @@
                restore_uid();
                return 0;
        }
@@ -104,16 +104,15 @@ Index: b/auth2-pubkey.c
        while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
                /* Skip leading whitespace. */
                for (cp = line; *cp == ' ' || *cp == '\t'; cp++)
-@@ -278,6 +279,8 @@
+@@ -318,6 +319,7 @@
        found_key = 0;
-        found = key_new(key_is_cert(key) ? KEY_UNSPEC : key->type);
 
+        found = NULL;
 +       auth_start_parse_options();
-+
        while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
                char *cp, *key_options = NULL;
- 
+                if (found != NULL)
-@@ -412,6 +415,7 @@
+@@ -453,6 +455,7 @@
        if (key_cert_check_authority(key, 0, 1,
            principals_file == NULL ? pw->pw_name : NULL, &reason) != 0)
                goto fail_reason;
diff --git a/debian/patches/authorized-keys-man-symlink.patch b/debian/patches/authorized-keys-man-symlink.patch
index c6a4b64c6..e48a3cb3e 100644
--- a/debian/patches/authorized-keys-man-symlink.patch
+++ b/debian/patches/authorized-keys-man-symlink.patch
@@ -2,13 +2,13 @@ Description: Install authorized_keys(5) as a symlink to sshd(8)
 Author: Tomas Pospisek <tpo_deb@sourcepole.ch>
 Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1720
 Bug-Debian: http://bugs.debian.org/441817
-Last-Update: 2013-05-07
+Last-Update: 2013-09-14
 Index: b/Makefile.in
 ===================================================================
 --- a/Makefile.in
 +++ b/Makefile.in
-@@ -286,6 +286,7 @@
+@@ -289,6 +289,7 @@
        $(INSTALL) -m 644 sshd_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/sshd_config.5
        $(INSTALL) -m 644 ssh_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/ssh_config.5
        $(INSTALL) -m 644 sshd.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sshd.8
diff --git a/debian/patches/consolekit.patch b/debian/patches/consolekit.patch
index 36b3805b9..fd064a848 100644
--- a/debian/patches/consolekit.patch
+++ b/debian/patches/consolekit.patch
@@ -1,7 +1,7 @@
 Description: Add support for registering ConsoleKit sessions on login
 Author: Colin Watson <cjwatson@ubuntu.com>
 Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1450
-Last-Updated: 2013-05-13
+Last-Updated: 2013-09-14
 Index: b/Makefile.in
 ===================================================================
@@ -21,7 +21,7 @@ Index: b/configure.ac
 ===================================================================
 --- a/configure.ac
 +++ b/configure.ac
-@@ -3801,6 +3801,30 @@
+@@ -3841,6 +3841,30 @@
 AC_SUBST([GSSLIBS])
 AC_SUBST([K5LIBS])
 
@@ -52,7 +52,7 @@ Index: b/configure.ac
 # Looking for programs, paths and files
 
 PRIVSEP_PATH=/var/empty
-@@ -4600,6 +4624,7 @@
+@@ -4641,6 +4665,7 @@
 echo "                   libedit support: $LIBEDIT_MSG"
 echo "  Solaris process contract support: $SPC_MSG"
 echo "           Solaris project support: $SP_MSG"
@@ -64,7 +64,7 @@ Index: b/configure
 ===================================================================
 --- a/configure
 +++ b/configure
-@@ -737,6 +737,7 @@
+@@ -738,6 +738,7 @@
 with_sandbox
 with_selinux
 with_kerberos5
@@ -72,7 +72,7 @@ Index: b/configure
 with_privsep_path
 with_xauth
 enable_strip
-@@ -1427,6 +1428,7 @@
+@@ -1428,6 +1429,7 @@
   --with-sandbox=style    Specify privilege separation sandbox (no, darwin, rlimit, systrace, seccomp_filter)
   --with-selinux          Enable SELinux support
   --with-kerberos5=PATH   Enable Kerberos 5 support
@@ -80,7 +80,7 @@ Index: b/configure
   --with-privsep-path=xxx Path for privilege separation chroot (default=/var/empty)
   --with-xauth=PATH       Specify path to xauth program
   --with-maildir=/path/to/mail    Specify your system mail directory
-@@ -16002,6 +16004,135 @@
+@@ -16375,6 +16377,135 @@
 
 
 
@@ -216,7 +216,7 @@ Index: b/configure
 # Looking for programs, paths and files
 
 PRIVSEP_PATH=/var/empty
-@@ -18527,6 +18658,7 @@
+@@ -18902,6 +19033,7 @@
 echo "                   libedit support: $LIBEDIT_MSG"
 echo "  Solaris process contract support: $SPC_MSG"
 echo "           Solaris project support: $SP_MSG"
@@ -502,17 +502,17 @@ Index: b/monitor.c
 ===================================================================
 --- a/monitor.c
 +++ b/monitor.c
-@@ -97,6 +97,9 @@
+@@ -98,6 +98,9 @@
- #include "ssh2.h"
 #include "jpake.h"
 #include "roaming.h"
+ #include "authfd.h"
 +#ifdef USE_CONSOLEKIT
 +#include "consolekit.h"
 +#endif
 
 #ifdef GSSAPI
 static Gssctxt *gsscontext = NULL;
-@@ -192,6 +195,10 @@
+@@ -193,6 +196,10 @@
 
 static int monitor_read_log(struct monitor *);
 
@@ -523,7 +523,7 @@ Index: b/monitor.c
 static Authctxt *authctxt;
 static BIGNUM *ssh1_challenge = NULL;  /* used for ssh1 rsa auth */
 
-@@ -284,6 +291,9 @@
+@@ -285,6 +292,9 @@
     {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
     {MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT, mm_answer_audit_command},
 #endif
@@ -533,7 +533,7 @@ Index: b/monitor.c
     {0, 0, NULL}
 };
 
-@@ -326,6 +336,9 @@
+@@ -327,6 +337,9 @@
     {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
     {MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT|MON_ONCE, mm_answer_audit_command},
 #endif
@@ -553,7 +553,7 @@ Index: b/monitor.c
 
        for (;;)
                monitor_read(pmonitor, mon_dispatch, NULL);
-@@ -2472,3 +2488,31 @@
+@@ -2492,3 +2508,30 @@
 }
 
 #endif /* JPAKE */
@@ -577,10 +577,9 @@ Index: b/monitor.c
 +       buffer_put_cstring(m, cookie != NULL ? cookie : "");
 +       mm_request_send(sock, MONITOR_ANS_CONSOLEKIT_REGISTER, m);
 +
-+       if (cookie != NULL)
+       free(cookie);
-+               xfree(cookie);
+       free(display);
-+       xfree(display);
+       free(tty);
-+       xfree(tty);
 +
 +       return (0);
 +}
@@ -602,7 +601,7 @@ Index: b/monitor_wrap.c
 ===================================================================
 --- a/monitor_wrap.c
 +++ b/monitor_wrap.c
-@@ -1514,3 +1514,34 @@
+@@ -1516,3 +1516,34 @@
        return success;
 }
 #endif /* JPAKE */
@@ -631,7 +630,7 @@ Index: b/monitor_wrap.c
 +
 +       /* treat empty cookie as missing cookie */
 +       if (strlen(cookie) == 0) {
-+               xfree(cookie);
+               free(cookie);
 +               cookie = NULL;
 +       }
 +       return (cookie);
@@ -654,7 +653,7 @@ Index: b/session.c
 ===================================================================
 --- a/session.c
 +++ b/session.c
-@@ -91,6 +91,7 @@
+@@ -92,6 +92,7 @@
 #include "kex.h"
 #include "monitor_wrap.h"
 #include "sftp.h"
@@ -684,7 +683,7 @@ Index: b/session.c
 #ifdef USE_PAM
        /*
         * Pull in any environment variables that may have
-@@ -2308,6 +2317,10 @@
+@@ -2320,6 +2329,10 @@
 
        debug("session_pty_cleanup: session %d release %s", s->self, s->tty);
 
diff --git a/debian/patches/debian-banner.patch b/debian/patches/debian-banner.patch
index d96f2cc59..981cdd697 100644
--- a/debian/patches/debian-banner.patch
+++ b/debian/patches/debian-banner.patch
@@ -4,13 +4,13 @@ Description: Add DebianBanner server configuration option
 Author: Kees Cook <kees@debian.org>
 Bug-Debian: http://bugs.debian.org/562048
 Forwarded: not-needed
-Last-Update: 2013-05-07
+Last-Update: 2013-09-14
 Index: b/servconf.c
 ===================================================================
 --- a/servconf.c
 +++ b/servconf.c
-@@ -150,6 +150,7 @@
+@@ -157,6 +157,7 @@
        options->ip_qos_interactive = -1;
        options->ip_qos_bulk = -1;
        options->version_addendum = NULL;
@@ -18,7 +18,7 @@ Index: b/servconf.c
 }
 
 void
-@@ -299,6 +300,8 @@
+@@ -310,6 +311,8 @@
                options->ip_qos_bulk = IPTOS_THROUGHPUT;
        if (options->version_addendum == NULL)
                options->version_addendum = xstrdup("");
@@ -27,15 +27,15 @@ Index: b/servconf.c
        /* Turn privilege separation on by default */
        if (use_privsep == -1)
                use_privsep = PRIVSEP_NOSANDBOX;
-@@ -349,6 +352,7 @@
+@@ -360,6 +363,7 @@
        sKexAlgorithms, sIPQoS, sVersionAddendum,
        sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
-        sAuthenticationMethods,
+        sAuthenticationMethods, sHostKeyAgent,
 +       sDebianBanner,
        sDeprecated, sUnsupported
 } ServerOpCodes;
 
-@@ -488,6 +492,7 @@
+@@ -501,6 +505,7 @@
        { "authorizedkeyscommanduser", sAuthorizedKeysCommandUser, SSHCFG_ALL },
        { "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL },
        { "authenticationmethods", sAuthenticationMethods, SSHCFG_ALL },
@@ -43,7 +43,7 @@ Index: b/servconf.c
        { NULL, sBadOption, 0 }
 };
 
-@@ -1593,6 +1598,10 @@
+@@ -1648,6 +1653,10 @@
                }
                return 0;
 
@@ -58,7 +58,7 @@ Index: b/servconf.h
 ===================================================================
 --- a/servconf.h
 +++ b/servconf.h
-@@ -184,6 +184,8 @@
+@@ -188,6 +188,8 @@
 
        u_int   num_auth_methods;
        char   *auth_methods[MAX_AUTH_METHODS];
@@ -71,7 +71,7 @@ Index: b/sshd.c
 ===================================================================
 --- a/sshd.c
 +++ b/sshd.c
-@@ -434,7 +434,8 @@
+@@ -440,7 +440,8 @@
        }
 
        xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s",
@@ -85,7 +85,7 @@ Index: b/sshd_config.5
 ===================================================================
 --- a/sshd_config.5
 +++ b/sshd_config.5
-@@ -397,6 +397,11 @@
+@@ -404,6 +404,11 @@
 .Dq no .
 The default is
 .Dq delayed .
diff --git a/debian/patches/debian-config.patch b/debian/patches/debian-config.patch
index 45a8364ca..d005bdc2e 100644
--- a/debian/patches/debian-config.patch
+++ b/debian/patches/debian-config.patch
@@ -18,13 +18,13 @@ Description: Various Debian-specific configuration changes
 Author: Colin Watson <cjwatson@debian.org>
 Author: Russ Allbery <rra@debian.org>
 Forwarded: not-needed
-Last-Update: 2013-05-16
+Last-Update: 2013-09-14
 Index: b/readconf.c
 ===================================================================
 --- a/readconf.c
 +++ b/readconf.c
-@@ -1288,7 +1288,7 @@
+@@ -1298,7 +1298,7 @@
        if (options->forward_x11 == -1)
                options->forward_x11 = 0;
        if (options->forward_x11_trusted == -1)
@@ -49,10 +49,10 @@ Index: b/ssh_config
 #   RhostsRSAAuthentication no
 #   RSAAuthentication yes
 #   PasswordAuthentication yes
-@@ -47,3 +48,7 @@
+@@ -48,3 +49,7 @@
- #   PermitLocalCommand no
 #   VisualHostKey no
 #   ProxyCommand ssh -q -W %h:%p gateway.example.com
+ #   RekeyLimit 1G 1h
 +    SendEnv LANG LC_*
 +    HashKnownHosts yes
 +    GSSAPIAuthentication yes
@@ -84,7 +84,7 @@ Index: b/ssh_config.5
 The configuration file has the following format:
 .Pp
 Empty lines and lines starting with
-@@ -502,7 +518,8 @@
+@@ -501,7 +517,8 @@
 Remote clients will be refused access after this time.
 .Pp
 The default is
@@ -98,7 +98,7 @@ Index: b/sshd_config
 ===================================================================
 --- a/sshd_config
 +++ b/sshd_config
-@@ -37,6 +37,7 @@
+@@ -40,6 +40,7 @@
 # Authentication:
 
