aboutsummaryrefslogtreecommitdiffstats
path: root/main/openssh
diff options
context:
space:
mode:
authorTimo Teräs <timo.teras@iki.fi>2014-11-21 09:52:21 +0200
committerNatanael Copa <ncopa@alpinelinux.org>2014-11-21 08:37:03 +0000
commit480caba4acf001d21388b2d5b10e11fafc3ddd25 (patch)
treeb540d125b496b700289121180d657c446958a365 /main/openssh
parent9621f5bfd88b0c8012f20d96ce3ec1cb23d0a07e (diff)
downloadaports-480caba4acf001d21388b2d5b10e11fafc3ddd25.tar.bz2
aports-480caba4acf001d21388b2d5b10e11fafc3ddd25.tar.xz
main/openssh: upgrade to 6.7p1
Diffstat (limited to 'main/openssh')
-rw-r--r--main/openssh/APKBUILD27
-rw-r--r--main/openssh/CVE-2014-2653.patch83
-rw-r--r--main/openssh/openssh-curve25519pad.patch169
-rw-r--r--main/openssh/openssh6.7-dynwindows.diff (renamed from main/openssh/openssh6.6-dynwindows.diff)321
4 files changed, 142 insertions, 458 deletions
diff --git a/main/openssh/APKBUILD b/main/openssh/APKBUILD
index a7c87f2fc5..7e0dbc17fd 100644
--- a/main/openssh/APKBUILD
+++ b/main/openssh/APKBUILD
@@ -1,8 +1,8 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=openssh
-pkgver=6.6_p1
+pkgver=6.7_p1
_myver=${pkgver%_*}${pkgver#*_}
-pkgrel=6
+pkgrel=0
pkgdesc="Port of OpenBSD's free SSH release"
url="http://www.openssh.org/portable.html"
arch="all"
@@ -12,14 +12,12 @@ depends="openssh-client"
makedepends="openssl-dev zlib-dev"
subpackages="$pkgname-doc $pkgname-client $pkgname-keysign"
source="ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/$pkgname-$_myver.tar.gz
- openssh6.6-dynwindows.diff
+ openssh6.7-dynwindows.diff
openssh6.5-peaktput.diff
openssh-fix-includes.diff
openssh-fix-utmp.diff
sshd.initd
sshd.confd
- CVE-2014-2653.patch
- openssh-curve25519pad.patch
openssh-sftp-interactive.diff
"
# HPN patches are from: http://www.psc.edu/index.php/hpn-ssh
@@ -63,7 +61,6 @@ build () {
--with-privsep-user=sshd \
--with-md5-passwords \
--with-ssl-engine \
- --without-tcp-wrappers \
--without-pam \
|| return 1
make || return 1
@@ -110,33 +107,27 @@ keysign() {
"$subpkgdir"/usr/lib/ssh/ || return 1
}
-md5sums="3e9800e6bca1fbac0eea4d41baa7f239 openssh-6.6p1.tar.gz
-776fca63396b534736d26f776d1dca7b openssh6.6-dynwindows.diff
+md5sums="3246aa79317b1d23cae783a3bf8275d6 openssh-6.7p1.tar.gz
+2121bdcba3751877b13f2f90802d4399 openssh6.7-dynwindows.diff
cd52fe99cb4b7d0d847bf5d710d93564 openssh6.5-peaktput.diff
7c86680602f7ad71b0773d9e98a30d73 openssh-fix-includes.diff
f7d9d6f96940ef66bd3c3a0aa27e57a7 openssh-fix-utmp.diff
bcf990d4ef7ff446160cde7dbd32bf1f sshd.initd
b35e9f3829f4cfca07168fcba98749c7 sshd.confd
-02a7de5652d9769576e3b252d768cd0f CVE-2014-2653.patch
-da797337121f07bc3fac8a21afac20f8 openssh-curve25519pad.patch
2dd7e366607e95f9762273067309fd6e openssh-sftp-interactive.diff"
-sha256sums="48c1f0664b4534875038004cc4f3555b8329c2a81c1df48db5c517800de203bb openssh-6.6p1.tar.gz
-83f2b2c07988c6321875240c02a161a83ec84661d592cbd2188ea8c962f9b1ad openssh6.6-dynwindows.diff
+sha256sums="b2f8394eae858dabbdef7dac10b99aec00c95462753e80342e530bbb6f725507 openssh-6.7p1.tar.gz
+7d02930524d1357232770e9dc5a92746e654d6dafcbd5762c8618b059f0bf7b9 openssh6.7-dynwindows.diff
bf49212e47a86d10650f739532cea514a310925e6445b4f8011031b6b55f3249 openssh6.5-peaktput.diff
c3189ba0e17e60e83851ac2d6f18ad5b08cb90cccfce31d61cccb9fd76d44d59 openssh-fix-includes.diff
f2748da45d0bc31055727f8c80d93e1872cc043ced3202e2f6d150aca3c08dde openssh-fix-utmp.diff
2a9889ab224be7202ece80a7085aa3e85bbba9432467031b436dcd77cb92a2ac sshd.initd
29c6d57ac3ec6018cadc6ba6cd9b90c9ed46e20049b970fdcc68ee2481a2ee41 sshd.confd
-03826427d72f86c68f079acab6c9c86e8f27f7514b66428f404c2f235fd0c0bd CVE-2014-2653.patch
-8b0caf249298eec28aad3cb77256d31a90652c77bdc1a54a00f04e8c1446d5c4 openssh-curve25519pad.patch
4ce1ad5f767c0f4e854a0cfeef0e2e400f333c649e552df1ecc317e6a6557376 openssh-sftp-interactive.diff"
-sha512sums="3d3566ed87649882702cad52db1adefebfb3ef788c9f77a493f99db7e9ca2e8edcde793dd426df7df0aed72a42a31c20a63ef51506111369d3a7c49e0bf6c82b openssh-6.6p1.tar.gz
-3aab8b8e1f86ce04ebc69bbdbf3c70cefd510d7b4080b99067ec49957b5e421b49e3b8a0a62103d17cf644cd7c0b30e9283a62a24988b1bbb0fbdabbdc1202fd openssh6.6-dynwindows.diff
+sha512sums="2469dfcd289948374843311dd9e5f7e144ce1cebd4bfce0d387d0b75cb59f3e1af1b9ebf96bd4ab6407dfa77a013c5d25742971053e61cae2541054aeaca559d openssh-6.7p1.tar.gz
+4985134b4b1b06d9c8bc81af9f0e0690c3f23d78f3df2af70cd0030cc7ab5bd8d9aad60031ce8069902c6bb8ae6dde754aa87d6fd4587cdc6e99e7bb33f0d1bb openssh6.7-dynwindows.diff
e041398e177674f698480e23be037160bd07b751c754956a3ddf1b964da24c85e826fb75e7c23c9826d36761da73d08db9583c047d58a08dc7b2149a949075b1 openssh6.5-peaktput.diff
70e2c6613ab77ec379e03ddf029c1c38e5d852bb225db40ceaa63e642d58b0261fa7c954b288710736bb1dc71f8057f2598ea0d1f5b1214135fa5e9541d5f05a openssh-fix-includes.diff
cc909f68d9da1b264926973b96d36162b5c588299c98d62f526faf2ef1273d98bb8d8dea4d482770a2aef88bcbf15fa61144401aef9ab916c15e1623bcf449b5 openssh-fix-utmp.diff
