main/openssh: upgrade to 6.7p1

author: Timo Teräs <timo.teras@iki.fi> 2014-11-21 09:52:21 +0200
committer: Natanael Copa <ncopa@alpinelinux.org> 2014-11-21 08:37:03 +0000
commit: 480caba4acf001d21388b2d5b10e11fafc3ddd25 (patch)
tree: b540d125b496b700289121180d657c446958a365 /main/openssh
parent: 9621f5bfd88b0c8012f20d96ce3ec1cb23d0a07e (diff)
download: aports-480caba4acf001d21388b2d5b10e11fafc3ddd25.tar.bz2
aports-480caba4acf001d21388b2d5b10e11fafc3ddd25.tar.xz
4 files changed, 142 insertions, 458 deletions
diff --git a/main/openssh/APKBUILD b/main/openssh/APKBUILD
index a7c87f2fc5..7e0dbc17fd 100644
--- a/main/openssh/APKBUILD
+++ b/main/openssh/APKBUILD
@@ -1,8 +1,8 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=openssh
-pkgver=6.6_p1
+pkgver=6.7_p1
 _myver=${pkgver%_*}${pkgver#*_}
-pkgrel=6
+pkgrel=0
 pkgdesc="Port of OpenBSD's free SSH release"
 url="http://www.openssh.org/portable.html"
 arch="all"
@@ -12,14 +12,12 @@ depends="openssh-client"
 makedepends="openssl-dev zlib-dev"
 subpackages="$pkgname-doc $pkgname-client $pkgname-keysign"
 source="ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/$pkgname-$_myver.tar.gz
-	openssh6.6-dynwindows.diff
+	openssh6.7-dynwindows.diff
 	openssh6.5-peaktput.diff
 	openssh-fix-includes.diff
 	openssh-fix-utmp.diff
 	sshd.initd
 	sshd.confd
-	CVE-2014-2653.patch
-	openssh-curve25519pad.patch
 	openssh-sftp-interactive.diff
 	"
 # HPN patches are from: http://www.psc.edu/index.php/hpn-ssh
@@ -63,7 +61,6 @@ build () {
 		--with-privsep-user=sshd \
 		--with-md5-passwords \
 		--with-ssl-engine \
-		--without-tcp-wrappers \
 		--without-pam \
 		|| return 1
 	make || return 1
@@ -110,33 +107,27 @@ keysign() {
 		"$subpkgdir"/usr/lib/ssh/ || return 1
 }
 
