diff options
author | Timo Teräs <timo.teras@iki.fi> | 2014-11-21 09:52:21 +0200 |
---|---|---|
committer | Natanael Copa <ncopa@alpinelinux.org> | 2014-11-21 08:37:03 +0000 |
commit | 480caba4acf001d21388b2d5b10e11fafc3ddd25 (patch) | |
tree | b540d125b496b700289121180d657c446958a365 /main | |
parent | 9621f5bfd88b0c8012f20d96ce3ec1cb23d0a07e (diff) | |
download | aports-480caba4acf001d21388b2d5b10e11fafc3ddd25.tar.bz2 aports-480caba4acf001d21388b2d5b10e11fafc3ddd25.tar.xz |
main/openssh: upgrade to 6.7p1
Diffstat (limited to 'main')
-rw-r--r-- | main/openssh/APKBUILD | 27 | ||||
-rw-r--r-- | main/openssh/CVE-2014-2653.patch | 83 | ||||
-rw-r--r-- | main/openssh/openssh-curve25519pad.patch | 169 | ||||
-rw-r--r-- | main/openssh/openssh6.7-dynwindows.diff (renamed from main/openssh/openssh6.6-dynwindows.diff) | 321 |
4 files changed, 142 insertions, 458 deletions
diff --git a/main/openssh/APKBUILD b/main/openssh/APKBUILD index a7c87f2fc5..7e0dbc17fd 100644 --- a/main/openssh/APKBUILD +++ b/main/openssh/APKBUILD @@ -1,8 +1,8 @@ # Maintainer: Natanael Copa <ncopa@alpinelinux.org> pkgname=openssh -pkgver=6.6_p1 +pkgver=6.7_p1 _myver=${pkgver%_*}${pkgver#*_} -pkgrel=6 +pkgrel=0 pkgdesc="Port of OpenBSD's free SSH release" url="http://www.openssh.org/portable.html" arch="all" @@ -12,14 +12,12 @@ depends="openssh-client" makedepends="openssl-dev zlib-dev" subpackages="$pkgname-doc $pkgname-client $pkgname-keysign" source="ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/$pkgname-$_myver.tar.gz - openssh6.6-dynwindows.diff + openssh6.7-dynwindows.diff openssh6.5-peaktput.diff openssh-fix-includes.diff openssh-fix-utmp.diff sshd.initd sshd.confd - CVE-2014-2653.patch - openssh-curve25519pad.patch openssh-sftp-interactive.diff " # HPN patches are from: http://www.psc.edu/index.php/hpn-ssh @@ -63,7 +61,6 @@ build () { --with-privsep-user=sshd \ --with-md5-passwords \ --with-ssl-engine \ - --without-tcp-wrappers \ --without-pam \ || return 1 make || return 1 @@ -110,33 +107,27 @@ keysign() { "$subpkgdir"/usr/lib/ssh/ || return 1 } -md5sums="3e9800e6bca1fbac0eea4d41baa7f239 openssh-6.6p1.tar.gz -776fca63396b534736d26f776d1dca7b openssh6.6-dynwindows.diff +md5sums="3246aa79317b1d23cae783a3bf8275d6 openssh-6.7p1.tar.gz +2121bdcba3751877b13f2f90802d4399 openssh6.7-dynwindows.diff cd52fe99cb4b7d0d847bf5d710d93564 openssh6.5-peaktput.diff 7c86680602f7ad71b0773d9e98a30d73 openssh-fix-includes.diff f7d9d6f96940ef66bd3c3a0aa27e57a7 openssh-fix-utmp.diff bcf990d4ef7ff446160cde7dbd32bf1f sshd.initd b35e9f3829f4cfca07168fcba98749c7 sshd.confd -02a7de5652d9769576e3b252d768cd0f CVE-2014-2653.patch -da797337121f07bc3fac8a21afac20f8 openssh-curve25519pad.patch 2dd7e366607e95f9762273067309fd6e openssh-sftp-interactive.diff" -sha256sums="48c1f0664b4534875038004cc4f3555b8329c2a81c1df48db5c517800de203bb openssh-6.6p1.tar.gz -83f2b2c07988c6321875240c02a161a83ec84661d592cbd2188ea8c962f9b1ad openssh6.6-dynwindows.diff +sha256sums="b2f8394eae858dabbdef7dac10b99aec00c95462753e80342e530bbb6f725507 openssh-6.7p1.tar.gz +7d02930524d1357232770e9dc5a92746e654d6dafcbd5762c8618b059f0bf7b9 openssh6.7-dynwindows.diff bf49212e47a86d10650f739532cea514a310925e6445b4f8011031b6b55f3249 openssh6.5-peaktput.diff c3189ba0e17e60e83851ac2d6f18ad5b08cb90cccfce31d61cccb9fd76d44d59 openssh-fix-includes.diff f2748da45d0bc31055727f8c80d93e1872cc043ced3202e2f6d150aca3c08dde openssh-fix-utmp.diff 2a9889ab224be7202ece80a7085aa3e85bbba9432467031b436dcd77cb92a2ac sshd.initd 29c6d57ac3ec6018cadc6ba6cd9b90c9ed46e20049b970fdcc68ee2481a2ee41 sshd.confd -03826427d72f86c68f079acab6c9c86e8f27f7514b66428f404c2f235fd0c0bd CVE-2014-2653.patch -8b0caf249298eec28aad3cb77256d31a90652c77bdc1a54a00f04e8c1446d5c4 openssh-curve25519pad.patch 4ce1ad5f767c0f4e854a0cfeef0e2e400f333c649e552df1ecc317e6a6557376 openssh-sftp-interactive.diff" -sha512sums="3d3566ed87649882702cad52db1adefebfb3ef788c9f77a493f99db7e9ca2e8edcde793dd426df7df0aed72a42a31c20a63ef51506111369d3a7c49e0bf6c82b openssh-6.6p1.tar.gz -3aab8b8e1f86ce04ebc69bbdbf3c70cefd510d7b4080b99067ec49957b5e421b49e3b8a0a62103d17cf644cd7c0b30e9283a62a24988b1bbb0fbdabbdc1202fd openssh6.6-dynwindows.diff +sha512sums="2469dfcd289948374843311dd9e5f7e144ce1cebd4bfce0d387d0b75cb59f3e1af1b9ebf96bd4ab6407dfa77a013c5d25742971053e61cae2541054aeaca559d openssh-6.7p1.tar.gz +4985134b4b1b06d9c8bc81af9f0e0690c3f23d78f3df2af70cd0030cc7ab5bd8d9aad60031ce8069902c6bb8ae6dde754aa87d6fd4587cdc6e99e7bb33f0d1bb openssh6.7-dynwindows.diff e041398e177674f698480e23be037160bd07b751c754956a3ddf1b964da24c85e826fb75e7c23c9826d36761da73d08db9583c047d58a08dc7b2149a949075b1 openssh6.5-peaktput.diff 70e2c6613ab77ec379e03ddf029c1c38e5d852bb225db40ceaa63e642d58b0261fa7c954b288710736bb1dc71f8057f2598ea0d1f5b1214135fa5e9541d5f05a openssh-fix-includes.diff cc909f68d9da1b264926973b96d36162b5c588299c98d62f526faf2ef1273d98bb8d8dea4d482770a2aef88bcbf15fa61144401aef9ab916c15e1623bcf449b5 