eeafefcb8a3357b498591480b39dc0116ab3440c88faeaeaddeac0b860f9e268abe6f603bc27893b79945acde06a45a7616d1bdc6ca27201cd8dc522f49b207e sshd.initd
b9ae816af54a55e134a9307e376f05367b815f1b3fd545c2a2c312d18aedcf907f413e8bad8db980cdd9aad4011a72a79e1e94594f69500939a9cb46287f2f81 sshd.confd
-be48059ae1715669f970a19acde14f262588172c5a8d8d1c84159bc69a60c5750b21c98f39f65df72ae071f7f918046000a2499b9ef16ba2cb4bcd8399bc8e40 CVE-2014-2653.patch
-5c946726e9fb472412972ca73c6e4565598b7729558843be2391e04d8935f0e35a992b4fa9f89c8a98917665c12219ea5ad58359269cbe2cf90907f7d1e2cec8 openssh-curve25519pad.patch
c1d09c65dbc347f0904edc30f91aa9a24b0baee50309536182455b544f1e3f85a8cecfa959e32be8b101d8282ef06dde3febbbc3f315489339dcf04155c859a9 openssh-sftp-interactive.diff"
diff --git a/main/openssh/CVE-2014-2653.patch b/main/openssh/CVE-2014-2653.patch
deleted file mode 100644
index b453081c5a..0000000000
--- a/main/openssh/CVE-2014-2653.patch
+++ /dev/null
@@ -1,83 +0,0 @@
-From 08a63152deb5deda168aaef870bdb9f56425acb3 Mon Sep 17 00:00:00 2001
-From: Matthew Vernon <mcv21@cam.ac.uk>
-Date: Wed, 26 Mar 2014 15:32:23 +0000
-Subject: Attempt SSHFP lookup even if server presents a certificate
-
-If an ssh server presents a certificate to the client, then the client
-does not check the DNS for SSHFP records. This means that a malicious
-server can essentially disable DNS-host-key-checking, which means the
-client will fall back to asking the user (who will just say "yes" to
-the fingerprint, sadly).
-
-This patch is by Damien Miller (of openssh upstream). It's simpler
-than the patch by Mark Wooding which I applied yesterday; a copy is
-taken of the proffered key/cert, the key extracted from the cert (if
-necessary), and then the DNS consulted.
-
-Signed-off-by: Matthew Vernon <matthew@debian.org>
-Bug-Debian: http://bugs.debian.org/742513
-Patch-Name: sshfp_with_server_cert_upstr
----
- sshconnect.c | 42 ++++++++++++++++++++++++++----------------
- 1 file changed, 26 insertions(+), 16 deletions(-)
-
-diff --git a/sshconnect.c b/sshconnect.c
-index 87c3770..324f5e0 100644
---- a/sshconnect.c
-+++ b/sshconnect.c
-@@ -1224,29 +1224,39 @@ verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key)
- {
- int flags = 0;
- char *fp;
-+ Key *plain = NULL;
-
- fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
- debug("Server host key: %s %s", key_type(host_key), fp);
- free(fp);
-
-- /* XXX certs are not yet supported for DNS */
-- if (!key_is_cert(host_key) && options.verify_host_key_dns &&
-- verify_host_key_dns(host, hostaddr, host_key, &flags) == 0) {
-- if (flags & DNS_VERIFY_FOUND) {
--
-- if (options.verify_host_key_dns == 1 &&
-- flags & DNS_VERIFY_MATCH &&
-- flags & DNS_VERIFY_SECURE)
-- return 0;
--
-- if (flags & DNS_VERIFY_MATCH) {
-- matching_host_key_dns = 1;
-- } else {
-- warn_changed_key(host_key);
-- error("Update the SSHFP RR in DNS with the new "
-- "host key to get rid of this message.");
-+ if (options.verify_host_key_dns) {
-+ /*
-+ * XXX certs are not yet supported for DNS, so downgrade
-+ * them and try the plain key.
-+ */
-+ plain = key_from_private(host_key);
-+ if (key_is_cert(plain))
-+ key_drop_cert(plain);
-+ if (verify_host_key_dns(host, hostaddr, plain, &flags) == 0) {
-+ if (flags & DNS_VERIFY_FOUND) {
-+ if (options.verify_host_key_dns == 1 &&
-+ flags & DNS_VERIFY_MATCH &&
-+ flags & DNS_VERIFY_SECURE) {
-+ key_free(plain);
-+ return 0;
-+ }
-+ if (flags & DNS_VERIFY_MATCH) {
-+ matching_host_key_dns = 1;
-+ } else {
-+ warn_changed_key(plain);
-+ error("Update the SSHFP RR in DNS "
-+ "with the new host key to get rid "
-+ "of this message.");
-+ }
- }
- }
-+ key_free(plain);
- }
-
- return check_host_key(host, hostaddr, options.port, host_key, RDRW,
diff --git a/main/openssh/openssh-curve25519pad.patch b/main/openssh/openssh-curve25519pad.patch
deleted file mode 100644
index 6c4ff72dcd..0000000000
--- a/main/openssh/openssh-curve25519pad.patch
+++ /dev/null
@@ -1,169 +0,0 @@
-https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-April/032494.html
-
-Hi,
-
-So I screwed up when writing the support for the curve25519 KEX method
-that doesn't depend on OpenSSL's BIGNUM type - a bug in my code left
-leading zero bytes where they should have been skipped. The impact of
-this is that OpenSSH 6.5 and 6.6 will fail during key exchange with a
-peer that implements curve25519-sha256@libssh.org properly about 0.2%
-of the time (one in every 512ish connections).
-
-We've fixed this for OpenSSH 6.7 by avoiding the curve25519-sha256
-key exchange for previous versions, but I'd recommend distributors
-of OpenSSH apply this patch so the affected code doesn't become
-too entrenched in LTS releases.
-
-The patch fixes the bug and makes OpenSSH identify itself as 6.6.1 so as
-to distinguish itself from the incorrect versions so the compatibility
-code to disable the affected KEX isn't activated.
