6.2p2-8 + 0.9.3-5

CVE-2014-2532

openssh-6.2p1-audit.patch

@@ -1670,7 +1670,7 @@ index 0c7f2e3..f47c7df 100644
  
  struct Session;
 diff --git a/packet.c b/packet.c
-index a51c1f2..faa3a85 100644
+index 06406dc..0e58db3 100644
 --- a/packet.c
 +++ b/packet.c
 @@ -60,6 +60,7 @@
@@ -1780,7 +1780,7 @@ index a51c1f2..faa3a85 100644
  	}
  	active_state->newkeys[mode] = kex_get_newkeys(mode);
  	if (active_state->newkeys[mode] == NULL)
-@@ -1971,6 +1989,47 @@ packet_get_newkeys(int mode)
+@@ -1975,6 +1993,47 @@ packet_get_newkeys(int mode)
  	return (void *)active_state->newkeys[mode];
  }
  
@@ -1828,7 +1828,7 @@ index a51c1f2..faa3a85 100644
  /*
   * Save the state for the real connection, and use a separate state when
   * resuming a suspended connection.
-@@ -1978,18 +2037,12 @@ packet_get_newkeys(int mode)
+@@ -1982,18 +2041,12 @@ packet_get_newkeys(int mode)
  void
  packet_backup_state(void)
  {
@@ -1848,7 +1848,7 @@ index a51c1f2..faa3a85 100644
  }
  
  /*
-@@ -2006,9 +2059,7 @@ packet_restore_state(void)
+@@ -2010,9 +2063,7 @@ packet_restore_state(void)
  	backup_state = active_state;
  	active_state = tmp;
  	active_state->connection_in = backup_state->connection_in;
@@ -1858,7 +1858,7 @@ index a51c1f2..faa3a85 100644
  	len = buffer_len(&backup_state->input);
  	if (len > 0) {
  		buf = buffer_ptr(&backup_state->input);
-@@ -2016,4 +2067,10 @@ packet_restore_state(void)
+@@ -2020,4 +2071,10 @@ packet_restore_state(void)
  		buffer_clear(&backup_state->input);
  		add_recv_bytes(len);
  	}
@@ -2063,7 +2063,7 @@ index cbb8e3a..fc6a7d3 100644
  void	 session_close(Session *);
  void	 do_setusercontext(struct passwd *);
 diff --git a/sshd.c b/sshd.c
-index 740ef4b..9aff64c 100644
+index 740ef4b..61ab3f5 100644
 --- a/sshd.c
 +++ b/sshd.c
 @@ -118,6 +118,7 @@
@@ -2187,6 +2187,15 @@ index 740ef4b..9aff64c 100644
  		}
  		/* Certs do not need demotion */
  	}
+@@ -646,7 +697,7 @@ privsep_preauth(Authctxt *authctxt)
+ 
+ 	if (use_privsep == PRIVSEP_ON)
+ 		box = ssh_sandbox_init();
+-	pid = fork();
++	pmonitor->m_pid = pid = fork();
+ 	if (pid == -1) {
+ 		fatal("fork of unprivileged child failed");
+ 	} else if (pid != 0) {
 @@ -700,6 +751,8 @@ privsep_preauth(Authctxt *authctxt)
  	}
  }
@@ -2283,7 +2292,7 @@ index 740ef4b..9aff64c 100644
  				    pmonitor->m_pid, strerror(errno));
  		}
  	}
-+	is_privsep_child = use_privsep && pmonitor != NULL && !mm_is_monitor();
++	is_privsep_child = use_privsep && pmonitor != NULL && pmonitor->m_pid == 0;
 +	if (sensitive_data.host_keys != NULL)
 +		destroy_sensitive_data(is_privsep_child);
 +	packet_destroy_all(1, is_privsep_child);

openssh-6.2p1-keycat.patch

@@ -26,7 +26,7 @@ diff -up openssh-6.2p1/HOWTO.ssh-keycat.keycat openssh-6.2p1/HOWTO.ssh-keycat
 +
 +To use ssh-keycat, set these options in /etc/ssh/sshd_config file:
 +        AuthorizedKeysCommand /usr/libexec/openssh/ssh-keycat
-+        AuthorizedKeysCommandRunAs root
++        AuthorizedKeysCommandUser root
 +
 +Do not forget to enable public key authentication:
 +        PubkeyAuthentication yes