 #LoginGraceTime 2m
diff --git a/debian/patches/doc-hash-tab-completion.patch b/debian/patches/doc-hash-tab-completion.patch
index 25201a7d4..4c197323c 100644
--- a/debian/patches/doc-hash-tab-completion.patch
+++ b/debian/patches/doc-hash-tab-completion.patch
@@ -2,13 +2,13 @@ Description: Document that HashKnownHosts may break tab-completion
 Author: Colin Watson <cjwatson@debian.org>
 Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1727
 Bug-Debian: http://bugs.debian.org/430154
-Last-Update: 2013-05-07
+Last-Update: 2013-09-14
 Index: b/ssh_config.5
 ===================================================================
 --- a/ssh_config.5
 +++ b/ssh_config.5
-@@ -588,6 +588,9 @@
+@@ -587,6 +587,9 @@
 will not be converted automatically,
 but may be manually hashed using
 .Xr ssh-keygen 1 .
diff --git a/debian/patches/doc-upstart.patch b/debian/patches/doc-upstart.patch
index 5f35ac0c8..a471f9c4c 100644
--- a/debian/patches/doc-upstart.patch
+++ b/debian/patches/doc-upstart.patch
@@ -1,13 +1,13 @@
 Description: Refer to ssh's Upstart job as well as its init script
 Author: Colin Watson <cjwatson@ubuntu.com>
 Forwarded: not-needed
-Last-Update: 2012-11-26
+Last-Update: 2013-09-14
 Index: b/sshd.8
 ===================================================================
 --- a/sshd.8
 +++ b/sshd.8
-@@ -69,7 +69,10 @@
+@@ -70,7 +70,10 @@
 .Nm
 listens for connections from clients.
 It is normally started at boot from
diff --git a/debian/patches/gssapi.patch b/debian/patches/gssapi.patch
index 416e2f16c..85c6722f0 100644
--- a/debian/patches/gssapi.patch
+++ b/debian/patches/gssapi.patch
@@ -13,7 +13,7 @@ Description: GSSAPI key exchange support
 security history.
 Author: Simon Wilkinson <simon@sxw.org.uk>
 Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242
-Last-Updated: 2013-05-16
+Last-Updated: 2013-09-14
 Index: b/ChangeLog.gssapi
 ===================================================================
@@ -158,7 +158,7 @@ Index: b/auth-krb5.c
 ===================================================================
 --- a/auth-krb5.c
 +++ b/auth-krb5.c
-@@ -170,8 +170,13 @@
+@@ -181,8 +181,13 @@
 
        len = strlen(authctxt->krb5_ticket_file) + 6;
        authctxt->krb5_ccname = xmalloc(len);
@@ -172,7 +172,7 @@ Index: b/auth-krb5.c
 
 #ifdef USE_PAM
        if (options.use_pam)
-@@ -226,15 +231,22 @@
+@@ -239,15 +244,22 @@
 #ifndef HEIMDAL
 krb5_error_code
 ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) {
@@ -197,7 +197,7 @@ Index: b/auth-krb5.c
        old_umask = umask(0177);
        tmpfd = mkstemp(ccname + strlen("FILE:"));
        oerrno = errno;
-@@ -251,6 +263,7 @@
+@@ -264,6 +276,7 @@
                return oerrno;
        }
        close(tmpfd);
@@ -210,7 +210,7 @@ Index: b/auth2-gss.c
 --- a/auth2-gss.c
 +++ b/auth2-gss.c
 @@ -1,7 +1,7 @@
- /* $OpenBSD: auth2-gss.c,v 1.18 2012/12/02 20:34:09 djm Exp $ */
+ /* $OpenBSD: auth2-gss.c,v 1.20 2013/05/17 00:13:13 djm Exp $ */
 
 /*
 - * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
@@ -251,7 +251,7 @@ Index: b/auth2-gss.c
 +                   authctxt->pw));
 +       
 +       buffer_free(&b);
-+       xfree(mic.value);
+       free(mic.value);
 +
 +       return (authenticated);
 +}
@@ -259,7 +259,7 @@ Index: b/auth2-gss.c
 /*
  * We only support those mechanisms that we know about (ie ones that we know
  * how to check local user kuserok and the like)
-@@ -244,7 +278,8 @@
+@@ -240,7 +274,8 @@
 
        packet_check_eom();
 
@@ -269,7 +269,7 @@ Index: b/auth2-gss.c
 
        authctxt->postponed = 0;
        dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
-@@ -279,7 +314,8 @@
+@@ -275,7 +310,8 @@
        gssbuf.length = buffer_len(&b);
 
        if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gssctxt, &gssbuf, &mic))))
@@ -279,7 +279,7 @@ Index: b/auth2-gss.c
        else
                logit("GSSAPI MIC check failed");
 
-@@ -294,6 +330,12 @@
+@@ -290,6 +326,12 @@
        userauth_finish(authctxt, authenticated, "gssapi-with-mic", NULL);
 }
 
@@ -327,7 +327,7 @@ Index: b/clientloop.c
 /* import options */
 extern Options options;
 
-@@ -1599,6 +1603,15 @@
+@@ -1608,6 +1612,15 @@
                /* Do channel operations unless rekeying in progress. */
                if (!rekeying) {
                        channel_after_select(readset, writeset);
@@ -347,7 +347,7 @@ Index: b/config.h.in
 ===================================================================
 --- a/config.h.in
 +++ b/config.h.in
-@@ -1511,6 +1511,9 @@
+@@ -1546,6 +1546,9 @@
 /* Use btmp to log bad logins */
 #undef USE_BTMP
 
@@ -357,7 +357,7 @@ Index: b/config.h.in
 /* Use libedit for sftp */
 #undef USE_LIBEDIT
 
-@@ -1526,6 +1529,9 @@
+@@ -1561,6 +1564,9 @@
 /* Use PIPES instead of a socketpair() */
 #undef USE_PIPES
 
@@ -371,7 +371,7 @@ Index: b/configure
 ===================================================================
 --- a/configure
 +++ b/configure
-@@ -6588,6 +6588,63 @@
+@@ -6780,6 +6780,63 @@
 
 $as_echo "#define SSH_TUN_PREPEND_AF 1" >>confdefs.h
 
@@ -439,7 +439,7 @@ Index: b/configure.ac
 ===================================================================
 --- a/configure.ac
 +++ b/configure.ac
-@@ -533,6 +533,30 @@
+@@ -548,6 +548,30 @@
            [Use tunnel device compatibility to OpenBSD])
        AC_DEFINE([SSH_TUN_PREPEND_AF], [1],
            [Prepend the address family to IP tunnel traffic])
@@ -475,7 +475,7 @@ Index: b/gss-genr.c
 --- a/gss-genr.c
 +++ b/gss-genr.c
 @@ -1,7 +1,7 @@
- /* $OpenBSD: gss-genr.c,v 1.20 2009/06/22 05:39:28 dtucker Exp $ */
+ /* $OpenBSD: gss-genr.c,v 1.21 2013/05/17 00:13:13 djm Exp $ */
 
 /*
 - * Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved.
@@ -549,8 +549,8 @@ Index: b/gss-genr.c
 +
 +       if (gss_enc2oid != NULL) {
 +               for (i = 0; gss_enc2oid[i].encoded != NULL; i++)
-+                       xfree(gss_enc2oid[i].encoded);
+                       free(gss_enc2oid[i].encoded);
-+               xfree(gss_enc2oid);
+               free(gss_enc2oid);
 +       }
 +
 +       gss_enc2oid = xmalloc(sizeof(ssh_gss_kex_mapping) *
@@ -607,7 +607,7 @@ Index: b/gss-genr.c
 +       buffer_free(&buf);
 +
 +       if (strlen(mechs) == 0) {
-+               xfree(mechs);
+               free(mechs);
 +               mechs = NULL;
 +       }
 +       
@@ -826,7 +826,7 @@ Index: b/gss-serv-krb5.c
 --- a/gss-serv-krb5.c
 +++ b/gss-serv-krb5.c
 @@ -1,7 +1,7 @@
- /* $OpenBSD: gss-serv-krb5.c,v 1.7 2006/08/03 03:34:42 deraadt Exp $ */
+ /* $OpenBSD: gss-serv-krb5.c,v 1.8 2013/07/20 01:55:13 djm Exp $ */
 
 /*
 - * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
@@ -834,15 +834,15 @@ Index: b/gss-serv-krb5.c
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
-@@ -120,6 +120,7 @@
+@@ -122,6 +122,7 @@
-        krb5_principal princ;
        OM_uint32 maj_status, min_status;
        int len;
+        const char *errmsg;
 +       const char *new_ccname;
 
        if (client->creds == NULL) {
                debug("No credentials stored");
-@@ -168,11 +169,16 @@
+@@ -174,11 +175,16 @@
                return;
        }
 
@@ -863,7 +863,7 @@ Index: b/gss-serv-krb5.c
 
 #ifdef USE_PAM
        if (options.use_pam)
-@@ -184,6 +190,71 @@
+@@ -190,6 +196,71 @@
        return;
 }
 
@@ -935,7 +935,7 @@ Index: b/gss-serv-krb5.c
 ssh_gssapi_mech gssapi_kerberos_mech = {
        "toWM5Slw5Ew8Mqkay+al2g==",
        "Kerberos",
-@@ -191,7 +262,8 @@
+@@ -197,7 +268,8 @@
        NULL,
        &ssh_gssapi_krb5_userok,
        NULL,
@@ -950,7 +950,7 @@ Index: b/gss-serv.c
 --- a/gss-serv.c
 +++ b/gss-serv.c
 @@ -1,7 +1,7 @@
- /* $OpenBSD: gss-serv.c,v 1.23 2011/08/01 19:18:15 markus Exp $ */
+ /* $OpenBSD: gss-serv.c,v 1.24 2013/07/20 01:55:13 djm Exp $ */
 
 /*
 - * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
@@ -958,7 +958,7 @@ Index: b/gss-serv.c
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
-@@ -45,15 +45,20 @@
+@@ -45,15 +45,21 @@
 #include "channels.h"
 #include "session.h"
 #include "misc.h"
@@ -972,8 +972,9 @@ Index: b/gss-serv.c
 
 static ssh_gssapi_client gssapi_client =
     { GSS_C_EMPTY_BUFFER, GSS_C_EMPTY_BUFFER,
-    GSS_C_NO_CREDENTIAL, NULL, {NULL, NULL, NULL}};
+-    GSS_C_NO_CREDENTIAL, NULL, {NULL, NULL, NULL, NULL}};
-+    GSS_C_NO_CREDENTIAL, GSS_C_NO_NAME,  NULL, {NULL, NULL, NULL}, 0, 0};
+    GSS_C_NO_CREDENTIAL, GSS_C_NO_NAME,  NULL,
+    {NULL, NULL, NULL, NULL, NULL}, 0, 0};
 
 ssh_gssapi_mech gssapi_null_mech =
 -    { NULL, NULL, {0, NULL}, NULL, NULL, NULL, NULL};
@@ -981,7 +982,7 @@ Index: b/gss-serv.c
 
 #ifdef KRB5
 extern ssh_gssapi_mech gssapi_kerberos_mech;
-@@ -81,25 +86,32 @@
+@@ -81,25 +87,32 @@
        char lname[MAXHOSTNAMELEN];
        gss_OID_set oidset;
 