-
-I've committed this on the 6.6 branch too.
-
-Apologies for the hassle.
-
--d
-
-Index: version.h
-===================================================================
-RCS file: /var/cvs/openssh/version.h,v
-retrieving revision 1.82
-diff -u -p -r1.82 version.h
---- a/version.h 27 Feb 2014 23:01:54 -0000 1.82
-+++ b/version.h 20 Apr 2014 03:35:15 -0000
-@@ -1,6 +1,6 @@
- /* $OpenBSD: version.h,v 1.70 2014/02/27 22:57:40 djm Exp $ */
-
--#define SSH_VERSION "OpenSSH_6.6"
-+#define SSH_VERSION "OpenSSH_6.6.1"
-
- #define SSH_PORTABLE "p1"
- #define SSH_RELEASE SSH_VERSION SSH_PORTABLE
-Index: compat.c
-===================================================================
-RCS file: /var/cvs/openssh/compat.c,v
-retrieving revision 1.82
-retrieving revision 1.85
-diff -u -p -r1.82 -r1.85
---- a/compat.c 31 Dec 2013 01:25:41 -0000 1.82
-+++ b/compat.c 20 Apr 2014 03:33:59 -0000 1.85
-@@ -95,6 +95,9 @@ compat_datafellows(const char *version)
- { "Sun_SSH_1.0*", SSH_BUG_NOREKEY|SSH_BUG_EXTEOF},
- { "OpenSSH_4*", 0 },
- { "OpenSSH_5*", SSH_NEW_OPENSSH|SSH_BUG_DYNAMIC_RPORT},
-+ { "OpenSSH_6.6.1*", SSH_NEW_OPENSSH},
-+ { "OpenSSH_6.5*,"
-+ "OpenSSH_6.6*", SSH_NEW_OPENSSH|SSH_BUG_CURVE25519PAD},
- { "OpenSSH*", SSH_NEW_OPENSSH },
- { "*MindTerm*", 0 },
- { "2.1.0*", SSH_BUG_SIGBLOB|SSH_BUG_HMAC|
-@@ -251,7 +254,6 @@ compat_cipher_proposal(char *cipher_prop
- return cipher_prop;
- }
-
--
- char *
- compat_pkalg_proposal(char *pkalg_prop)
- {
-@@ -263,5 +265,18 @@ compat_pkalg_proposal(char *pkalg_prop)
- if (*pkalg_prop == '\0')
- fatal("No supported PK algorithms found");
- return pkalg_prop;
-+}
-+
-+char *
-+compat_kex_proposal(char *kex_prop)
-+{
-+ if (!(datafellows & SSH_BUG_CURVE25519PAD))
-+ return kex_prop;
-+ debug2("%s: original KEX proposal: %s", __func__, kex_prop);
-+ kex_prop = filter_proposal(kex_prop, "curve25519-sha256@libssh.org");
-+ debug2("%s: compat KEX proposal: %s", __func__, kex_prop);
-+ if (*kex_prop == '\0')
-+ fatal("No supported key exchange algorithms found");
-+ return kex_prop;
- }
-
-Index: compat.h
-===================================================================
-RCS file: /var/cvs/openssh/compat.h,v
-retrieving revision 1.42
-retrieving revision 1.43
-diff -u -p -r1.42 -r1.43
---- a/compat.h 31 Dec 2013 01:25:41 -0000 1.42
-+++ b/compat.h 20 Apr 2014 03:25:31 -0000 1.43
-@@ -60,6 +60,7 @@
- #define SSH_NEW_OPENSSH 0x04000000
- #define SSH_BUG_DYNAMIC_RPORT 0x08000000
- #define SSH_BUG_LARGEWINDOW 0x10000000
-+#define SSH_BUG_CURVE25519PAD 0x20000000
-
- void enable_compat13(void);
- void enable_compat20(void);
-@@ -67,6 +68,7 @@ void compat_datafellows(const char *
- int proto_spec(const char *);
- char *compat_cipher_proposal(char *);
- char *compat_pkalg_proposal(char *);
-+char *compat_kex_proposal(char *);
-
- extern int compat13;
- extern int compat20;
-Index: sshd.c
-===================================================================
-RCS file: /var/cvs/openssh/sshd.c,v
-retrieving revision 1.448
-retrieving revision 1.453
-diff -u -p -r1.448 -r1.453
---- a/sshd.c 26 Feb 2014 23:20:08 -0000 1.448
-+++ b/sshd.c 20 Apr 2014 03:28:41 -0000 1.453
-@@ -2462,6 +2438,9 @@ do_ssh2_kex(void)
- if (options.kex_algorithms != NULL)
- myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms;
-
-+ myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(
-+ myproposal[PROPOSAL_KEX_ALGS]);
-+
- if (options.rekey_limit || options.rekey_interval)
- packet_set_rekey_limits((u_int32_t)options.rekey_limit,
- (time_t)options.rekey_interval);
-Index: sshconnect2.c
-===================================================================
-RCS file: /var/cvs/openssh/sshconnect2.c,v
-retrieving revision 1.197
-retrieving revision 1.199
-diff -u -p -r1.197 -r1.199
---- a/sshconnect2.c 4 Feb 2014 00:20:16 -0000 1.197
-+++ b/sshconnect2.c 20 Apr 2014 03:25:31 -0000 1.199
-@@ -195,6 +196,8 @@ ssh_kex2(char *host, struct sockaddr *ho
- }
- if (options.kex_algorithms != NULL)
- myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms;
-+ myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(
-+ myproposal[PROPOSAL_KEX_ALGS]);
-
- if (options.rekey_limit || options.rekey_interval)
- packet_set_rekey_limits((u_int32_t)options.rekey_limit,
-Index: bufaux.c
-===================================================================
-RCS file: /var/cvs/openssh/bufaux.c,v
-retrieving revision 1.62
-retrieving revision 1.63
-diff -u -p -r1.62 -r1.63
---- a/bufaux.c 4 Feb 2014 00:20:15 -0000 1.62
-+++ b/bufaux.c 20 Apr 2014 03:24:50 -0000 1.63
-@@ -1,4 +1,4 @@
--/* $OpenBSD: bufaux.c,v 1.56 2014/02/02 03:44:31 djm Exp $ */
-+/* $OpenBSD: bufaux.c,v 1.57 2014/04/16 23:22:45 djm Exp $ */
- /*
- * Author: Tatu Ylonen <ylo@cs.hut.fi>
- * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