openssh-fix-utmp.diff eeafefcb8a3357b498591480b39dc0116ab3440c88faeaeaddeac0b860f9e268abe6f603bc27893b79945acde06a45a7616d1bdc6ca27201cd8dc522f49b207e sshd.initd b9ae816af54a55e134a9307e376f05367b815f1b3fd545c2a2c312d18aedcf907f413e8bad8db980cdd9aad4011a72a79e1e94594f69500939a9cb46287f2f81 sshd.confd -be48059ae1715669f970a19acde14f262588172c5a8d8d1c84159bc69a60c5750b21c98f39f65df72ae071f7f918046000a2499b9ef16ba2cb4bcd8399bc8e40 CVE-2014-2653.patch -5c946726e9fb472412972ca73c6e4565598b7729558843be2391e04d8935f0e35a992b4fa9f89c8a98917665c12219ea5ad58359269cbe2cf90907f7d1e2cec8 openssh-curve25519pad.patch c1d09c65dbc347f0904edc30f91aa9a24b0baee50309536182455b544f1e3f85a8cecfa959e32be8b101d8282ef06dde3febbbc3f315489339dcf04155c859a9 openssh-sftp-interactive.diff" diff --git a/main/openssh/CVE-2014-2653.patch b/main/openssh/CVE-2014-2653.patch deleted file mode 100644 index b453081c5a..0000000000 --- a/main/openssh/CVE-2014-2653.patch +++ /dev/null @@ -1,83 +0,0 @@ -From 08a63152deb5deda168aaef870bdb9f56425acb3 Mon Sep 17 00:00:00 2001 -From: Matthew Vernon <mcv21@cam.ac.uk> -Date: Wed, 26 Mar 2014 15:32:23 +0000 -Subject: Attempt SSHFP lookup even if server presents a certificate - -If an ssh server presents a certificate to the client, then the client -does not check the DNS for SSHFP records. This means that a malicious -server can essentially disable DNS-host-key-checking, which means the -client will fall back to asking the user (who will just say "yes" to -the fingerprint, sadly). - -This patch is by Damien Miller (of openssh upstream). It's simpler -than the patch by Mark Wooding which I applied yesterday; a copy is -taken of the proffered key/cert, the key extracted from the cert (if -necessary), and then the DNS consulted. - -Signed-off-by: Matthew Vernon <matthew@debian.org> -Bug-Debian: http://bugs.debian.org/742513 -Patch-Name: sshfp_with_server_cert_upstr ---- - sshconnect.c | 42 ++++++++++++++++++++++++++---------------- - 1 file changed, 26 insertions(+), 16 deletions(-) - -diff --git a/sshconnect.c b/sshconnect.c -index 87c3770..324f5e0 100644 ---- a/sshconnect.c -+++ b/sshconnect.c -@@ -1224,29 +1224,39 @@ verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key) - { - int flags = 0; - char *fp; -+ Key *plain = NULL; - - fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX); - debug("Server host key: %s %s", key_type(host_key), fp); - free(fp); - -- /* XXX certs are not yet supported for DNS */ -- if (!key_is_cert(host_key) && options.verify_host_key_dns && -- verify_host_key_dns(host, hostaddr, host_key, &flags) == 0) { -- if (flags & DNS_VERIFY_FOUND) { -- -- if (options.verify_host_key_dns == 1 && -- flags & DNS_VERIFY_MATCH && -- flags & DNS_VERIFY_SECURE) -- return 0; -- -- if (flags & DNS_VERIFY_MATCH) { -- matching_host_key_dns = 1; -- } else { -- warn_changed_key(host_key); -- error("Update the SSHFP RR in DNS with the new " -- "host key to get rid of this message."); -+ if (options.verify_host_key_dns) { -+ /* -+ * XXX certs are not yet supported for DNS, so downgrade -+ * them and try the plain key. -+ */ -+ plain = key_from_private(host_key); -+ if (key_is_cert(plain)) -+ key_drop_cert(plain); -+ if (verify_host_key_dns(host, hostaddr, plain, &flags) == 0) { -+ if (flags & DNS_VERIFY_FOUND) { -+ if (options.verify_host_key_dns == 1 && -+ flags & DNS_VERIFY_MATCH && -+ flags & DNS_VERIFY_SECURE) { -+ key_free(plain); -+ return 0; -+ } -+ if (flags & DNS_VERIFY_MATCH) { -+ matching_host_key_dns = 1; -+ } else { -+ warn_changed_key(plain); -+ error("Update the SSHFP RR in DNS " -+ "with the new host key to get rid " -+ "of this message."); -+ } - } - } -+ key_free(plain); - } - - return check_host_key(host, hostaddr, options.port, host_key, RDRW, diff --git a/main/openssh/openssh-curve25519pad.patch b/main/openssh/openssh-curve25519pad.patch deleted file mode 100644 index 6c4ff72dcd..0000000000 --- a/main/openssh/openssh-curve25519pad.patch +++ /dev/null @@ -1,169 +0,0 @@ -https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-April/032494.html - -Hi, - -So I screwed up when writing the support for the curve25519 KEX method -that doesn't depend on OpenSSL's BIGNUM type - a bug in my code left -leading zero bytes where they should have been skipped. The impact of -this is that OpenSSH 6.5 and 6.6 will fail during key exchange with a -peer that implements curve25519-sha256@libssh.org properly about 0.2% -of the time (one in every 512ish connections). - -We've fixed this for OpenSSH 6.7 by avoiding the curve25519-sha256 -key exchange for previous versions, but I'd recommend distributors -of OpenSSH apply this patch so the affected code doesn't become -too entrenched in LTS releases. - -The patch fixes the bug and makes OpenSSH identify itself as 6.6.1 so as -to distinguish itself from the incorrect versions so the compatibility -code to disable