openssh-6.2p1-ldap.patch

@@ -759,10 +759,9 @@ diff -up openssh-6.2p1/ldapbody.h.ldap openssh-6.2p1/ldapbody.h
 +
 +#endif /* LDAPBODY_H */
 +
-diff -up openssh-6.2p2/ldapconf.c.ldap openssh-6.2p2/ldapconf.c
+--- openssh-6.4p1/ldapconf.c.ldap	2013-11-26 10:31:03.513794385 +0100
---- openssh-6.2p2/ldapconf.c.ldap	2013-06-07 15:10:05.601942693 +0200
++++ openssh-6.4p1/ldapconf.c	2013-11-26 10:38:15.474635149 +0100
-+++ openssh-6.2p2/ldapconf.c	2013-06-07 15:10:24.928857566 +0200
+@@ -0,0 +1,720 @@
-@@ -0,0 +1,691 @@
 +/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
 +/*
 + * Copyright (c) 2009 Jan F. Chadima.  All rights reserved.
@@ -886,6 +885,35 @@ diff -up openssh-6.2p2/ldapconf.c.ldap openssh-6.2p2/ldapconf.c
 +	return lBadOption;
 +}
 +
++/* Characters considered whitespace in strsep calls. */
++#define WHITESPACE " \t\r\n"
++
++/* return next token in configuration line */
++static char *
++ldap_strdelim(char **s)
++{
++      char *old;
++      int wspace = 0;
++
++      if (*s == NULL)
++              return NULL;
++
++      old = *s;
++
++      *s = strpbrk(*s, WHITESPACE);
++      if (*s == NULL)
++              return (old);
++
++      *s[0] = '\0';
++
++      /* Skip any extra whitespace after first token */
++      *s += strspn(*s + 1, WHITESPACE) + 1;
++      if (*s[0] == '=' && !wspace)
++              *s += strspn(*s + 1, WHITESPACE) + 1;
++
++      return (old);
++}
++
 +/*
 + * Processes a single option line as used in the configuration files. This
 + * only sets those values that have not already been set.
@@ -909,11 +937,11 @@ diff -up openssh-6.2p2/ldapconf.c.ldap openssh-6.2p2/ldapconf.c
 +
 +	s = line;
 +	/* Get the keyword. (Each line is supposed to begin with a keyword). */
-+	if ((keyword = strdelim(&s)) == NULL)
++	if ((keyword = ldap_strdelim(&s)) == NULL)
 +		return 0;
 +	/* Ignore leading whitespace. */
 +	if (*keyword == '\0')
-+		keyword = strdelim(&s);
++		keyword = ldap_strdelim(&s);
 +	if (keyword == NULL || !*keyword || *keyword == '\n' || *keyword == '#')
 +		return 0;
 +
@@ -949,7 +977,7 @@ diff -up openssh-6.2p2/ldapconf.c.ldap openssh-6.2p2/ldapconf.c
 +	case lBindPW:
 +		charptr = &options.bindpw;
 +parse_string:
-+		arg = strdelim(&s);
++		arg = ldap_strdelim(&s);
 +		if (!arg || *arg == '\0')
 +			fatal("%.200s line %d: Missing argument.", filename, linenum);
 +		if (*charptr == NULL)
@@ -962,7 +990,7 @@ diff -up openssh-6.2p2/ldapconf.c.ldap openssh-6.2p2/ldapconf.c
 +
 +	case lScope:
 +		intptr = &options.scope;
-+		arg = strdelim(&s);
++		arg = ldap_strdelim(&s);
 +		if (!arg || *arg == '\0')
 +			fatal("%.200s line %d: Missing sub/one/base argument.", filename, linenum);
 +		value = 0;	/* To avoid compiler warning... */
@@ -980,7 +1008,7 @@ diff -up openssh-6.2p2/ldapconf.c.ldap openssh-6.2p2/ldapconf.c