-@@ -372,6 +372,9 @@ buffer_put_bignum2_from_string(Buffer *b
-
- if (l > 8 * 1024)
- fatal("%s: length %u too long", __func__, l);
-+ /* Skip leading zero bytes */
-+ for (; l > 0 && *s == 0; l--, s++)
-+ ;
- p = buf = xmalloc(l + 1);
- /*
- * If most significant bit is set then prepend a zero byte to
diff --git a/main/openssh/openssh6.6-dynwindows.diff b/main/openssh/openssh6.7-dynwindows.diff
index 1708caa752..b49e7688b0 100644
--- a/main/openssh/openssh6.6-dynwindows.diff
+++ b/main/openssh/openssh6.7-dynwindows.diff
@@ -1,35 +1,20 @@
-diff --git a/buffer.c b/buffer.c
-index d240f67..88e16d0 100644
---- a/buffer.c
-+++ b/buffer.c
-@@ -128,7 +128,7 @@ restart:
-
- /* Increase the size of the buffer and retry. */
- newlen = roundup(buffer->alloc + len, BUFFER_ALLOCSZ);
-- if (newlen > BUFFER_MAX_LEN)
-+ if (newlen > BUFFER_MAX_LEN_HPN)
- fatal("buffer_append_space: alloc %u not supported",
- newlen);
- buffer->buf = xrealloc(buffer->buf, 1, newlen);
-diff --git a/buffer.h b/buffer.h
-index 7df8a38..244de01 100644
---- a/buffer.h
-+++ b/buffer.h
+diff -ru openssh-6.7p1.orig/buffer.h openssh-6.7p1/buffer.h
+--- openssh-6.7p1.orig/buffer.h 2014-05-15 07:33:44.000000000 -0300
++++ openssh-6.7p1/buffer.h 2014-11-21 09:42:27.601954473 -0200
@@ -16,6 +16,9 @@
- #ifndef BUFFER_H
- #define BUFFER_H
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+/* move the following to a more appropriate place and name */
+#define BUFFER_MAX_LEN_HPN 0x4000000 /* 64MB */
+
- typedef struct {
- u_char *buf; /* Buffer for data. */
- u_int alloc; /* Number of bytes allocated for data. */
-diff --git a/channels.c b/channels.c
-index 9efe89c..bb01516 100644
---- a/channels.c
-+++ b/channels.c
-@@ -173,8 +173,14 @@ static void port_open_helper(Channel *c, char *rtype);
+ /* Emulation wrappers for legacy OpenSSH buffer API atop sshbuf */
+
+ #ifndef BUFFER_H
+diff -ru openssh-6.7p1.orig/channels.c openssh-6.7p1/channels.c
+--- openssh-6.7p1.orig/channels.c 2014-07-18 07:11:25.000000000 -0300
++++ openssh-6.7p1/channels.c 2014-11-21 09:42:27.601954473 -0200
+@@ -179,8 +179,14 @@
static int connect_next(struct channel_connect *);
static void channel_connect_ctx_free(struct channel_connect *);
@@ -44,7 +29,7 @@ index 9efe89c..bb01516 100644
Channel *
channel_by_id(int id)
{
-@@ -323,6 +329,7 @@ channel_new(char *ctype, int type, int rfd, int wfd, int efd,
+@@ -329,6 +335,7 @@
c->local_window_max = window;
c->local_consumed = 0;
c->local_maxpacket = maxpack;
@@ -52,7 +37,7 @@ index 9efe89c..bb01516 100644
c->remote_id = -1;
c->remote_name = xstrdup(remote_name);
c->remote_window = 0;
-@@ -819,11 +826,35 @@ channel_pre_open_13(Channel *c, fd_set *readset, fd_set *writeset)
+@@ -833,11 +840,35 @@
FD_SET(c->sock, writeset);
}
@@ -88,7 +73,7 @@ index 9efe89c..bb01516 100644
if (c->istate == CHAN_INPUT_OPEN &&
limit > 0 &&
buffer_len(&c->input) < limit &&
-@@ -1815,14 +1846,21 @@ channel_check_window(Channel *c)
+@@ -1842,14 +1873,21 @@
c->local_maxpacket*3) ||
c->local_window < c->local_window_max/2) &&
c->local_consumed > 0) {
@@ -112,7 +97,7 @@ index 9efe89c..bb01516 100644
c->local_consumed = 0;
}
return 1;
-@@ -2738,6 +2776,15 @@ channel_fwd_bind_addr(const char *listen_addr, int *wildcardp,
+@@ -2781,6 +2819,15 @@
return addr;
}
@@ -126,9 +111,9 @@ index 9efe89c..bb01516 100644
+}
+
static int
- channel_setup_fwd_listener(int type, const char *listen_addr,
- u_short listen_port, int *allocated_listen_port,
-@@ -2864,9 +2911,15 @@ channel_setup_fwd_listener(int type, const char *listen_addr,
+ channel_setup_fwd_listener_tcpip(int type, struct Forward *fwd,
+ int *allocated_listen_port, struct ForwardOptions *fwd_opts)
+@@ -2905,9 +2952,15 @@
}
/* Allocate a channel number for the socket. */
@@ -142,9 +127,9 @@ index 9efe89c..bb01516 100644
+ hpn_buffer_size, CHAN_TCP_PACKET_DEFAULT,
+ 0, "port listener", 1);
c->path = xstrdup(host);
- c->host_port = port_to_connect;
+ c->host_port = fwd->connect_port;
c->listening_addr = addr == NULL ? NULL : xstrdup(addr);
-@@ -3514,10 +3567,17 @@ x11_create_display_inet(int x11_display_offset, int x11_use_localhost,
+@@ -3939,10 +3992,17 @@
*chanids = xcalloc(num_socks + 1, sizeof(**chanids));
for (n = 0; n < num_socks; n++) {
sock = socks[n];
@@ -162,11 +147,10 @@ index 9efe89c..bb01516 100644
nc->single_connection = single_connection;
(*chanids)[n] = nc->self;
}
-diff --git a/channels.h b/channels.h
-index 4fab9d7..91ef316 100644
---- a/channels.h
-+++ b/channels.h
-@@ -132,8 +132,10 @@ struct Channel {
+diff -ru openssh-6.7p1.orig/channels.h openssh-6.7p1/channels.h
+--- openssh-6.7p1.orig/channels.h 2014-07-18 07:11:26.000000000 -0300
++++ openssh-6.7p1/channels.h 2014-11-21 09:42:27.601954473 -0200
+@@ -134,8 +134,10 @@
u_int local_window_max;
u_int local_consumed;
u_int local_maxpacket;