the affected KEX isn't activated. - -I've committed this on the 6.6 branch too. - -Apologies for the hassle. - --d - -Index: version.h -=================================================================== -RCS file: /var/cvs/openssh/version.h,v -retrieving revision 1.82 -diff -u -p -r1.82 version.h ---- a/version.h 27 Feb 2014 23:01:54 -0000 1.82 -+++ b/version.h 20 Apr 2014 03:35:15 -0000 -@@ -1,6 +1,6 @@ - /* $OpenBSD: version.h,v 1.70 2014/02/27 22:57:40 djm Exp $ */ - --#define SSH_VERSION "OpenSSH_6.6" -+#define SSH_VERSION "OpenSSH_6.6.1" - - #define SSH_PORTABLE "p1" - #define SSH_RELEASE SSH_VERSION SSH_PORTABLE -Index: compat.c -=================================================================== -RCS file: /var/cvs/openssh/compat.c,v -retrieving revision 1.82 -retrieving revision 1.85 -diff -u -p -r1.82 -r1.85 ---- a/compat.c 31 Dec 2013 01:25:41 -0000 1.82 -+++ b/compat.c 20 Apr 2014 03:33:59 -0000 1.85 -@@ -95,6 +95,9 @@ compat_datafellows(const char *version) - { "Sun_SSH_1.0*", SSH_BUG_NOREKEY|SSH_BUG_EXTEOF}, - { "OpenSSH_4*", 0 }, - { "OpenSSH_5*", SSH_NEW_OPENSSH|SSH_BUG_DYNAMIC_RPORT}, -+ { "OpenSSH_6.6.1*", SSH_NEW_OPENSSH}, -+ { "OpenSSH_6.5*," -+ "OpenSSH_6.6*", SSH_NEW_OPENSSH|SSH_BUG_CURVE25519PAD}, - { "OpenSSH*", SSH_NEW_OPENSSH }, - { "*MindTerm*", 0 }, - { "2.1.0*", SSH_BUG_SIGBLOB|SSH_BUG_HMAC| -@@ -251,7 +254,6 @@ compat_cipher_proposal(char *cipher_prop - return cipher_prop; - } - -- - char * - compat_pkalg_proposal(char *pkalg_prop) - { -@@ -263,5 +265,18 @@ compat_pkalg_proposal(char *pkalg_prop) - if (*pkalg_prop == '\0') - fatal("No supported PK algorithms found"); - return pkalg_prop; -+} -+ -+char * -+compat_kex_proposal(char *kex_prop) -+{ -+ if (!(datafellows & SSH_BUG_CURVE25519PAD)) -+ return kex_prop; -+ debug2("%s: original KEX proposal: %s", __func__, kex_prop); -+ kex_prop = filter_proposal(kex_prop, "curve25519-sha256@libssh.org"); -+ debug2("%s: compat KEX proposal: %s", __func__, kex_prop); -+ if (*kex_prop == '\0') -+ fatal("No supported key exchange algorithms found"); -+ return kex_prop; - } - -Index: compat.h -=================================================================== -RCS file: /var/cvs/openssh/compat.h,v -retrieving revision 1.42 -retrieving revision 1.43 -diff -u -p -r1.42 -r1.43 ---- a/compat.h 31 Dec 2013 01:25:41 -0000 1.42 -+++ b/compat.h 20 Apr 2014 03:25:31 -0000 1.43 -@@ -60,6 +60,7 @@ - #define SSH_NEW_OPENSSH 0x04000000 - #define SSH_BUG_DYNAMIC_RPORT 0x08000000 - #define SSH_BUG_LARGEWINDOW 0x10000000 -+#define SSH_BUG_CURVE25519PAD 0x20000000 - - void enable_compat13(void); - void enable_compat20(void); -@@ -67,6 +68,7 @@ void compat_datafellows(const char * - int proto_spec(const char *); - char *compat_cipher_proposal(char *); - char *compat_pkalg_proposal(char *); -+char *compat_kex_proposal(char *); - - extern int compat13; - extern int compat20; -Index: sshd.c -=================================================================== -RCS file: /var/cvs/openssh/sshd.c,v -retrieving revision 1.448 -retrieving revision 1.453 -diff -u -p -r1.448 -r1.453 ---- a/sshd.c 26 Feb 2014 23:20:08 -0000 1.448 -+++ b/sshd.c 20 Apr 2014 03:28:41 -0000 1.453 -@@ -2462,6 +2438,9 @@ do_ssh2_kex(void) - if (options.kex_algorithms != NULL) - myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms; - -+ myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal( -+ myproposal[PROPOSAL_KEX_ALGS]); -+ - if (options.rekey_limit || options.rekey_interval) - packet_set_rekey_limits((u_int32_t)options.rekey_limit, - (time_t)options.rekey_interval); -Index: sshconnect2.c -=================================================================== -RCS file: /var/cvs/openssh/sshconnect2.c,v -retrieving revision 1.197 -retrieving revision 1.199 -diff -u -p -r1.197 -r1.199 ---- a/sshconnect2.c 4 Feb 2014 00:20:16 -0000 1.197 -+++ b/sshconnect2.c 20 Apr 2014 03:25:31 -0000 1.199 -@@ -195,6 +196,8 @@ ssh_kex2(char *host, struct sockaddr *ho - } - if (options.kex_algorithms != NULL) - myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms; -+ myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal( -+ myproposal[PROPOSAL_KEX_ALGS]); - - if (options.rekey_limit || options.rekey_interval) - packet_set_rekey_limits((u_int32_t)options.rekey_limit, -Index: bufaux.c -=================================================================== -RCS file: /var/cvs/openssh/bufaux.c,v -retrieving revision 1.62 -retrieving revision 1.63 -diff -u -p -r1.62 -r1.63 ---- a/bufaux.c 4 Feb 2014 00:20:15 -0000 1.62 -+++ b/bufaux.c 20 Apr 2014 03:24:50 -0000 1.63 -@@ -1,4 +1,4 @@ --/* $OpenBSD: bufaux.c,v 1.56 2014/02/02 03:44:31 djm Exp $ */ -+/* $OpenBSD: bufaux.c,v 1.57 2014/04/16 23:22:45 djm Exp $ */ - /* - * Author: Tatu Ylonen <ylo@cs.hut.fi> - * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland -@@ -372,6 +372,9 @@ buffer_put_bignum2_from_string(Buffer *b - - if (l > 8 * 1024) - fatal("%s: length %u too long", __func__, l); -+ /* Skip leading zero bytes */ -+ for (; l > 0 && *s == 0; l--, s++) -+ ; - p = buf = xmalloc(l + 1); - /* - * If most significant bit is set then prepend a zero byte to diff --git a/main/openssh/openssh6.6-dynwindows.diff b/main/openssh/openssh6.7-dynwindows.diff index 1708caa752..b49e7688b0 100644 --- a/main/openssh/openssh6.6-dynwindows.diff +++ b/main/openssh/openssh6.7-dynwindows.diff @@ -1,35 +1,20 @@ -diff --git a/buffer.c b/buffer.c -index d240f67..88e16d0 100644 ---- a/buffer.c -+++ b/buffer.c -@@ -128,7 +128,7 @@ restart: - - /* Increase the size of the buffer and retry. */ - newlen = roundup(buffer->alloc + len, BUFFER_ALLOCSZ); -- if (newlen > BUFFER_MAX_LEN) -+ if (newlen > BUFFER_MAX_LEN_HPN) - fatal("buffer_append_space: alloc %u not supported", - newlen); - buffer->buf = xrealloc(buffer->buf, 1, newlen); -diff --git a/buffer.h b/buffer.h -index 7df8a38..244de01 100644 ---- a/buffer.h -+++ b/buffer.h +diff -ru openssh-6.7p1.orig/buffer.h openssh-6.7p1/buffer.h +--- openssh-6.7p1.orig/buffer.h 2014-05-15 07:33:44.000000000 -0300 ++++ openssh-6.7p1/buffer.h 2014-11-21 09:42:27.601954473 -0200 @@ -16,6 +16,9 @@ - #ifndef BUFFER_H - #define BUFFER_H + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ +/* move the following to a more appropriate place and name */ +#define BUFFER_MAX_LEN_HPN 0x4000000 /* 64MB */ + - typedef struct { - u_char *buf; /* Buffer for data. */ - u_int alloc; /* Number of bytes allocated for data. */ -diff --git a/channels.c b/channels.c -index 9efe89c..bb01516 100644 ---- a/channels.c -+++ b/channels.c -@@ -173,8 +173,14 @@ static void port_open_helper(Channel *c, char *rtype); + /* Emulation wrappers for legacy OpenSSH buffer API atop sshbuf */ + + #ifndef BUFFER_H +diff -ru openssh-6.7p1.orig/channels.c openssh-6.7p1/channels.c +--- openssh-6.7p1.orig/channels.c 2014-07-18 07:11:25.000000000 -0300 ++++ openssh-6.7p1/channels.c 2014-11-21 09:42:27.601954473 -0200 +@@ -179,8 +179,14 @@ static int connect_next(struct channel_connect *); static void channel_connect_ctx_free(struct channel_connect *); @@ -44,7 +29,7 @@ index 9efe89c..bb01516 100644 Channel * channel_by_id(int id) { -@@ -323,6 +329,7 @@ channel_new(char *ctype, int type, int rfd, int wfd, int efd, +@@ -329,6 +335,7 @@ c->local_window_max = window; c->local_consumed = 0; c->local_maxpacket = maxpack; @@ -52,7 +37,7 @@ index 9efe89c..bb01516 100644 c->remote_id = -1; c->remote_name = xstrdup(remote_name); c->remote_window = 0; -@@ -819,11 +826,35 @@ channel_pre_open_13(Channel *c, fd_set *readset, fd_set *writeset) +@@ -833,11 +840,35 @@ FD_SET(c->sock, writeset); } @@ -88,7 +73,7 @@ index 9efe89c..bb01516 100644 if (c->istate == CHAN_INPUT_OPEN && limit > 0 && buffer_len(&c->input) < limit && -@@ -1815,14 +1846,21 @@ channel_check_window(Channel *c) +@@ -1842,14 +1873,21 @@ c->local_maxpacket*3) || c->local_window < c->local_window_max/2) && c->local_consumed > 0) { @@ -112,7 +97,7 @@ index 9efe89c..bb01516 100644 c->local_consumed = 0; } return 1; -@@ -2738,6 +2776,15 @@ channel_fwd_bind_addr(const char *listen_addr, int *wildcardp, +@@ -2781,6 +2819,15 @@ return addr; } @@ -126,9 +111,9 @@ index 9efe89c..bb01516 100644 +} + static int - channel_setup_fwd_listener(int type, const char *listen_addr, - u_short listen_port, int *allocated_listen_port, -@@ -2864,9 +2911,15 @@ channel_setup_fwd_listener(int type, const char *listen_addr, + channel_setup_fwd_listener_tcpip(int type, struct Forward *fwd, + int *allocated_listen_port, struct ForwardOptions *fwd_opts) +@@ -2905,9 +2952,15 @@ } /* Allocate a channel number for the socket. */ @@ -142,9 +127,9 @@ index 9efe89c..bb01516 100644 + hpn_buffer_size, CHAN_TCP_PACKET_DEFAULT, + 0, "port listener", 1); c->path = xstrdup(host); - c->host_port = port_to_connect; + c->host_port = fwd->connect_port; c->listening_addr = addr == NULL ? NULL : xstrdup(addr); -@@ -3514,10 +3567,17 @@ x11_create_display_inet(int x11_display_offset, int x11_use_localhost, +@@ -3939,10 +3992,17 @@ *chanids = xcalloc(num_socks + 1, sizeof(**chanids)); for (n = 0; n < num_socks; n++) { sock = socks[n]; @@ -162,11 +147,10 @@ index 9efe89c..bb01516 100644 nc->single_connection = single_connection; (*chanids)[n] = nc->self; } -diff --git a/channels.h b/channels.h -index 4fab9d7..91ef316 100644 ---- a/channels.h -+++ b/channels.h -@@ -132,8 +132,10 @@ struct Channel { +diff -ru openssh-6.7p1.orig/channels.h openssh-6.7p1/channels.h +--- openssh-6.7p1.orig/channels.h 2014-07-18 07:11:26.000000000 -0300 ++++ openssh-6.7p1/channels.h 2014-11-21 09:42:27.601954473 -0200 +@@ -134,8 +134,10 @@ u_int local_window_max; u_int local_consumed; u_int local_maxpacket; @@ -177,7 +161,7 @@ index 4fab9d7..91ef316 100644 char *ctype; /* type */ -@@ -169,8 +171,10 @@ struct Channel { +@@ -171,8 +173,10 @@ /* default window/packet sizes for