-md5sums="3e9800e6bca1fbac0eea4d41baa7f239  openssh-6.6p1.tar.gz
-776fca63396b534736d26f776d1dca7b  openssh6.6-dynwindows.diff
+md5sums="3246aa79317b1d23cae783a3bf8275d6  openssh-6.7p1.tar.gz
+2121bdcba3751877b13f2f90802d4399  openssh6.7-dynwindows.diff
 cd52fe99cb4b7d0d847bf5d710d93564  openssh6.5-peaktput.diff
 7c86680602f7ad71b0773d9e98a30d73  openssh-fix-includes.diff
 f7d9d6f96940ef66bd3c3a0aa27e57a7  openssh-fix-utmp.diff
 bcf990d4ef7ff446160cde7dbd32bf1f  sshd.initd
 b35e9f3829f4cfca07168fcba98749c7  sshd.confd
-02a7de5652d9769576e3b252d768cd0f  CVE-2014-2653.patch
-da797337121f07bc3fac8a21afac20f8  openssh-curve25519pad.patch
 2dd7e366607e95f9762273067309fd6e  openssh-sftp-interactive.diff"
-sha256sums="48c1f0664b4534875038004cc4f3555b8329c2a81c1df48db5c517800de203bb  openssh-6.6p1.tar.gz
-83f2b2c07988c6321875240c02a161a83ec84661d592cbd2188ea8c962f9b1ad  openssh6.6-dynwindows.diff
+sha256sums="b2f8394eae858dabbdef7dac10b99aec00c95462753e80342e530bbb6f725507  openssh-6.7p1.tar.gz
+7d02930524d1357232770e9dc5a92746e654d6dafcbd5762c8618b059f0bf7b9  openssh6.7-dynwindows.diff
 bf49212e47a86d10650f739532cea514a310925e6445b4f8011031b6b55f3249  openssh6.5-peaktput.diff
 c3189ba0e17e60e83851ac2d6f18ad5b08cb90cccfce31d61cccb9fd76d44d59  openssh-fix-includes.diff
 f2748da45d0bc31055727f8c80d93e1872cc043ced3202e2f6d150aca3c08dde  openssh-fix-utmp.diff
 2a9889ab224be7202ece80a7085aa3e85bbba9432467031b436dcd77cb92a2ac  sshd.initd
 29c6d57ac3ec6018cadc6ba6cd9b90c9ed46e20049b970fdcc68ee2481a2ee41  sshd.confd
-03826427d72f86c68f079acab6c9c86e8f27f7514b66428f404c2f235fd0c0bd  CVE-2014-2653.patch
-8b0caf249298eec28aad3cb77256d31a90652c77bdc1a54a00f04e8c1446d5c4  openssh-curve25519pad.patch
 4ce1ad5f767c0f4e854a0cfeef0e2e400f333c649e552df1ecc317e6a6557376  openssh-sftp-interactive.diff"
-sha512sums="3d3566ed87649882702cad52db1adefebfb3ef788c9f77a493f99db7e9ca2e8edcde793dd426df7df0aed72a42a31c20a63ef51506111369d3a7c49e0bf6c82b  openssh-6.6p1.tar.gz
-3aab8b8e1f86ce04ebc69bbdbf3c70cefd510d7b4080b99067ec49957b5e421b49e3b8a0a62103d17cf644cd7c0b30e9283a62a24988b1bbb0fbdabbdc1202fd  openssh6.6-dynwindows.diff
+sha512sums="2469dfcd289948374843311dd9e5f7e144ce1cebd4bfce0d387d0b75cb59f3e1af1b9ebf96bd4ab6407dfa77a013c5d25742971053e61cae2541054aeaca559d  openssh-6.7p1.tar.gz
+4985134b4b1b06d9c8bc81af9f0e0690c3f23d78f3df2af70cd0030cc7ab5bd8d9aad60031ce8069902c6bb8ae6dde754aa87d6fd4587cdc6e99e7bb33f0d1bb  openssh6.7-dynwindows.diff
 e041398e177674f698480e23be037160bd07b751c754956a3ddf1b964da24c85e826fb75e7c23c9826d36761da73d08db9583c047d58a08dc7b2149a949075b1  openssh6.5-peaktput.diff
 70e2c6613ab77ec379e03ddf029c1c38e5d852bb225db40ceaa63e642d58b0261fa7c954b288710736bb1dc71f8057f2598ea0d1f5b1214135fa5e9541d5f05a  openssh-fix-includes.diff
 cc909f68d9da1b264926973b96d36162b5c588299c98d62f526faf2ef1273d98bb8d8dea4d482770a2aef88bcbf15fa61144401aef9ab916c15e1623bcf449b5  openssh-fix-utmp.diff
 eeafefcb8a3357b498591480b39dc0116ab3440c88faeaeaddeac0b860f9e268abe6f603bc27893b79945acde06a45a7616d1bdc6ca27201cd8dc522f49b207e  sshd.initd
 b9ae816af54a55e134a9307e376f05367b815f1b3fd545c2a2c312d18aedcf907f413e8bad8db980cdd9aad4011a72a79e1e94594f69500939a9cb46287f2f81  sshd.confd
-be48059ae1715669f970a19acde14f262588172c5a8d8d1c84159bc69a60c5750b21c98f39f65df72ae071f7f918046000a2499b9ef16ba2cb4bcd8399bc8e40  CVE-2014-2653.patch
-5c946726e9fb472412972ca73c6e4565598b7729558843be2391e04d8935f0e35a992b4fa9f89c8a98917665c12219ea5ad58359269cbe2cf90907f7d1e2cec8  openssh-curve25519pad.patch
 c1d09c65dbc347f0904edc30f91aa9a24b0baee50309536182455b544f1e3f85a8cecfa959e32be8b101d8282ef06dde3febbbc3f315489339dcf04155c859a9  openssh-sftp-interactive.diff"
diff --git a/main/openssh/CVE-2014-2653.patch b/main/openssh/CVE-2014-2653.patch
deleted file mode 100644
index b453081c5a..0000000000
--- a/main/openssh/CVE-2014-2653.patch
+++ /dev/null
@@ -1,83 +0,0 @@
-From 08a63152deb5deda168aaef870bdb9f56425acb3 Mon Sep 17 00:00:00 2001
-From: Matthew Vernon <mcv21@cam.ac.uk>
-Date: Wed, 26 Mar 2014 15:32:23 +0000
-Subject: Attempt SSHFP lookup even if server presents a certificate
-
-If an ssh server presents a certificate to the client, then the client
-does not check the DNS for SSHFP records. This means that a malicious
-server can essentially disable DNS-host-key-checking, which means the
-client will fall back to asking the user (who will just say "yes" to
-the fingerprint, sadly).
-
-This patch is by Damien Miller (of openssh upstream). It's simpler
-than the patch by Mark Wooding which I applied yesterday; a copy is
-taken of the proffered key/cert, the key extracted from the cert (if
-necessary), and then the DNS consulted.
-
-Signed-off-by: Matthew Vernon <matthew@debian.org>
-Bug-Debian: http://bugs.debian.org/742513
-Patch-Name: sshfp_with_server_cert_upstr
----
- sshconnect.c | 42 ++++++++++++++++++++++++++----------------
- 1 file changed, 26 insertions(+), 16 deletions(-)
-
-diff --git a/sshconnect.c b/sshconnect.c
-index 87c3770..324f5e0 100644
---- a/sshconnect.c
-+++ b/sshconnect.c
-@@ -1224,29 +1224,39 @@ verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key)
- {
- 	int flags = 0;
- 	char *fp;
-+	Key *plain = NULL;
- 
- 	fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
- 	debug("Server host key: %s %s", key_type(host_key), fp);
- 	free(fp);
- 
--	/* XXX certs are not yet supported for DNS */
--	if (!key_is_cert(host_key) && options.verify_host_key_dns &&
--	    verify_host_key_dns(host, hostaddr, host_key, &flags) == 0) {
--		if (flags & DNS_VERIFY_FOUND) {
--
--			if (options.verify_host_key_dns == 1 &&
--			    flags & DNS_VERIFY_MATCH &&
--			    flags & DNS_VERIFY_SECURE)
--				return 0;
--
--			if (flags & DNS_VERIFY_MATCH) {
--				matching_host_key_dns = 1;
--			} else {
--				warn_changed_key(host_key);
--				error("Update the SSHFP RR in DNS with the new "
--				    "host key to get rid of this message.");
-+	if (options.verify_host_key_dns) {
-+		/*
-+		 * XXX certs are not yet supported for DNS, so downgrade
-+		 * them and try the plain key.
-+		 */
-+		plain = key_from_private(host_key);
-+		if (key_is_cert(plain))
-+			key_drop_cert(plain);
-+		if (verify_host_key_dns(host, hostaddr, plain, &flags) == 0) {
-+			if (flags & DNS_VERIFY_FOUND) {
-+				if (options.verify_host_key_dns == 1 &&
-+				    flags & DNS_VERIFY_MATCH &&
-+				    flags & DNS_VERIFY_SECURE) {
-+					key_free(plain);
-+					return 0;
-+				}
-+				if (flags & DNS_VERIFY_MATCH) {
-+					matching_host_key_dns = 1;
-+				} else {
-+					warn_changed_key(plain);
-+					error("Update the SSHFP RR in DNS "
-+					    "with the new host key to get rid "
-+					    "of this message.");
-+				}
- 			}
- 		}
-+		key_free(plain);
- 	}
- 
- 	return check_host_key(host, hostaddr, options.port, host_key, RDRW,
diff --git a/main/openssh/openssh-curve25519pad.patch b/main/openssh/openssh-curve25519pad.patch
deleted file mode 100644
index 6c4ff72dcd..0000000000
--- a/main/openssh/openssh-curve25519pad.patch
+++ /dev/null
@@ -1,169 +0,0 @@
-https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-April/032494.html
-