 +
 +	case lDeref:
 +		intptr = &options.scope;
-+		arg = strdelim(&s);
++		arg = ldap_strdelim(&s);
 +		if (!arg || *arg == '\0')
 +			fatal("%.200s line %d: Missing never/searching/finding/always argument.", filename, linenum);
 +		value = 0;	/* To avoid compiler warning... */
@@ -1001,7 +1029,7 @@ diff -up openssh-6.2p2/ldapconf.c.ldap openssh-6.2p2/ldapconf.c
 +	case lPort:
 +		intptr = &options.port;
 +parse_int:
-+		arg = strdelim(&s);
++		arg = ldap_strdelim(&s);
 +		if (!arg || *arg == '\0')
 +			fatal("%.200s line %d: Missing argument.", filename, linenum);
 +		if (arg[0] < '0' || arg[0] > '9')
@@ -1018,7 +1046,7 @@ diff -up openssh-6.2p2/ldapconf.c.ldap openssh-6.2p2/ldapconf.c
 +	case lTimeLimit:
 +		intptr = &options.timelimit;
 +parse_time:
-+		arg = strdelim(&s);
++		arg = ldap_strdelim(&s);
 +		if (!arg || *arg == '\0')
 +			fatal("%s line %d: missing time value.",
 +			    filename, linenum);
@@ -1039,7 +1067,7 @@ diff -up openssh-6.2p2/ldapconf.c.ldap openssh-6.2p2/ldapconf.c
 +
 +	case lBind_Policy:
 +		intptr = &options.bind_policy;
-+		arg = strdelim(&s);
++		arg = ldap_strdelim(&s);
 +		if (!arg || *arg == '\0')
 +			fatal("%.200s line %d: Missing soft/hard argument.", filename, linenum);
 +		value = 0;	/* To avoid compiler warning... */
@@ -1058,7 +1086,7 @@ diff -up openssh-6.2p2/ldapconf.c.ldap openssh-6.2p2/ldapconf.c
 +
 +	case lSSL:
 +		intptr = &options.ssl;
-+		arg = strdelim(&s);
++		arg = ldap_strdelim(&s);
 +		if (!arg || *arg == '\0')
 +			fatal("%.200s line %d: Missing yes/no/start_tls argument.", filename, linenum);
 +		value = 0;	/* To avoid compiler warning... */
@@ -1077,7 +1105,7 @@ diff -up openssh-6.2p2/ldapconf.c.ldap openssh-6.2p2/ldapconf.c
 +	case lReferrals:
 +		intptr = &options.referrals;
 +parse_flag:
-+		arg = strdelim(&s);
++		arg = ldap_strdelim(&s);
 +		if (!arg || *arg == '\0')
 +			fatal("%.200s line %d: Missing yes/no argument.", filename, linenum);
 +		value = 0;	/* To avoid compiler warning... */
@@ -1097,7 +1125,7 @@ diff -up openssh-6.2p2/ldapconf.c.ldap openssh-6.2p2/ldapconf.c
 +
 +	case lTLS_CheckPeer:
 +		intptr = &options.tls_checkpeer;
-+		arg = strdelim(&s);
++		arg = ldap_strdelim(&s);
 +		if (!arg || *arg == '\0')
 +			fatal("%.200s line %d: Missing never/hard/demand/alow/try argument.", filename, linenum);
 +		value = 0;	/* To avoid compiler warning... */
@@ -1171,7 +1199,7 @@ diff -up openssh-6.2p2/ldapconf.c.ldap openssh-6.2p2/ldapconf.c
 +	}
 +
 +	/* Check that there is no garbage at end of line. */
-+	if ((arg = strdelim(&s)) != NULL && *arg != '\0') {
++	if ((arg = ldap_strdelim(&s)) != NULL && *arg != '\0') {
 +		fatal("%.200s line %d: garbage at end of line; \"%.200s\".",
 +		    filename, linenum, arg);
 +	}