tcp/x11-fwd-channel */ #define CHAN_SES_PACKET_DEFAULT (32*1024) #define CHAN_SES_WINDOW_DEFAULT (64*CHAN_SES_PACKET_DEFAULT) @@ -188,7 +172,7 @@ index 4fab9d7..91ef316 100644 #define CHAN_X11_PACKET_DEFAULT (16*1024) #define CHAN_X11_WINDOW_DEFAULT (4*CHAN_X11_PACKET_DEFAULT) -@@ -306,4 +310,7 @@ void chan_rcvd_ieof(Channel *); +@@ -311,4 +315,7 @@ void chan_write_failed(Channel *); void chan_obuf_empty(Channel *); @@ -196,33 +180,10 @@ index 4fab9d7..91ef316 100644 +void channel_set_hpn(int, int); + #endif -diff --git a/cipher.c b/cipher.c -index 53d9b4f..74ba34e 100644 ---- a/cipher.c -+++ b/cipher.c -@@ -71,7 +71,7 @@ struct Cipher { - const EVP_CIPHER *(*evptype)(void); - }; - --static const struct Cipher ciphers[] = { -+static struct Cipher ciphers[] = { - { "none", SSH_CIPHER_NONE, 8, 0, 0, 0, 0, 0, EVP_enc_null }, - { "des", SSH_CIPHER_DES, 8, 8, 0, 0, 0, 1, EVP_des_cbc }, - { "3des", SSH_CIPHER_3DES, 8, 16, 0, 0, 0, 1, evp_ssh1_3des }, -@@ -193,7 +193,7 @@ cipher_mask_ssh1(int client) - const Cipher * - cipher_by_name(const char *name) - { -- const Cipher *c; -+ Cipher *c; - for (c = ciphers; c->name != NULL; c++) - if (strcmp(c->name, name) == 0) - return c; -diff --git a/clientloop.c b/clientloop.c -index 59ad3a2..e144fb6 100644 ---- a/clientloop.c -+++ b/clientloop.c -@@ -1891,9 +1891,15 @@ client_request_x11(const char *request_type, int rchan) +diff -ru openssh-6.7p1.orig/clientloop.c openssh-6.7p1/clientloop.c +--- openssh-6.7p1.orig/clientloop.c 2014-07-18 07:11:26.000000000 -0300 ++++ openssh-6.7p1/clientloop.c 2014-11-21 09:42:27.601954473 -0200 +@@ -1899,9 +1899,15 @@ sock = x11_connect_display(); if (sock < 0) return NULL; @@ -238,34 +199,34 @@ index 59ad3a2..e144fb6 100644 c->force_drain = 1; return c; } -@@ -1913,9 +1919,15 @@ client_request_agent(const char *request_type, int rchan) +@@ -1921,9 +1927,15 @@ sock = ssh_get_authentication_socket(); if (sock < 0) return NULL; + if (options.hpn_disabled) -+ c = channel_new("authentication agent connection", -+ SSH_CHANNEL_OPEN, sock, sock, -1, -+ CHAN_X11_WINDOW_DEFAULT, CHAN_TCP_WINDOW_DEFAULT, 0, -+ "authentication agent connection", 1); -+ else c = channel_new("authentication agent connection", SSH_CHANNEL_OPEN, sock, sock, -1, - CHAN_X11_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, ++ CHAN_X11_WINDOW_DEFAULT, CHAN_TCP_WINDOW_DEFAULT, 0, ++ "authentication agent connection", 1); ++ else ++ c = channel_new("authentication agent connection", ++ SSH_CHANNEL_OPEN, sock, sock, -1, + options.hpn_buffer_size, options.hpn_buffer_size, 0, "authentication agent connection", 1); c->force_drain = 1; return c; -@@ -1943,10 +1955,18 @@ client_request_tun_fwd(int tun_mode, int local_tun, int remote_tun) +@@ -1951,10 +1963,18 @@ return -1; } + if(options.hpn_disabled) - c = channel_new("tun", SSH_CHANNEL_OPENING, fd, fd, -1, -- CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1); ++ c = channel_new("tun", SSH_CHANNEL_OPENING, fd, fd, -1, + CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, + 0, "tun", 1); + else -+ c = channel_new("tun", SSH_CHANNEL_OPENING, fd, fd, -1, + c = channel_new("tun", SSH_CHANNEL_OPENING, fd, fd, -1, +- CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1); + options.hpn_buffer_size, CHAN_TCP_PACKET_DEFAULT, + 0, "tun", 1); c->datagram = 1; @@ -275,11 +236,10 @@ index 59ad3a2..e144fb6 100644 #if defined(SSH_TUN_FILTER) if (options.tun_open == SSH_TUNMODE_POINTOPOINT) channel_register_filter(c->self, sys_tun_infilter, -diff --git a/compat.c b/compat.c -index 9d9fabe..235fc59 100644 ---- a/compat.c -+++ b/compat.c -@@ -172,6 +172,15 @@ compat_datafellows(const char *version) +diff -ru openssh-6.7p1.orig/compat.c openssh-6.7p1/compat.c +--- openssh-6.7p1.orig/compat.c 2014-04-20 06:33:59.000000000 -0300 ++++ openssh-6.7p1/compat.c 2014-11-21 09:42:27.601954473 -0200 +@@ -175,6 +175,15 @@ if (match_pattern_list(version, check[i].pat, strlen(check[i].pat), 0) == 1) { datafellows = check[i].bugs; @@ -295,32 +255,30 @@ index 9d9fabe..235fc59 100644 debug("match: %s pat %s compat 0x%08x", version, check[i].pat, datafellows); return; -diff --git a/compat.h b/compat.h -index b174fa1..9937347 100644 ---- a/compat.h -+++ b/compat.h -@@ -59,6 +59,7 @@ - #define SSH_BUG_RFWD_ADDR 0x02000000 +diff -ru openssh-6.7p1.orig/compat.h openssh-6.7p1/compat.h +--- openssh-6.7p1.orig/compat.h 2014-04-20 06:25:31.000000000 -0300 ++++ openssh-6.7p1/compat.h 2014-11-21 09:47:51.058623939 -0200 +@@ -60,6 +60,7 @@ #define SSH_NEW_OPENSSH 0x04000000 #define SSH_BUG_DYNAMIC_RPORT 0x08000000 -+#define SSH_BUG_LARGEWINDOW 0x10000000 + #define SSH_BUG_CURVE25519PAD 0x10000000 ++#define SSH_BUG_LARGEWINDOW 0x20000000 void enable_compat13(void); void enable_compat20(void); -diff --git a/readconf.c b/readconf.c -index dc884c9..ce083f4 100644 ---- a/readconf.c -+++ b/readconf.c -@@ -149,6 +149,7 @@ typedef enum { - oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass, +diff -ru openssh-6.7p1.orig/readconf.c openssh-6.7p1/readconf.c +--- openssh-6.7p1.orig/readconf.c 2014-07-18 07:11:26.000000000 -0300 ++++ openssh-6.7p1/readconf.c 2014-11-21 09:49:31.348624811 -0200 +@@ -151,6 +151,7 @@ oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots, oCanonicalizeFallbackLocal, oCanonicalizePermittedCNAMEs, + oStreamLocalBindMask, oStreamLocalBindUnlink, + oTcpRcvBufPoll, oTcpRcvBuf, oHPNDisabled, oHPNBufferSize, oIgnoredUnknownOption, oDeprecated, oUnsupported } OpCodes; -@@ -263,6 +264,11 @@ static struct { - { "canonicalizepermittedcnames", oCanonicalizePermittedCNAMEs }, +@@ -267,6 +268,11 @@ + { "streamlocalbindunlink", oStreamLocalBindUnlink }, { "ignoreunknown", oIgnoreUnknown }, + { "tcprcvbufpoll", oTcpRcvBufPoll }, @@ -331,7 +289,7 @@ index dc884c9..ce083f4 100644 { NULL, oBadOption } }; -@@ -853,6 +859,18 @@ parse_time: +@@ -877,6 +883,18 @@ intptr = &options->check_host_ip; goto parse_flag; @@ -350,7 +308,7 @@ index dc884c9..ce083f4 100644 case oVerifyHostKeyDNS: intptr = &options->verify_host_key_dns; multistate_ptr = multistate_yesnoask; -@@ -1015,6 +1033,10 @@ parse_int: +@@ -1039,6 +1057,10 @@ intptr = &options->connection_attempts; goto parse_int; @@ -361,7 +319,7 @@ index dc884c9..ce083f4 100644 case oCipher: intptr = &options->cipher; arg = strdelim(&s); -@@ -1561,6 +1583,10 @@ initialize_options(Options * options) +@@ -1602,6 +1624,10 @@ options->ip_qos_interactive = -1; options->ip_qos_bulk = -1; options->request_tty = -1; @@ -372,7 +330,7 @@ index dc884c9..ce083f4 100644 options->proxy_use_fdpass = -1; options->ignored_unknown = NULL; options->num_canonical_domains = 0; -@@ -1707,6 +1733,28 @@ fill_default_options(Options * options) +@@ -1752,6 +1778,28 @@ options->server_alive_interval = 0; if (options->server_alive_count_max == -1) options->server_alive_count_max = 3; @@ -401,11 +359,10 @@ index dc884c9..ce083f4 100644 if (options->control_master == -1) options->control_master = 0; if (options->control_persist == -1) { -diff --git a/readconf.h b/readconf.h -index 75e3f8f..a471114 100644 ---- a/readconf.h -+++ b/readconf.h -@@ -66,6 +66,10 @@ typedef struct { +diff -ru openssh-6.7p1.orig/readconf.h openssh-6.7p1/readconf.h +--- openssh-6.7p1.orig/readconf.h 2014-07-18 07:11:26.000000000 -0300 ++++ openssh-6.7p1/readconf.h 2014-11-21 09:42:27.605287806 -0200 +@@ -57,6 +57,10 @@ int compression_level; /* Compression level 1 (fast) to 9 * (best). */ int tcp_keep_alive; /* Set SO_KEEPALIVE. */ @@ -416,20 +373,19 @@ index 75e3f8f..a471114 100644 int ip_qos_interactive; /* IP ToS/DSCP/class for interactive */ int ip_qos_bulk; /* IP ToS/DSCP/class for bulk traffic */ LogLevel log_level; /* Level for logging. */ -diff --git a/scp.c b/scp.c -index 18d3b1d..2ab8f15 100644 ---- a/scp.c -+++ b/scp.c -@@ -749,7 +749,7 @@ source(int argc, char **argv) +diff -ru openssh-6.7p1.orig/scp.c openssh-6.7p1/scp.c +--- openssh-6.7p1.orig/scp.c 2014-07-02 08:29:01.000000000 -0300 ++++ openssh-6.7p1/scp.c 2014-11-21 09:42:27.605287806 -0200 +@@ -749,7 +749,7 @@ off_t i, statbytes; - size_t amt; + size_t amt, nr; int fd = -1, haderr, indx; - char *last, *name, buf[2048], encname[MAXPATHLEN]; + char *last, *name, buf[16384], encname[MAXPATHLEN]; int len; for (indx = 0; indx < argc; ++indx) { -@@ -914,7 +914,7 @@ sink(int argc, char **argv) +@@ -918,7 +918,7 @@ off_t size, statbytes; unsigned long long ull; int setimes, targisdir, wrerrno = 0; @@ -438,11 +394,10 @@ index 18d3b1d..2ab8f15 100644 struct timeval tv[2]; #define atime tv[0] -diff --git a/servconf.c b/servconf.c -index 7ba65d5..32bb711 100644 ---- a/servconf.c -+++ b/servconf.c -@@ -150,6 +150,9 @@ initialize_server_options(ServerOptions *options) +diff -ru openssh-6.7p1.orig/servconf.c openssh-6.7p1/servconf.c +--- openssh-6.7p1.orig/servconf.c 2014-07-18 07:11:26.000000000 -0300 ++++ openssh-6.7p1/servconf.c 2014-11-21 09:42:27.605287806 -0200 +@@ -154,6 +154,9 @@ options->revoked_keys_file = NULL; options->trusted_user_ca_keys = NULL; options->authorized_principals_file = NULL; @@ -452,7 +407,7 @@ index 7ba65d5..32bb711 100644 options->ip_qos_interactive = -1; options->ip_qos_bulk = -1; options->version_addendum = NULL; -@@ -158,6 +161,11 @@ initialize_server_options(ServerOptions *options) +@@ -162,6 +165,11 @@ void fill_default_server_options(ServerOptions *options) { @@ -464,7 +419,7 @@ index 7ba65d5..32bb711 100644 /* Portable-specific options */ if (options->use_pam == -1) options->use_pam = 0; -@@ -294,6 +302,41 @@ fill_default_server_options(ServerOptions *options) +@@ -302,6 +310,41 @@ } if (options->permit_tun == -1) options->permit_tun = SSH_TUNMODE_NO; @@ -506,15 +461,15 @@ index 7ba65d5..32bb711 100644 if (options->ip_qos_interactive == -1) options->ip_qos_interactive = IPTOS_LOWDELAY; if (options->ip_qos_bulk == -1) -@@ -345,6 +388,7 @@ typedef