@@ -177,7 +161,7 @@ index 4fab9d7..91ef316 100644
char *ctype; /* type */
-@@ -169,8 +171,10 @@ struct Channel {
+@@ -171,8 +173,10 @@
/* default window/packet sizes for tcp/x11-fwd-channel */
#define CHAN_SES_PACKET_DEFAULT (32*1024)
#define CHAN_SES_WINDOW_DEFAULT (64*CHAN_SES_PACKET_DEFAULT)
@@ -188,7 +172,7 @@ index 4fab9d7..91ef316 100644
#define CHAN_X11_PACKET_DEFAULT (16*1024)
#define CHAN_X11_WINDOW_DEFAULT (4*CHAN_X11_PACKET_DEFAULT)
-@@ -306,4 +310,7 @@ void chan_rcvd_ieof(Channel *);
+@@ -311,4 +315,7 @@
void chan_write_failed(Channel *);
void chan_obuf_empty(Channel *);
@@ -196,33 +180,10 @@ index 4fab9d7..91ef316 100644
+void channel_set_hpn(int, int);
+
#endif
-diff --git a/cipher.c b/cipher.c
-index 53d9b4f..74ba34e 100644
---- a/cipher.c
-+++ b/cipher.c
-@@ -71,7 +71,7 @@ struct Cipher {
- const EVP_CIPHER *(*evptype)(void);
- };
-
--static const struct Cipher ciphers[] = {
-+static struct Cipher ciphers[] = {
- { "none", SSH_CIPHER_NONE, 8, 0, 0, 0, 0, 0, EVP_enc_null },
- { "des", SSH_CIPHER_DES, 8, 8, 0, 0, 0, 1, EVP_des_cbc },
- { "3des", SSH_CIPHER_3DES, 8, 16, 0, 0, 0, 1, evp_ssh1_3des },
-@@ -193,7 +193,7 @@ cipher_mask_ssh1(int client)
- const Cipher *
- cipher_by_name(const char *name)
- {
-- const Cipher *c;
-+ Cipher *c;
- for (c = ciphers; c->name != NULL; c++)
- if (strcmp(c->name, name) == 0)
- return c;
-diff --git a/clientloop.c b/clientloop.c
-index 59ad3a2..e144fb6 100644
---- a/clientloop.c
-+++ b/clientloop.c
-@@ -1891,9 +1891,15 @@ client_request_x11(const char *request_type, int rchan)
+diff -ru openssh-6.7p1.orig/clientloop.c openssh-6.7p1/clientloop.c
+--- openssh-6.7p1.orig/clientloop.c 2014-07-18 07:11:26.000000000 -0300
++++ openssh-6.7p1/clientloop.c 2014-11-21 09:42:27.601954473 -0200
+@@ -1899,9 +1899,15 @@
sock = x11_connect_display();
if (sock < 0)
return NULL;
@@ -238,34 +199,34 @@ index 59ad3a2..e144fb6 100644
c->force_drain = 1;
return c;
}
-@@ -1913,9 +1919,15 @@ client_request_agent(const char *request_type, int rchan)
+@@ -1921,9 +1927,15 @@
sock = ssh_get_authentication_socket();
if (sock < 0)
return NULL;
+ if (options.hpn_disabled)
-+ c = channel_new("authentication agent connection",
-+ SSH_CHANNEL_OPEN, sock, sock, -1,
-+ CHAN_X11_WINDOW_DEFAULT, CHAN_TCP_WINDOW_DEFAULT, 0,
-+ "authentication agent connection", 1);
-+ else
c = channel_new("authentication agent connection",
SSH_CHANNEL_OPEN, sock, sock, -1,
- CHAN_X11_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0,
++ CHAN_X11_WINDOW_DEFAULT, CHAN_TCP_WINDOW_DEFAULT, 0,
++ "authentication agent connection", 1);
++ else
++ c = channel_new("authentication agent connection",
++ SSH_CHANNEL_OPEN, sock, sock, -1,
+ options.hpn_buffer_size, options.hpn_buffer_size, 0,
"authentication agent connection", 1);
c->force_drain = 1;
return c;
-@@ -1943,10 +1955,18 @@ client_request_tun_fwd(int tun_mode, int local_tun, int remote_tun)
+@@ -1951,10 +1963,18 @@
return -1;
}
+ if(options.hpn_disabled)
- c = channel_new("tun", SSH_CHANNEL_OPENING, fd, fd, -1,
-- CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1);
++ c = channel_new("tun", SSH_CHANNEL_OPENING, fd, fd, -1,
+ CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT,
+ 0, "tun", 1);
+ else
-+ c = channel_new("tun", SSH_CHANNEL_OPENING, fd, fd, -1,
+ c = channel_new("tun", SSH_CHANNEL_OPENING, fd, fd, -1,
+- CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1);
+ options.hpn_buffer_size, CHAN_TCP_PACKET_DEFAULT,
+ 0, "tun", 1);
c->datagram = 1;
@@ -275,11 +236,10 @@ index 59ad3a2..e144fb6 100644
#if defined(SSH_TUN_FILTER)
if (options.tun_open == SSH_TUNMODE_POINTOPOINT)
channel_register_filter(c->self, sys_tun_infilter,
-diff --git a/compat.c b/compat.c
-index 9d9fabe..235fc59 100644
---- a/compat.c
-+++ b/compat.c
-@@ -172,6 +172,15 @@ compat_datafellows(const char *version)
+diff -ru openssh-6.7p1.orig/compat.c openssh-6.7p1/compat.c
+--- openssh-6.7p1.orig/compat.c 2014-04-20 06:33:59.000000000 -0300
++++ openssh-6.7p1/compat.c 2014-11-21 09:42:27.601954473 -0200
+@@ -175,6 +175,15 @@
if (match_pattern_list(version, check[i].pat,
strlen(check[i].pat), 0) == 1) {
datafellows = check[i].bugs;
@@ -295,32 +255,30 @@ index 9d9fabe..235fc59 100644
debug("match: %s pat %s compat 0x%08x",
version, check[i].pat, datafellows);
return;
-diff --git a/compat.h b/compat.h
-index b174fa1..9937347 100644
---- a/compat.h
-+++ b/compat.h
-@@ -59,6 +59,7 @@
- #define SSH_BUG_RFWD_ADDR 0x02000000
+diff -ru openssh-6.7p1.orig/compat.h openssh-6.7p1/compat.h
+--- openssh-6.7p1.orig/compat.h 2014-04-20 06:25:31.000000000 -0300
++++ openssh-6.7p1/compat.h 2014-11-21 09:47:51.058623939 -0200
+@@ -60,6 +60,7 @@
#define SSH_NEW_OPENSSH 0x04000000
#define SSH_BUG_DYNAMIC_RPORT 0x08000000
-+#define SSH_BUG_LARGEWINDOW 0x10000000
