Skip site navigation (1)Skip section navigation (2)
Date:      Thu, 10 Mar 2016 20:10:25 +0000 (UTC)
From:      =?UTF-8?Q?Dag-Erling_Sm=c3=b8rgrav?= <des@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-vendor@freebsd.org
Subject:   svn commit: r296619 - in vendor-crypto/openssh/dist: . contrib contrib/redhat contrib/suse openbsd-compat regress regress/unittests/sshkey
Message-ID:  <201603102010.u2AKAPEb088524@repo.freebsd.org>

next in thread | raw e-mail | index | archive | help
Author: des
Date: Thu Mar 10 20:10:25 2016
New Revision: 296619
URL: https://svnweb.freebsd.org/changeset/base/296619

Log:
  Vendor import of OpenSSH 7.2p1.

Added:
  vendor-crypto/openssh/dist/platform-pledge.c   (contents, props changed)
  vendor-crypto/openssh/dist/regress/cert-file.sh   (contents, props changed)
  vendor-crypto/openssh/dist/regress/check-perm.c   (contents, props changed)
  vendor-crypto/openssh/dist/sandbox-pledge.c   (contents, props changed)
  vendor-crypto/openssh/dist/sandbox-solaris.c   (contents, props changed)
Deleted:
  vendor-crypto/openssh/dist/roaming_client.c
  vendor-crypto/openssh/dist/roaming_common.c
  vendor-crypto/openssh/dist/roaming_dummy.c
  vendor-crypto/openssh/dist/roaming_serv.c
Modified:
  vendor-crypto/openssh/dist/ChangeLog
  vendor-crypto/openssh/dist/Makefile.in
  vendor-crypto/openssh/dist/README
  vendor-crypto/openssh/dist/README.platform
  vendor-crypto/openssh/dist/auth-bsdauth.c
  vendor-crypto/openssh/dist/auth-krb5.c
  vendor-crypto/openssh/dist/auth-options.c
  vendor-crypto/openssh/dist/auth-pam.c
  vendor-crypto/openssh/dist/auth.h
  vendor-crypto/openssh/dist/auth2-pubkey.c
  vendor-crypto/openssh/dist/authfd.c
  vendor-crypto/openssh/dist/authfd.h
  vendor-crypto/openssh/dist/authfile.c
  vendor-crypto/openssh/dist/channels.c
  vendor-crypto/openssh/dist/cipher.c
  vendor-crypto/openssh/dist/clientloop.c
  vendor-crypto/openssh/dist/clientloop.h
  vendor-crypto/openssh/dist/config.h.in
  vendor-crypto/openssh/dist/configure
  vendor-crypto/openssh/dist/configure.ac
  vendor-crypto/openssh/dist/contrib/redhat/openssh.spec
  vendor-crypto/openssh/dist/contrib/ssh-copy-id
  vendor-crypto/openssh/dist/contrib/ssh-copy-id.1
  vendor-crypto/openssh/dist/contrib/suse/openssh.spec
  vendor-crypto/openssh/dist/defines.h
  vendor-crypto/openssh/dist/dh.h
  vendor-crypto/openssh/dist/includes.h
  vendor-crypto/openssh/dist/kex.c
  vendor-crypto/openssh/dist/kex.h
  vendor-crypto/openssh/dist/kexc25519s.c
  vendor-crypto/openssh/dist/kexdhs.c
  vendor-crypto/openssh/dist/kexecdhs.c
  vendor-crypto/openssh/dist/kexgexs.c
  vendor-crypto/openssh/dist/key.c
  vendor-crypto/openssh/dist/key.h
  vendor-crypto/openssh/dist/krl.c
  vendor-crypto/openssh/dist/krl.h
  vendor-crypto/openssh/dist/loginrec.c
  vendor-crypto/openssh/dist/misc.c
  vendor-crypto/openssh/dist/moduli.0
  vendor-crypto/openssh/dist/monitor.c
  vendor-crypto/openssh/dist/monitor_wrap.c
  vendor-crypto/openssh/dist/monitor_wrap.h
  vendor-crypto/openssh/dist/mux.c
  vendor-crypto/openssh/dist/myproposal.h
  vendor-crypto/openssh/dist/opacket.c
  vendor-crypto/openssh/dist/opacket.h
  vendor-crypto/openssh/dist/openbsd-compat/bsd-misc.c
  vendor-crypto/openssh/dist/openbsd-compat/bsd-misc.h
  vendor-crypto/openssh/dist/openbsd-compat/bsd-poll.h
  vendor-crypto/openssh/dist/openbsd-compat/glob.c
  vendor-crypto/openssh/dist/openbsd-compat/glob.h
  vendor-crypto/openssh/dist/openbsd-compat/openbsd-compat.h
  vendor-crypto/openssh/dist/openbsd-compat/port-solaris.c
  vendor-crypto/openssh/dist/openbsd-compat/port-solaris.h
  vendor-crypto/openssh/dist/openbsd-compat/realpath.c
  vendor-crypto/openssh/dist/packet.c
  vendor-crypto/openssh/dist/packet.h
  vendor-crypto/openssh/dist/platform.h
  vendor-crypto/openssh/dist/readconf.c
  vendor-crypto/openssh/dist/readconf.h
  vendor-crypto/openssh/dist/readpass.c
  vendor-crypto/openssh/dist/regress/Makefile
  vendor-crypto/openssh/dist/regress/agent-ptrace.sh
  vendor-crypto/openssh/dist/regress/dhgex.sh
  vendor-crypto/openssh/dist/regress/hostkey-rotate.sh
  vendor-crypto/openssh/dist/regress/keys-command.sh
  vendor-crypto/openssh/dist/regress/keyscan.sh
  vendor-crypto/openssh/dist/regress/limit-keytype.sh
  vendor-crypto/openssh/dist/regress/principals-command.sh
  vendor-crypto/openssh/dist/regress/proxy-connect.sh
  vendor-crypto/openssh/dist/regress/rekey.sh
  vendor-crypto/openssh/dist/regress/setuid-allowed.c
  vendor-crypto/openssh/dist/regress/sftp-chroot.sh
  vendor-crypto/openssh/dist/regress/unittests/sshkey/test_file.c
  vendor-crypto/openssh/dist/regress/unittests/sshkey/test_fuzz.c
  vendor-crypto/openssh/dist/regress/unittests/sshkey/test_sshkey.c
  vendor-crypto/openssh/dist/roaming.h
  vendor-crypto/openssh/dist/sandbox-seccomp-filter.c
  vendor-crypto/openssh/dist/sandbox-systrace.c
  vendor-crypto/openssh/dist/scp.0
  vendor-crypto/openssh/dist/scp.1
  vendor-crypto/openssh/dist/scp.c
  vendor-crypto/openssh/dist/servconf.c
  vendor-crypto/openssh/dist/serverloop.c
  vendor-crypto/openssh/dist/session.c
  vendor-crypto/openssh/dist/sftp-client.c
  vendor-crypto/openssh/dist/sftp-client.h
  vendor-crypto/openssh/dist/sftp-server-main.c
  vendor-crypto/openssh/dist/sftp-server.0
  vendor-crypto/openssh/dist/sftp-server.c
  vendor-crypto/openssh/dist/sftp.0
  vendor-crypto/openssh/dist/sftp.1
  vendor-crypto/openssh/dist/sftp.c
  vendor-crypto/openssh/dist/ssh-add.0
  vendor-crypto/openssh/dist/ssh-add.c
  vendor-crypto/openssh/dist/ssh-agent.0
  vendor-crypto/openssh/dist/ssh-agent.1
  vendor-crypto/openssh/dist/ssh-agent.c
  vendor-crypto/openssh/dist/ssh-dss.c
  vendor-crypto/openssh/dist/ssh-ecdsa.c
  vendor-crypto/openssh/dist/ssh-keygen.0
  vendor-crypto/openssh/dist/ssh-keygen.1
  vendor-crypto/openssh/dist/ssh-keygen.c
  vendor-crypto/openssh/dist/ssh-keyscan.0
  vendor-crypto/openssh/dist/ssh-keyscan.1
  vendor-crypto/openssh/dist/ssh-keyscan.c
  vendor-crypto/openssh/dist/ssh-keysign.0
  vendor-crypto/openssh/dist/ssh-keysign.8
  vendor-crypto/openssh/dist/ssh-keysign.c
  vendor-crypto/openssh/dist/ssh-pkcs11-client.c
  vendor-crypto/openssh/dist/ssh-pkcs11-helper.0
  vendor-crypto/openssh/dist/ssh-pkcs11-helper.c
  vendor-crypto/openssh/dist/ssh-pkcs11.c
  vendor-crypto/openssh/dist/ssh-rsa.c
  vendor-crypto/openssh/dist/ssh.0
  vendor-crypto/openssh/dist/ssh.1
  vendor-crypto/openssh/dist/ssh.c
  vendor-crypto/openssh/dist/ssh.h
  vendor-crypto/openssh/dist/ssh2.h
  vendor-crypto/openssh/dist/ssh_api.c
  vendor-crypto/openssh/dist/ssh_config
  vendor-crypto/openssh/dist/ssh_config.0
  vendor-crypto/openssh/dist/ssh_config.5
  vendor-crypto/openssh/dist/sshbuf-getput-basic.c
  vendor-crypto/openssh/dist/sshbuf.c
  vendor-crypto/openssh/dist/sshbuf.h
  vendor-crypto/openssh/dist/sshconnect.c
  vendor-crypto/openssh/dist/sshconnect.h
  vendor-crypto/openssh/dist/sshconnect1.c
  vendor-crypto/openssh/dist/sshconnect2.c
  vendor-crypto/openssh/dist/sshd.0
  vendor-crypto/openssh/dist/sshd.8
  vendor-crypto/openssh/dist/sshd.c
  vendor-crypto/openssh/dist/sshd_config
  vendor-crypto/openssh/dist/sshd_config.0
  vendor-crypto/openssh/dist/sshd_config.5
  vendor-crypto/openssh/dist/ssherr.c
  vendor-crypto/openssh/dist/sshkey.c
  vendor-crypto/openssh/dist/sshkey.h
  vendor-crypto/openssh/dist/sshlogin.c
  vendor-crypto/openssh/dist/uidswap.c
  vendor-crypto/openssh/dist/version.h
  vendor-crypto/openssh/dist/xmalloc.c
  vendor-crypto/openssh/dist/xmalloc.h