@@ -1028,7 +1029,7 @@ Index: b/gss-serv.c
 }
 
 /* Privileged */
-@@ -114,6 +126,29 @@
+@@ -114,6 +127,29 @@
 }
 
 /* Unprivileged */
@@ -1058,7 +1059,7 @@ Index: b/gss-serv.c
 void
 ssh_gssapi_supported_oids(gss_OID_set *oidset)
 {
-@@ -123,7 +158,9 @@
+@@ -123,7 +159,9 @@
        gss_OID_set supported;
 
        gss_create_empty_oid_set(&min_status, oidset);
@@ -1069,7 +1070,7 @@ Index: b/gss-serv.c
 
        while (supported_mechs[i]->name != NULL) {
                if (GSS_ERROR(gss_test_oid_set_member(&min_status,
-@@ -249,8 +286,48 @@
+@@ -249,8 +287,48 @@
 ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client)
 {
        int i = 0;
@@ -1119,7 +1120,7 @@ Index: b/gss-serv.c
 
        client->mech = NULL;
 
-@@ -265,6 +342,13 @@
+@@ -265,6 +343,13 @@
        if (client->mech == NULL)
                return GSS_S_FAILURE;
 
@@ -1133,7 +1134,7 @@ Index: b/gss-serv.c
        if ((ctx->major = gss_display_name(&ctx->minor, ctx->client,
            &client->displayname, NULL))) {
                ssh_gssapi_error(ctx);
-@@ -282,6 +366,8 @@
+@@ -282,6 +367,8 @@
                return (ctx->major);
        }
 
@@ -1142,7 +1143,7 @@ Index: b/gss-serv.c
        /* We can't copy this structure, so we just move the pointer to it */
        client->creds = ctx->client_creds;
        ctx->client_creds = GSS_C_NO_CREDENTIAL;
-@@ -329,7 +415,7 @@
+@@ -329,7 +416,7 @@
 
 /* Privileged */
 int
@@ -1151,7 +1152,7 @@ Index: b/gss-serv.c
 {
        OM_uint32 lmin;
 
-@@ -339,9 +425,11 @@
+@@ -339,9 +426,11 @@
                return 0;
        }
        if (gssapi_client.mech && gssapi_client.mech->userok)
@@ -1165,7 +1166,7 @@ Index: b/gss-serv.c
                        /* Destroy delegated credentials if userok fails */
                        gss_release_buffer(&lmin, &gssapi_client.displayname);
                        gss_release_buffer(&lmin, &gssapi_client.exportedname);
-@@ -354,14 +442,90 @@
+@@ -354,14 +443,90 @@
        return (0);
 }
 
@@ -1277,32 +1278,37 @@ Index: b/kex.c
 #if OPENSSL_VERSION_NUMBER >= 0x00907000L
 # if defined(HAVE_EVP_SHA256)
 # define evp_ssh_sha256 EVP_sha256
-@@ -369,6 +373,20 @@
+@@ -82,6 +86,14 @@
-                k->kex_type = KEX_ECDH_SHA2;
-                k->evp_md = kex_ecdh_name_to_evpmd(k->name);
 #endif
+        { NULL, -1, -1, NULL},
+ };
+static const struct kexalg kexalg_prefixes[] = {
 +#ifdef GSSAPI
-+       } else if (strncmp(k->name, KEX_GSS_GEX_SHA1_ID,
+       { KEX_GSS_GEX_SHA1_ID, KEX_GSS_GEX_SHA1, 0, EVP_sha1 },
-+           sizeof(KEX_GSS_GEX_SHA1_ID) - 1) == 0) {
+       { KEX_GSS_GRP1_SHA1_ID, KEX_GSS_GRP1_SHA1, 0, EVP_sha1 },
-+               k->kex_type = KEX_GSS_GEX_SHA1;
+       { KEX_GSS_GRP14_SHA1_ID, KEX_GSS_GRP14_SHA1, 0, EVP_sha1 },
-+               k->evp_md = EVP_sha1();
-+       } else if (strncmp(k->name, KEX_GSS_GRP1_SHA1_ID,
-+           sizeof(KEX_GSS_GRP1_SHA1_ID) - 1) == 0) {
-+               k->kex_type = KEX_GSS_GRP1_SHA1;
-+               k->evp_md = EVP_sha1();
-+       } else if (strncmp(k->name, KEX_GSS_GRP14_SHA1_ID,
-+           sizeof(KEX_GSS_GRP14_SHA1_ID) - 1) == 0) {
-+               k->kex_type = KEX_GSS_GRP14_SHA1;
-+               k->evp_md = EVP_sha1();
 +#endif
-        } else
+       { NULL, -1, -1, NULL },
-                fatal("bad kex alg %s", k->name);
+};
+ 
+ char *
+ kex_alg_list(void)
+@@ -110,6 +122,10 @@
+                if (strcmp(k->name, name) == 0)
+                        return k;
+        }
+       for (k = kexalg_prefixes; k->name != NULL; k++) {
+               if (strncmp(k->name, name, strlen(k->name)) == 0)
+                       return k;
+       }
+        return NULL;
 }
+ 
 Index: b/kex.h
 ===================================================================
 --- a/kex.h
 +++ b/kex.h
-@@ -73,6 +73,9 @@
+@@ -74,6 +74,9 @@
        KEX_DH_GEX_SHA1,
        KEX_DH_GEX_SHA256,
        KEX_ECDH_SHA2,
@@ -1312,10 +1318,10 @@ Index: b/kex.h
        KEX_MAX
 };
 
-@@ -131,6 +134,12 @@
+@@ -133,6 +136,12 @@
-        sig_atomic_t done;
        int     flags;
        const EVP_MD *evp_md;
+        int     ec_nid;
 +#ifdef GSSAPI
 +       int     gss_deleg_creds;
 +       int     gss_trust_dns;
@@ -1325,7 +1331,7 @@ Index: b/kex.h
        char    *client_version_string;
        char    *server_version_string;
        int     (*verify_host_key)(Key *);
-@@ -158,6 +167,11 @@
+@@ -162,6 +171,11 @@
 void    kexecdh_client(Kex *);
 void    kexecdh_server(Kex *);
 
@@ -1341,7 +1347,7 @@ Index: b/kexgssc.c
 ===================================================================
 --- /dev/null
 +++ b/kexgssc.c
-@@ -0,0 +1,334 @@
+@@ -0,0 +1,333 @@
 +/*
 + * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
 + *
@@ -1488,7 +1494,7 @@ Index: b/kexgssc.c
 +
 +               /* If we've got an old receive buffer get rid of it */
 +               if (token_ptr != GSS_C_NO_BUFFER)
-+                       xfree(recv_tok.value);
+                       free(recv_tok.value);
 +
 +               if (maj_status == GSS_S_COMPLETE) {
 +                       /* If mutual state flag is not true, kex fails */
@@ -1605,7 +1611,7 @@ Index: b/kexgssc.c
 +               fatal("kexdh_client: BN_bin2bn failed");
 +
 +       memset(kbuf, 0, klen);
-+       xfree(kbuf);
+       free(kbuf);
 +
 +       switch (kex->kex_type) {
 +       case KEX_GSS_GRP1_SHA1:
@@ -1648,11 +1654,10 @@ Index: b/kexgssc.c
 +       if (GSS_ERROR(ssh_gssapi_checkmic(ctxt, &gssbuf, &msg_tok)))
 +               packet_disconnect("Hash's MIC didn't verify");
 +
-+       xfree(msg_tok.value);
+       free(msg_tok.value);
 +
 +       DH_free(dh);
-+       if (serverhostkey)
+       free(serverhostkey);
-+               xfree(serverhostkey);
 +       BN_clear_free(dh_server_pub);
 +
 +       /* save session id */
@@ -1680,7 +1685,7 @@ Index: b/kexgsss.c
 ===================================================================
 --- /dev/null
 +++ b/kexgsss.c
-@@ -0,0 +1,288 @@
+@@ -0,0 +1,289 @@
 +/*
 + * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
 + *
@@ -1761,9 +1766,10 @@ Index: b/kexgsss.c
 +        * in the GSSAPI code are no longer available. This kludges them back
 +        * into life
 +        */
-+       if (!ssh_gssapi_oid_table_ok()) 
+       if (!ssh_gssapi_oid_table_ok()) {
-+               if ((mechs = ssh_gssapi_server_mechanisms()))
+               mechs = ssh_gssapi_server_mechanisms();
-+                       xfree(mechs);
+               free(mechs);
+       }
 +
 +       debug2("%s: Identifying %s", __func__, kex->name);
 +       oid = ssh_gssapi_id_kex(NULL, kex->name, kex->kex_type);
@@ -1841,7 +1847,7 @@ Index: b/kexgsss.c
 +               maj_status = PRIVSEP(ssh_gssapi_accept_ctx(ctxt, &recv_tok, 
 +                   &send_tok, &ret_flags));
 +
-+               xfree(recv_tok.value);
+               free(recv_tok.value);
 +
 +               if (maj_status != GSS_S_COMPLETE && send_tok.length == 0)
 +                       fatal("Zero length token output when incomplete");
@@ -1890,7 +1896,7 @@ Index: b/kexgsss.c
 +               fatal("kexgss_server: BN_bin2bn failed");
 +
 +       memset(kbuf, 0, klen);
-+       xfree(kbuf);
+       free(kbuf);
 +
 +       switch (kex->kex_type) {
 +       case KEX_GSS_GRP1_SHA1:
@@ -1973,24 +1979,14 @@ Index: b/key.c
 ===================================================================
 --- a/key.c
 +++ b/key.c
-@@ -976,6 +976,8 @@
+@@ -933,6 +933,7 @@
-                }
+            KEY_RSA_CERT_V00, 0, 1 },
-                break;
+        { "ssh-dss-cert-v00@openssh.com", "DSA-CERT-V00",
- #endif /* OPENSSL_HAS_ECC */
+            KEY_DSA_CERT_V00, 0, 1 },
-+       case KEY_NULL:
+       { "null", "null", KEY_NULL, 0, 0 },
-+               return "null";
+        { NULL, NULL, -1, -1, 0 }
-        }
+ };
-        return "ssh-unknown";
- }
-@@ -1281,6 +1283,8 @@
-            strcmp(name, "ecdsa-sha2-nistp521-cert-v01@openssh.com") == 0) {
-                return KEY_ECDSA_CERT;
- #endif
-+       } else if (strcmp(name, "null") == 0) {
-+               return KEY_NULL;
-        }
 
-        debug2("key_type_from_name: unknown key type '%s'", name);
 Index: b/key.h
 ===================================================================
 --- a/key.h
@@ -2007,7 +2003,7 @@ Index: b/monitor.c
 ===================================================================
 --- a/monitor.c
 +++ b/monitor.c
-@@ -180,6 +180,8 @@
+@@ -181,6 +181,8 @@
 int mm_answer_gss_accept_ctx(int, Buffer *);
 int mm_answer_gss_userok(int, Buffer *);
 int mm_answer_gss_checkmic(int, Buffer *);
@@ -2016,7 +2012,7 @@ Index: b/monitor.c
 #endif
 
 #ifdef SSH_AUDIT_EVENTS
-@@ -252,6 +254,7 @@
+@@ -253,6 +255,7 @@
     {MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx},
     {MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok},
     {MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic},
@@ -2024,7 +2020,7 @@ Index: b/monitor.c
 #endif
 #ifdef JPAKE
     {MONITOR_REQ_JPAKE_GET_PWDATA, MON_ONCE, mm_answer_jpake_get_pwdata},
-@@ -264,6 +267,12 @@
+@@ -265,6 +268,12 @@
 };
 
 struct mon_table mon_dispatch_postauth20[] = {
@@ -2037,7 +2033,7 @@ Index: b/monitor.c
     {MONITOR_REQ_MODULI, 0, mm_answer_moduli},
     {MONITOR_REQ_SIGN, 0, mm_answer_sign},
     {MONITOR_REQ_PTY, 0, mm_answer_pty},
-@@ -372,6 +381,10 @@
+@@ -373,6 +382,10 @@
                /* Permit requests for moduli and signatures */
                monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
                monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
@@ -2059,7 +2055,7 @@ Index: b/monitor.c
        } else {
                mon_dispatch = mon_dispatch_postauth15;
                monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
-@@ -1836,6 +1853,13 @@
+@@ -1855,6 +1872,13 @@
        kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
        kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
        kex->kex[KEX_ECDH_SHA2] = kexecdh_server;
@@ -2073,7 +2069,7 @@ Index: b/monitor.c
        kex->server = 1;
        kex->hostkey_type = buffer_get_int(m);
        kex->kex_type = buffer_get_int(m);
-@@ -2042,6 +2066,9 @@
+@@ -2062,6 +2086,9 @@
        OM_uint32 major;
        u_int len;
 