openssh-6.2p2-CVE-2014-2653.patch

@@ -0,0 +1,80 @@
+diff --git a/ChangeLog b/ChangeLog
+index 29d70ec..a0fb67e 100644
+--- a/ChangeLog
++++ b/ChangeLog
+@@ -1,3 +1,14 @@
++20140420
++   - djm@cvs.openbsd.org 2014/04/01 03:34:10
++     [sshconnect.c]
++     When using VerifyHostKeyDNS with a DNSSEC resolver, down-convert any
++     certificate keys to plain keys and attempt SSHFP resolution.
++     
++     Prevents a server from skipping SSHFP lookup and forcing a new-hostkey
++     dialog by offering only certificate keys.
++     
++     Reported by mcv21 AT cam.ac.uk
++
+ 20131010
+  - dtucker@cvs.openbsd.org 2013/10/08 11:42:13
+    [dh.c dh.h]
+diff --git a/sshconnect.c b/sshconnect.c
+index f2ba1b2..f0fdc70 100644
+--- a/sshconnect.c
++++ b/sshconnect.c
+@@ -1137,30 +1137,40 @@ verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key)
+ {
+ 	int flags = 0;
+ 	char *fp;
++	Key *plain = NULL;
+ 
+ 	fp = key_selected_fingerprint(host_key, SSH_FP_HEX);
+ 	debug("Server host key: %s %s%s", key_type(host_key),
+ 	    key_fingerprint_prefix(), fp);
+ 	xfree(fp);
+ 
+-	/* XXX certs are not yet supported for DNS */
+-	if (!key_is_cert(host_key) && options.verify_host_key_dns &&
+-	    verify_host_key_dns(host, hostaddr, host_key, &flags) == 0) {
+-		if (flags & DNS_VERIFY_FOUND) {
+-
+-			if (options.verify_host_key_dns == 1 &&
+-			    flags & DNS_VERIFY_MATCH &&
+-			    flags & DNS_VERIFY_SECURE)
+-				return 0;
+-
+-			if (flags & DNS_VERIFY_MATCH) {
+-				matching_host_key_dns = 1;
+-			} else {
+-				warn_changed_key(host_key);
+-				error("Update the SSHFP RR in DNS with the new "
+-				    "host key to get rid of this message.");
++	if (options.verify_host_key_dns) {
++		/*
++		 * XXX certs are not yet supported for DNS, so downgrade
++		 * them and try the plain key.
++		 */
++		plain = key_from_private(host_key);
++		if (key_is_cert(plain))
++			key_drop_cert(plain);
++		if (verify_host_key_dns(host, hostaddr, plain, &flags) == 0) {
++			if (flags & DNS_VERIFY_FOUND) {
++				if (options.verify_host_key_dns == 1 &&
++				    flags & DNS_VERIFY_MATCH &&
++				    flags & DNS_VERIFY_SECURE) {
++					key_free(plain);
++					return 0;
++				}
++				if (flags & DNS_VERIFY_MATCH) {
++					matching_host_key_dns = 1;
++				} else {
++					warn_changed_key(plain);
++					error("Update the SSHFP RR in DNS "
++					    "with the new host key to get rid "
++					    "of this message.");
++				}
+ 			}
+ 		}
++		key_free(plain);
+ 	}
+ 
+ 	return check_host_key(host, hostaddr, options.port, host_key, RDRW,

openssh-6.2p2-fromto-remote.patch

@@ -0,0 +1,16 @@
+diff --git a/scp.c b/scp.c
+index d98fa67..25d347b 100644
+--- a/scp.c
++++ b/scp.c
+@@ -638,7 +638,10 @@ toremote(char *targ, int argc, char **argv)
+ 			addargs(&alist, "%s", ssh_program);
+ 			addargs(&alist, "-x");
+ 			addargs(&alist, "-oClearAllForwardings=yes");
+-			addargs(&alist, "-n");
++			if (isatty(fileno(stdin)))
++				addargs(&alist, "-t");
++			else
++				addargs(&alist, "-n");
+ 			for (j = 0; j < remote_remote_args.num; j++) {
+ 				addargs(&alist, "%s",
+ 				    remote_remote_args.list[j]);

openssh-6.2p2-ignore-bad-env-var.patch

@@ -0,0 +1,37 @@
+diff -U0 openssh-6.4p1/ChangeLog.bad-env-var openssh-6.4p1/ChangeLog
+--- openssh-6.4p1/ChangeLog.bad-env-var	2014-03-19 21:37:36.270509907 +0100
++++ openssh-6.4p1/ChangeLog	2014-03-19 21:37:36.276509878 +0100
+@@ -0,0 +1,7 @@
++20140304
++ - OpenBSD CVS Sync
++   - djm@cvs.openbsd.org 2014/03/03 22:22:30
++     [session.c]
++     ignore enviornment variables with embedded '=' or '\0' characters;
++     spotted by Jann Horn; ok deraadt@
++
+diff -up openssh-6.4p1/session.c.bad-env-var openssh-6.4p1/session.c
+--- openssh-6.4p1/session.c.bad-env-var	2014-03-19 21:37:36.233510090 +0100
++++ openssh-6.4p1/session.c	2014-03-19 21:37:36.277509873 +0100
+@@ -990,6 +990,11 @@ child_set_env(char ***envp, u_int *envsi
+ 	u_int envsize;
+ 	u_int i, namelen;
+ 
++	if (strchr(name, '=') != NULL) {
++		error("Invalid environment variable \"%.100s\"", name);
++		return;
++	}
++
+ 	/*
+ 	 * If we're passed an uninitialized list, allocate a single null
+ 	 * entry before continuing.
+@@ -2255,8 +2260,8 @@ session_env_req(Session *s)
+ 	char *name, *val;
+ 	u_int name_len, val_len, i;
+ 
+-	name = packet_get_string(&name_len);
+-	val = packet_get_string(&val_len);
++	name = packet_get_cstring(&name_len);
++	val = packet_get_cstring(&val_len);
+ 	packet_check_eom();
+ 
+ 	/* Don't set too many environment variables */