-Hi,
-
-So I screwed up when writing the support for the curve25519 KEX method
-that doesn't depend on OpenSSL's BIGNUM type - a bug in my code left
-leading zero bytes where they should have been skipped. The impact of
-this is that OpenSSH 6.5 and 6.6 will fail during key exchange with a
-peer that implements curve25519-sha256@libssh.org properly about 0.2%
-of the time (one in every 512ish connections).
-
-We've fixed this for OpenSSH 6.7 by avoiding the curve25519-sha256
-key exchange for previous versions, but I'd recommend distributors
-of OpenSSH apply this patch so the affected code doesn't become
-too entrenched in LTS releases.
-
-The patch fixes the bug and makes OpenSSH identify itself as 6.6.1 so as
-to distinguish itself from the incorrect versions so the compatibility
-code to disable the affected KEX isn't activated.
-
-I've committed this on the 6.6 branch too.
-
-Apologies for the hassle.
-
--d
-
-Index: version.h
-===================================================================
-RCS file: /var/cvs/openssh/version.h,v
-retrieving revision 1.82
-diff -u -p -r1.82 version.h
---- a/version.h	27 Feb 2014 23:01:54 -0000	1.82
-+++ b/version.h	20 Apr 2014 03:35:15 -0000
-@@ -1,6 +1,6 @@
- /* $OpenBSD: version.h,v 1.70 2014/02/27 22:57:40 djm Exp $ */
- 
--#define SSH_VERSION	"OpenSSH_6.6"
-+#define SSH_VERSION	"OpenSSH_6.6.1"
- 
- #define SSH_PORTABLE	"p1"
- #define SSH_RELEASE	SSH_VERSION SSH_PORTABLE
-Index: compat.c
-===================================================================
-RCS file: /var/cvs/openssh/compat.c,v
-retrieving revision 1.82
-retrieving revision 1.85
-diff -u -p -r1.82 -r1.85
---- a/compat.c	31 Dec 2013 01:25:41 -0000	1.82
-+++ b/compat.c	20 Apr 2014 03:33:59 -0000	1.85
-@@ -95,6 +95,9 @@ compat_datafellows(const char *version)
- 		{ "Sun_SSH_1.0*",	SSH_BUG_NOREKEY|SSH_BUG_EXTEOF},
- 		{ "OpenSSH_4*",		0 },
- 		{ "OpenSSH_5*",		SSH_NEW_OPENSSH|SSH_BUG_DYNAMIC_RPORT},
-+		{ "OpenSSH_6.6.1*",	SSH_NEW_OPENSSH},
-+		{ "OpenSSH_6.5*,"
-+		  "OpenSSH_6.6*",	SSH_NEW_OPENSSH|SSH_BUG_CURVE25519PAD},
- 		{ "OpenSSH*",		SSH_NEW_OPENSSH },
- 		{ "*MindTerm*",		0 },
- 		{ "2.1.0*",		SSH_BUG_SIGBLOB|SSH_BUG_HMAC|
-@@ -251,7 +254,6 @@ compat_cipher_proposal(char *cipher_prop
- 	return cipher_prop;
- }
- 
--
- char *
- compat_pkalg_proposal(char *pkalg_prop)
- {
-@@ -263,5 +265,18 @@ compat_pkalg_proposal(char *pkalg_prop)
- 	if (*pkalg_prop == '\0')
- 		fatal("No supported PK algorithms found");
- 	return pkalg_prop;
-+}
-+
-+char *
-+compat_kex_proposal(char *kex_prop)
-+{
-+	if (!(datafellows & SSH_BUG_CURVE25519PAD))
-+		return kex_prop;
-+	debug2("%s: original KEX proposal: %s", __func__, kex_prop);
-+	kex_prop = filter_proposal(kex_prop, "curve25519-sha256@libssh.org");
-+	debug2("%s: compat KEX proposal: %s", __func__, kex_prop);
-+	if (*kex_prop == '\0')
-+		fatal("No supported key exchange algorithms found");
-+	return kex_prop;
- }
- 
-Index: compat.h
-===================================================================
-RCS file: /var/cvs/openssh/compat.h,v
-retrieving revision 1.42
-retrieving revision 1.43
-diff -u -p -r1.42 -r1.43
---- a/compat.h	31 Dec 2013 01:25:41 -0000	1.42
-+++ b/compat.h	20 Apr 2014 03:25:31 -0000	1.43
-@@ -60,6 +60,7 @@
- #define SSH_NEW_OPENSSH		0x04000000
- #define SSH_BUG_DYNAMIC_RPORT	0x08000000
- #define SSH_BUG_LARGEWINDOW     0x10000000
-+#define SSH_BUG_CURVE25519PAD	0x20000000
- 
- void     enable_compat13(void);
- void     enable_compat20(void);
-@@ -67,6 +68,7 @@ void     compat_datafellows(const char *
- int	 proto_spec(const char *);
- char	*compat_cipher_proposal(char *);
- char	*compat_pkalg_proposal(char *);
-+char	*compat_kex_proposal(char *);
- 
- extern int compat13;
- extern int compat20;
-Index: sshd.c
-===================================================================
-RCS file: /var/cvs/openssh/sshd.c,v
-retrieving revision 1.448
-retrieving revision 1.453
-diff -u -p -r1.448 -r1.453
---- a/sshd.c	26 Feb 2014 23:20:08 -0000	1.448
-+++ b/sshd.c	20 Apr 2014 03:28:41 -0000	1.453
-@@ -2462,6 +2438,9 @@ do_ssh2_kex(void)
- 	if (options.kex_algorithms != NULL)
- 		myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms;
- 
-+	myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(
-+	    myproposal[PROPOSAL_KEX_ALGS]);
-+
- 	if (options.rekey_limit || options.rekey_interval)
- 		packet_set_rekey_limits((u_int32_t)options.rekey_limit,
- 		    (time_t)options.rekey_interval);
-Index: sshconnect2.c
-===================================================================
-RCS file: /var/cvs/openssh/sshconnect2.c,v
-retrieving revision 1.197
-retrieving revision 1.199
-diff -u -p -r1.197 -r1.199
---- a/sshconnect2.c	4 Feb 2014 00:20:16 -0000	1.197
-+++ b/sshconnect2.c	20 Apr 2014 03:25:31 -0000	1.199
-@@ -195,6 +196,8 @@ ssh_kex2(char *host, struct sockaddr *ho
- 	}
- 	if (options.kex_algorithms != NULL)
- 		myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms;
-+	myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(
-+	    myproposal[PROPOSAL_KEX_ALGS]);
- 
- 	if (options.rekey_limit || options.rekey_interval)
- 		packet_set_rekey_limits((u_int32_t)options.rekey_limit,
-Index: bufaux.c
-===================================================================
-RCS file: /var/cvs/openssh/bufaux.c,v
-retrieving revision 1.62
-retrieving revision 1.63
-diff -u -p -r1.62 -r1.63
---- a/bufaux.c	4 Feb 2014 00:20:15 -0000	1.62
-+++ b/bufaux.c	20 Apr 2014 03:24:50 -0000	1.63
-@@ -1,4 +1,4 @@
--/* $OpenBSD: bufaux.c,v 1.56 2014/02/02 03:44:31 djm Exp $ */
-+/* $OpenBSD: bufaux.c,v 1.57 2014/04/16 23:22:45 djm Exp $ */
- /*
-  * Author: Tatu Ylonen <ylo@cs.hut.fi>
-  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
-@@ -372,6 +372,9 @@ buffer_put_bignum2_from_string(Buffer *b
- 
- 	if (l > 8 * 1024)
- 		fatal("%s: length %u too long", __func__, l);
-+	/* Skip leading zero bytes */
-+	for (; l > 0 && *s == 0; l--, s++)
-+		;
- 	p = buf = xmalloc(l + 1);
- 	/*
- 	 * If most significant bit is set then prepend a zero byte to
diff --git a/main/openssh/openssh6.6-dynwindows.diff b/main/openssh/openssh6.7-dynwindows.diff
index 1708caa752..b49e7688b0 100644
--- a/main/openssh/openssh6.6-dynwindows.diff
+++ b/main/openssh/openssh6.7-dynwindows.diff
@@ -1,35 +1,20 @@
-diff --git a/buffer.c b/buffer.c
-index d240f67..88e16d0 100644
---- a/buffer.c
-+++ b/buffer.c
-@@ -128,7 +128,7 @@ restart:
- 
- 	/* Increase the size of the buffer and retry. */
- 	newlen = roundup(buffer->alloc + len, BUFFER_ALLOCSZ);
--	if (newlen > BUFFER_MAX_LEN)
-+	if (newlen > BUFFER_MAX_LEN_HPN)
- 		fatal("buffer_append_space: alloc %u not supported",
- 		    newlen);
- 	buffer->buf = xrealloc(buffer->buf, 1, newlen);
-diff --git a/buffer.h b/buffer.h
-index 7df8a38..244de01 100644
---- a/buffer.h
-+++ b/buffer.h
+diff -ru openssh-6.7p1.orig/buffer.h openssh-6.7p1/buffer.h
+--- openssh-6.7p1.orig/buffer.h	2014-05-15 07:33:44.000000000 -0300
++++ openssh-6.7p1/buffer.h	2014-11-21 09:42:27.601954473 -0200
 @@ -16,6 +16,9 @@
- #ifndef BUFFER_H
- #define BUFFER_H
+  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+  */
  