Modified: vendor-crypto/openssh/dist/ChangeLog
==============================================================================
--- vendor-crypto/openssh/dist/ChangeLog	Thu Mar 10 18:21:03 2016	(r296618)
+++ vendor-crypto/openssh/dist/ChangeLog	Thu Mar 10 20:10:25 2016	(r296619)
@@ -1,7615 +1,8907 @@
-commit c88ac102f0eb89f2eaa314cb2e2e0ca3c890c443
-Author: Damien Miller <djm@mindrot.org>
-Date:   Thu Jan 14 11:08:19 2016 +1100
+commit 72b061d4ba0f909501c595d709ea76e06b01e5c9
+Author: Darren Tucker <dtucker@zip.com.au>
+Date:   Fri Feb 26 14:40:04 2016 +1100
 
-    bump version numbers
+    Add a note about using xlc on AIX.
+
+commit fd4e4f2416baa2e6565ea49d52aade296bad3e28
+Author: Darren Tucker <dtucker@zip.com.au>
+Date:   Wed Feb 24 10:44:25 2016 +1100
+
+    Skip PrintLastLog in config dump mode.
+    
+    When DISABLE_LASTLOG is set, do not try to include PrintLastLog in the
+    config dump since it'll be reported as UNKNOWN.
 
-commit 302bc21e6fadacb04b665868cd69b625ef69df90
+commit 99135c764fa250801da5ec3b8d06cbd0111caae8
 Author: Damien Miller <djm@mindrot.org>
-Date:   Thu Jan 14 11:04:04 2016 +1100
+Date:   Tue Feb 23 20:17:23 2016 +1100
 
-    openssh-7.1p2
+    update spec/README versions ahead of release
 
-commit 6b33763242c063e4e0593877e835eeb1fd1b60aa
+commit b86a334aaaa4d1e643eb1fd71f718573d6d948b5
 Author: Damien Miller <djm@mindrot.org>
-Date:   Thu Jan 14 11:02:58 2016 +1100
+Date:   Tue Feb 23 20:16:53 2016 +1100
 
-    forcibly disable roaming support in the client
+    put back portable patchlevel to p1
 
-commit 34d364f0d2e1e30a444009f0e04299bb7c94ba13
+commit 555dd35ff176847e3c6bd068ba2e8db4022eb24f
 Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Mon Oct 5 17:11:21 2015 +0000
+Date:   Tue Feb 23 09:14:34 2016 +0000
 
     upstream commit
     
-    some more bzero->explicit_bzero, from Michael McConville
+    openssh-7.2
     
-    Upstream-ID: 17f19545685c33327db2efdc357c1c9225ff00d0
+    Upstream-ID: 9db776b26014147fc907ece8460ef2bcb0f11e78
 
-commit 8f5b93026797b9f7fba90d0c717570421ccebbd3
-Author: guenther@openbsd.org <guenther@openbsd.org>
-Date:   Fri Sep 11 08:50:04 2015 +0000
+commit 1acc058d0a7913838c830ed998a1a1fb5b7864bf
+Author: Damien Miller <djm@mindrot.org>
+Date:   Tue Feb 23 16:12:13 2016 +1100
 
-    upstream commit
-    
-    Use explicit_bzero() when zeroing before free()
+    Disable tests where fs perms are incorrect
     
-    from Michael McConville (mmcconv1 (at) sccs.swarthmore.edu)
-    ok millert@ djm@
+    Some tests have strict requirements on the filesystem permissions
+    for certain files and directories. This adds a regress/check-perm
+    tool that copies the relevant logic from sshd to exactly test
+    the paths in question. This lets us skip tests when the local
+    filesystem doesn't conform to our expectations rather than
+    continuing and failing the test run.
     