enum { +@@ -357,6 +400,7 @@ sUsePrivilegeSeparation, sAllowAgentForwarding, sHostCertificate, sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile, + sTcpRcvBufPoll, sHPNDisabled, sHPNBufferSize, sKexAlgorithms, sIPQoS, sVersionAddendum, sAuthorizedKeysCommand, sAuthorizedKeysCommandUser, - sAuthenticationMethods, sHostKeyAgent, -@@ -468,6 +512,9 @@ static struct { + sAuthenticationMethods, sHostKeyAgent, sPermitUserRC, +@@ -483,6 +527,9 @@ { "revokedkeys", sRevokedKeys, SSHCFG_ALL }, { "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL }, { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL }, @@ -524,7 +479,7 @@ index 7ba65d5..32bb711 100644 { "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL }, { "ipqos", sIPQoS, SSHCFG_ALL }, { "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL }, -@@ -500,6 +547,7 @@ parse_token(const char *cp, const char *filename, +@@ -518,6 +565,7 @@ for (i = 0; keywords[i].name; i++) if (strcasecmp(cp, keywords[i].name) == 0) { @@ -532,7 +487,7 @@ index 7ba65d5..32bb711 100644 *flags = keywords[i].flags; return keywords[i].opcode; } -@@ -1042,6 +1090,19 @@ process_server_config_line(ServerOptions *options, char *line, +@@ -1060,6 +1108,19 @@ *intptr = value; break; @@ -552,11 +507,10 @@ index 7ba65d5..32bb711 100644 case sIgnoreUserKnownHosts: intptr = &options->ignore_user_known_hosts; goto parse_flag; -diff --git a/servconf.h b/servconf.h -index 752d1c5..0b9f59d 100644 ---- a/servconf.h -+++ b/servconf.h -@@ -164,6 +164,9 @@ typedef struct { +diff -ru openssh-6.7p1.orig/servconf.h openssh-6.7p1/servconf.h +--- openssh-6.7p1.orig/servconf.h 2014-07-18 07:11:26.000000000 -0300 ++++ openssh-6.7p1/servconf.h 2014-11-21 09:42:27.605287806 -0200 +@@ -166,6 +166,9 @@ char *adm_forced_command; int use_pam; /* Enable auth via PAM */ @@ -566,11 +520,10 @@ index 752d1c5..0b9f59d 100644 int permit_tun; -diff --git a/serverloop.c b/serverloop.c -index 2f8e3a0..4868e5f 100644 ---- a/serverloop.c -+++ b/serverloop.c -@@ -1015,8 +1015,12 @@ server_request_tun(void) +diff -ru openssh-6.7p1.orig/serverloop.c openssh-6.7p1/serverloop.c +--- openssh-6.7p1.orig/serverloop.c 2014-08-19 04:14:17.000000000 -0300 ++++ openssh-6.7p1/serverloop.c 2014-11-21 09:42:27.605287806 -0200 +@@ -1047,8 +1047,12 @@ sock = tun_open(tun, mode); if (sock < 0) goto done; @@ -583,7 +536,7 @@ index 2f8e3a0..4868e5f 100644 c->datagram = 1; #if defined(SSH_TUN_FILTER) if (mode == SSH_TUNMODE_POINTOPOINT) -@@ -1052,6 +1056,8 @@ server_request_session(void) +@@ -1084,6 +1088,8 @@ c = channel_new("session", SSH_CHANNEL_LARVAL, -1, -1, -1, /*window size*/0, CHAN_SES_PACKET_DEFAULT, 0, "server-session", 1); @@ -592,19 +545,18 @@ index 2f8e3a0..4868e5f 100644 if (session_open(the_authctxt, c->self) != 1) { debug("session open failed, free channel %d", c->self); channel_free(c); -diff --git a/session.c b/session.c -index 2bcf818..817afc9 100644 ---- a/session.c -+++ b/session.c -@@ -237,6 +237,7 @@ auth_input_request_forwarding(struct passwd * pw) - } +diff -ru openssh-6.7p1.orig/session.c openssh-6.7p1/session.c +--- openssh-6.7p1.orig/session.c 2014-07-18 07:11:26.000000000 -0300 ++++ openssh-6.7p1/session.c 2014-11-21 09:42:27.605287806 -0200 +@@ -219,6 +219,7 @@ + goto authsock_err; /* Allocate a channel for the authentication agent socket. */ + /* this shouldn't matter if its hpn or not - cjr */ nc = channel_new("auth socket", SSH_CHANNEL_AUTH_SOCKET, sock, sock, -1, CHAN_X11_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT, -@@ -2331,10 +2332,16 @@ session_set_fds(Session *s, int fdin, int fdout, int fderr, int ignore_fderr, +@@ -2328,10 +2329,16 @@ */ if (s->chanid == -1) fatal("no channel for session %d", s->self); @@ -621,11 +573,10 @@ index 2bcf818..817afc9 100644 } /* -diff --git a/sftp.1 b/sftp.1 -index a700c2a..8e00b13 100644 ---- a/sftp.1 -+++ b/sftp.1 -@@ -261,7 +261,8 @@ diagnostic messages from +diff -ru openssh-6.7p1.orig/sftp.1 openssh-6.7p1/sftp.1 +--- openssh-6.7p1.orig/sftp.1 2014-05-15 06:47:37.000000000 -0300 ++++ openssh-6.7p1/sftp.1 2014-11-21 09:42:27.605287806 -0200 +@@ -261,7 +261,8 @@ Specify how many requests may be outstanding at any one time. Increasing this may slightly improve file transfer speed but will increase memory usage. @@ -635,11 +586,10 @@ index a700c2a..8e00b13 100644 .It Fl r Recursively copy entire directories when uploading and downloading. Note that -diff --git a/sftp.c b/sftp.c -index ad1f8c8..1575d5e 100644 ---- a/sftp.c -+++ b/sftp.c -@@ -68,7 +68,7 @@ typedef void EditLine; +diff -ru openssh-6.7p1.orig/sftp.c openssh-6.7p1/sftp.c +--- openssh-6.7p1.orig/sftp.c 2014-07-09 06:07:06.000000000 -0300 ++++ openssh-6.7p1/sftp.c 2014-11-21 09:42:27.605287806 -0200 +@@ -68,7 +68,7 @@ #include "sftp-client.h" #define DEFAULT_COPY_BUFLEN 32768 /* Size of buffer for up/download */ @@ -648,11 +598,10 @@ index ad1f8c8..1575d5e 100644 /* File to read