 +/* move the following to a more appropriate place and name */
 +#define BUFFER_MAX_LEN_HPN          0x4000000  /* 64MB */
 +
- typedef struct {
- 	u_char	*buf;		/* Buffer for data. */
- 	u_int	 alloc;		/* Number of bytes allocated for data. */
-diff --git a/channels.c b/channels.c
-index 9efe89c..bb01516 100644
---- a/channels.c
-+++ b/channels.c
-@@ -173,8 +173,14 @@ static void port_open_helper(Channel *c, char *rtype);
+ /* Emulation wrappers for legacy OpenSSH buffer API atop sshbuf */
+ 
+ #ifndef BUFFER_H
+diff -ru openssh-6.7p1.orig/channels.c openssh-6.7p1/channels.c
+--- openssh-6.7p1.orig/channels.c	2014-07-18 07:11:25.000000000 -0300
++++ openssh-6.7p1/channels.c	2014-11-21 09:42:27.601954473 -0200
+@@ -179,8 +179,14 @@
  static int connect_next(struct channel_connect *);
  static void channel_connect_ctx_free(struct channel_connect *);
  
@@ -44,7 +29,7 @@ index 9efe89c..bb01516 100644
  Channel *
  channel_by_id(int id)
  {
-@@ -323,6 +329,7 @@ channel_new(char *ctype, int type, int rfd, int wfd, int efd,
+@@ -329,6 +335,7 @@
  	c->local_window_max = window;
  	c->local_consumed = 0;
  	c->local_maxpacket = maxpack;
@@ -52,7 +37,7 @@ index 9efe89c..bb01516 100644
  	c->remote_id = -1;
  	c->remote_name = xstrdup(remote_name);
  	c->remote_window = 0;
-@@ -819,11 +826,35 @@ channel_pre_open_13(Channel *c, fd_set *readset, fd_set *writeset)
+@@ -833,11 +840,35 @@
  		FD_SET(c->sock, writeset);
  }
  
@@ -88,7 +73,7 @@ index 9efe89c..bb01516 100644
  	if (c->istate == CHAN_INPUT_OPEN &&
  	    limit > 0 &&
  	    buffer_len(&c->input) < limit &&
-@@ -1815,14 +1846,21 @@ channel_check_window(Channel *c)
+@@ -1842,14 +1873,21 @@
  	    c->local_maxpacket*3) ||
  	    c->local_window < c->local_window_max/2) &&
  	    c->local_consumed > 0) {
@@ -112,7 +97,7 @@ index 9efe89c..bb01516 100644
  		c->local_consumed = 0;
  	}
  	return 1;
-@@ -2738,6 +2776,15 @@ channel_fwd_bind_addr(const char *listen_addr, int *wildcardp,
+@@ -2781,6 +2819,15 @@
  	return addr;
  }
  
@@ -126,9 +111,9 @@ index 9efe89c..bb01516 100644
 +}
 +
  static int
- channel_setup_fwd_listener(int type, const char *listen_addr,
-     u_short listen_port, int *allocated_listen_port,
-@@ -2864,9 +2911,15 @@ channel_setup_fwd_listener(int type, const char *listen_addr,
+ channel_setup_fwd_listener_tcpip(int type, struct Forward *fwd,
+     int *allocated_listen_port, struct ForwardOptions *fwd_opts)
+@@ -2905,9 +2952,15 @@
  		}
  
  		/* Allocate a channel number for the socket. */
@@ -142,9 +127,9 @@ index 9efe89c..bb01516 100644
 + 			  hpn_buffer_size, CHAN_TCP_PACKET_DEFAULT,
 + 			  0, "port listener", 1);
  		c->path = xstrdup(host);
- 		c->host_port = port_to_connect;
+ 		c->host_port = fwd->connect_port;
  		c->listening_addr = addr == NULL ? NULL : xstrdup(addr);
-@@ -3514,10 +3567,17 @@ x11_create_display_inet(int x11_display_offset, int x11_use_localhost,
+@@ -3939,10 +3992,17 @@
  	*chanids = xcalloc(num_socks + 1, sizeof(**chanids));
  	for (n = 0; n < num_socks; n++) {
  		sock = socks[n];
@@ -162,11 +147,10 @@ index 9efe89c..bb01516 100644
  		nc->single_connection = single_connection;
  		(*chanids)[n] = nc->self;
  	}
-diff --git a/channels.h b/channels.h
-index 4fab9d7..91ef316 100644
---- a/channels.h
-+++ b/channels.h
-@@ -132,8 +132,10 @@ struct Channel {
+diff -ru openssh-6.7p1.orig/channels.h openssh-6.7p1/channels.h
+--- openssh-6.7p1.orig/channels.h	2014-07-18 07:11:26.000000000 -0300
++++ openssh-6.7p1/channels.h	2014-11-21 09:42:27.601954473 -0200
+@@ -134,8 +134,10 @@
  	u_int	local_window_max;
  	u_int	local_consumed;
  	u_int	local_maxpacket;
@@ -177,7 +161,7 @@ index 4fab9d7..91ef316 100644
  
  	char   *ctype;		/* type */
  
-@@ -169,8 +171,10 @@ struct Channel {
+@@ -171,8 +173,10 @@
  /* default window/packet sizes for tcp/x11-fwd-channel */
  #define CHAN_SES_PACKET_DEFAULT	(32*1024)
  #define CHAN_SES_WINDOW_DEFAULT	(64*CHAN_SES_PACKET_DEFAULT)
@@ -188,7 +172,7 @@ index 4fab9d7..91ef316 100644
  #define CHAN_X11_PACKET_DEFAULT	(16*1024)
  #define CHAN_X11_WINDOW_DEFAULT	(4*CHAN_X11_PACKET_DEFAULT)
  
-@@ -306,4 +310,7 @@ void	 chan_rcvd_ieof(Channel *);
+@@ -311,4 +315,7 @@
  void	 chan_write_failed(Channel *);
  void	 chan_obuf_empty(Channel *);
  