-    Upstream-ID: 2e3337db046c3fe70c7369ee31515ac73ec00f50
+    ok dtucker@
 
-commit d77148e3a3ef6c29b26ec74331455394581aa257
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Sun Nov 8 21:59:11 2015 +0000
+commit 39f303b1f36d934d8410b05625f25c7bcb75db4d
+Author: Damien Miller <djm@mindrot.org>
+Date:   Tue Feb 23 12:56:59 2016 +1100
 
-    upstream commit
+    fix sandbox on OSX Lion
     
-    fix OOB read in packet code caused by missing return
-     statement found by Ben Hawkes; ok markus@ deraadt@
+    sshd was failing with:
     
-    Upstream-ID: a3e3a85434ebfa0690d4879091959591f30efc62
-
-commit 076d849e17ab12603627f87b301e2dca71bae518
-Author: Damien Miller <djm@mindrot.org>
-Date:   Sat Nov 14 18:44:49 2015 +1100
-
-    read back from libcrypto RAND when privdropping
+    ssh_sandbox_child: sandbox_init: dlopen(/usr/lib/libsandbox.1.dylib, 261):cw
+      image not found [preauth]
     
-    makes certain libcrypto implementations cache a /dev/urandom fd
-    in preparation of sandboxing. Based on patch by Greg Hartman.
+    caused by chroot before sandboxing. Avoid by explicitly linking libsandbox
+    to sshd. Spotted by Darren.
 
-commit f72adc0150011a28f177617a8456e1f83733099d
+commit 0d1451a32c7436e6d3d482351e776bc5e7824ce4
 Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Sun Dec 13 22:42:23 2015 +0000
+Date:   Tue Feb 23 01:34:14 2016 +0000
 
     upstream commit
     
-    unbreak connections with peers that set
-     first_kex_follows; fix from Matt Johnston va bz#2515
+    fix spurious error message when incorrect passphrase
+     entered for keys; reported by espie@ ok deraadt@
     
-    Upstream-ID: decc88ec4fc7515594fdb42b04aa03189a44184b
+    Upstream-ID: 58b2e46e63ed6912ed1ee780bd3bd8560f9a5899
 
-commit 04bd8d019ccd906cac1a2b362517b8505f3759e6
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Tue Jan 12 23:42:54 2016 +0000
+commit 09d87d79741beb85768b5e788d7dfdf4bc3543dc
+Author: sobrado@openbsd.org <sobrado@openbsd.org>
+Date:   Sat Feb 20 23:06:23 2016 +0000
 
     upstream commit
     
-    use explicit_bzero() more liberally in the buffer code; ok
-     deraadt
+    set ssh(1) protocol version to 2 only.
     
-    Upstream-ID: 0ece37069fd66bc6e4f55eb1321f93df372b65bf
+    ok djm@
+    
+    Upstream-ID: e168daf9d27d7e392e3c9923826bd8e87b2b3a10
 
-commit e91346dc2bbf460246df2ab591b7613908c1b0ad
-Author: Damien Miller <djm@mindrot.org>
-Date:   Fri Aug 21 14:49:03 2015 +1000
+commit 9262e07826ba5eebf8423f7ac9e47ec488c47869
+Author: sobrado@openbsd.org <sobrado@openbsd.org>
+Date:   Sat Feb 20 23:02:39 2016 +0000
 
-    we don't use Github for issues/pull-requests
+    upstream commit
+    
+    add missing ~/.ssh/id_ecdsa and ~/.ssh/id_ed25519 to
+     IdentityFile.
+    
+    ok djm@
+    
+    Upstream-ID: 6ce99466312e4ae7708017c3665e3edb976f70cf
 
-commit a4f5b507c708cc3dc2c8dd2d02e4416d7514dc23
-Author: Damien Miller <djm@mindrot.org>
-Date:   Fri Aug 21 14:43:55 2015 +1000
+commit c12f0fdce8f985fca8d71829fd64c5b89dc777f5
+Author: sobrado@openbsd.org <sobrado@openbsd.org>
+Date:   Sat Feb 20 23:01:46 2016 +0000
 
-    fix URL for connect.c
+    upstream commit
+    
+    AddressFamily defaults to any.
+    
+    ok djm@
+    
+    Upstream-ID: 0d94aa06a4b889bf57a7f631c45ba36d24c13e0c
 
-commit d026a8d3da0f8186598442997c7d0a28e7275414
-Author: Damien Miller <djm@mindrot.org>
-Date:   Fri Aug 21 13:47:10 2015 +1000
+commit 907091acb188b1057d50c2158f74c3ecf1c2302b
+Author: Darren Tucker <dtucker@zip.com.au>
+Date:   Fri Feb 19 09:05:39 2016 +1100
 
-    update version numbers for 7.1
+    Make Solaris privs code build on older systems.
+    
+    Not all systems with Solaris privs have priv_basicset so factor that
+    out and provide backward compatibility code.  Similarly, not all have
+    PRIV_NET_ACCESS so wrap that in #ifdef.  Based on code from
+    alex at cooperi.net and djm@ with help from carson at taltos.org and
+    wieland at purdue.edu.
 
-commit 78f8f589f0ca1c9f41e5a9bae3cda5ce8a6b42ed
+commit 292a8dee14e5e67dcd1b49ba5c7b9023e8420d59
 Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Fri Aug 21 03:45:26 2015 +0000
+Date:   Wed Feb 17 22:20:14 2016 +0000
 
     upstream commit
     
-    openssh-7.1
+    rekey refactor broke SSH1; spotted by Tom G. Christensen
     
-    Upstream-ID: ff7b1ef4b06caddfb45e08ba998128c88be3d73f
+    Upstream-ID: 43f0d57928cc077c949af0bfa71ef574dcb58243
 
-commit 32a181980c62fce94f7f9ffaf6a79d90f0c309cf
+commit 3a13cb543df9919aec2fc6b75f3dd3802facaeca
 Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Fri Aug 21 03:42:19 2015 +0000
+Date:   Wed Feb 17 08:57:34 2016 +0000
 
     upstream commit
     
-    fix inverted logic that broke PermitRootLogin; reported
-     by Mantas Mikulenas; ok markus@
+    rsa-sha2-512,rsa-sha2-256 cannot be selected explicitly
+     in *KeyTypes options yet. Remove them from the lists of algorithms for now.
+     committing on behalf of markus@ ok djm@
     
-    Upstream-ID: 260dd6a904c1bb7e43267e394b1c9cf70bdd5ea5
+    Upstream-ID: c6e8820eb8e610ac21551832c0c89684a9a51bb7
 