+ #define SSH_BUG_CURVE25519PAD 0x10000000
++#define SSH_BUG_LARGEWINDOW 0x20000000
void enable_compat13(void);
void enable_compat20(void);
-diff --git a/readconf.c b/readconf.c
-index dc884c9..ce083f4 100644
---- a/readconf.c
-+++ b/readconf.c
-@@ -149,6 +149,7 @@ typedef enum {
- oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass,
+diff -ru openssh-6.7p1.orig/readconf.c openssh-6.7p1/readconf.c
+--- openssh-6.7p1.orig/readconf.c 2014-07-18 07:11:26.000000000 -0300
++++ openssh-6.7p1/readconf.c 2014-11-21 09:49:31.348624811 -0200
+@@ -151,6 +151,7 @@
oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots,
oCanonicalizeFallbackLocal, oCanonicalizePermittedCNAMEs,
+ oStreamLocalBindMask, oStreamLocalBindUnlink,
+ oTcpRcvBufPoll, oTcpRcvBuf, oHPNDisabled, oHPNBufferSize,
oIgnoredUnknownOption, oDeprecated, oUnsupported
} OpCodes;
-@@ -263,6 +264,11 @@ static struct {
- { "canonicalizepermittedcnames", oCanonicalizePermittedCNAMEs },
+@@ -267,6 +268,11 @@
+ { "streamlocalbindunlink", oStreamLocalBindUnlink },
{ "ignoreunknown", oIgnoreUnknown },
+ { "tcprcvbufpoll", oTcpRcvBufPoll },
@@ -331,7 +289,7 @@ index dc884c9..ce083f4 100644
{ NULL, oBadOption }
};
-@@ -853,6 +859,18 @@ parse_time:
+@@ -877,6 +883,18 @@
intptr = &options->check_host_ip;
goto parse_flag;
@@ -350,7 +308,7 @@ index dc884c9..ce083f4 100644
case oVerifyHostKeyDNS:
intptr = &options->verify_host_key_dns;
multistate_ptr = multistate_yesnoask;
-@@ -1015,6 +1033,10 @@ parse_int:
+@@ -1039,6 +1057,10 @@
intptr = &options->connection_attempts;
goto parse_int;
@@ -361,7 +319,7 @@ index dc884c9..ce083f4 100644
case oCipher:
intptr = &options->cipher;
arg = strdelim(&s);
-@@ -1561,6 +1583,10 @@ initialize_options(Options * options)
+@@ -1602,6 +1624,10 @@
options->ip_qos_interactive = -1;
options->ip_qos_bulk = -1;
options->request_tty = -1;
@@ -372,7 +330,7 @@ index dc884c9..ce083f4 100644
options->proxy_use_fdpass = -1;
options->ignored_unknown = NULL;
options->num_canonical_domains = 0;
-@@ -1707,6 +1733,28 @@ fill_default_options(Options * options)
+@@ -1752,6 +1778,28 @@
options->server_alive_interval = 0;
if (options->server_alive_count_max == -1)
options->server_alive_count_max = 3;
@@ -401,11 +359,10 @@ index dc884c9..ce083f4 100644
if (options->control_master == -1)
options->control_master = 0;
if (options->control_persist == -1) {
-diff --git a/readconf.h b/readconf.h
-index 75e3f8f..a471114 100644
---- a/readconf.h
-+++ b/readconf.h
-@@ -66,6 +66,10 @@ typedef struct {
+diff -ru openssh-6.7p1.orig/readconf.h openssh-6.7p1/readconf.h
+--- openssh-6.7p1.orig/readconf.h 2014-07-18 07:11:26.000000000 -0300
++++ openssh-6.7p1/readconf.h 2014-11-21 09:42:27.605287806 -0200
+@@ -57,6 +57,10 @@
int compression_level; /* Compression level 1 (fast) to 9
* (best). */
int tcp_keep_alive; /* Set SO_KEEPALIVE. */
@@ -416,20 +373,19 @@ index 75e3f8f..a471114 100644
int ip_qos_interactive; /* IP ToS/DSCP/class for interactive */
int ip_qos_bulk; /* IP ToS/DSCP/class for bulk traffic */
LogLevel log_level; /* Level for logging. */
-diff --git a/scp.c b/scp.c
-index 18d3b1d..2ab8f15 100644
---- a/scp.c
-+++ b/scp.c
-@@ -749,7 +749,7 @@ source(int argc, char **argv)
+diff -ru openssh-6.7p1.orig/scp.c openssh-6.7p1/scp.c
+--- openssh-6.7p1.orig/scp.c 2014-07-02 08:29:01.000000000 -0300
++++ openssh-6.7p1/scp.c 2014-11-21 09:42:27.605287806 -0200
+@@ -749,7 +749,7 @@
off_t i, statbytes;
- size_t amt;
+ size_t amt, nr;
int fd = -1, haderr, indx;
- char *last, *name, buf[2048], encname[MAXPATHLEN];
+ char *last, *name, buf[16384], encname[MAXPATHLEN];
int len;
for (indx = 0; indx < argc; ++indx) {
-@@ -914,7 +914,7 @@ sink(int argc, char **argv)
+@@ -918,7 +918,7 @@
off_t size, statbytes;
unsigned long long ull;
int setimes, targisdir, wrerrno = 0;
@@ -438,11 +394,10 @@ index 18d3b1d..2ab8f15 100644
struct timeval tv[2];
#define atime tv[0]
-diff --git a/servconf.c b/servconf.c
-index 7ba65d5..32bb711 100644
---- a/servconf.c
-+++ b/servconf.c
-@@ -150,6 +150,9 @@ initialize_server_options(ServerOptions *options)
+diff -ru openssh-6.7p1.orig/servconf.c openssh-6.7p1/servconf.c
+--- openssh-6.7p1.orig/servconf.c 2014-07-18 07:11:26.000000000 -0300
++++ openssh-6.7p1/servconf.c 2014-11-21 09:42:27.605287806 -0200
+@@ -154,6 +154,9 @@
options->revoked_keys_file = NULL;
options->trusted_user_ca_keys = NULL;
options->authorized_principals_file = NULL;
@@ -452,7 +407,7 @@ index 7ba65d5..32bb711 100644
options->ip_qos_interactive = -1;
options->ip_qos_bulk = -1;
options->version_addendum = NULL;
-@@ -158,6 +161,11 @@ initialize_server_options(ServerOptions *options)
+@@ -162,6 +165,11 @@
void
fill_default_server_options(ServerOptions *options)
{
@@ -464,7 +419,7 @@ index 7ba65d5..32bb711 100644
/* Portable-specific options */