@@ -2083,7 +2079,7 @@ Index: b/monitor.c
        goid.elements = buffer_get_string(m, &len);
        goid.length = len;
 
-@@ -2069,6 +2096,9 @@
+@@ -2089,6 +2116,9 @@
        OM_uint32 flags = 0; /* GSI needs this */
        u_int len;
 
@@ -2093,7 +2089,7 @@ Index: b/monitor.c
        in.value = buffer_get_string(m, &len);
        in.length = len;
        major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags);
-@@ -2086,6 +2116,7 @@
+@@ -2106,6 +2136,7 @@
                monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);
                monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
                monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);
@@ -2101,7 +2097,7 @@ Index: b/monitor.c
        }
        return (0);
 }
-@@ -2097,6 +2128,9 @@
+@@ -2117,6 +2148,9 @@
        OM_uint32 ret;
        u_int len;
 
@@ -2111,7 +2107,7 @@ Index: b/monitor.c
        gssbuf.value = buffer_get_string(m, &len);
        gssbuf.length = len;
        mic.value = buffer_get_string(m, &len);
-@@ -2123,7 +2157,11 @@
+@@ -2143,7 +2177,11 @@
 {
        int authenticated;
 
@@ -2124,7 +2120,7 @@ Index: b/monitor.c
 
        buffer_clear(m);
        buffer_put_int(m, authenticated);
-@@ -2136,6 +2174,74 @@
+@@ -2156,6 +2194,74 @@
        /* Monitor loop will terminate if authenticated */
        return (authenticated);
 }
@@ -2154,7 +2150,7 @@ Index: b/monitor.c
 +       }
 +       major = ssh_gssapi_sign(gsscontext, &data, &hash);
 +
-+       xfree(data.value);
+       free(data.value);
 +
 +       buffer_clear(m);
 +       buffer_put_int(m, major);
@@ -2184,9 +2180,9 @@ Index: b/monitor.c
 +
 +       ok = ssh_gssapi_update_creds(&store);
 +
-+       xfree(store.filename);
+       free(store.filename);
-+       xfree(store.envvar);
+       free(store.envvar);
-+       xfree(store.envval);
+       free(store.envval);
 +
 +       buffer_clear(m);
 +       buffer_put_int(m, ok);
@@ -2217,7 +2213,7 @@ Index: b/monitor_wrap.c
 ===================================================================
 --- a/monitor_wrap.c
 +++ b/monitor_wrap.c
-@@ -1271,7 +1271,7 @@
+@@ -1273,7 +1273,7 @@
 }
 
 int
@@ -2226,7 +2222,7 @@ Index: b/monitor_wrap.c
 {
        Buffer m;
        int authenticated = 0;
-@@ -1288,6 +1288,51 @@
+@@ -1290,6 +1290,51 @@
        debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not ");
        return (authenticated);
 }
@@ -2298,7 +2294,7 @@ Index: b/readconf.c
 ===================================================================
 --- a/readconf.c
 +++ b/readconf.c
-@@ -129,6 +129,8 @@
+@@ -132,6 +132,8 @@
        oClearAllForwardings, oNoHostAuthenticationForLocalhost,
        oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
        oAddressFamily, oGssAuthentication, oGssDelegateCreds,
@@ -2307,7 +2303,7 @@ Index: b/readconf.c
        oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
        oSendEnv, oControlPath, oControlMaster, oControlPersist,
        oHashKnownHosts,
-@@ -169,10 +171,19 @@
+@@ -172,10 +174,19 @@
        { "afstokenpassing", oUnsupported },
 #if defined(GSSAPI)
        { "gssapiauthentication", oGssAuthentication },
@@ -2327,7 +2323,7 @@ Index: b/readconf.c
 #endif
        { "fallbacktorsh", oDeprecated },
        { "usersh", oDeprecated },
-@@ -503,10 +514,30 @@
+@@ -516,10 +527,30 @@
                intptr = &options->gss_authentication;
                goto parse_flag;
 
@@ -2358,7 +2354,7 @@ Index: b/readconf.c
        case oBatchMode:
                intptr = &options->batch_mode;
                goto parse_flag;
-@@ -1158,7 +1189,12 @@
+@@ -1168,7 +1199,12 @@
        options->pubkey_authentication = -1;
        options->challenge_response_authentication = -1;
        options->gss_authentication = -1;
@@ -2371,7 +2367,7 @@ Index: b/readconf.c
        options->password_authentication = -1;
        options->kbd_interactive_authentication = -1;
        options->kbd_interactive_devices = NULL;
-@@ -1258,8 +1294,14 @@
+@@ -1268,8 +1304,14 @@
                options->challenge_response_authentication = 1;
        if (options->gss_authentication == -1)
                options->gss_authentication = 0;
@@ -2407,7 +2403,7 @@ Index: b/servconf.c
 ===================================================================
 --- a/servconf.c
 +++ b/servconf.c
-@@ -102,7 +102,10 @@
+@@ -107,7 +107,10 @@
        options->kerberos_ticket_cleanup = -1;
        options->kerberos_get_afs_token = -1;
        options->gss_authentication=-1;
@@ -2418,7 +2414,7 @@ Index: b/servconf.c
        options->password_authentication = -1;
        options->kbd_interactive_authentication = -1;
        options->challenge_response_authentication = -1;
-@@ -233,8 +236,14 @@
+@@ -240,8 +243,14 @@
                options->kerberos_get_afs_token = 0;
        if (options->gss_authentication == -1)
                options->gss_authentication = 0;
@@ -2433,7 +2429,7 @@ Index: b/servconf.c
        if (options->password_authentication == -1)
                options->password_authentication = 1;
        if (options->kbd_interactive_authentication == -1)
-@@ -327,7 +336,9 @@
+@@ -338,7 +347,9 @@
        sBanner, sUseDNS, sHostbasedAuthentication,
        sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
        sClientAliveCountMax, sAuthorizedKeysFile,
@@ -2444,7 +2440,7 @@ Index: b/servconf.c
        sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
        sUsePrivilegeSeparation, sAllowAgentForwarding,
        sZeroKnowledgePasswordAuthentication, sHostCertificate,
-@@ -393,10 +404,20 @@
+@@ -405,10 +416,20 @@
 #ifdef GSSAPI
        { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
        { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
@@ -2465,7 +2461,7 @@ Index: b/servconf.c
        { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
        { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
        { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
-@@ -1049,10 +1070,22 @@
+@@ -1073,10 +1094,22 @@
                intptr = &options->gss_authentication;
                goto parse_flag;
 
@@ -2488,7 +2484,7 @@ Index: b/servconf.c
        case sPasswordAuthentication:
                intptr = &options->password_authentication;
                goto parse_flag;
-@@ -1927,7 +1960,10 @@
+@@ -1983,7 +2016,10 @@
 #endif
 #ifdef GSSAPI
        dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
@@ -2503,7 +2499,7 @@ Index: b/servconf.h
 ===================================================================
 --- a/servconf.h
 +++ b/servconf.h
-@@ -110,7 +110,10 @@
+@@ -111,7 +111,10 @@
        int     kerberos_get_afs_token;         /* If true, try to get AFS token if
                                                 * authenticated with Kerberos. */
        int     gss_authentication;     /* If true, permit GSSAPI authentication */
@@ -2632,7 +2628,7 @@ Index: b/ssh_config.5
 ===================================================================
 --- a/ssh_config.5
 +++ b/ssh_config.5
-@@ -530,11 +530,43 @@
+@@ -529,11 +529,43 @@
 The default is
 .Dq no .
 Note that this option applies to protocol version 2 only.
@@ -2727,14 +2723,14 @@ Index: b/sshconnect2.c
 +               orig = myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS];
 +               xasprintf(&myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS], 
 +                   "%s,null", orig);
-+               xfree(gss);
+               free(gss);
 +       }
 +#endif
 +
-        if (options.rekey_limit)
+        if (options.rekey_limit || options.rekey_interval)
-                packet_set_rekey_limit((u_int32_t)options.rekey_limit);
+                packet_set_rekey_limits((u_int32_t)options.rekey_limit,
- 
+                    (time_t)options.rekey_interval);
-@@ -207,10 +243,30 @@
+@@ -208,10 +244,30 @@
        kex->kex[KEX_DH_GEX_SHA1] = kexgex_client;
        kex->kex[KEX_DH_GEX_SHA256] = kexgex_client;
        kex->kex[KEX_ECDH_SHA2] = kexecdh_client;
@@ -2765,7 +2761,7 @@ Index: b/sshconnect2.c
        xxx_kex = kex;
 
        dispatch_run(DISPATCH_BLOCK, &kex->done, kex);
-@@ -306,6 +362,7 @@
+@@ -307,6 +363,7 @@
 void   input_gssapi_hash(int type, u_int32_t, void *);
 void   input_gssapi_error(int, u_int32_t, void *);
 void   input_gssapi_errtok(int, u_int32_t, void *);
@@ -2773,7 +2769,7 @@ Index: b/sshconnect2.c
 #endif
 
 void   userauth(Authctxt *, char *);
-@@ -321,6 +378,11 @@
+@@ -322,6 +379,11 @@
 
 Authmethod authmethods[] = {
 #ifdef GSSAPI
@@ -2785,7 +2781,7 @@ Index: b/sshconnect2.c
        {"gssapi-with-mic",
                userauth_gssapi,
                NULL,
-@@ -627,19 +689,31 @@
+@@ -625,19 +687,31 @@
        static u_int mech = 0;
        OM_uint32 min;
        int ok = 0;
@@ -2819,7 +2815,7 @@ Index: b/sshconnect2.c
                        ok = 1; /* Mechanism works */
                } else {
                        mech++;
-@@ -736,8 +810,8 @@
+@@ -734,8 +808,8 @@
 {
        Authctxt *authctxt = ctxt;
        Gssctxt *gssctxt;
@@ -2830,9 +2826,9 @@ Index: b/sshconnect2.c
 
        if (authctxt == NULL)
                fatal("input_gssapi_response: no authentication context");
-@@ -847,6 +921,48 @@
+@@ -844,6 +918,48 @@
-        xfree(msg);
+        free(msg);
-        xfree(lang);
+        free(lang);
 }
 +
 +int
@@ -2883,7 +2879,7 @@ Index: b/sshd.c
 ===================================================================
 --- a/sshd.c
 +++ b/sshd.c
-@@ -121,6 +121,10 @@
+@@ -122,6 +122,10 @@
 #include "ssh-sandbox.h"
 #include "version.h"
 
@@ -2894,7 +2890,7 @@ Index: b/sshd.c
 #ifdef LIBWRAP
 #include <tcpd.h>
 #include <syslog.h>
-@@ -1645,10 +1649,13 @@
+@@ -1703,10 +1707,13 @@
                logit("Disabling protocol version 1. Could not load host key");
                options.protocol &= ~SSH_PROTO_1;
        }
@@ -2908,7 +2904,7 @@ Index: b/sshd.c
        if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) {
                logit("sshd: no hostkeys available -- exiting.");
                exit(1);
-@@ -1976,6 +1983,60 @@
+@@ -2035,6 +2042,60 @@
        /* Log the connection. */
        verbose("Connection from %.500s port %d", remote_ip, remote_port);
 
@@ -2969,7 +2965,7 @@ Index: b/sshd.c
        /*
         * We don't want to listen forever unless the other side
         * successfully authenticates itself.  So we set up an alarm which is
-@@ -2357,6 +2418,48 @@
+@@ -2439,6 +2500,48 @@
 
        myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = list_hostkey_types();
 