openssh-6.2p2-increase-size-of-DF-groups.patch

@@ -0,0 +1,59 @@
+diff -U0 openssh-6.2p2/ChangeLog.dh openssh-6.2p2/ChangeLog
+--- openssh-6.2p2/ChangeLog.dh	2013-11-18 12:14:09.662240103 +0100
++++ openssh-6.2p2/ChangeLog	2013-11-18 12:14:09.665240089 +0100
+@@ -0,0 +1,8 @@
++20131010
++ - dtucker@cvs.openbsd.org 2013/10/08 11:42:13
++   [dh.c dh.h]
++   Increase the size of the Diffie-Hellman groups requested for a each
++   symmetric key size.  New values from NIST Special Publication 800-57 with
++   the upper limit specified by RFC4419.  Pointed out by Peter Backes, ok
++   djm@.
++
+diff -up openssh-6.2p2/dh.c.dh openssh-6.2p2/dh.c
+--- openssh-6.2p2/dh.c.dh	2011-12-19 00:52:52.000000000 +0100
++++ openssh-6.2p2/dh.c	2013-11-18 12:14:09.665240089 +0100
+@@ -332,17 +332,20 @@ dh_new_group14(void)
+ 
+ /*
+  * Estimates the group order for a Diffie-Hellman group that has an
+- * attack complexity approximately the same as O(2**bits).  Estimate
+- * with:  O(exp(1.9223 * (ln q)^(1/3) (ln ln q)^(2/3)))
++ * attack complexity approximately the same as O(2**bits).
++ * Values from NIST Special Publication 800-57: Recommendation for Key
++ * Management Part 1 (rev 3) limited by the recommended maximum value
++ * from RFC4419 section 3.
+  */
+ 
+ int
+ dh_estimate(int bits)
+ {
+-
++	if (bits <= 112)
++		return 2048;
+ 	if (bits <= 128)
+-		return (1024);	/* O(2**86) */
++		return 3072;
+ 	if (bits <= 192)
+-		return (2048);	/* O(2**116) */
+-	return (4096);		/* O(2**156) */
++		return 7680;
++	return 8192;
+ }
+diff -up openssh-6.2p2/dh.h.dh openssh-6.2p2/dh.h
+--- openssh-6.2p2/dh.h.dh	2008-06-29 14:47:04.000000000 +0200
++++ openssh-6.2p2/dh.h	2013-11-18 12:14:09.665240089 +0100
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: dh.h,v 1.10 2008/06/26 09:19:40 djm Exp $ */
++/* $OpenBSD: dh.h,v 1.11 2013/10/08 11:42:13 dtucker Exp $ */
+ 
+ /*
+  * Copyright (c) 2000 Niels Provos.  All rights reserved.
+@@ -43,6 +43,7 @@ int	 dh_pub_is_valid(DH *, BIGNUM *);
+ 
+ int	 dh_estimate(int);
+ 
++/* Min and max values from RFC4419. */
+ #define DH_GRP_MIN	1024
+ #define DH_GRP_MAX	8192
+ 