-commit ce445b0ed927e45bd5bdce8f836eb353998dd65c
-Author: deraadt@openbsd.org <deraadt@openbsd.org>
-Date:   Thu Aug 20 22:32:42 2015 +0000
+commit a685ae8d1c24fb7c712c55a4f3280ee76f5f1e4b
+Author: jmc@openbsd.org <jmc@openbsd.org>
+Date:   Wed Feb 17 07:38:19 2016 +0000
 
     upstream commit
     
-    Do not cast result of malloc/calloc/realloc* if stdlib.h
-     is in scope ok krw millert
-    
-    Upstream-ID: 5e50ded78cadf3841556649a16cc4b1cb6c58667
-
-commit 05291e5288704d1a98bacda269eb5a0153599146
-Author: naddy@openbsd.org <naddy@openbsd.org>
-Date:   Thu Aug 20 19:20:06 2015 +0000
-
-    upstream commit
+    since these pages now clearly tell folks to avoid v1,
+     normalise the docs from a v2 perspective (i.e. stop pointing out which bits
+     are v2 only);
     
-    In the certificates section, be consistent about using
-     "host_key" and "user_key" for the respective key types.  ok sthen@ deraadt@
+    ok/tweaks djm ok markus
     
-    Upstream-ID: 9e037ea3b15577b238604c5533e082a3947f13cb
+    Upstream-ID: eb474f8c36fb6a532dc05c282f7965e38dcfa129
 
-commit 8543d4ef6f2e9f98c3e6b77c894ceec30c5e4ae4
+commit c5c3f3279a0e4044b8de71b70d3570d692d0f29d
 Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Wed Aug 19 23:21:42 2015 +0000
+Date:   Wed Feb 17 05:29:04 2016 +0000
 
     upstream commit
     
-    Better compat matching for WinSCP, add compat matching
-     for FuTTY (fork of PuTTY); ok markus@ deraadt@
+    make sandboxed privilege separation the default, not just
+     for new installs; "absolutely" deraadt@
     
-    Upstream-ID: 24001d1ac115fa3260fbdc329a4b9aeb283c5389
+    Upstream-ID: 5221ef3b927d2df044e9aa3f5db74ae91743f69b
 
-commit ec6eda16ebab771aa3dfc90629b41953b999cb1e
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Wed Aug 19 23:19:01 2015 +0000
+commit eb3f7337a651aa01d5dec019025e6cdc124ed081
+Author: jmc@openbsd.org <jmc@openbsd.org>
+Date:   Tue Feb 16 07:47:54 2016 +0000
 
     upstream commit
     
-    fix double-free() in error path of DSA key generation
-     reported by Mateusz Kocielski; ok markus@
+    no need to state that protocol 2 is the default twice;
     
-    Upstream-ID: 4735d8f888b10599a935fa1b374787089116713c
+    Upstream-ID: b1e4c36b0c2e12e338e5b66e2978f2ac953b95eb
 
-commit 45b0eb752c94954a6de046bfaaf129e518ad4b5b
+commit e7901efa9b24e5b0c7e74f2c5520d47eead4d005
 Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Wed Aug 19 23:18:26 2015 +0000
+Date:   Tue Feb 16 05:11:04 2016 +0000
 
     upstream commit
     
-    fix free() of uninitialised pointer reported by Mateusz
-     Kocielski; ok markus@
+    Replace list of ciphers and MACs adjacent to -1/-2 flag
+     descriptions in ssh(1) with a strong recommendation not to use protocol 1.
+     Add a similar warning to the Protocol option descriptions in ssh_config(5)
+     and sshd_config(5);
     
-    Upstream-ID: 519552b050618501a06b7b023de5cb104e2c5663
+    prompted by and ok mmcc@
+    
+    Upstream-ID: 961f99e5437d50e636feca023978950a232ead5e
 
-commit c837643b93509a3ef538cb6624b678c5fe32ff79
+commit 5a0fcb77287342e2fc2ba1cee79b6af108973dc2
 Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Wed Aug 19 23:17:51 2015 +0000
+Date:   Tue Feb 16 03:37:48 2016 +0000
 
     upstream commit
     
-    fixed unlink([uninitialised memory]) reported by Mateusz
-     Kocielski; ok markus@
+    add a "Close session" log entry (at loglevel=verbose) to
+     correspond to the existing "Starting session" one. Also include the session
+     id number to make multiplexed sessions more apparent.
     
-    Upstream-ID: 14a0c4e7d891f5a8dabc4b89d4f6b7c0d5a20109
+    feedback and ok dtucker@
+    
+    Upstream-ID: e72d2ac080e02774376325136e532cb24c2e617c
 
-commit 1f8d3d629cd553031021068eb9c646a5f1e50994
-Author: jmc@openbsd.org <jmc@openbsd.org>
-Date:   Fri Aug 14 15:32:41 2015 +0000
+commit 624fd395b559820705171f460dd33d67743d13d6
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Wed Feb 17 02:24:17 2016 +0000
 
     upstream commit
     
-    match myproposal.h order; from brian conway (i snuck in a
-     tweak while here)
-    
-    ok dtucker
+    include bad $SSH_CONNECTION in failure output
     
-    Upstream-ID: 35174a19b5237ea36aa3798f042bf5933b772c67
+    Upstream-Regress-ID: b22d72edfde78c403aaec2b9c9753ef633cc0529
 
-commit 1dc8d93ce69d6565747eb44446ed117187621b26
-Author: deraadt@openbsd.org <deraadt@openbsd.org>
-Date:   Thu Aug 6 14:53:21 2015 +0000
+commit 60d860e54b4f199e5e89963b1c086981309753cb
+Author: Darren Tucker <dtucker@zip.com.au>
+Date:   Wed Feb 17 13:37:09 2016 +1100
 
-    upstream commit
-    
-    add prohibit-password as a synonymn for without-password,
-     since the without-password is causing too many questions.  Harden it to ban
-     all but pubkey, hostbased, and GSSAPI auth (when the latter is enabled) from
-     djm, ok markus
+    Rollback addition of va_start.
     
-    Upstream-ID: d53317d7b28942153e6236d3fd6e12ceb482db7a
+    va_start was added in 0f754e29dd3760fc0b172c1220f18b753fb0957e, however
+    it has the wrong number of args and it's not usable in non-variadic
+    functions anyway so it breaks things (for example Solaris 2.6 as
+    reported by Tom G. Christensen).i  ok djm@
 
-commit 90a95a4745a531b62b81ce3b025e892bdc434de5
-Author: Damien Miller <djm@mindrot.org>
-Date:   Tue Aug 11 13:53:41 2015 +1000
+commit 2fee909c3cee2472a98b26eb82696297b81e0d38
+Author: Darren Tucker <dtucker@zip.com.au>
+Date:   Wed Feb 17 09:48:15 2016 +1100
 
-    update version in README
+    Look for gethostbyname in libresolv and libnsl.
+    
+    Should fix build problem on Solaris 2.6 reported by Tom G. Christensen.
 