@@ -3018,7 +3014,7 @@ Index: b/sshd.c
        /* start key exchange */
        kex = kex_setup(myproposal);
        kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server;
-@@ -2364,6 +2467,13 @@
+@@ -2446,6 +2549,13 @@
        kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
        kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
        kex->kex[KEX_ECDH_SHA2] = kexecdh_server;
@@ -3036,7 +3032,7 @@ Index: b/sshd_config
 ===================================================================
 --- a/sshd_config
 +++ b/sshd_config
-@@ -80,6 +80,8 @@
+@@ -83,6 +83,8 @@
 # GSSAPI options
 #GSSAPIAuthentication no
 #GSSAPICleanupCredentials yes
@@ -3049,7 +3045,7 @@ Index: b/sshd_config.5
 ===================================================================
 --- a/sshd_config.5
 +++ b/sshd_config.5
-@@ -481,12 +481,40 @@
+@@ -484,12 +484,40 @@
 The default is
 .Dq no .
 Note that this option applies to protocol version 2 only.
diff --git a/debian/patches/keepalive-extensions.patch b/debian/patches/keepalive-extensions.patch
index 98e9f8bdd..a851a91bf 100644
--- a/debian/patches/keepalive-extensions.patch
+++ b/debian/patches/keepalive-extensions.patch
@@ -12,30 +12,30 @@ Author: Richard Kettlewell <rjk@greenend.org.uk>
 Author: Ian Jackson <ian@chiark.greenend.org.uk>
 Author: Matthew Vernon <matthew@debian.org>
 Author: Colin Watson <cjwatson@debian.org>
-Last-Update: 2013-05-16
+Last-Update: 2013-09-14
 Index: b/readconf.c
 ===================================================================
 --- a/readconf.c
 +++ b/readconf.c
-@@ -138,6 +138,7 @@
+@@ -141,6 +141,7 @@
        oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
        oVisualHostKey, oUseRoaming, oZeroKnowledgePasswordAuthentication,
-        oKexAlgorithms, oIPQoS, oRequestTTY,
+        oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown,
 +       oProtocolKeepAlives, oSetupTimeOut,
-        oDeprecated, oUnsupported
+        oIgnoredUnknownOption, oDeprecated, oUnsupported
 } OpCodes;
 
-@@ -259,6 +260,8 @@
+@@ -263,6 +264,8 @@
-        { "kexalgorithms", oKexAlgorithms },
        { "ipqos", oIPQoS },
        { "requesttty", oRequestTTY },
+        { "ignoreunknown", oIgnoreUnknown },
 +       { "protocolkeepalives", oProtocolKeepAlives },
 +       { "setuptimeout", oSetupTimeOut },
 
        { NULL, oBadOption }
 };
-@@ -933,6 +936,8 @@
+@@ -939,6 +942,8 @@
                goto parse_flag;
 
        case oServerAliveInterval:
@@ -44,8 +44,8 @@ Index: b/readconf.c
                intptr = &options->server_alive_interval;
                goto parse_time;
 
-@@ -1392,8 +1397,13 @@
+@@ -1404,8 +1409,13 @@
-                options->rekey_limit = 0;
+                options->rekey_interval = 0;
        if (options->verify_host_key_dns == -1)
                options->verify_host_key_dns = 0;
 -       if (options->server_alive_interval == -1)
@@ -78,7 +78,7 @@ Index: b/ssh_config.5
 The argument must be
 .Dq yes
 or
-@@ -1113,8 +1117,15 @@
+@@ -1141,8 +1145,15 @@
 will send a message through the encrypted
 channel to request a response from the server.
 The default
@@ -95,7 +95,7 @@ Index: b/ssh_config.5
 .It Cm StrictHostKeyChecking
 If this flag is set to
 .Dq yes ,
-@@ -1153,6 +1164,12 @@
+@@ -1181,6 +1192,12 @@
 other side.
 If they are sent, death of the connection or crash of one
 of the machines will be properly noticed.
@@ -112,7 +112,7 @@ Index: b/sshd_config.5
 ===================================================================
 --- a/sshd_config.5
 +++ b/sshd_config.5
-@@ -1122,6 +1122,9 @@
+@@ -1161,6 +1161,9 @@
 .Pp
 To disable TCP keepalive messages, the value should be set to
 .Dq no .
diff --git a/debian/patches/lintian-symlink-pickiness.patch b/debian/patches/lintian-symlink-pickiness.patch
index 8afabfaba..19ae33b22 100644
--- a/debian/patches/lintian-symlink-pickiness.patch
+++ b/debian/patches/lintian-symlink-pickiness.patch
@@ -3,13 +3,13 @@ Description: Fix picky lintian errors about slogin symlinks
 either way and opted to keep the status quo.  We need this patch anyway.
 Author: Colin Watson <cjwatson@debian.org>
 Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1728
-Last-Update: 2013-05-07
+Last-Update: 2013-09-14
 Index: b/Makefile.in
 ===================================================================
 --- a/Makefile.in
 +++ b/Makefile.in
-@@ -293,9 +293,9 @@
+@@ -296,9 +296,9 @@
        $(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
        $(INSTALL) -m 644 ssh-vulnkey.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-vulnkey.1
        -rm -f $(DESTDIR)$(bindir)/slogin
diff --git a/debian/patches/mention-ssh-keygen-on-keychange.patch b/debian/patches/mention-ssh-keygen-on-keychange.patch
index fd1b6f9f5..55c277031 100644
--- a/debian/patches/mention-ssh-keygen-on-keychange.patch
+++ b/debian/patches/mention-ssh-keygen-on-keychange.patch
@@ -2,13 +2,13 @@ Description: Mention ssh-keygen in ssh fingerprint changed warning
 Author: Scott Moser <smoser@ubuntu.com>
 Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1843
 Bug-Ubuntu: https://bugs.launchpad.net/bugs/686607
-Last-Update: 2013-05-16
+Last-Update: 2013-09-14
 Index: b/sshconnect.c
 ===================================================================
 --- a/sshconnect.c
 +++ b/sshconnect.c
-@@ -982,9 +982,12 @@
+@@ -981,9 +981,12 @@
                        error("%s. This could either mean that", key_msg);
                        error("DNS SPOOFING is happening or the IP address for the host");
                        error("and its host key have changed at the same time.");
@@ -22,7 +22,7 @@ Index: b/sshconnect.c
                }
                /* The host key has changed. */
                warn_changed_key(host_key);
-@@ -992,6 +995,8 @@
+@@ -991,6 +994,8 @@
                    user_hostfiles[0]);
                error("Offending %s key in %s:%lu", key_type(host_found->key),
                    host_found->file, host_found->line);
diff --git a/debian/patches/openbsd-docs.patch b/debian/patches/openbsd-docs.patch
index 48c3ff598..d4eeee6e8 100644
--- a/debian/patches/openbsd-docs.patch
+++ b/debian/patches/openbsd-docs.patch
@@ -6,7 +6,7 @@ Description: Adjust various OpenBSD-specific references in manual pages
  https://bugs.launchpad.net/bugs/456660 (ssl(8))
 Author: Colin Watson <cjwatson@debian.org>
 Forwarded: not-needed
-Last-Update: 2013-05-07
+Last-Update: 2013-09-14
 Index: b/moduli.5
 ===================================================================
@@ -56,7 +56,7 @@ Index: b/ssh-keygen.1
 .It Fl a Ar trials
 Specifies the number of primality tests to perform when screening DH-GEX
 candidates using the
-@@ -606,7 +602,7 @@
+@@ -605,7 +601,7 @@
 Valid generator values are 2, 3, and 5.
 .Pp
 Screened DH groups may be installed in
@@ -65,7 +65,7 @@ Index: b/ssh-keygen.1
 It is important that this file contains moduli of a range of bit lengths and
 that both ends of a connection share common moduli.
 .Sh CERTIFICATES
-@@ -801,7 +797,7 @@
+@@ -800,7 +796,7 @@
 where the user wishes to log in using public key authentication.
 There is no need to keep the contents of this file secret.
 .Pp
@@ -78,9 +78,9 @@ Index: b/ssh.1
 ===================================================================
 --- a/ssh.1
 +++ b/ssh.1
-@@ -736,6 +736,10 @@
+@@ -756,6 +756,10 @@
- .Sx HISTORY
+ but protocol 2 may use any.
- section of
+ The HISTORY section of
 .Xr ssl 8
 +(on non-OpenBSD systems, see
 +.nh
@@ -93,7 +93,7 @@ Index: b/sshd.8
 ===================================================================
 --- a/sshd.8
 +++ b/sshd.8
-@@ -69,7 +69,7 @@
+@@ -70,7 +70,7 @@
 .Nm
 listens for connections from clients.
 It is normally started at boot from
@@ -102,7 +102,7 @@ Index: b/sshd.8
 It forks a new
 daemon for each incoming connection.
 The forked daemons handle
-@@ -858,7 +858,7 @@
+@@ -859,7 +859,7 @@
 .Xr ssh 1 ) .
 It should only be writable by root.
 .Pp
@@ -111,7 +111,7 @@ Index: b/sshd.8
 Contains Diffie-Hellman groups used for the "Diffie-Hellman Group Exchange".
 The file format is described in
 .Xr moduli 5 .
-@@ -956,7 +956,6 @@
+@@ -957,7 +957,6 @@
 .Xr ssh-vulnkey 1 ,
 .Xr chroot 2 ,
 .Xr hosts_access 5 ,
@@ -123,7 +123,7 @@ Index: b/sshd_config.5
 ===================================================================
 --- a/sshd_config.5
 +++ b/sshd_config.5
-@@ -276,8 +276,7 @@
+@@ -283,8 +283,7 @@
 By default, no banner is displayed.
 .It Cm ChallengeResponseAuthentication
 Specifies whether challenge-response authentication is allowed (e.g. via
diff --git a/debian/patches/package-versioning.patch b/debian/patches/package-versioning.patch
index b922a185b..2be45ebf8 100644
--- a/debian/patches/package-versioning.patch
+++ b/debian/patches/package-versioning.patch
@@ -5,7 +5,7 @@ Description: Include the Debian version in our identification
 vulnerable-looking version strings.  (However, see debian-banner.patch.)
 Author: Matthew Vernon <matthew@debian.org>
 Forwarded: not-needed
-Last-Update: 2013-05-16
+Last-Update: 2013-09-14
 Index: b/sshconnect.c
 ===================================================================
@@ -28,7 +28,7 @@ Index: b/sshd.c
 ===================================================================
 --- a/sshd.c
 +++ b/sshd.c
-@@ -434,7 +434,7 @@
+@@ -440,7 +440,7 @@
        }
 
        xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s",
@@ -42,9 +42,9 @@ Index: b/version.h
 --- a/version.h
 +++ b/version.h
 @@ -3,4 +3,9 @@
- #define SSH_VERSION    "OpenSSH_6.2"
+ #define SSH_VERSION    "OpenSSH_6.3"
 
- #define SSH_PORTABLE   "p2"
+ #define SSH_PORTABLE   "p1"
 -#define SSH_RELEASE    SSH_VERSION SSH_PORTABLE
 +#define SSH_RELEASE_MINIMUM    SSH_VERSION SSH_PORTABLE
 +#ifdef SSH_EXTRAVERSION
diff --git a/debian/patches/quieter-signals.patch b/debian/patches/quieter-signals.patch
index f25ff89d0..32f4cfc67 100644
--- a/debian/patches/quieter-signals.patch
+++ b/debian/patches/quieter-signals.patch
@@ -10,13 +10,13 @@ Author: Peter Samuelson <peter@p12n.org>
 Author: Colin Watson <cjwatson@debian.org>
 Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1118
 Bug-Debian: http://bugs.debian.org/313371
-Last-Update: 2013-05-07
+Last-Update: 2013-09-14
 Index: b/clientloop.c
 ===================================================================
 --- a/clientloop.c
 +++ b/clientloop.c
-@@ -1710,8 +1710,10 @@
+@@ -1717,8 +1717,10 @@
                exit_status = 0;
        }
 
diff --git a/debian/patches/selinux-role.patch b/debian/patches/selinux-role.patch
index c41c78b3b..f3376c20a 100644
--- a/debian/patches/selinux-role.patch
+++ b/debian/patches/selinux-role.patch
@@ -5,7 +5,7 @@ Description: Handle SELinux authorisation roles
 Author: Manoj Srivastava <srivasta@debian.org>
 Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1641
 Bug-Debian: http://bugs.debian.org/394795
-Last-Update: 2013-05-13
+Last-Update: 2013-09-14
 Index: b/auth.h
 ===================================================================
@@ -17,13 +17,13 @@ Index: b/auth.h
        char            *style;
 +       char            *role;
        void            *kbdintctxt;
+        char            *info;          /* Extra info for next auth_log */
        void            *jpake_ctx;
- #ifdef BSD_AUTH
 Index: b/auth1.c
 ===================================================================
 --- a/auth1.c
 +++ b/auth1.c
-@@ -385,7 +385,7 @@
+@@ -380,7 +380,7 @@
 do_authentication(Authctxt *authctxt)
 {
        u_int ulen;
@@ -32,7 +32,7 @@ Index: b/auth1.c
 