openssh-6.2p2-legacy-ssh-copy-id.patch

@@ -0,0 +1,59 @@
+diff --git a/contrib/ssh-copy-id b/contrib/ssh-copy-id
+index 9f2817b..1530f6f 100644
+--- a/contrib/ssh-copy-id
++++ b/contrib/ssh-copy-id
+@@ -77,7 +77,7 @@ use_id_file() {
+     PUB_ID_FILE="$L_ID_FILE.pub"
+   fi
+ 
+-  PRIV_ID_FILE=$(dirname "$PUB_ID_FILE")/$(basename "$PUB_ID_FILE" .pub)
++  [ "x$SSH_COPY_ID_LEGACY" != "x" ] || PRIV_ID_FILE=$(dirname "$PUB_ID_FILE")/$(basename "$PUB_ID_FILE" .pub)
+ 
+   # check that the files are readable
+   for f in $PUB_ID_FILE $PRIV_ID_FILE ; do
+@@ -243,7 +243,7 @@ populate_new_ids() {
+   printf '%s: INFO: %d key(s) remain to be installed -- if you are prompted now it is to install the new keys\n' "$0" "$(printf '%s\n' "$NEW_IDS" | wc -l)" >&2
+ }
+ 
+-REMOTE_VERSION=$(ssh -v -o PreferredAuthentications=',' "$@" 2>&1 |
++[ "x$SSH_COPY_ID_LEGACY" != "x" ] || REMOTE_VERSION=$(ssh -v -o PreferredAuthentications=',' "$@" 2>&1 |
+                  sed -ne 's/.*remote software version //p')
+ 
+ case "$REMOTE_VERSION" in
+@@ -268,7 +268,11 @@ case "$REMOTE_VERSION" in
+     ;;
+   *)
+     # Assuming that the remote host treats ~/.ssh/authorized_keys as one might expect
+-    populate_new_ids 0
++    if [ "x$SSH_COPY_ID_LEGACY" != "x" ]; then
++      NEW_IDS=`eval "$GET_ID"`
++    else
++      populate_new_ids 0
++    fi
+     [ "$DRY_RUN" ] || printf '%s\n' "$NEW_IDS" | ssh "$@" "
+ 		umask 077 ;
+ 		mkdir -p .ssh && cat >> .ssh/authorized_keys || exit 1 ;
+diff --git a/contrib/ssh-copy-id.1 b/contrib/ssh-copy-id.1
+index 67a59e4..edbf56f 100644
+--- a/contrib/ssh-copy-id.1
++++ b/contrib/ssh-copy-id.1
+@@ -180,6 +180,19 @@ should prove enlightening (N.B. the modern approach is to use the
+ .Fl W
+ option, rather than
+ .Xr nc 1 ) .
++.Sh ENVIRONMENT
++.Bl -tag -width Ds
++.Pp
++.It Pa SSH_COPY_ID_LEGACY
++If the 
++.Cm SSH_COPY_ID_LEGACY
++environment variable is set, the
++.Nm
++is run in a legacy mode. In this mode, the 
++.Nm
++doesn't check an existence of a private key and doesn't do remote checks
++of the remote server versions or if public keys are already installed.
++.El
+ .Sh "SEE ALSO"
+ .Xr ssh 1 ,
+ .Xr ssh-agent 1 ,

openssh.spec

@@ -64,7 +64,7 @@
 
 # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
 %define openssh_ver 6.2p2
-%define openssh_rel 5
+%define openssh_rel 8
 %define pam_ssh_agent_ver 0.9.3
 %define pam_ssh_agent_rel 5
 
@@ -186,6 +186,18 @@ Patch907: openssh-6.2p1-aarch64.patch
 Patch908: openssh-6.2p2-sftp-multibyte.patch
 # don't show Success for EAI_SYSTEM (#985964)
 Patch909: openssh-6.2p2-ssh_gai_strerror.patch
+# increase the size of the Diffie-Hellman groups (#1010607)
+Patch910: openssh-6.2p2-increase-size-of-DF-groups.patch
+# Run ssh-copy-id in the legacy mode when SSH_COPY_ID_LEGACY variable is set
+# http://bugzilla.mindrot.org/show_bug.cgi?id=2110
+Patch911: openssh-6.2p2-legacy-ssh-copy-id.patch
+# Use tty allocation for a remote scp (#985650)
+Patch912: openssh-6.2p2-fromto-remote.patch
+# Prevents a server from skipping SSHFP lookup and forcing a new-hostkey
+# dialog by offering only certificate keys. (#1081338)
+Patch913: openssh-6.2p2-CVE-2014-2653.patch
+# ignore environment variables with embedded '=' or '\0' characters (#1077843)
+Patch914: openssh-6.2p2-ignore-bad-env-var.patch
 