@@ -196,33 +180,10 @@ index 4fab9d7..91ef316 100644
 +void     channel_set_hpn(int, int);
 +
  #endif
-diff --git a/cipher.c b/cipher.c
-index 53d9b4f..74ba34e 100644
---- a/cipher.c
-+++ b/cipher.c
-@@ -71,7 +71,7 @@ struct Cipher {
- 	const EVP_CIPHER	*(*evptype)(void);
- };
- 
--static const struct Cipher ciphers[] = {
-+static struct Cipher ciphers[] = {
- 	{ "none",	SSH_CIPHER_NONE, 8, 0, 0, 0, 0, 0, EVP_enc_null },
- 	{ "des",	SSH_CIPHER_DES, 8, 8, 0, 0, 0, 1, EVP_des_cbc },
- 	{ "3des",	SSH_CIPHER_3DES, 8, 16, 0, 0, 0, 1, evp_ssh1_3des },
-@@ -193,7 +193,7 @@ cipher_mask_ssh1(int client)
- const Cipher *
- cipher_by_name(const char *name)
- {
--	const Cipher *c;
-+	Cipher *c;
- 	for (c = ciphers; c->name != NULL; c++)
- 		if (strcmp(c->name, name) == 0)
- 			return c;
-diff --git a/clientloop.c b/clientloop.c
-index 59ad3a2..e144fb6 100644
---- a/clientloop.c
-+++ b/clientloop.c
-@@ -1891,9 +1891,15 @@ client_request_x11(const char *request_type, int rchan)
+diff -ru openssh-6.7p1.orig/clientloop.c openssh-6.7p1/clientloop.c
+--- openssh-6.7p1.orig/clientloop.c	2014-07-18 07:11:26.000000000 -0300
++++ openssh-6.7p1/clientloop.c	2014-11-21 09:42:27.601954473 -0200
+@@ -1899,9 +1899,15 @@
  	sock = x11_connect_display();
  	if (sock < 0)
  		return NULL;
@@ -238,34 +199,34 @@ index 59ad3a2..e144fb6 100644
  	c->force_drain = 1;
  	return c;
  }
-@@ -1913,9 +1919,15 @@ client_request_agent(const char *request_type, int rchan)
+@@ -1921,9 +1927,15 @@
  	sock = ssh_get_authentication_socket();
  	if (sock < 0)
  		return NULL;
 +	if (options.hpn_disabled)
-+	c = channel_new("authentication agent connection",
-+	    SSH_CHANNEL_OPEN, sock, sock, -1,
-+		    CHAN_X11_WINDOW_DEFAULT, CHAN_TCP_WINDOW_DEFAULT, 0,
-+		    "authentication agent connection", 1);
-+	else
  	c = channel_new("authentication agent connection",
  	    SSH_CHANNEL_OPEN, sock, sock, -1,
 -	    CHAN_X11_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0,
++		    CHAN_X11_WINDOW_DEFAULT, CHAN_TCP_WINDOW_DEFAULT, 0,
++		    "authentication agent connection", 1);
++	else
++	c = channel_new("authentication agent connection",
++	    SSH_CHANNEL_OPEN, sock, sock, -1,
 +	    options.hpn_buffer_size, options.hpn_buffer_size, 0,
  	    "authentication agent connection", 1);
  	c->force_drain = 1;
  	return c;
-@@ -1943,10 +1955,18 @@ client_request_tun_fwd(int tun_mode, int local_tun, int remote_tun)
+@@ -1951,10 +1963,18 @@
  		return -1;
  	}
  
 +	if(options.hpn_disabled)
- 	c = channel_new("tun", SSH_CHANNEL_OPENING, fd, fd, -1,
--	    CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1);
++	c = channel_new("tun", SSH_CHANNEL_OPENING, fd, fd, -1,
 +				CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT,
 +				0, "tun", 1);
 +	else
-+	c = channel_new("tun", SSH_CHANNEL_OPENING, fd, fd, -1,
+ 	c = channel_new("tun", SSH_CHANNEL_OPENING, fd, fd, -1,
+-	    CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1);
 +				options.hpn_buffer_size, CHAN_TCP_PACKET_DEFAULT,
 +				0, "tun", 1);
  	c->datagram = 1;
@@ -275,11 +236,10 @@ index 59ad3a2..e144fb6 100644
  #if defined(SSH_TUN_FILTER)
  	if (options.tun_open == SSH_TUNMODE_POINTOPOINT)
  		channel_register_filter(c->self, sys_tun_infilter,
-diff --git a/compat.c b/compat.c
-index 9d9fabe..235fc59 100644
---- a/compat.c
-+++ b/compat.c
-@@ -172,6 +172,15 @@ compat_datafellows(const char *version)
+diff -ru openssh-6.7p1.orig/compat.c openssh-6.7p1/compat.c
+--- openssh-6.7p1.orig/compat.c	2014-04-20 06:33:59.000000000 -0300
++++ openssh-6.7p1/compat.c	2014-11-21 09:42:27.601954473 -0200
+@@ -175,6 +175,15 @@
  		if (match_pattern_list(version, check[i].pat,
  		    strlen(check[i].pat), 0) == 1) {
  			datafellows = check[i].bugs;
@@ -295,32 +255,30 @@ index 9d9fabe..235fc59 100644
  			debug("match: %s pat %s compat 0x%08x",
  			    version, check[i].pat, datafellows);
  			return;
-diff --git a/compat.h b/compat.h
-index b174fa1..9937347 100644
---- a/compat.h
-+++ b/compat.h
-@@ -59,6 +59,7 @@
- #define SSH_BUG_RFWD_ADDR	0x02000000
+diff -ru openssh-6.7p1.orig/compat.h openssh-6.7p1/compat.h
+--- openssh-6.7p1.orig/compat.h	2014-04-20 06:25:31.000000000 -0300
++++ openssh-6.7p1/compat.h	2014-11-21 09:47:51.058623939 -0200
+@@ -60,6 +60,7 @@
  #define SSH_NEW_OPENSSH		0x04000000
  #define SSH_BUG_DYNAMIC_RPORT	0x08000000
-+#define SSH_BUG_LARGEWINDOW     0x10000000
+ #define SSH_BUG_CURVE25519PAD	0x10000000
++#define SSH_BUG_LARGEWINDOW     0x20000000
  
  void     enable_compat13(void);
  void     enable_compat20(void);
-diff --git a/readconf.c b/readconf.c
-index dc884c9..ce083f4 100644
---- a/readconf.c
-+++ b/readconf.c
-@@ -149,6 +149,7 @@ typedef enum {
- 	oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass,
+diff -ru openssh-6.7p1.orig/readconf.c openssh-6.7p1/readconf.c
+--- openssh-6.7p1.orig/readconf.c	2014-07-18 07:11:26.000000000 -0300
++++ openssh-6.7p1/readconf.c	2014-11-21 09:49:31.348624811 -0200
+@@ -151,6 +151,7 @@
  	oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots,
  	oCanonicalizeFallbackLocal, oCanonicalizePermittedCNAMEs,
+ 	oStreamLocalBindMask, oStreamLocalBindUnlink,
 +	oTcpRcvBufPoll, oTcpRcvBuf, oHPNDisabled, oHPNBufferSize,
  	oIgnoredUnknownOption, oDeprecated, oUnsupported
  } OpCodes;
  