-commit 318c37743534b58124f1bab37a8a0087a3a9bd2f
+commit 5ac712d81a84396aab441a272ec429af5b738302
 Author: Damien Miller <djm@mindrot.org>
-Date:   Tue Aug 11 13:53:09 2015 +1000
+Date:   Tue Feb 16 10:45:02 2016 +1100
 
-    update versions in *.spec
+    make existing ssh_malloc_init only for __OpenBSD__
 
-commit 5e75f5198769056089fb06c4d738ab0e5abc66f7
-Author: Damien Miller <djm@mindrot.org>
-Date:   Tue Aug 11 13:34:12 2015 +1000
+commit 24c9bded569d9f2449ded73f92fb6d12db7a9eec
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Mon Feb 15 23:32:37 2016 +0000
 
-    set sshpam_ctxt to NULL after free
+    upstream commit
     
-    Avoids use-after-free in monitor when privsep child is compromised.
-    Reported by Moritz Jodeit; ok dtucker@
-
-commit d4697fe9a28dab7255c60433e4dd23cf7fce8a8b
-Author: Damien Miller <djm@mindrot.org>
-Date:   Tue Aug 11 13:33:24 2015 +1000
-
-    Don't resend username to PAM; it already has it.
+    memleak of algorithm name in mm_answer_sign; reported by
+     Jakub Jelen
     
-    Pointed out by Moritz Jodeit; ok dtucker@
-
-commit 88763a6c893bf3dfe951ba9271bf09715e8d91ca
-Author: Darren Tucker <dtucker@zip.com.au>
-Date:   Mon Jul 27 12:14:25 2015 +1000
-
-    Import updated moduli file from OpenBSD.
+    Upstream-ID: ccd742cd25952240ebd23d7d4d6b605862584d08
 
-commit 55b263fb7cfeacb81aaf1c2036e0394c881637da
-Author: Damien Miller <djm@mindrot.org>
-Date:   Mon Aug 10 11:13:44 2015 +1000
+commit ffb1e7e896139a42ceb78676f637658f44612411
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date:   Mon Feb 15 09:47:49 2016 +0000
 
-    let principals-command.sh work for noexec /var/run
+    upstream commit
+    
+    Add a function to enable security-related malloc_options.
+      With and ok deraadt@, something similar has been in the snaps for a while.
+    
+    Upstream-ID: 43a95523b832b7f3b943d2908662191110c380ed
 
-commit 2651e34cd11b1aac3a0fe23b86d8c2ff35c07897
+commit ef39e8c0497ff0564990a4f9e8b7338b3ba3507c
 Author: Damien Miller <djm@mindrot.org>
-Date:   Thu Aug 6 11:43:42 2015 +1000
+Date:   Tue Feb 16 10:34:39 2016 +1100
 
-    work around echo -n / sed behaviour in tests
+    sync ssh-copy-id with upstream 783ef08b0a75
 
-commit d85dad81778c1aa8106acd46930b25fdf0d15b2a
+commit d2d772f55b19bb0e8d03c2fe1b9bb176d9779efd
 Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Wed Aug 5 05:27:33 2015 +0000
+Date:   Fri Feb 12 00:20:30 2016 +0000
 
     upstream commit
     
-    adjust for RSA minimum modulus switch; ok deraadt@
+    avoid fatal() for PKCS11 tokens that present empty key IDs
+     bz#1773, ok markus@
     
-    Upstream-Regress-ID: 5a72c83431b96224d583c573ca281cd3a3ebfdae
+    Upstream-ID: 044a764fee526f2c4a9d530bd10695422d01fc54
 
-commit 57e8e229bad5fe6056b5f1199665f5f7008192c6
+commit e4c918a6c721410792b287c9fd21356a1bed5805
 Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Tue Aug 4 05:23:06 2015 +0000
+Date:   Thu Feb 11 02:56:32 2016 +0000
 
     upstream commit
     
-    backout SSH_RSA_MINIMUM_MODULUS_SIZE increase for this
-     release; problems spotted by sthen@ ok deraadt@ markus@
+    sync crypto algorithm lists in ssh_config(5) and
+     sshd_config(5) with current reality. bz#2527
     
-    Upstream-ID: d0bd60dde9e8c3cd7030007680371894c1499822
+    Upstream-ID: d7fd1b6c1ed848d866236bcb1d7049d2bb9b2ff6
 
-commit f097d0ea1e0889ca0fa2e53a00214e43ab7fa22a
+commit e30cabfa4ab456a30b3224f7f545f1bdfc4a2517
 Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Sun Aug 2 09:56:42 2015 +0000
+Date:   Thu Feb 11 02:21:34 2016 +0000
 
     upstream commit
     
-    openssh 7.0; ok deraadt@
+    fix regression in openssh-6.8 sftp client: existing
+     destination directories would incorrectly terminate recursive uploads;
+     bz#2528
     
-    Upstream-ID: c63afdef537f57f28ae84145c5a8e29e9250221f
+    Upstream-ID: 3306be469f41f26758e3d447987ac6d662623e18
 
-commit 3d5728a0f6874ce4efb16913a12963595070f3a9
-Author: chris@openbsd.org <chris@openbsd.org>
-Date:   Fri Jul 31 15:38:09 2015 +0000
+commit 714e367226ded4dc3897078be48b961637350b05
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Tue Feb 9 05:30:04 2016 +0000
 
     upstream commit
     
-    Allow PermitRootLogin to be overridden by config
-    
-    ok markus@ deeradt@
+    turn off more old crypto in the client: hmac-md5, ripemd,
+     truncated HMACs, RC4, blowfish. ok markus@ dtucker@
     
-    Upstream-ID: 5cf3e26ed702888de84e2dc9d0054ccf4d9125b4
+    Upstream-ID: 96aa11c2c082be45267a690c12f1d2aae6acd46e
 
-commit 6f941396b6835ad18018845f515b0c4fe20be21a
+commit 5a622844ff7f78dcb75e223399f9ef0977e8d0a3
 Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Thu Jul 30 23:09:15 2015 +0000
+Date:   Mon Feb 8 23:40:12 2016 +0000
 
     upstream commit
     
-    fix pty permissions; patch from Nikolay Edigaryev; ok
-     deraadt
+    don't attempt to percent_expand() already-canonicalised
+     addresses, avoiding unnecessary failures when attempting to connect to scoped
+     IPv6 addresses (that naturally contain '%' characters)
     
-    Upstream-ID: 40ff076d2878b916fbfd8e4f45dbe5bec019e550
+    Upstream-ID: f24569cffa1a7cbde5f08dc739a72f4d78aa5c6a
 
-commit f4373ed1e8fbc7c8ce3fc4ea97d0ba2e0c1d7ef0
-Author: deraadt@openbsd.org <deraadt@openbsd.org>
-Date:   Thu Jul 30 19:23:02 2015 +0000
+commit 19bcf2ea2d17413f2d9730dd2a19575ff86b9b6a
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Mon Feb 8 10:57:07 2016 +0000
 
     upstream commit
     
-    change default: PermitRootLogin without-password matching
-     install script changes coming as well ok djm markus
+    refactor activation of rekeying
     