commands from */ FILE* infile; -diff --git a/ssh.c b/ssh.c -index 1e6cb90..7c91d6d 100644 ---- a/ssh.c -+++ b/ssh.c -@@ -1611,6 +1611,9 @@ ssh_session2_open(void) +diff -ru openssh-6.7p1.orig/ssh.c openssh-6.7p1/ssh.c +--- openssh-6.7p1.orig/ssh.c 2014-07-18 08:04:11.000000000 -0300 ++++ openssh-6.7p1/ssh.c 2014-11-21 09:42:27.608621140 -0200 +@@ -1682,6 +1682,9 @@ { Channel *c; int window, packetmax, in, out, err; @@ -662,7 +611,7 @@ index 1e6cb90..7c91d6d 100644 if (stdin_null_flag) { in = open(_PATH_DEVNULL, O_RDONLY); -@@ -1631,9 +1634,74 @@ ssh_session2_open(void) +@@ -1702,9 +1705,74 @@ if (!isatty(err)) set_nonblock(err); @@ -738,7 +687,7 @@ index 1e6cb90..7c91d6d 100644 window >>= 1; packetmax >>= 1; } -@@ -1642,6 +1710,10 @@ ssh_session2_open(void) +@@ -1713,6 +1781,10 @@ window, packetmax, CHAN_EXTENDED_WRITE, "client-session", /*nonblock*/0); @@ -749,11 +698,10 @@ index 1e6cb90..7c91d6d 100644 debug3("ssh_session2_open: channel_new: %d", c->self); channel_send_open(c->self); -diff --git a/sshconnect.c b/sshconnect.c -index 573d7a8..9cf6947 100644 ---- a/sshconnect.c -+++ b/sshconnect.c -@@ -263,6 +263,31 @@ ssh_kill_proxy_command(void) +diff -ru openssh-6.7p1.orig/sshconnect.c openssh-6.7p1/sshconnect.c +--- openssh-6.7p1.orig/sshconnect.c 2014-07-18 07:11:26.000000000 -0300 ++++ openssh-6.7p1/sshconnect.c 2014-11-21 09:42:27.608621140 -0200 +@@ -264,6 +264,31 @@ } /* @@ -785,7 +733,7 @@ index 573d7a8..9cf6947 100644 * Creates a (possibly privileged) socket for use as the ssh connection. */ static int -@@ -278,6 +303,9 @@ ssh_create_socket(int privileged, struct addrinfo *ai) +@@ -279,6 +304,9 @@ } fcntl(sock, F_SETFD, FD_CLOEXEC); @@ -795,7 +743,7 @@ index 573d7a8..9cf6947 100644 /* Bind the socket to an alternative local IP address */ if (options.bind_address == NULL && !privileged) return sock; -@@ -520,10 +548,10 @@ send_client_banner(int connection_out, int minor1) +@@ -521,10 +549,10 @@ /* Send our own protocol version identification. */ if (compat20) { xasprintf(&client_version_string, "SSH-%d.%d-%.100s\r\n", @@ -808,11 +756,10 @@ index 573d7a8..9cf6947 100644 } if (roaming_atomicio(vwrite, connection_out, client_version_string, strlen(client_version_string)) != strlen(client_version_string)) -diff --git a/sshd.c b/sshd.c -index 7523de9..9623887 100644 ---- a/sshd.c -+++ b/sshd.c -@@ -436,7 +436,7 @@ sshd_exchange_identification(int sock_in, int sock_out) +diff -ru openssh-6.7p1.orig/sshd.c openssh-6.7p1/sshd.c +--- openssh-6.7p1.orig/sshd.c 2014-08-26 21:11:55.000000000 -0300 ++++ openssh-6.7p1/sshd.c 2014-11-21 09:42:27.608621140 -0200 +@@ -432,7 +432,7 @@ } xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s", @@ -821,7 +768,7 @@ index 7523de9..9623887 100644 *options.version_addendum == '\0' ? "" : " ", options.version_addendum, newline); -@@ -1082,6 +1082,8 @@ server_listen(void) +@@ -1092,6 +1092,8 @@ int ret, listen_sock, on = 1; struct addrinfo *ai; char ntop[NI_MAXHOST], strport[NI_MAXSERV]; @@ -830,7 +777,7 @@ index 7523de9..9623887 100644 for (ai = options.listen_addrs; ai; ai = ai->ai_next) { if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6) -@@ -1122,6 +1124,11 @@ server_listen(void) +@@ -1132,6 +1134,11 @@ debug("Bind to port %s on %s.", strport, ntop); @@ -842,7 +789,7 @@ index 7523de9..9623887 100644 /* Bind the socket to the desired port. */ if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) < 0) { error("Bind to port %s on %s failed: %.200s.", -@@ -2058,6 +2065,9 @@ main(int ac, char **av) +@@ -2060,6 +2067,9 @@ remote_ip, remote_port, get_local_ipaddr(sock_in), get_local_port()); @@ -852,11 +799,10 @@ index 7523de9..9623887 100644 /* * We don't want to listen forever unless the other side * successfully authenticates itself. So we set up an alarm which is -diff --git a/sshd_config b/sshd_config -index e9045bc..7495fc9 100644 ---- a/sshd_config -+++ b/sshd_config -@@ -125,6 +125,17 @@ UsePrivilegeSeparation sandbox # Default for new installations. +diff -ru openssh-6.7p1.orig/sshd_config openssh-6.7p1/sshd_config +--- openssh-6.7p1.orig/sshd_config 2014-01-12 10:20:47.000000000 -0200 ++++ openssh-6.7p1/sshd_config 2014-11-21 09:42:27.608621140 -0200 +@@ -125,6 +125,17 @@ # override default of no subsystems Subsystem sftp /usr/libexec/sftp-server @@ -874,12 +820,11 @@ index e9045bc..7495fc9 100644 # Example of overriding settings on a per-user basis #Match User anoncvs # X11Forwarding no -diff --git a/version.h b/version.h -index a1579ac..4fe1849 100644 ---- a/version.h -+++ b/version.h +diff -ru openssh-6.7p1.orig/version.h openssh-6.7p1/version.h +--- openssh-6.7p1.orig/version.h 2014-04-20 06:25:31.000000000 -0300 ++++ openssh-6.7p1/version.h 2014-11-21 09:42:27.608621140 -0200 @@ -3,4 +3,5 @@ - #define SSH_VERSION "OpenSSH_6.6" + #define SSH_VERSION "OpenSSH_6.7" #define SSH_PORTABLE "p1" -#define SSH_RELEASE SSH_VERSION SSH_PORTABLE |