-@@ -263,6 +264,11 @@ static struct {
- 	{ "canonicalizepermittedcnames", oCanonicalizePermittedCNAMEs },
+@@ -267,6 +268,11 @@
+ 	{ "streamlocalbindunlink", oStreamLocalBindUnlink },
  	{ "ignoreunknown", oIgnoreUnknown },
  
 +	{ "tcprcvbufpoll", oTcpRcvBufPoll },
@@ -331,7 +289,7 @@ index dc884c9..ce083f4 100644
  	{ NULL, oBadOption }
  };
  
-@@ -853,6 +859,18 @@ parse_time:
+@@ -877,6 +883,18 @@
  		intptr = &options->check_host_ip;
  		goto parse_flag;
  
@@ -350,7 +308,7 @@ index dc884c9..ce083f4 100644
  	case oVerifyHostKeyDNS:
  		intptr = &options->verify_host_key_dns;
  		multistate_ptr = multistate_yesnoask;
-@@ -1015,6 +1033,10 @@ parse_int:
+@@ -1039,6 +1057,10 @@
  		intptr = &options->connection_attempts;
  		goto parse_int;
  
@@ -361,7 +319,7 @@ index dc884c9..ce083f4 100644
  	case oCipher:
  		intptr = &options->cipher;
  		arg = strdelim(&s);
-@@ -1561,6 +1583,10 @@ initialize_options(Options * options)
+@@ -1602,6 +1624,10 @@
  	options->ip_qos_interactive = -1;
  	options->ip_qos_bulk = -1;
  	options->request_tty = -1;
@@ -372,7 +330,7 @@ index dc884c9..ce083f4 100644
  	options->proxy_use_fdpass = -1;
  	options->ignored_unknown = NULL;
  	options->num_canonical_domains = 0;
-@@ -1707,6 +1733,28 @@ fill_default_options(Options * options)
+@@ -1752,6 +1778,28 @@
  		options->server_alive_interval = 0;
  	if (options->server_alive_count_max == -1)
  		options->server_alive_count_max = 3;
@@ -401,11 +359,10 @@ index dc884c9..ce083f4 100644
  	if (options->control_master == -1)
  		options->control_master = 0;
  	if (options->control_persist == -1) {
-diff --git a/readconf.h b/readconf.h
-index 75e3f8f..a471114 100644
---- a/readconf.h
-+++ b/readconf.h
-@@ -66,6 +66,10 @@ typedef struct {
+diff -ru openssh-6.7p1.orig/readconf.h openssh-6.7p1/readconf.h
+--- openssh-6.7p1.orig/readconf.h	2014-07-18 07:11:26.000000000 -0300
++++ openssh-6.7p1/readconf.h	2014-11-21 09:42:27.605287806 -0200
+@@ -57,6 +57,10 @@
  	int     compression_level;	/* Compression level 1 (fast) to 9
  					 * (best). */
  	int     tcp_keep_alive;	/* Set SO_KEEPALIVE. */
@@ -416,20 +373,19 @@ index 75e3f8f..a471114 100644
  	int	ip_qos_interactive;	/* IP ToS/DSCP/class for interactive */
  	int	ip_qos_bulk;		/* IP ToS/DSCP/class for bulk traffic */
  	LogLevel log_level;	/* Level for logging. */
-diff --git a/scp.c b/scp.c
-index 18d3b1d..2ab8f15 100644
---- a/scp.c
-+++ b/scp.c
-@@ -749,7 +749,7 @@ source(int argc, char **argv)
+diff -ru openssh-6.7p1.orig/scp.c openssh-6.7p1/scp.c
+--- openssh-6.7p1.orig/scp.c	2014-07-02 08:29:01.000000000 -0300
++++ openssh-6.7p1/scp.c	2014-11-21 09:42:27.605287806 -0200
+@@ -749,7 +749,7 @@
  	off_t i, statbytes;
- 	size_t amt;
+ 	size_t amt, nr;
  	int fd = -1, haderr, indx;
 -	char *last, *name, buf[2048], encname[MAXPATHLEN];
 +	char *last, *name, buf[16384], encname[MAXPATHLEN];
  	int len;
  
  	for (indx = 0; indx < argc; ++indx) {
-@@ -914,7 +914,7 @@ sink(int argc, char **argv)
+@@ -918,7 +918,7 @@
  	off_t size, statbytes;
  	unsigned long long ull;
  	int setimes, targisdir, wrerrno = 0;
@@ -438,11 +394,10 @@ index 18d3b1d..2ab8f15 100644
  	struct timeval tv[2];
  
  #define	atime	tv[0]
-diff --git a/servconf.c b/servconf.c
-index 7ba65d5..32bb711 100644
---- a/servconf.c
-+++ b/servconf.c
-@@ -150,6 +150,9 @@ initialize_server_options(ServerOptions *options)
+diff -ru openssh-6.7p1.orig/servconf.c openssh-6.7p1/servconf.c
+--- openssh-6.7p1.orig/servconf.c	2014-07-18 07:11:26.000000000 -0300
++++ openssh-6.7p1/servconf.c	2014-11-21 09:42:27.605287806 -0200
+@@ -154,6 +154,9 @@
  	options->revoked_keys_file = NULL;
  	options->trusted_user_ca_keys = NULL;
  	options->authorized_principals_file = NULL;
@@ -452,7 +407,7 @@ index 7ba65d5..32bb711 100644
  	options->ip_qos_interactive = -1;
  	options->ip_qos_bulk = -1;
  	options->version_addendum = NULL;
-@@ -158,6 +161,11 @@ initialize_server_options(ServerOptions *options)
+@@ -162,6 +165,11 @@
  void
  fill_default_server_options(ServerOptions *options)
  {
@@ -464,7 +419,7 @@ index 7ba65d5..32bb711 100644
  	/* Portable-specific options */
  	if (options->use_pam == -1)
  		options->use_pam = 0;
-@@ -294,6 +302,41 @@ fill_default_server_options(ServerOptions *options)
+@@ -302,6 +310,41 @@
  	}
  	if (options->permit_tun == -1)
  		options->permit_tun = SSH_TUNMODE_NO;
@@ -506,15 +461,15 @@ index 7ba65d5..32bb711 100644
  	if (options->ip_qos_interactive == -1)
  		options->ip_qos_interactive = IPTOS_LOWDELAY;
  	if (options->ip_qos_bulk == -1)
-@@ -345,6 +388,7 @@ typedef enum {
+@@ -357,6 +400,7 @@
  	sUsePrivilegeSeparation, sAllowAgentForwarding,
  	sHostCertificate,
  	sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
 +	sTcpRcvBufPoll, sHPNDisabled, sHPNBufferSize,
  	sKexAlgorithms, sIPQoS, sVersionAddendum,
  	sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
- 	sAuthenticationMethods, sHostKeyAgent,
-@@ -468,6 +512,9 @@ static struct {
+ 	sAuthenticationMethods, sHostKeyAgent, sPermitUserRC,
+@@ -483,6 +527,9 @@
  	{ "revokedkeys", sRevokedKeys, SSHCFG_ALL },
  	{ "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
  	{ "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
@@ -524,7 +479,7 @@ index 7ba65d5..32bb711 100644
  	{ "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
  	{ "ipqos", sIPQoS, SSHCFG_ALL },
  	{ "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL },
-@@ -500,6 +547,7 @@ parse_token(const char *cp, const char *filename,
+@@ -518,6 +565,7 @@
  
  	for (i = 0; keywords[i].name; i++)
  		if (strcasecmp(cp, keywords[i].name) == 0) {
@@ -532,7 +487,7 @@ index 7ba65d5..32bb711 100644
  			*flags = keywords[i].flags;
  			return keywords[i].opcode;
  		}
-@@ -1042,6 +1090,19 @@ process_server_config_line(ServerOptions *options, char *line,
+@@ -1060,6 +1108,19 @@
  			*intptr = value;
  		break;
  