if (options->use_pam == -1)
options->use_pam = 0;
-@@ -294,6 +302,41 @@ fill_default_server_options(ServerOptions *options)
+@@ -302,6 +310,41 @@
}
if (options->permit_tun == -1)
options->permit_tun = SSH_TUNMODE_NO;
@@ -506,15 +461,15 @@ index 7ba65d5..32bb711 100644
if (options->ip_qos_interactive == -1)
options->ip_qos_interactive = IPTOS_LOWDELAY;
if (options->ip_qos_bulk == -1)
-@@ -345,6 +388,7 @@ typedef enum {
+@@ -357,6 +400,7 @@
sUsePrivilegeSeparation, sAllowAgentForwarding,
sHostCertificate,
sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
+ sTcpRcvBufPoll, sHPNDisabled, sHPNBufferSize,
sKexAlgorithms, sIPQoS, sVersionAddendum,
sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
- sAuthenticationMethods, sHostKeyAgent,
-@@ -468,6 +512,9 @@ static struct {
+ sAuthenticationMethods, sHostKeyAgent, sPermitUserRC,
+@@ -483,6 +527,9 @@
{ "revokedkeys", sRevokedKeys, SSHCFG_ALL },
{ "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
{ "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
@@ -524,7 +479,7 @@ index 7ba65d5..32bb711 100644
{ "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
{ "ipqos", sIPQoS, SSHCFG_ALL },
{ "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL },
-@@ -500,6 +547,7 @@ parse_token(const char *cp, const char *filename,
+@@ -518,6 +565,7 @@
for (i = 0; keywords[i].name; i++)
if (strcasecmp(cp, keywords[i].name) == 0) {
@@ -532,7 +487,7 @@ index 7ba65d5..32bb711 100644
*flags = keywords[i].flags;
return keywords[i].opcode;
}
-@@ -1042,6 +1090,19 @@ process_server_config_line(ServerOptions *options, char *line,
+@@ -1060,6 +1108,19 @@
*intptr = value;
break;
@@ -552,11 +507,10 @@ index 7ba65d5..32bb711 100644
case sIgnoreUserKnownHosts:
intptr = &options->ignore_user_known_hosts;
goto parse_flag;
-diff --git a/servconf.h b/servconf.h
-index 752d1c5..0b9f59d 100644
---- a/servconf.h
-+++ b/servconf.h
-@@ -164,6 +164,9 @@ typedef struct {
+diff -ru openssh-6.7p1.orig/servconf.h openssh-6.7p1/servconf.h
+--- openssh-6.7p1.orig/servconf.h 2014-07-18 07:11:26.000000000 -0300
++++ openssh-6.7p1/servconf.h 2014-11-21 09:42:27.605287806 -0200
+@@ -166,6 +166,9 @@
char *adm_forced_command;
int use_pam; /* Enable auth via PAM */
@@ -566,11 +520,10 @@ index 752d1c5..0b9f59d 100644
int permit_tun;
-diff --git a/serverloop.c b/serverloop.c
-index 2f8e3a0..4868e5f 100644
---- a/serverloop.c
-+++ b/serverloop.c
-@@ -1015,8 +1015,12 @@ server_request_tun(void)
+diff -ru openssh-6.7p1.orig/serverloop.c openssh-6.7p1/serverloop.c
+--- openssh-6.7p1.orig/serverloop.c 2014-08-19 04:14:17.000000000 -0300
++++ openssh-6.7p1/serverloop.c 2014-11-21 09:42:27.605287806 -0200
+@@ -1047,8 +1047,12 @@
sock = tun_open(tun, mode);
if (sock < 0)
goto done;
@@ -583,7 +536,7 @@ index 2f8e3a0..4868e5f 100644
c->datagram = 1;
#if defined(SSH_TUN_FILTER)
if (mode == SSH_TUNMODE_POINTOPOINT)
-@@ -1052,6 +1056,8 @@ server_request_session(void)
+@@ -1084,6 +1088,8 @@
c = channel_new("session", SSH_CHANNEL_LARVAL,
-1, -1, -1, /*window size*/0, CHAN_SES_PACKET_DEFAULT,
0, "server-session", 1);
@@ -592,19 +545,18 @@ index 2f8e3a0..4868e5f 100644
if (session_open(the_authctxt, c->self) != 1) {
debug("session open failed, free channel %d", c->self);
channel_free(c);
-diff --git a/session.c b/session.c
-index 2bcf818..817afc9 100644
---- a/session.c
-+++ b/session.c
-@@ -237,6 +237,7 @@ auth_input_request_forwarding(struct passwd * pw)
- }
+diff -ru openssh-6.7p1.orig/session.c openssh-6.7p1/session.c
+--- openssh-6.7p1.orig/session.c 2014-07-18 07:11:26.000000000 -0300
++++ openssh-6.7p1/session.c 2014-11-21 09:42:27.605287806 -0200
+@@ -219,6 +219,7 @@
+ goto authsock_err;
/* Allocate a channel for the authentication agent socket. */
+ /* this shouldn't matter if its hpn or not - cjr */
nc = channel_new("auth socket",
SSH_CHANNEL_AUTH_SOCKET, sock, sock, -1,
CHAN_X11_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT,
-@@ -2331,10 +2332,16 @@ session_set_fds(Session *s, int fdin, int fdout, int fderr, int ignore_fderr,
+@@ -2328,10 +2329,16 @@
*/
if (s->chanid == -1)
fatal("no channel for session %d", s->self);
@@ -621,11 +573,10 @@ index 2bcf818..817afc9 100644
}
/*
-diff --git a/sftp.1 b/sftp.1
-index a700c2a..8e00b13 100644
---- a/sftp.1
-+++ b/sftp.1
-@@ -261,7 +261,8 @@ diagnostic messages from
+diff -ru openssh-6.7p1.orig/sftp.1 openssh-6.7p1/sftp.1
+--- openssh-6.7p1.orig/sftp.1 2014-05-15 06:47:37.000000000 -0300
++++ openssh-6.7p1/sftp.1 2014-11-21 09:42:27.605287806 -0200
+@@ -261,7 +261,8 @@
Specify how many requests may be outstanding at any one time.
Increasing this may slightly improve file transfer speed
but will increase memory usage.
@@ -635,11 +586,10 @@ index a700c2a..8e00b13 100644
.It Fl r
Recursively copy entire directories when uploading and downloading.