-    Upstream-ID: 0e2a6c4441daf5498b47a61767382bead5eb8ea6
+    This makes automatic rekeying internal to the packet code (previously
+    the server and client loops needed to assist). In doing to it makes
+    application of rekey limits more accurate by accounting for packets
+    about to be sent as well as packets queued during rekeying events
+    themselves.
+    
+    Based on a patch from dtucker@ which was in turn based on a patch
+    Aleksander Adamowski in bz#2521; ok markus@
+    
+    Upstream-ID: a441227fd64f9739850ca97b4cf794202860fcd8
 
-commit 0c30ba91f87fcda7e975e6ff8a057f624e87ea1c
-Author: Damien Miller <djm@mindrot.org>
-Date:   Thu Jul 30 12:31:39 2015 +1000
+commit 603ba41179e4b53951c7b90ee95b6ef3faa3f15d
+Author: naddy@openbsd.org <naddy@openbsd.org>
+Date:   Fri Feb 5 13:28:19 2016 +0000
 
-    downgrade OOM adjustment logging: verbose -> debug
+    upstream commit
+    
+    Only check errno if read() has returned an error.  EOF is
+     not an error. This fixes a problem where the mux master would sporadically
+     fail to notice that the client had exited. ok mikeb@ djm@
+    
+    Upstream-ID: 3c2dadc21fac6ef64665688aac8a75fffd57ae53
 
-commit f9eca249d4961f28ae4b09186d7dc91de74b5895
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Thu Jul 30 00:01:34 2015 +0000
+commit 56d7dac790693ce420d225119283bc355cff9185
+Author: jsg@openbsd.org <jsg@openbsd.org>
+Date:   Fri Feb 5 04:31:21 2016 +0000
 
     upstream commit
     
-    Allow ssh_config and sshd_config kex parameters options be
-     prefixed by a '+' to indicate that the specified items be appended to the
-     default rather than replacing it.
-    
-    approach suggested by dtucker@, feedback dlg@, ok markus@
+    avoid an uninitialised value when NumberOfPasswordPrompts
+     is 0 ok markus@ djm@
     
-    Upstream-ID: 0f901137298fc17095d5756ff1561a7028e8882a
+    Upstream-ID: 11b068d83c2865343aeb46acf1e9eec00f829b6b
 
-commit 5cefe769105a2a2e3ca7479d28d9a325d5ef0163
+commit deae7d52d59c5019c528f977360d87fdda15d20b
 Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Wed Jul 29 08:34:54 2015 +0000
+Date:   Fri Feb 5 03:07:06 2016 +0000
 
     upstream commit
     
-    fix bug in previous; was printing incorrect string for
-     failed host key algorithms negotiation
+    mention internal DH-GEX fallback groups; bz#2302
     
-    Upstream-ID: 22c0dc6bc61930513065d92e11f0753adc4c6e6e
+    Upstream-ID: e7b395fcca3122cd825515f45a2e41c9a157e09e
 
-commit f319912b0d0e1675b8bb051ed8213792c788bcb2
+commit cac3b6665f884d46192c0dc98a64112e8b11a766
 Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Wed Jul 29 04:43:06 2015 +0000
+Date:   Fri Feb 5 02:37:56 2016 +0000
 
     upstream commit
     
-    include the peer's offer when logging a failure to
-     negotiate a mutual set of algorithms (kex, pubkey, ciphers, etc.) ok markus@
+    better description for MaxSessions; bz#2531
     
-    Upstream-ID: bbb8caabf5c01790bb845f5ce135565248d7c796
+    Upstream-ID: e2c0d74ee185cd1a3e9d4ca1f1b939b745b354da
 
-commit b6ea0e573042eb85d84defb19227c89eb74cf05a
+commit 5ef4b0fdcc7a239577a754829b50022b91ab4712
+Author: Damien Miller <djm@mindrot.org>
+Date:   Wed Jan 27 17:45:56 2016 +1100
+
+    avoid FreeBSD RCS Id in comment
+    
+    Change old $FreeBSD version string in comment so it doesn't
+    become an RCS ident downstream; requested by des AT des.no
+
+commit 696d12683c90d20a0a9c5f4275fc916b7011fb04
 Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Tue Jul 28 23:20:42 2015 +0000
+Date:   Thu Feb 4 23:43:48 2016 +0000
 
     upstream commit
     
-    add Cisco to the list of clients that choke on the
-     hostkeys update extension. Pointed out by Howard Kash
+    printf argument casts to avoid warnings on strict
+     compilers
     
-    Upstream-ID: c9eadde28ecec056c73d09ee10ba4570dfba7e84
+    Upstream-ID: 7b9f6712cef01865ad29070262d366cf13587c9c
 
-commit 3f628c7b537291c1019ce86af90756fb4e66d0fd
-Author: guenther@openbsd.org <guenther@openbsd.org>
-Date:   Mon Jul 27 16:29:23 2015 +0000
+commit 5658ef2501e785fbbdf5de2dc33b1ff7a4dca73a
+Author: millert@openbsd.org <millert@openbsd.org>
+Date:   Mon Feb 1 21:18:17 2016 +0000
 
     upstream commit
     
-    Permit kbind(2) use in the sandbox now, to ease testing
-     of ld.so work using it
-    
-    reminded by miod@, ok deraadt@
+    Avoid ugly "DISPLAY "(null)" invalid; disabling X11
+     forwarding" message when DISPLAY is not set.  This could also result in a
+     crash on systems with a printf that doesn't handle NULL.  OK djm@
     
-    Upstream-ID: 523922e4d1ba7a091e3824e77a8a3c818ee97413
+    Upstream-ID: 20ee0cfbda678a247264c20ed75362042b90b412
 
-commit ebe27ebe520098bbc0fe58945a87ce8490121edb
-Author: millert@openbsd.org <millert@openbsd.org>
-Date:   Mon Jul 20 18:44:12 2015 +0000
+commit 537f88ec7bcf40bd444ac5584c707c5588c55c43
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date:   Fri Jan 29 05:18:15 2016 +0000
 
     upstream commit
     
-    Move .Pp before .Bl, not after to quiet mandoc -Tlint.
-     Noticed by jmc@
+    Add regression test for RekeyLimit parsing of >32bit values
+     (4G and 8G).
     
-    Upstream-ID: 59fadbf8407cec4e6931e50c53cfa0214a848e23
+    Upstream-Regress-ID: 548390350c62747b6234f522a99c319eee401328
 
-commit d5d91d0da819611167782c66ab629159169d94d4
-Author: millert@openbsd.org <millert@openbsd.org>
-Date:   Mon Jul 20 18:42:35 2015 +0000
+commit 4c6cb8330460f94e6c7ae28a364236d4188156a3
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date:   Fri Jan 29 23:04:46 2016 +0000
 
     upstream commit
     
-    Sync usage with SYNOPSIS
+    Remove leftover roaming dead code.  ok djm markus.
     