        /* Get the name of the user that we wish to log in as. */
        packet_read_expect(SSH_CMSG_USER);
-@@ -394,11 +394,17 @@
+@@ -389,11 +389,17 @@
        user = packet_get_cstring(&ulen);
        packet_check_eom();
 
@@ -54,7 +54,7 @@ Index: b/auth2.c
 ===================================================================
 --- a/auth2.c
 +++ b/auth2.c
-@@ -219,7 +219,7 @@
+@@ -222,7 +222,7 @@
 {
        Authctxt *authctxt = ctxt;
        Authmethod *m = NULL;
@@ -63,7 +63,7 @@ Index: b/auth2.c
        int authenticated = 0;
 
        if (authctxt == NULL)
-@@ -231,8 +231,13 @@
+@@ -234,8 +234,13 @@
        debug("userauth-request for user %s service %s method %s", user, service, method);
        debug("attempt %d failures %d", authctxt->attempt, authctxt->failures);
 
@@ -77,7 +77,7 @@ Index: b/auth2.c
 
        if (authctxt->attempt++ == 0) {
                /* setup auth context */
-@@ -256,8 +261,9 @@
+@@ -259,8 +264,9 @@
                    use_privsep ? " [net]" : "");
                authctxt->service = xstrdup(service);
                authctxt->style = style ? xstrdup(style) : NULL;
@@ -92,7 +92,7 @@ Index: b/monitor.c
 ===================================================================
 --- a/monitor.c
 +++ b/monitor.c
-@@ -145,6 +145,7 @@
+@@ -146,6 +146,7 @@
 int mm_answer_pwnamallow(int, Buffer *);
 int mm_answer_auth2_read_banner(int, Buffer *);
 int mm_answer_authserv(int, Buffer *);
@@ -100,7 +100,7 @@ Index: b/monitor.c
 int mm_answer_authpassword(int, Buffer *);
 int mm_answer_bsdauthquery(int, Buffer *);
 int mm_answer_bsdauthrespond(int, Buffer *);
-@@ -226,6 +227,7 @@
+@@ -227,6 +228,7 @@
     {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
     {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
     {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
@@ -108,7 +108,7 @@ Index: b/monitor.c
     {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
     {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
 #ifdef USE_PAM
-@@ -837,6 +839,7 @@
+@@ -844,6 +846,7 @@
        else {
                /* Allow service/style information on the auth context */
                monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
@@ -116,7 +116,7 @@ Index: b/monitor.c
                monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
        }
 #ifdef USE_PAM
-@@ -869,14 +872,37 @@
+@@ -874,14 +877,37 @@
 
        authctxt->service = buffer_get_string(m, NULL);
        authctxt->style = buffer_get_string(m, NULL);
@@ -127,12 +127,12 @@ Index: b/monitor.c
 +           __func__, authctxt->service, authctxt->style, authctxt->role);
 
        if (strlen(authctxt->style) == 0) {
-                xfree(authctxt->style);
+                free(authctxt->style);
                authctxt->style = NULL;
        }
 
 +       if (strlen(authctxt->role) == 0) {
-+               xfree(authctxt->role);
+               free(authctxt->role);
 +               authctxt->role = NULL;
 +       }
 +
@@ -149,14 +149,14 @@ Index: b/monitor.c
 +           __func__, authctxt->role);
 +
 +       if (strlen(authctxt->role) == 0) {
-+               xfree(authctxt->role);
+               free(authctxt->role);
 +               authctxt->role = NULL;
 +       }
 +
        return (0);
 }
 
-@@ -1471,7 +1497,7 @@
+@@ -1486,7 +1512,7 @@
        res = pty_allocate(&s->ptyfd, &s->ttyfd, s->tty, sizeof(s->tty));
        if (res == 0)
                goto error;
@@ -182,7 +182,7 @@ Index: b/monitor_wrap.c
 ===================================================================
 --- a/monitor_wrap.c
 +++ b/monitor_wrap.c
-@@ -318,10 +318,10 @@
+@@ -320,10 +320,10 @@
        return (banner);
 }
 
@@ -195,7 +195,7 @@ Index: b/monitor_wrap.c
 {
        Buffer m;
 
-@@ -330,11 +330,29 @@
+@@ -332,11 +332,29 @@
        buffer_init(&m);
        buffer_put_cstring(&m, service);
        buffer_put_cstring(&m, style ? style : "");
@@ -284,7 +284,7 @@ Index: b/openbsd-compat/port-linux.c
 #endif
 
        if (r != 0) {
-@@ -107,7 +120,7 @@
+@@ -105,7 +118,7 @@
 
 /* Set the execution context to the default for the specified user */
 void
@@ -293,7 +293,7 @@ Index: b/openbsd-compat/port-linux.c
 {
        security_context_t user_ctx = NULL;
 
-@@ -116,7 +129,7 @@
+@@ -114,7 +127,7 @@
 
        debug3("%s: setting execution context", __func__);
 
@@ -302,7 +302,7 @@ Index: b/openbsd-compat/port-linux.c
        if (setexeccon(user_ctx) != 0) {
                switch (security_getenforce()) {
                case -1:
-@@ -138,7 +151,7 @@
+@@ -136,7 +149,7 @@
 
 /* Set the TTY context for the specified user */
 void
@@ -311,7 +311,7 @@ Index: b/openbsd-compat/port-linux.c
 {
        security_context_t new_tty_ctx = NULL;
        security_context_t user_ctx = NULL;
-@@ -149,7 +162,7 @@
+@@ -147,7 +160,7 @@
 
        debug3("%s: setting TTY context on %s", __func__, tty);
 
@@ -392,7 +392,7 @@ Index: b/session.c
 
                if (options.chroot_directory != NULL &&
                    strcasecmp(options.chroot_directory, "none") != 0) {
-@@ -1633,7 +1633,7 @@
+@@ -1646,7 +1646,7 @@
 
        /* Force a password change */
        if (s->authctxt->force_pwchange) {
@@ -401,7 +401,7 @@ Index: b/session.c
                child_close_fds();
                do_pwchange(s);
                exit(1);
-@@ -1660,7 +1660,7 @@
+@@ -1673,7 +1673,7 @@
                /* When PAM is enabled we rely on it to do the nologin check */
                if (!options.use_pam)
                        do_nologin(pw);
@@ -410,7 +410,7 @@ Index: b/session.c
                /*
                 * PAM session modules in do_setusercontext may have
                 * generated messages, so if this in an interactive
-@@ -2072,7 +2072,7 @@
+@@ -2084,7 +2084,7 @@
        tty_parse_modes(s->ttyfd, &n_bytes);
 
        if (!use_privsep)
@@ -436,7 +436,7 @@ Index: b/sshd.c
 ===================================================================
 --- a/sshd.c
 +++ b/sshd.c
-@@ -745,7 +745,7 @@
+@@ -753,7 +753,7 @@
        RAND_seed(rnd, sizeof(rnd));
 
        /* Drop privileges */
diff --git a/debian/patches/series b/debian/patches/series
index 0e43d9fe9..f5c2ebb52 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -26,7 +26,6 @@ shell-path.patch
 dnssec-sshfp.patch
 auth-log-verbosity.patch
 mention-ssh-keygen-on-keychange.patch
-ssh-copy-id-portable.patch
 # Versioning
 package-versioning.patch
diff --git a/debian/patches/shell-path.patch b/debian/patches/shell-path.patch
index d4cbc3e5f..a1c6efc8d 100644
--- a/debian/patches/shell-path.patch
+++ b/debian/patches/shell-path.patch
@@ -4,7 +4,7 @@ Description: Look for $SHELL on the path for ProxyCommand/LocalCommand
 Author: Colin Watson <cjwatson@debian.org>
 Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1494
 Bug-Debian: http://bugs.debian.org/492728
-Last-Update: 2013-05-16
+Last-Update: 2013-09-14
 Index: b/sshconnect.c
 ===================================================================
@@ -19,7 +19,7 @@ Index: b/sshconnect.c
                perror(argv[0]);
                exit(1);
        }
-@@ -1299,7 +1299,7 @@
+@@ -1298,7 +1298,7 @@
        if (pid == 0) {
                signal(SIGPIPE, SIG_DFL);
                debug3("Executing %s -c \"%s\"", shell, args);
diff --git a/debian/patches/sigstop.patch b/debian/patches/sigstop.patch
index 42bee0739..3311a797c 100644
--- a/debian/patches/sigstop.patch
+++ b/debian/patches/sigstop.patch
@@ -1,13 +1,13 @@
 Description: Support synchronisation with service supervisor using SIGSTOP
 Author: Colin Watson <cjwatson@debian.org>
 Forwarded: no
-Last-Update: 2013-08-12
+Last-Update: 2013-09-14
 Index: b/sshd.c
 ===================================================================
 --- a/sshd.c
 +++ b/sshd.c
-@@ -1855,6 +1855,10 @@
+@@ -1914,6 +1914,10 @@
                        }
                }
 
diff --git a/debian/patches/ssh-argv0.patch b/debian/patches/ssh-argv0.patch
index 6f4a3cd9a..28d144221 100644
--- a/debian/patches/ssh-argv0.patch
+++ b/debian/patches/ssh-argv0.patch
@@ -5,13 +5,13 @@ Description: ssh(1): Refer to ssh-argv0(1)
 manual page from ssh(1).
 Bug-Debian: http://bugs.debian.org/111341
 Forwarded: not-needed
-Last-Update: 2013-05-07
+Last-Update: 2013-09-14
 Index: b/ssh.1
 ===================================================================
 --- a/ssh.1
 +++ b/ssh.1
-@@ -1433,6 +1433,7 @@
+@@ -1451,6 +1451,7 @@
 .Xr sftp 1 ,
 .Xr ssh-add 1 ,
 .Xr ssh-agent 1 ,
diff --git a/debian/patches/ssh-copy-id-portable.patch b/debian/patches/ssh-copy-id-portable.patch
deleted file mode 100644
index 9583eab4b..000000000
--- a/debian/patches/ssh-copy-id-portable.patch
+++ /dev/null
@@ -1,20 +0,0 @@
-Description: Fix non-portable shell in ssh-copy-id
-Author: Colin Watson <cjwatson@debian.org>
-Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=2117
-Bug-Debian: http://bugs.debian.org/711162
-Forwarded: https://bugzilla.mindrot.org/show_bug.cgi?id=2117
-Last-Update: 2013-06-05
-Index: b/contrib/ssh-copy-id
-===================================================================
--- a/contrib/ssh-copy-id
-+++ b/contrib/ssh-copy-id
-@@ -165,7 +165,7 @@
- 
- eval set -- "$SAVEARGS"
- 
-if [ $# == 0 ] ; then
-+if [ $# = 0 ] ; then
-   usage
- fi
- if [ $# != 1 ] ; then
diff --git a/debian/patches/ssh-vulnkey.patch b/debian/patches/ssh-vulnkey.patch
index 03d6f15d9..a56911290 100644
--- a/debian/patches/ssh-vulnkey.patch
+++ b/debian/patches/ssh-vulnkey.patch
@@ -8,7 +8,7 @@ Description: Reject vulnerable keys to mitigate Debian OpenSSL flaw
 See CVE-2008-0166.
 Author: Colin Watson <cjwatson@ubuntu.com>
 Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1469
-Last-Update: 2013-05-16
+Last-Update: 2013-09-14
 Index: b/Makefile.in
 ===================================================================
@@ -52,7 +52,7 @@ Index: b/Makefile.in
 MANTYPE                = @MANTYPE@
 
