4 files changed, 43 insertions, 17 deletions
diff --git a/debian/.git-dpm b/debian/.git-dpm
index c10ac230e..10768e918 100644
--- a/debian/.git-dpm
+++ b/debian/.git-dpm
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-762c062828f5a8f6ed189ed6e44ad38fd92f8b36
+44f0937b56758f662ff388d474213107e3290863
-762c062828f5a8f6ed189ed6e44ad38fd92f8b36
+44f0937b56758f662ff388d474213107e3290863
 487bdb3a5ef6075887b830ccb8a0b14f6da78e93
 487bdb3a5ef6075887b830ccb8a0b14f6da78e93
 openssh_6.7p1.orig.tar.gz
diff --git a/debian/changelog b/debian/changelog
index 894f97b0f..18b08f984 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+openssh (1:6.7p1-4) UNRELEASED; urgency=medium
+  * Send/accept only specific known LC_* variables, rather than using a
+    wildcard (closes: #765633).
+ -- Colin Watson <cjwatson@debian.org>  Thu, 06 Nov 2014 10:39:11 +0000
 openssh (1:6.7p1-3) unstable; urgency=medium
  * Debconf translations:
diff --git a/debian/openssh-server.postinst b/debian/openssh-server.postinst
index 5131b2647..12ccb4f76 100644
--- a/debian/openssh-server.postinst
+++ b/debian/openssh-server.postinst
@@ -147,6 +147,13 @@ update_server_key_bits() {
 }
+update_accept_env() {
+        if [ "$(get_config_option AcceptEnv)" = 'LANG LC_*' ]; then
+                set_config_option AcceptEnv 'LANG LC_ADDRESS LC_COLLATE LC_CTYPE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME LC_ALL'
+        fi
+}
 create_sshdconfig() {
        if [ -e /etc/ssh/sshd_config ] ; then
            # Upgrade an existing sshd configuration.
@@ -168,6 +175,10 @@ create_sshdconfig() {
                update_server_key_bits
            fi
+            if dpkg --compare-versions "$oldversion" lt 1:6.7p1-4; then
+                update_accept_env
+            fi
            return 0
        fi
@@ -246,7 +257,7 @@ TCPKeepAlive yes
 #Banner /etc/issue.net
 # Allow client to pass locale environment variables
-AcceptEnv LANG LC_*
+AcceptEnv LANG LC_ADDRESS LC_COLLATE LC_CTYPE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME LC_ALL
 Subsystem sftp /usr/lib/openssh/sftp-server
diff --git a/debian/patches/debian-config.patch b/debian/patches/debian-config.patch
index 661d30ca8..f81d731f1 100644
--- a/debian/patches/debian-config.patch
+++ b/debian/patches/debian-config.patch
@@ -1,4 +1,4 @@
-From 762c062828f5a8f6ed189ed6e44ad38fd92f8b36 Mon Sep 17 00:00:00 2001
+From 44f0937b56758f662ff388d474213107e3290863 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:10:18 +0000
 Subject: Various Debian-specific configuration changes
@@ -22,16 +22,16 @@ debian/openssh-server.postinst.
 Author: Russ Allbery <rra@debian.org>
 Forwarded: not-needed
-Last-Update: 2014-02-12
+Last-Update: 2014-11-06
 Patch-Name: debian-config.patch
 ---
 readconf.c    |  2 +-
 ssh_config    |  7 ++++++-
- ssh_config.5  | 19 ++++++++++++++++++-
+ ssh_config.5  | 23 ++++++++++++++++++++++-
 sshd_config   |  1 +
- sshd_config.5 | 25 +++++++++++++++++++++++++
+ sshd_config.5 | 29 +++++++++++++++++++++++++++++
- 5 files changed, 51 insertions(+), 3 deletions(-)
+ 5 files changed, 59 insertions(+), 3 deletions(-)
 diff --git a/readconf.c b/readconf.c
 index 0648867..29338b6 100644
@@ -47,7 +47,7 @@ index 0648867..29338b6 100644
                options->forward_x11_timeout = 1200;
        if (options->exit_on_forward_failure == -1)
 diff --git a/ssh_config b/ssh_config
-index 228e5ab..c9386aa 100644
+index 228e5ab..91be1e7 100644
 --- a/ssh_config
 +++ b/ssh_config
 @@ -17,9 +17,10 @@
@@ -66,15 +66,15 @@ index 228e5ab..c9386aa 100644
 #   VisualHostKey no
 #   ProxyCommand ssh -q -W %h:%p gateway.example.com
 #   RekeyLimit 1G 1h
-+    SendEnv LANG LC_*
+    SendEnv LANG LC_ADDRESS LC_COLLATE LC_CTYPE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME LC_ALL
 +    HashKnownHosts yes
 +    GSSAPIAuthentication yes
 +    GSSAPIDelegateCredentials no
 diff --git a/ssh_config.5 b/ssh_config.5
-index a1005ba..da3c177 100644
+index a1005ba..5985769 100644
 --- a/ssh_config.5
 +++ b/ssh_config.5
-@@ -71,6 +71,22 @@ Since the first obtained value for each parameter is used, more
+@@ -71,6 +71,26 @@ Since the first obtained value for each parameter is used, more
 host-specific declarations should be given near the beginning of the
 file, and general defaults at the end.
 .Pp
@@ -87,7 +87,11 @@ index a1005ba..da3c177 100644
 +.Pp
 +.Bl -bullet -offset indent -compact
 +.It
-+.Cm SendEnv No LANG LC_*
+.Cm SendEnv No LANG Xo
+.No LC_ADDRESS LC_COLLATE LC_CTYPE LC_IDENTIFICATION LC_MEASUREMENT
+.No LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME
+.No LC_ALL
+.Xc
 +.It
 +.Cm HashKnownHosts No yes
 +.It
@@ -97,7 +101,7 @@ index a1005ba..da3c177 100644
 The configuration file has the following format:
 .Pp
 Empty lines and lines starting with
-@@ -673,7 +689,8 @@ token used for the session will be set to expire after 20 minutes.
+@@ -673,7 +693,8 @@ token used for the session will be set to expire after 20 minutes.
 Remote clients will be refused access after this time.
 .Pp
 The default is
@@ -120,10 +124,10 @@ index d9b8594..4db32f5 100644
 #StrictModes yes
 #MaxAuthTries 6
 diff --git a/sshd_config.5 b/sshd_config.5
-index 7396b23..7aa7b47 100644
+index 7396b23..09bb5fe 100644
 --- a/sshd_config.5
 +++ b/sshd_config.5
-@@ -57,6 +57,31 @@ Arguments may optionally be enclosed in double quotes
+@@ -57,6 +57,35 @@ Arguments may optionally be enclosed in double quotes
 .Pq \&"
 in order to represent arguments containing spaces.
 .Pp
@@ -145,7 +149,11 @@ index 7396b23..7aa7b47 100644
 +.It
 +.Cm PrintMotd No no
 +.It
-+.Cm AcceptEnv No LANG LC_*
+.Cm AcceptEnv No LANG Xo
+.No LC_ADDRESS LC_COLLATE LC_CTYPE LC_IDENTIFICATION LC_MEASUREMENT
+.No LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME
+.No LC_ALL
+.Xc
 +.It
 +.Cm Subsystem No sftp /usr/lib/openssh/sftp-server
 +.It