-    Upstream-ID: 7a321a170181a54f6450deabaccb6ef60cf3f0b7
+    Upstream-ID: 13d1f9c8b65a5109756bcfd3b74df949d53615be
 
-commit 79ec2142fbc68dd2ed9688608da355fc0b1ed743
-Author: millert@openbsd.org <millert@openbsd.org>
-Date:   Mon Jul 20 15:39:52 2015 +0000
+commit 28136471809806d6246ef41e4341467a39fe2f91
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Fri Jan 29 05:46:01 2016 +0000
 
     upstream commit
     
-    Better desciption of Unix domain socket forwarding.
-     bz#2423; ok jmc@
+    include packet type of non-data packets in debug3 output;
+     ok markus dtucker
     
-    Upstream-ID: 85e28874726897e3f26ae50dfa2e8d2de683805d
+    Upstream-ID: 034eaf639acc96459b9c5ce782db9fcd8bd02d41
 
-commit d56fd1828074a4031b18b8faa0bf949669eb18a0
-Author: Damien Miller <djm@mindrot.org>
-Date:   Mon Jul 20 11:19:51 2015 +1000
-
-    make realpath.c compile -Wsign-compare clean
-
-commit c63c9a691dca26bb7648827f5a13668832948929
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Mon Jul 20 00:30:01 2015 +0000
+commit 6fd6e28daccafaa35f02741036abe64534c361a1
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date:   Fri Jan 29 03:31:03 2016 +0000
 
     upstream commit
     
-    mention that the default of UseDNS=no implies that
-     hostnames cannot be used for host matching in sshd_config and
-     authorized_keys; bz#2045, ok dtucker@
+    Revert "account for packets buffered but not yet
+     processed" change as it breaks for very small RekeyLimit values due to
+     continuous rekeying.  ok djm@
     
-    Upstream-ID: 0812705d5f2dfa59aab01f2764ee800b1741c4e1
+    Upstream-ID: 7e03f636cb45ab60db18850236ccf19079182a19
 
-commit 63ebcd0005e9894fcd6871b7b80aeea1fec0ff76
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Sat Jul 18 08:02:17 2015 +0000
+commit 921ff00b0ac429666fb361d2d6cb1c8fff0006cb
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date:   Fri Jan 29 02:54:45 2016 +0000
 
     upstream commit
     
-    don't ignore PKCS#11 hosted keys that return empty
-     CKA_ID; patch by Jakub Jelen via bz#2429; ok markus
+    Allow RekeyLimits in excess of 4G up to 2**63 bits
+     (limited by the return type of scan_scaled).  Part of bz#2521, ok djm.
     
-    Upstream-ID: 2f7c94744eb0342f8ee8bf97b2351d4e00116485
+    Upstream-ID: 13bea82be566b9704821b1ea05bf7804335c7979
 
-commit b15fd989c8c62074397160147a8d5bc34b3f3c63
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Sat Jul 18 08:00:21 2015 +0000
+commit c0060a65296f01d4634f274eee184c0e93ba0f23
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date:   Fri Jan 29 02:42:46 2016 +0000
 
     upstream commit
     
-    skip uninitialised PKCS#11 slots; patch from Jakub Jelen
-     in bz#2427 ok markus@
+    Account for packets buffered but not yet processed when
+     computing whether or not it is time to perform rekeying.  bz#2521, based
+     loosely on a patch from olo at fb.com, ok djm@
     
-    Upstream-ID: 744c1e7796e237ad32992d0d02148e8a18f27d29
+    Upstream-ID: 67e268b547f990ed220f3cb70a5624d9bda12b8c
 
-commit 5b64f85bb811246c59ebab70aed331f26ba37b18
+commit 44cf930e670488c85c9efeb373fa5f4b455692ac
 Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Sat Jul 18 07:57:14 2015 +0000
+Date:   Wed Jan 27 06:44:58 2016 +0000
 
     upstream commit
     
-    only query each keyboard-interactive device once per
-     authentication request regardless of how many times it is listed; ok markus@
+    change old $FreeBSD version string in comment so it doesn't
+     become an RCS ident downstream; requested by des AT des.no
     
-    Upstream-ID: d73fafba6e86030436ff673656ec1f33d9ffeda1
+    Upstream-ID: 8ca558c01f184e596b45e4fc8885534b2c864722
 
-commit cd7324d0667794eb5c236d8a4e0f236251babc2d
+commit ebacd377769ac07d1bf3c75169644336056b7060
 Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Fri Jul 17 03:34:27 2015 +0000
+Date:   Wed Jan 27 00:53:12 2016 +0000
 
     upstream commit
     
-    remove -u flag to diff (only used for error output) to make
-     things easier for -portable
+    make the debug messages a bit more useful here
     
-    Upstream-Regress-ID: a5d6777d2909540d87afec3039d9bb2414ade548
+    Upstream-ID: 478ccd4e897e0af8486b294aa63aa3f90ab78d64
 
-commit deb8d99ecba70b67f4af7880b11ca8768df9ec3a
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Fri Jul 17 03:09:19 2015 +0000
+commit 458abc2934e82034c5c281336d8dc0f910aecad3
+Author: jsg@openbsd.org <jsg@openbsd.org>
+Date:   Sat Jan 23 05:31:35 2016 +0000
 
     upstream commit
     
-    direct-streamlocal@openssh.com Unix domain foward
-     messages do not contain a "reserved for future use" field and in fact,
-     serverloop.c checks that there isn't one. Remove erroneous mention from
-     PROTOCOL description. bz#2421 from Daniel Black
+    Zero a stack buffer with explicit_bzero() instead of
+     memset() when returning from client_loop() for consistency with
+     buffer_free()/sshbuf_free().
     
-    Upstream-ID: 3d51a19e64f72f764682f1b08f35a8aa810a43ac
+    ok dtucker@ deraadt@ djm@
+    
+    Upstream-ID: bc9975b2095339811c3b954694d7d15ea5c58f66
 
-commit 356b61f365405b5257f5b2ab446e5d7bd33a7b52
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Fri Jul 17 03:04:27 2015 +0000
+commit 65a3c0dacbc7dbb75ddb6a70ebe22d8de084d0b0
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date:   Wed Jan 20 09:22:39 2016 +0000
 
     upstream commit
     
-    describe magic for setting up Unix domain socket fowards
-     via the mux channel; bz#2422 patch from Daniel Black
+    Include sys/time.h for gettimeofday.  From sortie at
+     maxsi.org.
     