 CONFIGFILES=sshd_config.out ssh_config.out moduli.out
-@@ -174,6 +176,9 @@
+@@ -176,6 +178,9 @@
 sftp$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-client.o sftp-common.o sftp-glob.o progressmeter.o
        $(LD) -o $@ progressmeter.o sftp.o sftp-client.o sftp-common.o sftp-glob.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(LIBEDIT)
 
@@ -62,7 +62,7 @@ Index: b/Makefile.in
 # test driver for the loginrec code - not built by default
 logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o
        $(LD) -o $@ logintest.o $(LDFLAGS) loginrec.o -lopenbsd-compat -lssh $(LIBS)
-@@ -269,6 +274,7 @@
+@@ -272,6 +277,7 @@
        $(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
        $(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
        $(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
@@ -70,7 +70,7 @@ Index: b/Makefile.in
        $(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
        $(INSTALL) -m 644 scp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1
        $(INSTALL) -m 644 ssh-add.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1
-@@ -283,6 +289,7 @@
+@@ -286,6 +292,7 @@
        $(INSTALL) -m 644 sftp-server.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
        $(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
        $(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
@@ -78,7 +78,7 @@ Index: b/Makefile.in
        -rm -f $(DESTDIR)$(bindir)/slogin
        ln -s ./ssh$(EXEEXT) $(DESTDIR)$(bindir)/slogin
        -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1
-@@ -364,6 +371,7 @@
+@@ -367,6 +374,7 @@
        -rm -f $(DESTDIR)$(bindir)/ssh-agent$(EXEEXT)
        -rm -f $(DESTDIR)$(bindir)/ssh-keygen$(EXEEXT)
        -rm -f $(DESTDIR)$(bindir)/ssh-keyscan$(EXEEXT)
@@ -86,7 +86,7 @@ Index: b/Makefile.in
        -rm -f $(DESTDIR)$(bindir)/sftp$(EXEEXT)
        -rm -f $(DESTDIR)$(sbindir)/sshd$(EXEEXT)
        -rm -r $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
-@@ -376,6 +384,7 @@
+@@ -379,6 +387,7 @@
        -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keygen.1
        -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/sftp.1
        -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keyscan.1
@@ -111,8 +111,8 @@ Index: b/auth-rsa.c
 ===================================================================
 --- a/auth-rsa.c
 +++ b/auth-rsa.c
-@@ -233,7 +233,7 @@
+@@ -237,7 +237,7 @@
-                            file, linenum, BN_num_bits(key->rsa->n), bits);
+                free(fp);
 
                /* Never accept a revoked key */
 -               if (auth_key_is_revoked(key))
@@ -132,7 +132,7 @@ Index: b/auth.c
 #include "auth.h"
 #include "auth-options.h"
 #include "canohost.h"
-@@ -635,10 +636,34 @@
+@@ -657,10 +658,34 @@
 
 /* Returns 1 if key is revoked by revoked_keys_file, 0 otherwise */
 int
@@ -151,7 +151,7 @@ Index: b/auth.c
 +                               logit("Public key %s from %s blacklisted (see "
 +                                   "ssh-vulnkey(1)); continuing anyway",
 +                                   key_fp, get_remote_ipaddr());
-+                       xfree(key_fp);
+                       free(key_fp);
 +               } else {
 +                       if (hostkey)
 +                               error("Host key %s blacklisted (see "
@@ -160,7 +160,7 @@ Index: b/auth.c
 +                               logit("Public key %s from %s blacklisted (see "
 +                                   "ssh-vulnkey(1))",
 +                                   key_fp, get_remote_ipaddr());
-+                       xfree(key_fp);
+                       free(key_fp);
 +                       return 1;
 +               }
 +       }
@@ -172,7 +172,7 @@ Index: b/auth.h
 ===================================================================
 --- a/auth.h
 +++ b/auth.h
-@@ -185,7 +185,7 @@
+@@ -191,7 +191,7 @@
 
 FILE   *auth_openkeyfile(const char *, struct passwd *, int);
 FILE   *auth_openprincipals(const char *, struct passwd *, int);
@@ -185,7 +185,7 @@ Index: b/auth2-hostbased.c
 ===================================================================
 --- a/auth2-hostbased.c
 +++ b/auth2-hostbased.c
-@@ -146,7 +146,7 @@
+@@ -150,7 +150,7 @@
        int len;
        char *fp;
 
@@ -198,7 +198,7 @@ Index: b/auth2-pubkey.c
 ===================================================================
 --- a/auth2-pubkey.c
 +++ b/auth2-pubkey.c
-@@ -608,9 +608,10 @@
+@@ -647,9 +647,10 @@
        u_int success, i;
        char *file;
 
@@ -223,7 +223,7 @@ Index: b/authfile.c
 
 #define MAX_KEY_FILE_SIZE      (1024 * 1024)
 
-@@ -944,3 +945,140 @@
+@@ -944,3 +945,139 @@
        return ret;
 }
 
@@ -316,10 +316,9 @@ Index: b/authfile.c
 +       }
 +
 +out:
-+       if (dgst_packed)
+       free(dgst_packed);
-+               xfree(dgst_packed);
 +       if (ret != 1 && dgst_hex) {
-+               xfree(dgst_hex);
+               free(dgst_hex);
 +               dgst_hex = NULL;
 +       }
 +       if (fp)
@@ -347,7 +346,7 @@ Index: b/authfile.c
 +       xasprintf(&blacklist_file, "%s.%s-%u",
 +           _PATH_BLACKLIST, key_type(public), key_size(public));
 +       ret = blacklisted_key_in_file(public, blacklist_file, fp);
-+       xfree(blacklist_file);
+       free(blacklist_file);
 +       if (ret > 0) {
 +               key_free(public);
 +               return ret;
@@ -356,7 +355,7 @@ Index: b/authfile.c
 +       xasprintf(&blacklist_file, "%s.%s-%u",
 +           _PATH_BLACKLIST_CONFIG, key_type(public), key_size(public));
 +       ret2 = blacklisted_key_in_file(public, blacklist_file, fp);
-+       xfree(blacklist_file);
+       free(blacklist_file);
 +       if (ret2 > ret)
 +               ret = ret2;
 +
@@ -404,7 +403,7 @@ Index: b/readconf.c
 ===================================================================
 --- a/readconf.c
 +++ b/readconf.c
-@@ -125,6 +125,7 @@
+@@ -128,6 +128,7 @@
        oGlobalKnownHostsFile2, oUserKnownHostsFile2, oPubkeyAuthentication,
        oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias,
        oDynamicForward, oPreferredAuthentications, oHostbasedAuthentication,
@@ -412,7 +411,7 @@ Index: b/readconf.c
        oHostKeyAlgorithms, oBindAddress, oPKCS11Provider,
        oClearAllForwardings, oNoHostAuthenticationForLocalhost,
        oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
-@@ -158,6 +159,7 @@
+@@ -161,6 +162,7 @@
        { "passwordauthentication", oPasswordAuthentication },
        { "kbdinteractiveauthentication", oKbdInteractiveAuthentication },
        { "kbdinteractivedevices", oKbdInteractiveDevices },
@@ -420,7 +419,7 @@ Index: b/readconf.c
        { "rsaauthentication", oRSAAuthentication },
        { "pubkeyauthentication", oPubkeyAuthentication },
        { "dsaauthentication", oPubkeyAuthentication },             /* alias */
-@@ -510,6 +512,10 @@
+@@ -523,6 +525,10 @@
                intptr = &options->challenge_response_authentication;
                goto parse_flag;
 
@@ -431,7 +430,7 @@ Index: b/readconf.c
        case oGssAuthentication:
                intptr = &options->gss_authentication;
                goto parse_flag;
-@@ -1200,6 +1206,7 @@
+@@ -1210,6 +1216,7 @@
        options->kbd_interactive_devices = NULL;
        options->rhosts_rsa_authentication = -1;
        options->hostbased_authentication = -1;
@@ -439,7 +438,7 @@ Index: b/readconf.c
        options->batch_mode = -1;
        options->check_host_ip = -1;
        options->strict_host_key_checking = -1;
-@@ -1310,6 +1317,8 @@
+@@ -1320,6 +1327,8 @@
                options->rhosts_rsa_authentication = 0;
        if (options->hostbased_authentication == -1)
                options->hostbased_authentication = 0;
@@ -464,7 +463,7 @@ Index: b/servconf.c
 ===================================================================
 --- a/servconf.c
 +++ b/servconf.c
-@@ -109,6 +109,7 @@
+@@ -114,6 +114,7 @@
        options->password_authentication = -1;
        options->kbd_interactive_authentication = -1;
        options->challenge_response_authentication = -1;
@@ -472,7 +471,7 @@ Index: b/servconf.c
        options->permit_empty_passwd = -1;
        options->permit_user_env = -1;
        options->use_login = -1;
-@@ -250,6 +251,8 @@
+@@ -257,6 +258,8 @@
                options->kbd_interactive_authentication = 0;
        if (options->challenge_response_authentication == -1)
                options->challenge_response_authentication = 1;
@@ -481,16 +480,16 @@ Index: b/servconf.c
        if (options->permit_empty_passwd == -1)
                options->permit_empty_passwd = 0;
        if (options->permit_user_env == -1)
-@@ -327,7 +330,7 @@
+@@ -338,7 +341,7 @@
        sListenAddress, sAddressFamily,
        sPrintMotd, sPrintLastLog, sIgnoreRhosts,
        sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
 -       sStrictModes, sEmptyPasswd, sTCPKeepAlive,
 +       sStrictModes, sPermitBlacklistedKeys, sEmptyPasswd, sTCPKeepAlive,
        sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
-        sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
+        sRekeyLimit, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
        sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
-@@ -439,6 +442,7 @@
+@@ -451,6 +454,7 @@
        { "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL },
        { "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL },
        { "strictmodes", sStrictModes, SSHCFG_GLOBAL },
@@ -498,7 +497,7 @@ Index: b/servconf.c
        { "permitemptypasswords", sEmptyPasswd, SSHCFG_ALL },
        { "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL },
        { "uselogin", sUseLogin, SSHCFG_GLOBAL },
-@@ -1134,6 +1138,10 @@
+@@ -1158,6 +1162,10 @@
                intptr = &options->tcp_keep_alive;
                goto parse_flag;
 
@@ -509,7 +508,7 @@ Index: b/servconf.c
        case sEmptyPasswd:
                intptr = &options->permit_empty_passwd;
                goto parse_flag;
-@@ -1980,6 +1988,7 @@
+@@ -2036,6 +2044,7 @@
        dump_cfg_fmtint(sX11UseLocalhost, o->x11_use_localhost);
        dump_cfg_fmtint(sStrictModes, o->strict_modes);
        dump_cfg_fmtint(sTCPKeepAlive, o->tcp_keep_alive);
@@ -521,7 +520,7 @@ Index: b/servconf.h
 ===================================================================
 --- a/servconf.h
 +++ b/servconf.h
-@@ -120,6 +120,7 @@
+@@ -121,6 +121,7 @@
        int     challenge_response_authentication;
        int     zero_knowledge_password_authentication;
                                        /* If true, permit jpake auth */
@@ -572,9 +571,9 @@ Index: b/ssh-add.c
 +       if (blacklisted_key(private, &fp) == 1) {
 +               fprintf(stderr, "Public key %s blacklisted (see "
 +                   "ssh-vulnkey(1)); refusing to add it\n", fp);
-+               xfree(fp);
+               free(fp);
 +               key_free(private);
-+               xfree(comment);
+               free(comment);
 +               return -1;
 +       }
 
