7 files changed, 49 insertions, 8 deletions

diff --git a/debian/.git-dpm b/debian/.git-dpm
index f64723622..8d8bd30fa 100644
--- a/debian/.git-dpm
+++ b/debian/.git-dpm
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-ba9e0b1d4edf5876b289affd9d31bab493f0d0a4
-ba9e0b1d4edf5876b289affd9d31bab493f0d0a4
+5c0c1192be30b7c0e60d96b5e6739c4ad49f087b
+5c0c1192be30b7c0e60d96b5e6739c4ad49f087b
 544df7a04ae5b5c1fc30be7c445ad685d7a02dc9
 544df7a04ae5b5c1fc30be7c445ad685d7a02dc9
 openssh_6.9p1.orig.tar.gz
diff --git a/debian/changelog b/debian/changelog
index d8745c0e5..d98a173ea 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -154,6 +154,8 @@ openssh (1:6.9p1-1) UNRELEASED; urgency=medium
       mechanism itself were still applied.  Found by Kingcope.
   * Thanks to Jakub Jelen of Red Hat for Fedora's rebased version of the
     GSSAPI key exchange patch.
+  * Document the Debian-specific change to the default value of
+    ForwardX11Trusted in ssh(1) (closes: #781469).
 
  -- Colin Watson <cjwatson@debian.org>  Wed, 19 Aug 2015 15:19:54 +0100
 
diff --git a/debian/patches/backport-do-not-resend-username-to-pam.patch b/debian/patches/backport-do-not-resend-username-to-pam.patch
index 00ace37f1..24b7ce271 100644
--- a/debian/patches/backport-do-not-resend-username-to-pam.patch
+++ b/debian/patches/backport-do-not-resend-username-to-pam.patch
@@ -1,4 +1,4 @@
-From 5b83c6a466b2a7fe6aaf50e082c58fe63592e211 Mon Sep 17 00:00:00 2001
+From f84305e9391e13c01a78df0d93e2edd40c14f601 Mon Sep 17 00:00:00 2001
 From: Damien Miller <djm@mindrot.org>
 Date: Tue, 11 Aug 2015 13:33:24 +1000
 Subject: Don't resend username to PAM; it already has it.
diff --git a/debian/patches/backport-fix-pty-permissions.patch b/debian/patches/backport-fix-pty-permissions.patch
index 2cff74911..cbd5a12c4 100644
--- a/debian/patches/backport-fix-pty-permissions.patch
+++ b/debian/patches/backport-fix-pty-permissions.patch
@@ -1,4 +1,4 @@
-From 12577aa167c76d517bfe78f603fe805f190d8d05 Mon Sep 17 00:00:00 2001
+From bf3247821b4335eddd22664b0e1b30393ba31415 Mon Sep 17 00:00:00 2001
 From: "djm@openbsd.org" <djm@openbsd.org>
 Date: Thu, 30 Jul 2015 23:09:15 +0000
 Subject: Fix pty permissions
diff --git a/debian/patches/backport-kbdint-duplicates.patch b/debian/patches/backport-kbdint-duplicates.patch
index 0973503c9..c7e395d86 100644
--- a/debian/patches/backport-kbdint-duplicates.patch
+++ b/debian/patches/backport-kbdint-duplicates.patch
@@ -1,4 +1,4 @@
-From ba9e0b1d4edf5876b289affd9d31bab493f0d0a4 Mon Sep 17 00:00:00 2001
+From 5c0c1192be30b7c0e60d96b5e6739c4ad49f087b Mon Sep 17 00:00:00 2001
 From: "djm@openbsd.org" <djm@openbsd.org>
 Date: Sat, 18 Jul 2015 07:57:14 +0000
 Subject: only query each keyboard-interactive device once per authentication
diff --git a/debian/patches/backport-pam-use-after-free.patch b/debian/patches/backport-pam-use-after-free.patch
index 460654953..52690882c 100644
--- a/debian/patches/backport-pam-use-after-free.patch
+++ b/debian/patches/backport-pam-use-after-free.patch
@@ -1,4 +1,4 @@
-From c0ec3def4bec4afe1cad9e99081e658200b13a02 Mon Sep 17 00:00:00 2001
+From a97f75bc484762111ae4e994791f4a5af6294c26 Mon Sep 17 00:00:00 2001
 From: Damien Miller <djm@mindrot.org>
 Date: Tue, 11 Aug 2015 13:34:12 +1000
 Subject: set sshpam_ctxt to NULL after free
diff --git a/debian/patches/debian-config.patch b/debian/patches/debian-config.patch
index 4f5db8a91..c990a01c3 100644
--- a/debian/patches/debian-config.patch
+++ b/debian/patches/debian-config.patch
@@ -1,4 +1,4 @@
-From 810eecd6b2e03770f21e46b5cb8ce8c7fcd46da8 Mon Sep 17 00:00:00 2001
+From 88ebb6a4a95f2f9ded930587c33f08cff0fc1db4 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:10:18 +0000
 Subject: Various Debian-specific configuration changes
@@ -27,11 +27,12 @@ Last-Update: 2015-08-19
 Patch-Name: debian-config.patch
 ---
  readconf.c    |  2 +-
+ ssh.1         | 21 +++++++++++++++++++++
  ssh_config    |  7 ++++++-
  ssh_config.5  | 19 ++++++++++++++++++-
  sshd_config   |  3 ++-
  sshd_config.5 | 25 +++++++++++++++++++++++++
- 5 files changed, 52 insertions(+), 4 deletions(-)
+ 6 files changed, 73 insertions(+), 4 deletions(-)
 
 diff --git a/readconf.c b/readconf.c
 index 5f6c37f..f0769b5 100644
@@ -46,6 +47,44 @@ index 5f6c37f..f0769b5 100644
         if (options->forward_x11_timeout == -1)
                 options->forward_x11_timeout = 1200;
         if (options->exit_on_forward_failure == -1)
+diff --git a/ssh.1 b/ssh.1
+index 2178863..e2cce49 100644
+--- a/ssh.1
++++ b/ssh.1
+@@ -670,12 +670,33 @@ option and the
+ directive in
+ .Xr ssh_config 5
+ for more information.
++.Pp
++(Debian-specific: X11 forwarding is not subjected to X11 SECURITY extension
++restrictions by default, because too many programs currently crash in this
++mode.
++Set the
++.Cm ForwardX11Trusted
++option to
++.Dq no
++to restore the upstream behaviour.
++This may change in future depending on client-side improvements.)
+ .It Fl x
+ Disables X11 forwarding.
+ .It Fl Y
+ Enables trusted X11 forwarding.
+ Trusted X11 forwardings are not subjected to the X11 SECURITY extension
+ controls.
++.Pp
++(Debian-specific: This option does nothing in the default configuration: it
++is equivalent to
++.Dq Cm ForwardX11Trusted No yes ,
++which is the default as described above.
++Set the
++.Cm ForwardX11Trusted
++option to
++.Dq no
++to restore the upstream behaviour.
++This may change in future depending on client-side improvements.)
+ .It Fl y
+ Send log information using the
+ .Xr syslog 3
 diff --git a/ssh_config b/ssh_config
 index 228e5ab..c9386aa 100644
 --- a/ssh_config