@@ -552,11 +507,10 @@ index 7ba65d5..32bb711 100644
  	case sIgnoreUserKnownHosts:
  		intptr = &options->ignore_user_known_hosts;
  		goto parse_flag;
-diff --git a/servconf.h b/servconf.h
-index 752d1c5..0b9f59d 100644
---- a/servconf.h
-+++ b/servconf.h
-@@ -164,6 +164,9 @@ typedef struct {
+diff -ru openssh-6.7p1.orig/servconf.h openssh-6.7p1/servconf.h
+--- openssh-6.7p1.orig/servconf.h	2014-07-18 07:11:26.000000000 -0300
++++ openssh-6.7p1/servconf.h	2014-11-21 09:42:27.605287806 -0200
+@@ -166,6 +166,9 @@
  	char   *adm_forced_command;
  
  	int	use_pam;		/* Enable auth via PAM */
@@ -566,11 +520,10 @@ index 752d1c5..0b9f59d 100644
  
  	int	permit_tun;
  
-diff --git a/serverloop.c b/serverloop.c
-index 2f8e3a0..4868e5f 100644
---- a/serverloop.c
-+++ b/serverloop.c
-@@ -1015,8 +1015,12 @@ server_request_tun(void)
+diff -ru openssh-6.7p1.orig/serverloop.c openssh-6.7p1/serverloop.c
+--- openssh-6.7p1.orig/serverloop.c	2014-08-19 04:14:17.000000000 -0300
++++ openssh-6.7p1/serverloop.c	2014-11-21 09:42:27.605287806 -0200
+@@ -1047,8 +1047,12 @@
  	sock = tun_open(tun, mode);
  	if (sock < 0)
  		goto done;
@@ -583,7 +536,7 @@ index 2f8e3a0..4868e5f 100644
  	c->datagram = 1;
  #if defined(SSH_TUN_FILTER)
  	if (mode == SSH_TUNMODE_POINTOPOINT)
-@@ -1052,6 +1056,8 @@ server_request_session(void)
+@@ -1084,6 +1088,8 @@
  	c = channel_new("session", SSH_CHANNEL_LARVAL,
  	    -1, -1, -1, /*window size*/0, CHAN_SES_PACKET_DEFAULT,
  	    0, "server-session", 1);
@@ -592,19 +545,18 @@ index 2f8e3a0..4868e5f 100644
  	if (session_open(the_authctxt, c->self) != 1) {
  		debug("session open failed, free channel %d", c->self);
  		channel_free(c);
-diff --git a/session.c b/session.c
-index 2bcf818..817afc9 100644
---- a/session.c
-+++ b/session.c
-@@ -237,6 +237,7 @@ auth_input_request_forwarding(struct passwd * pw)
- 	}
+diff -ru openssh-6.7p1.orig/session.c openssh-6.7p1/session.c
+--- openssh-6.7p1.orig/session.c	2014-07-18 07:11:26.000000000 -0300
++++ openssh-6.7p1/session.c	2014-11-21 09:42:27.605287806 -0200
+@@ -219,6 +219,7 @@
+ 		goto authsock_err;
  
  	/* Allocate a channel for the authentication agent socket. */
 +	/* this shouldn't matter if its hpn or not - cjr */
  	nc = channel_new("auth socket",
  	    SSH_CHANNEL_AUTH_SOCKET, sock, sock, -1,
  	    CHAN_X11_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT,
-@@ -2331,10 +2332,16 @@ session_set_fds(Session *s, int fdin, int fdout, int fderr, int ignore_fderr,
+@@ -2328,10 +2329,16 @@
  	 */
  	if (s->chanid == -1)
  		fatal("no channel for session %d", s->self);
@@ -621,11 +573,10 @@ index 2bcf818..817afc9 100644
  }
  
  /*
-diff --git a/sftp.1 b/sftp.1
-index a700c2a..8e00b13 100644
---- a/sftp.1
-+++ b/sftp.1
-@@ -261,7 +261,8 @@ diagnostic messages from
+diff -ru openssh-6.7p1.orig/sftp.1 openssh-6.7p1/sftp.1
+--- openssh-6.7p1.orig/sftp.1	2014-05-15 06:47:37.000000000 -0300
++++ openssh-6.7p1/sftp.1	2014-11-21 09:42:27.605287806 -0200
+@@ -261,7 +261,8 @@
  Specify how many requests may be outstanding at any one time.
  Increasing this may slightly improve file transfer speed
  but will increase memory usage.
@@ -635,11 +586,10 @@ index a700c2a..8e00b13 100644
  .It Fl r
  Recursively copy entire directories when uploading and downloading.
  Note that
-diff --git a/sftp.c b/sftp.c
-index ad1f8c8..1575d5e 100644
---- a/sftp.c
-+++ b/sftp.c
-@@ -68,7 +68,7 @@ typedef void EditLine;
+diff -ru openssh-6.7p1.orig/sftp.c openssh-6.7p1/sftp.c
+--- openssh-6.7p1.orig/sftp.c	2014-07-09 06:07:06.000000000 -0300
++++ openssh-6.7p1/sftp.c	2014-11-21 09:42:27.605287806 -0200
+@@ -68,7 +68,7 @@
  #include "sftp-client.h"
  
  #define DEFAULT_COPY_BUFLEN	32768	/* Size of buffer for up/download */
@@ -648,11 +598,10 @@ index ad1f8c8..1575d5e 100644
  
  /* File to read commands from */
  FILE* infile;
-diff --git a/ssh.c b/ssh.c
-index 1e6cb90..7c91d6d 100644
---- a/ssh.c
-+++ b/ssh.c
-@@ -1611,6 +1611,9 @@ ssh_session2_open(void)
+diff -ru openssh-6.7p1.orig/ssh.c openssh-6.7p1/ssh.c
+--- openssh-6.7p1.orig/ssh.c	2014-07-18 08:04:11.000000000 -0300
++++ openssh-6.7p1/ssh.c	2014-11-21 09:42:27.608621140 -0200
+@@ -1682,6 +1682,9 @@
  {
  	Channel *c;
  	int window, packetmax, in, out, err;
@@ -662,7 +611,7 @@ index 1e6cb90..7c91d6d 100644
  
  	if (stdin_null_flag) {
  		in = open(_PATH_DEVNULL, O_RDONLY);
-@@ -1631,9 +1634,74 @@ ssh_session2_open(void)
+@@ -1702,9 +1705,74 @@
  	if (!isatty(err))
  		set_nonblock(err);
  