 
 License: BSD
@@ -408,6 +420,11 @@ popd
 %patch907 -p1 -b .aarch64
 %patch908 -p1 -b .sftp-multibyte
 %patch909 -p1 -b .ssh_gai_strerror
+%patch910 -p1 -b .dh
+%patch911 -p1 -b .legacy-ssh-copy-id
+%patch912 -p1 -b .fromto-remote
+%patch913 -p1 -b .CVE-2014-2653
+%patch914 -p1 -b .bad-env-var
 
 %if 0
 # Nothing here yet
@@ -628,7 +645,7 @@ getent passwd sshd >/dev/null || \
 %defattr(-,root,root)
 %doc CREDITS ChangeLog INSTALL LICENCE OVERVIEW PROTOCOL* README README.platform README.privsep README.tun README.dns TODO
 %attr(0755,root,root) %dir %{_sysconfdir}/ssh
-%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/moduli
+%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/moduli
 %if ! %{rescue}
 %attr(0755,root,root) %{_bindir}/ssh-keygen
 %attr(0644,root,root) %{_mandir}/man1/ssh-keygen.1*
@@ -722,6 +739,22 @@ getent passwd sshd >/dev/null || \
 %endif
 
 %changelog
+* Mon May 19 2014 Petr Lautrbach <plautrba@redhat.com> 6.2p2-8 + 0.9.3-5
+- fix fatal() cleanup in the audit patch (#1029074)
+- fix parsing logic of ldap.conf file (#1033662)
+- use SSH_COPY_ID_LEGACY variable to run ssh-copy-id in the legacy mode
+- make /etc/ssh/moduli file public (#1043661)
+- prevent a server from skipping SSHFP lookup - CVE-2014-2653 (#1081338)
+- ignore environment variables with embedded '=' or '\0' characters - CVE-2014-2532
+  (#1077843)
+
+* Wed Dec 11 2013 Petr Lautrbach <plautrba@redhat.com> 6.2p2-7 + 0.9.3-5
+- sshd-keygen - use correct permissions on ecdsa host key (#1023945)
+
+* Mon Nov 18 2013 Petr Lautrbach <plautrba@redhat.com> 6.2p2-6 + 0.9.3-5
+- increase the size of the Diffie-Hellman groups (#1010607)
+- sshd-keygen to generate ECDSA keys <i.grok@comcast.net> (#1019222)
+
 * Wed Jul 31 2013 Petr Lautrbach <plautrba@redhat.com> 6.2p2-5 + 0.9.3-5
 - gssapi credentials need to be stored before a pam session opened (#987792)
 

sshd-keygen

@@ -13,6 +13,7 @@ KEYGEN=/usr/bin/ssh-keygen
 RSA1_KEY=/etc/ssh/ssh_host_key
 RSA_KEY=/etc/ssh/ssh_host_rsa_key
 DSA_KEY=/etc/ssh/ssh_host_dsa_key
+ECDSA_KEY=/etc/ssh/ssh_host_ecdsa_key
 
 # pull in sysconfig settings
 [ -f /etc/sysconfig/sshd ] && . /etc/sysconfig/sshd
@@ -88,11 +89,33 @@ do_dsa_keygen() {
 	fi
 }
 
+do_ecdsa_keygen() {
+	if [ ! -s $ECDSA_KEY ]; then
+		echo -n $"Generating SSH2 ECDSA host key: "
+		rm -f $ECDSA_KEY
+		if test ! -f $ECDSA_KEY && $KEYGEN -q -t ecdsa -f $ECDSA_KEY -C '' -N '' >&/dev/null; then
+			chgrp ssh_keys $ECDSA_KEY
+			chmod 640 $ECDSA_KEY
+			chmod 644 $ECDSA_KEY.pub
+			if [ -x /sbin/restorecon ]; then
+			    /sbin/restorecon $ECDSA_KEY.pub
+			fi
+			success $"ECDSA key generation"
+			echo
+		else
+			failure $"ECDSA key generation"
+			echo
+			exit 1
+		fi
+	fi
+}
+
 # Create keys if necessary
 if [ "x${AUTOCREATE_SERVER_KEYS}" != xNO ]; then
 	do_rsa_keygen
 	if [ "x${AUTOCREATE_SERVER_KEYS}" != xRSAONLY ]; then
 		do_rsa1_keygen
 		do_dsa_keygen
+		do_ecdsa_keygen
 	fi
 fi