-    Upstream-ID: 943080fe3864715c423bdeb7c920bb30c4eee861
+    Upstream-ID: 6ed0c33b836d9de0a664cd091e86523ecaa2fb3b
 
-commit d3e2aee41487d55b8d7d40f538b84ff1db7989bc
-Author: Darren Tucker <dtucker@zip.com.au>
-Date:   Fri Jul 17 12:52:34 2015 +1000
+commit fc77ccdc2ce6d5d06628b8da5048a6a5f6ffca5a
+Author: markus@openbsd.org <markus@openbsd.org>
+Date:   Thu Jan 14 22:56:56 2016 +0000
 
-    Check if realpath works on nonexistent files.
-    
-    On some platforms the native realpath doesn't work with non-existent
-    files (this is actually specified in some versions of POSIX), however
-    the sftp spec says its realpath with "canonicalize any given path name".
-    On those platforms, use realpath from the compat library.
+    upstream commit
     
-    In addition, when compiling with -DFORTIFY_SOURCE, glibc redefines
-    the realpath symbol to the checked version, so redefine ours to
-    something else so we pick up the compat version we want.
+    fd leaks; report Qualys Security Advisory team; ok
+     deraadt@
     
-    bz#2428, ok djm@
+    Upstream-ID: 4ec0f12b9d8fa202293c9effa115464185aa071d
 
-commit 25b14610dab655646a109db5ef8cb4c4bf2a48a0
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Fri Jul 17 02:47:45 2015 +0000
+commit a306863831c57ec5fad918687cc5d289ee8e2635
+Author: markus@openbsd.org <markus@openbsd.org>
+Date:   Thu Jan 14 16:17:39 2016 +0000
 
     upstream commit
     
-    fix incorrect test for SSH1 keys when compiled without SSH1
-     support
+    remove roaming support; ok djm@
     
-    Upstream-ID: 6004d720345b8e481c405e8ad05ce2271726e451
+    Upstream-ID: 2cab8f4b197bc95776fb1c8dc2859dad0c64dc56
 
-commit df56a8035d429b2184ee94aaa7e580c1ff67f73a
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Wed Jul 15 08:00:11 2015 +0000
+commit 6ef49e83e30688504552ac10875feabd5521565f
+Author: deraadt@openbsd.org <deraadt@openbsd.org>
+Date:   Thu Jan 14 14:34:34 2016 +0000
 
     upstream commit
     
-    fix NULL-deref when SSH1 reenabled
+    Disable experimental client-side roaming support.  Server
+     side was disabled/gutted for years already, but this aspect was surprisingly
+     forgotten. Thanks for report from Qualys
     
-    Upstream-ID: f22fd805288c92b3e9646782d15b48894b2d5295
+    Upstream-ID: 2328004b58f431a554d4c1bf67f5407eae3389df
 
-commit 41e38c4d49dd60908484e6703316651333f16b93
+commit 8d7b523b96d3be180572d9d338cedaafc0570f60
+Author: Damien Miller <djm@mindrot.org>
+Date:   Thu Jan 14 11:08:19 2016 +1100
+
+    bump version numbers
+
+commit 8c3d512a1fac8b9c83b4d0c9c3f2376290bd84ca
+Author: Damien Miller <djm@mindrot.org>
+Date:   Thu Jan 14 11:04:04 2016 +1100
+
+    openssh-7.1p2
+
+commit e6c85f8889c5c9eb04796fdb76d2807636b9eef5
+Author: Damien Miller <djm@mindrot.org>
+Date:   Fri Jan 15 01:30:36 2016 +1100
+
+    forcibly disable roaming support in the client
+
+commit ed4ce82dbfa8a3a3c8ea6fa0db113c71e234416c
 Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Wed Jul 15 07:19:50 2015 +0000
+Date:   Wed Jan 13 23:04:47 2016 +0000
 
     upstream commit
     
-    regen RSA1 test keys; the last batch was missing their
-     private parts
+    eliminate fallback from untrusted X11 forwarding to trusted
+     forwarding when the X server disables the SECURITY extension; Reported by
+     Thomas Hoger; ok deraadt@
     
-    Upstream-Regress-ID: 7ccf437305dd63ff0b48dd50c5fd0f4d4230c10a
+    Upstream-ID: f76195bd2064615a63ef9674a0e4096b0713f938
 
-commit 5bf0933184cb622ca3f96d224bf3299fd2285acc
-Author: markus@openbsd.org <markus@openbsd.org>
-Date:   Fri Jul 10 06:23:25 2015 +0000
+commit 9a728cc918fad67c8a9a71201088b1e150340ba4
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Tue Jan 12 23:42:54 2016 +0000
 
     upstream commit
     
-    Adapt tests, now that DSA if off by default; use
-     PubkeyAcceptedKeyTypes and PubkeyAcceptedKeyTypes to test DSA.
+    use explicit_bzero() more liberally in the buffer code; ok
+     deraadt
     
-    Upstream-Regress-ID: 0ff2a3ff5ac1ce5f92321d27aa07b98656efcc5c
+    Upstream-ID: 0ece37069fd66bc6e4f55eb1321f93df372b65bf
 
-commit 7a6e3fd7b41dbd3756b6bf9acd67954c0b1564cc
-Author: markus@openbsd.org <markus@openbsd.org>
-Date:   Tue Jul 7 14:54:16 2015 +0000
+commit 4626cbaf78767fc8e9c86dd04785386c59ae0839
+Author: Damien Miller <djm@mindrot.org>
+Date:   Fri Jan 8 14:24:56 2016 +1100
 
-    upstream commit
+    Support Illumos/Solaris fine-grained privileges
     
-    regen test data after mktestdata.sh changes
+    Includes a pre-auth privsep sandbox and several pledge()
+    emulations. bz#2511, patch by Alex Wilson.
     
-    Upstream-Regress-ID: 3495ecb082b9a7c048a2d7c5c845d3bf181d25a4
+    ok dtucker@
 
-commit 7c8c174c69f681d4910fa41c37646763692b28e2
-Author: markus@openbsd.org <markus@openbsd.org>
-Date:   Tue Jul 7 14:53:30 2015 +0000
+commit 422d1b3ee977ff4c724b597fb2e437d38fc8de9d
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Thu Dec 31 00:33:52 2015 +0000
 
     upstream commit
     
-    adapt tests to new minimum RSA size and default FP format
+    fix three bugs in KRL code related to (unused) signature
+     support: verification length was being incorrectly calculated, multiple
+     signatures were being incorrectly processed and a NULL dereference that
+     occurred when signatures were verified. Reported by Carl Jackson
     
-    Upstream-Regress-ID: a4b30afd174ce82b96df14eb49fb0b81398ffd0e
+    Upstream-ID: e705e97ad3ccce84291eaa651708dd1b9692576b
 
-commit 6a977a4b68747ade189e43d302f33403fd4a47ac
+commit 6074c84bf95d00f29cc7d5d3cd3798737851aa1a
 Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Fri Jul 3 04:39:23 2015 +0000
+Date:   Wed Dec 30 23:46:14 2015 +0000
 
     upstream commit
     
-    legacy v00 certificates are gone; adapt and don't try to
-     test them; "sure" markus@ dtucker@
+    unused prototype
     
-    Upstream-Regress-ID: c57321e69b3cd4a3b3396dfcc43f0803d047da12
+    Upstream-ID: f3eef4389d53ed6c0d5c77dcdcca3060c745da97
 
-commit 0c4123ad5e93fb90fee9c6635b13a6cdabaac385
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Wed Jul 1 23:11:18 2015 +0000
+commit 6213f0e180e54122bb1ba928e11c784e2b4e5380
+Author: guenther@openbsd.org <guenther@openbsd.org>
+Date:   Sat Dec 26 20:51:35 2015 +0000
 
     upstream commit

*** DIFF OUTPUT TRUNCATED AT 1000 LINES ***



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201603102010.u2AKAPEb088524>