@@ -738,7 +687,7 @@ index 1e6cb90..7c91d6d 100644
  		window >>= 1;
  		packetmax >>= 1;
  	}
-@@ -1642,6 +1710,10 @@ ssh_session2_open(void)
+@@ -1713,6 +1781,10 @@
  	    window, packetmax, CHAN_EXTENDED_WRITE,
  	    "client-session", /*nonblock*/0);
  
@@ -749,11 +698,10 @@ index 1e6cb90..7c91d6d 100644
  	debug3("ssh_session2_open: channel_new: %d", c->self);
  
  	channel_send_open(c->self);
-diff --git a/sshconnect.c b/sshconnect.c
-index 573d7a8..9cf6947 100644
---- a/sshconnect.c
-+++ b/sshconnect.c
-@@ -263,6 +263,31 @@ ssh_kill_proxy_command(void)
+diff -ru openssh-6.7p1.orig/sshconnect.c openssh-6.7p1/sshconnect.c
+--- openssh-6.7p1.orig/sshconnect.c	2014-07-18 07:11:26.000000000 -0300
++++ openssh-6.7p1/sshconnect.c	2014-11-21 09:42:27.608621140 -0200
+@@ -264,6 +264,31 @@
  }
  
  /*
@@ -785,7 +733,7 @@ index 573d7a8..9cf6947 100644
   * Creates a (possibly privileged) socket for use as the ssh connection.
   */
  static int
-@@ -278,6 +303,9 @@ ssh_create_socket(int privileged, struct addrinfo *ai)
+@@ -279,6 +304,9 @@
  	}
  	fcntl(sock, F_SETFD, FD_CLOEXEC);
  
@@ -795,7 +743,7 @@ index 573d7a8..9cf6947 100644
  	/* Bind the socket to an alternative local IP address */
  	if (options.bind_address == NULL && !privileged)
  		return sock;
-@@ -520,10 +548,10 @@ send_client_banner(int connection_out, int minor1)
+@@ -521,10 +549,10 @@
  	/* Send our own protocol version identification. */
  	if (compat20) {
  		xasprintf(&client_version_string, "SSH-%d.%d-%.100s\r\n",
@@ -808,11 +756,10 @@ index 573d7a8..9cf6947 100644
  	}
  	if (roaming_atomicio(vwrite, connection_out, client_version_string,
  	    strlen(client_version_string)) != strlen(client_version_string))
-diff --git a/sshd.c b/sshd.c
-index 7523de9..9623887 100644
---- a/sshd.c
-+++ b/sshd.c
-@@ -436,7 +436,7 @@ sshd_exchange_identification(int sock_in, int sock_out)
+diff -ru openssh-6.7p1.orig/sshd.c openssh-6.7p1/sshd.c
+--- openssh-6.7p1.orig/sshd.c	2014-08-26 21:11:55.000000000 -0300
++++ openssh-6.7p1/sshd.c	2014-11-21 09:42:27.608621140 -0200
+@@ -432,7 +432,7 @@
  	}
  
  	xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s",
@@ -821,7 +768,7 @@ index 7523de9..9623887 100644
  	    *options.version_addendum == '\0' ? "" : " ",
  	    options.version_addendum, newline);
  
-@@ -1082,6 +1082,8 @@ server_listen(void)
+@@ -1092,6 +1092,8 @@
  	int ret, listen_sock, on = 1;
  	struct addrinfo *ai;
  	char ntop[NI_MAXHOST], strport[NI_MAXSERV];
@@ -830,7 +777,7 @@ index 7523de9..9623887 100644
  
  	for (ai = options.listen_addrs; ai; ai = ai->ai_next) {
  		if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6)
-@@ -1122,6 +1124,11 @@ server_listen(void)
+@@ -1132,6 +1134,11 @@
  
  		debug("Bind to port %s on %s.", strport, ntop);
  
@@ -842,7 +789,7 @@ index 7523de9..9623887 100644
  		/* Bind the socket to the desired port. */
  		if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) < 0) {
  			error("Bind to port %s on %s failed: %.200s.",
-@@ -2058,6 +2065,9 @@ main(int ac, char **av)
+@@ -2060,6 +2067,9 @@
  	    remote_ip, remote_port,
  	    get_local_ipaddr(sock_in), get_local_port());
  
@@ -852,11 +799,10 @@ index 7523de9..9623887 100644
  	/*
  	 * We don't want to listen forever unless the other side
  	 * successfully authenticates itself.  So we set up an alarm which is
-diff --git a/sshd_config b/sshd_config
-index e9045bc..7495fc9 100644
---- a/sshd_config
-+++ b/sshd_config
-@@ -125,6 +125,17 @@ UsePrivilegeSeparation sandbox		# Default for new installations.
+diff -ru openssh-6.7p1.orig/sshd_config openssh-6.7p1/sshd_config
+--- openssh-6.7p1.orig/sshd_config	2014-01-12 10:20:47.000000000 -0200
++++ openssh-6.7p1/sshd_config	2014-11-21 09:42:27.608621140 -0200
+@@ -125,6 +125,17 @@
  # override default of no subsystems
  Subsystem	sftp	/usr/libexec/sftp-server
  
@@ -874,12 +820,11 @@ index e9045bc..7495fc9 100644
  # Example of overriding settings on a per-user basis
  #Match User anoncvs
  #	X11Forwarding no
-diff --git a/version.h b/version.h
-index a1579ac..4fe1849 100644
---- a/version.h
-+++ b/version.h
+diff -ru openssh-6.7p1.orig/version.h openssh-6.7p1/version.h
+--- openssh-6.7p1.orig/version.h	2014-04-20 06:25:31.000000000 -0300
++++ openssh-6.7p1/version.h	2014-11-21 09:42:27.608621140 -0200
 @@ -3,4 +3,5 @@
- #define SSH_VERSION	"OpenSSH_6.6"
+ #define SSH_VERSION	"OpenSSH_6.7"
  
  #define SSH_PORTABLE	"p1"
 -#define SSH_RELEASE	SSH_VERSION SSH_PORTABLE
author	Timo Teräs <timo.teras@iki.fi>	2014-11-21 09:52:21 +0200
committer	Natanael Copa <ncopa@alpinelinux.org>	2014-11-21 08:37:03 +0000
commit	480caba4acf001d21388b2d5b10e11fafc3ddd25 (patch)
tree	b540d125b496b700289121180d657c446958a365 /main/openssh
parent	9621f5bfd88b0c8012f20d96ce3ec1cb23d0a07e (diff)
download	aports-480caba4acf001d21388b2d5b10e11fafc3ddd25.tar.bz2 aports-480caba4acf001d21388b2d5b10e11fafc3ddd25.tar.xz