@@ -584,7 +583,7 @@ Index: b/ssh-keygen.1
 ===================================================================
 --- a/ssh-keygen.1
 +++ b/ssh-keygen.1
-@@ -810,6 +810,7 @@
+@@ -809,6 +809,7 @@
 .Xr ssh 1 ,
 .Xr ssh-add 1 ,
 .Xr ssh-agent 1 ,
@@ -843,7 +842,7 @@ Index: b/ssh-vulnkey.c
 ===================================================================
 --- /dev/null
 +++ b/ssh-vulnkey.c
-@@ -0,0 +1,387 @@
+@@ -0,0 +1,386 @@
 +/*
 + * Copyright (c) 2008 Canonical Ltd.  All rights reserved.
 + *
@@ -940,7 +939,7 @@ Index: b/ssh-vulnkey.c
 +               printf(":%lu: %s: %s %u %s %s\n", linenum, msg,
 +                   key_type(key), key_size(key), fp, comment);
 +       }
-+       xfree(fp);
+       free(fp);
 +}
 +
 +static int
@@ -1093,8 +1092,7 @@ Index: b/ssh-vulnkey.c
 +                               ret = 0;
 +                       found = 1;
 +               }
-+               if (comment)
+               free(comment);
-+                       xfree(comment);
 +       }
 +
 +       return ret;
@@ -1128,12 +1126,12 @@ Index: b/ssh-vulnkey.c
 +       for (i = 0; default_files[i]; i++) {
 +               xasprintf(&file, "%s/%s", dir, default_files[i]);
 +               if (stat(file, &st) < 0 && errno == ENOENT) {
-+                       xfree(file);
+                       free(file);
 +                       continue;
 +               }
 +               if (!do_filename(file, 0))
 +                       ret = 0;
-+               xfree(file);
+               free(file);
 +       }
 +
 +       return ret;
@@ -1235,7 +1233,7 @@ Index: b/ssh.1
 ===================================================================
 --- a/ssh.1
 +++ b/ssh.1
-@@ -1429,6 +1429,7 @@
+@@ -1447,6 +1447,7 @@
 .Xr ssh-agent 1 ,
 .Xr ssh-keygen 1 ,
 .Xr ssh-keyscan 1 ,
@@ -1247,7 +1245,7 @@ Index: b/ssh.c
 ===================================================================
 --- a/ssh.c
 +++ b/ssh.c
-@@ -1492,7 +1492,7 @@
+@@ -1525,7 +1525,7 @@
 static void
 load_public_identity_files(void)
 {
@@ -1256,7 +1254,7 @@ Index: b/ssh.c
        char *pwdir = NULL, *pwname = NULL;
        int i = 0;
        Key *public;
-@@ -1550,6 +1550,22 @@
+@@ -1583,6 +1583,22 @@
                public = key_load_public(filename, NULL);
                debug("identity file %s type %d", filename,
                    public ? public->type : -1);
@@ -1268,22 +1266,22 @@ Index: b/ssh.c
 +                               logit("Public key %s blacklisted (see "
 +                                   "ssh-vulnkey(1)); refusing to send it",
 +                                   fp);
-+                       xfree(fp);
+                       free(fp);
 +                       if (!options.use_blacklisted_keys) {
 +                               key_free(public);
-+                               xfree(filename);
+                               free(filename);
 +                               filename = NULL;
 +                               public = NULL;
 +                       }
 +               }
-                xfree(options.identity_files[i]);
+                free(options.identity_files[i]);
                identity_files[n_ids] = filename;
                identity_keys[n_ids] = public;
 Index: b/ssh_config.5
 ===================================================================
 --- a/ssh_config.5
 +++ b/ssh_config.5
-@@ -1201,6 +1201,23 @@
+@@ -1229,6 +1229,23 @@
 .Dq any .
 The default is
 .Dq any:any .
@@ -1320,7 +1318,7 @@ Index: b/sshconnect2.c
                key = options.identity_keys[i];
                if (key && key->type == KEY_RSA1)
                        continue;
-@@ -1609,7 +1611,7 @@
+@@ -1608,7 +1610,7 @@
                        debug("Offering %s public key: %s", key_type(id->key),
                            id->filename);
                        sent = send_pubkey_test(authctxt, id);
@@ -1333,7 +1331,7 @@ Index: b/sshd.8
 ===================================================================
 --- a/sshd.8
 +++ b/sshd.8
-@@ -953,6 +953,7 @@
+@@ -954,6 +954,7 @@
 .Xr ssh-agent 1 ,
 .Xr ssh-keygen 1 ,
 .Xr ssh-keyscan 1 ,
@@ -1345,23 +1343,23 @@ Index: b/sshd.c
 ===================================================================
 --- a/sshd.c
 +++ b/sshd.c
-@@ -1631,6 +1631,11 @@
+@@ -1688,6 +1688,11 @@
-                        sensitive_data.host_keys[i] = NULL;
+                        sensitive_data.host_pubkeys[i] = NULL;
                        continue;
                }
-+               if (auth_key_is_revoked(key, 1)) {
+               if (auth_key_is_revoked(key != NULL ? key : pubkey, 1)) {
-+                       key_free(key);
 +                       sensitive_data.host_keys[i] = NULL;
+                       sensitive_data.host_pubkeys[i] = NULL;
 +                       continue;
 +               }
-                switch (key->type) {
+ 
+                switch (keytype) {
                case KEY_RSA1:
-                        sensitive_data.ssh1_host_key = key;
 Index: b/sshd_config.5
 ===================================================================
 --- a/sshd_config.5
 +++ b/sshd_config.5
-@@ -870,6 +870,20 @@
+@@ -885,6 +885,20 @@
 Specifies whether password authentication is allowed.
 The default is
 .Dq yes .
diff --git a/debian/patches/ssh1-keepalive.patch b/debian/patches/ssh1-keepalive.patch
index 87211e8a3..de61e1dd9 100644
--- a/debian/patches/ssh1-keepalive.patch
+++ b/debian/patches/ssh1-keepalive.patch
@@ -1,13 +1,13 @@
 Description: Partial server keep-alive implementation for SSH1
 Author: Colin Watson <cjwatson@debian.org>
 Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1712
-Last-Update: 2013-05-07
+Last-Update: 2013-09-14
 Index: b/clientloop.c
 ===================================================================
 --- a/clientloop.c
 +++ b/clientloop.c
-@@ -565,16 +565,21 @@
+@@ -563,16 +563,21 @@
 static void
 server_alive_check(void)
 {
@@ -38,20 +38,20 @@ Index: b/clientloop.c
 }
 
 /*
-@@ -636,7 +641,7 @@
+@@ -634,7 +639,7 @@
         */
 
        timeout_secs = INT_MAX; /* we use INT_MAX to mean no timeout */
-       if (options.server_alive_interval > 0 && compat20)
+-       if (options.server_alive_interval > 0 && compat20) {
-+       if (options.server_alive_interval > 0)
+       if (options.server_alive_interval > 0) {
                timeout_secs = options.server_alive_interval;
-        set_control_persist_exit_time();
+                server_alive_time = now + options.server_alive_interval;
-        if (control_persist_exit_time > 0) {
+        }
 Index: b/ssh_config.5
 ===================================================================
 --- a/ssh_config.5
 +++ b/ssh_config.5
-@@ -1102,7 +1102,10 @@
+@@ -1130,7 +1130,10 @@
 .Cm ServerAliveCountMax
 is left at the default, if the server becomes unresponsive,
 ssh will disconnect after approximately 45 seconds.
diff --git a/debian/patches/syslog-level-silent.patch b/debian/patches/syslog-level-silent.patch
index 2bac7c8cb..f8be76c89 100644
--- a/debian/patches/syslog-level-silent.patch
+++ b/debian/patches/syslog-level-silent.patch
@@ -8,13 +8,13 @@ Description: "LogLevel SILENT" compatibility
 Author: Jonathan David Amery <jdamery@ysolde.ucam.org>
 Author: Matthew Vernon <matthew@debian.org>
 Author: Colin Watson <cjwatson@debian.org>
-Last-Update: 2013-05-16
+Last-Update: 2013-09-14
 Index: b/log.c
 ===================================================================
 --- a/log.c
 +++ b/log.c
-@@ -92,6 +92,7 @@
+@@ -94,6 +94,7 @@
        LogLevel val;
 } log_levels[] =
 {
@@ -26,7 +26,7 @@ Index: b/ssh.c
 ===================================================================
 --- a/ssh.c
 +++ b/ssh.c
-@@ -711,7 +711,7 @@
+@@ -740,7 +740,7 @@
        /* Do not allocate a tty if stdin is not a tty. */
        if ((!isatty(fileno(stdin)) || stdin_null_flag) &&
            options.request_tty != REQUEST_TTY_FORCE) {
diff --git a/debian/patches/user-group-modes.patch b/debian/patches/user-group-modes.patch
index d0de9c006..ac00edac6 100644
--- a/debian/patches/user-group-modes.patch
+++ b/debian/patches/user-group-modes.patch
@@ -9,7 +9,7 @@ Description: Allow harmless group-writability
 Author: Colin Watson <cjwatson@debian.org>
 Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1060
 Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=314347
-Last-Update: 2013-05-16
+Last-Update: 2013-09-14
 Index: b/readconf.c
 ===================================================================
@@ -21,10 +21,10 @@ Index: b/readconf.c
 #include <unistd.h>
 +#include <pwd.h>
 +#include <grp.h>
- 
+ #ifdef HAVE_UTIL_H
- #include "xmalloc.h"
+ #include <util.h>
- #include "ssh.h"
+ #endif
-@@ -1150,8 +1152,7 @@
+@@ -1160,8 +1162,7 @@
 
                if (fstat(fileno(f), &sb) == -1)
                        fatal("fstat %s: %s", filename, strerror(errno));
@@ -38,10 +38,10 @@ Index: b/ssh.1
 ===================================================================
 --- a/ssh.1
 +++ b/ssh.1
-@@ -1320,6 +1320,8 @@
+@@ -1338,6 +1338,8 @@
 .Xr ssh_config 5 .
 Because of the potential for abuse, this file must have strict permissions:
- read/write for the user, and not accessible by others.
+ read/write for the user, and not writable by others.
 +It may be group-writable provided that the group in question contains only
 +the user.
 .Pp
@@ -51,7 +51,7 @@ Index: b/ssh_config.5
 ===================================================================
 --- a/ssh_config.5
 +++ b/ssh_config.5
-@@ -1356,6 +1356,8 @@
+@@ -1382,6 +1382,8 @@
 This file is used by the SSH client.
 Because of the potential for abuse, this file must have strict permissions:
 read/write for the user, and not accessible by others.
@@ -64,7 +64,7 @@ Index: b/auth.c
 ===================================================================
 --- a/auth.c
 +++ b/auth.c
-@@ -386,8 +386,7 @@
+@@ -408,8 +408,7 @@
                user_hostfile = tilde_expand_filename(userfile, pw->pw_uid);
                if (options.strict_modes &&
                    (stat(user_hostfile, &st) == 0) &&
@@ -74,7 +74,7 @@ Index: b/auth.c
                        logit("Authentication refused for %.100s: "
                            "bad owner or modes for %.200s",
                            pw->pw_name, user_hostfile);
-@@ -449,8 +448,7 @@
+@@ -471,8 +470,7 @@
                snprintf(err, errlen, "%s is not a regular file", buf);
                return -1;
        }
@@ -84,7 +84,7 @@ Index: b/auth.c
                snprintf(err, errlen, "bad ownership or modes for file %s",
                    buf);
                return -1;
-@@ -465,8 +463,7 @@
+@@ -487,8 +485,7 @@
                strlcpy(buf, cp, sizeof(buf));
 
                if (stat(buf, &st) < 0 ||
@@ -117,7 +117,7 @@ Index: b/misc.c
 
 /* remove newline at end of string */
 char *
-@@ -641,6 +643,71 @@
+@@ -642,6 +644,71 @@
        return -1;
 }
 
@@ -193,7 +193,7 @@ Index: b/misc.h
 ===================================================================
 --- a/misc.h
 +++ b/misc.h
-@@ -103,4 +103,6 @@
+@@ -104,4 +104,6 @@
 int     ask_permission(const char *, ...) __attribute__((format(printf, 1, 2)));
 int     read_keyfile_line(FILE *, const char *, char *, size_t, u_long *);