Note that
-diff --git a/sftp.c b/sftp.c
-index ad1f8c8..1575d5e 100644
---- a/sftp.c
-+++ b/sftp.c
-@@ -68,7 +68,7 @@ typedef void EditLine;
+diff -ru openssh-6.7p1.orig/sftp.c openssh-6.7p1/sftp.c
+--- openssh-6.7p1.orig/sftp.c 2014-07-09 06:07:06.000000000 -0300
++++ openssh-6.7p1/sftp.c 2014-11-21 09:42:27.605287806 -0200
+@@ -68,7 +68,7 @@
#include "sftp-client.h"
#define DEFAULT_COPY_BUFLEN 32768 /* Size of buffer for up/download */
@@ -648,11 +598,10 @@ index ad1f8c8..1575d5e 100644
/* File to read commands from */
FILE* infile;
-diff --git a/ssh.c b/ssh.c
-index 1e6cb90..7c91d6d 100644
---- a/ssh.c
-+++ b/ssh.c
-@@ -1611,6 +1611,9 @@ ssh_session2_open(void)
+diff -ru openssh-6.7p1.orig/ssh.c openssh-6.7p1/ssh.c
+--- openssh-6.7p1.orig/ssh.c 2014-07-18 08:04:11.000000000 -0300
++++ openssh-6.7p1/ssh.c 2014-11-21 09:42:27.608621140 -0200
+@@ -1682,6 +1682,9 @@
{
Channel *c;
int window, packetmax, in, out, err;
@@ -662,7 +611,7 @@ index 1e6cb90..7c91d6d 100644
if (stdin_null_flag) {
in = open(_PATH_DEVNULL, O_RDONLY);
-@@ -1631,9 +1634,74 @@ ssh_session2_open(void)
+@@ -1702,9 +1705,74 @@
if (!isatty(err))
set_nonblock(err);
@@ -738,7 +687,7 @@ index 1e6cb90..7c91d6d 100644
window >>= 1;
packetmax >>= 1;
}
-@@ -1642,6 +1710,10 @@ ssh_session2_open(void)
+@@ -1713,6 +1781,10 @@
window, packetmax, CHAN_EXTENDED_WRITE,
"client-session", /*nonblock*/0);
@@ -749,11 +698,10 @@ index 1e6cb90..7c91d6d 100644
debug3("ssh_session2_open: channel_new: %d", c->self);
channel_send_open(c->self);
-diff --git a/sshconnect.c b/sshconnect.c
-index 573d7a8..9cf6947 100644
---- a/sshconnect.c
-+++ b/sshconnect.c
-@@ -263,6 +263,31 @@ ssh_kill_proxy_command(void)
+diff -ru openssh-6.7p1.orig/sshconnect.c openssh-6.7p1/sshconnect.c
+--- openssh-6.7p1.orig/sshconnect.c 2014-07-18 07:11:26.000000000 -0300
++++ openssh-6.7p1/sshconnect.c 2014-11-21 09:42:27.608621140 -0200
+@@ -264,6 +264,31 @@
}
/*
@@ -785,7 +733,7 @@ index 573d7a8..9cf6947 100644
* Creates a (possibly privileged) socket for use as the ssh connection.
*/
static int
-@@ -278,6 +303,9 @@ ssh_create_socket(int privileged, struct addrinfo *ai)
+@@ -279,6 +304,9 @@
}
fcntl(sock, F_SETFD, FD_CLOEXEC);
@@ -795,7 +743,7 @@ index 573d7a8..9cf6947 100644
/* Bind the socket to an alternative local IP address */
if (options.bind_address == NULL && !privileged)
return sock;
-@@ -520,10 +548,10 @@ send_client_banner(int connection_out, int minor1)
+@@ -521,10 +549,10 @@
/* Send our own protocol version identification. */
if (compat20) {
xasprintf(&client_version_string, "SSH-%d.%d-%.100s\r\n",
@@ -808,11 +756,10 @@ index 573d7a8..9cf6947 100644
}
if (roaming_atomicio(vwrite, connection_out, client_version_string,
strlen(client_version_string)) != strlen(client_version_string))
-diff --git a/sshd.c b/sshd.c
-index 7523de9..9623887 100644
---- a/sshd.c
-+++ b/sshd.c
-@@ -436,7 +436,7 @@ sshd_exchange_identification(int sock_in, int sock_out)
+diff -ru openssh-6.7p1.orig/sshd.c openssh-6.7p1/sshd.c
+--- openssh-6.7p1.orig/sshd.c 2014-08-26 21:11:55.000000000 -0300
++++ openssh-6.7p1/sshd.c 2014-11-21 09:42:27.608621140 -0200
+@@ -432,7 +432,7 @@
}
xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s",
@@ -821,7 +768,7 @@ index 7523de9..9623887 100644
*options.version_addendum == '\0' ? "" : " ",
options.version_addendum, newline);
-@@ -1082,6 +1082,8 @@ server_listen(void)
+@@ -1092,6 +1092,8 @@
int ret, listen_sock, on = 1;
struct addrinfo *ai;
char ntop[NI_MAXHOST], strport[NI_MAXSERV];
@@ -830,7 +777,7 @@ index 7523de9..9623887 100644
for (ai = options.listen_addrs; ai; ai = ai->ai_next) {
if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6)
-@@ -1122,6 +1124,11 @@ server_listen(void)
+@@ -1132,6 +1134,11 @@
debug("Bind to port %s on %s.", strport, ntop);
@@ -842,7 +789,7 @@ index 7523de9..9623887 100644
/* Bind the socket to the desired port. */
if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) < 0) {
error("Bind to port %s on %s failed: %.200s.",
-@@ -2058,6 +2065,9 @@ main(int ac, char **av)
+@@ -2060,6 +2067,9 @@
remote_ip, remote_port,
get_local_ipaddr(sock_in), get_local_port());
@@ -852,11 +799,10 @@ index 7523de9..9623887 100644
/*
* We don't want to listen forever unless the other side
* successfully authenticates itself. So we set up an alarm which is
-diff --git a/sshd_config b/sshd_config
-index e9045bc..7495fc9 100644
---- a/sshd_config
-+++ b/sshd_config
-@@ -125,6 +125,17 @@ UsePrivilegeSeparation sandbox # Default for new installations.
+diff -ru openssh-6.7p1.orig/sshd_config openssh-6.7p1/sshd_config
+--- openssh-6.7p1.orig/sshd_config 2014-01-12 10:20:47.000000000 -0200
++++ openssh-6.7p1/sshd_config 2014-11-21 09:42:27.608621140 -0200
+@@ -125,6 +125,17 @@
# override default of no subsystems
Subsystem sftp /usr/libexec/sftp-server
@@ -874,12 +820,11 @@ index e9045bc..7495fc9 100644
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
-diff --git a/version.h b/version.h
-index a1579ac..4fe1849 100644
---- a/version.h
-+++ b/version.h
+diff -ru openssh-6.7p1.orig/version.h openssh-6.7p1/version.h
+--- openssh-6.7p1.orig/version.h 2014-04-20 06:25:31.000000000 -0300
++++ openssh-6.7p1/version.h 2014-11-21 09:42:27.608621140 -0200
@@ -3,4 +3,5 @@
- #define SSH_VERSION "OpenSSH_6.6"
+ #define SSH_VERSION "OpenSSH_6.7"
#define SSH_PORTABLE "p1"
-#define SSH_RELEASE SSH_VERSION SSH_PORTABLE