6.6.1p1-16 + 0.9.3-3

Privilege separation weakness related to PAM support (#1252844)
		https://anongit.mindrot.org/openssh.git/commit/?id=d4697fe9a28dab7255c60433e4dd23cf7fce8a8b
	Use-after-free bug related to PAM support (#1252852)
		https://anongit.mindrot.org/openssh.git/commit/?id=5e75f5198769056089fb06c4d738ab0e5abc66f7

openssh-5.1p1-scp-manpage.patch

@@ -1,18 +0,0 @@
-diff -up openssh-5.1p1/scp.1.manpage openssh-5.1p1/scp.1
---- openssh-5.1p1/scp.1.manpage	2008-07-12 09:12:49.000000000 +0200
-+++ openssh-5.1p1/scp.1	2008-07-23 19:18:15.000000000 +0200
-@@ -66,6 +66,14 @@ treating file names containing
- as host specifiers.
- Copies between two remote hosts are also permitted.
- .Pp
-+When copying a source file to a target file which already exists,
-+.Nm 
-+will replace the contents of the target file (keeping the inode).
-+.Pp
-+If the target file does not yet exist, an empty file with the target
-+file name is created, then filled with the source file contents.
-+No attempt is made at "near-atomic" transfer using temporary files.
-+.Pp
- The options are as follows:
- .Bl -tag -width Ds
- .It Fl 1

openssh-6.6.1p1-audit-pfs.patch

@@ -121,7 +121,7 @@ index ede7b67..eb5f333 100644
  		dh_need = MAX(dh_need, newkeys->mac.key_len);
 +		debug("kex: %s need=%d dh_need=%d", kex->name, need, dh_need);
 +#ifdef SSH_AUDIT_EVENTS
-+		audit_kex(ctos, newkeys->enc.name, newkeys->mac.name, newkeys->comp.name, kex->name);
++		audit_kex(mode, newkeys->enc.name, newkeys->mac.name, newkeys->comp.name, kex->name);
 +#endif
  	}
  	/* XXX need runden? */

openssh-6.6.1p1-coverity.patch

@@ -168,15 +168,6 @@ diff --git a/progressmeter.c b/progressmeter.c
 index bbbc706..ae6d1aa 100644
 --- a/progressmeter.c
 +++ b/progressmeter.c
-@@ -65,7 +65,7 @@ static void update_progress_meter(int);
- 
- static time_t start;		/* start progress */
- static time_t last_update;	/* last progress update */
--static char *file;		/* name of the file being transferred */
-+static const char *file;	/* name of the file being transferred */
- static off_t start_pos;		/* initial position of transfer */
- static off_t end_pos;		/* ending position of transfer */
- static off_t cur_pos;		/* transfer position as of last refresh */
 @@ -248,7 +248,7 @@ update_progress_meter(int ignore)
  }
  
@@ -185,7 +176,7 @@ index bbbc706..ae6d1aa 100644
 +start_progress_meter(const char *f, off_t filesize, off_t *ctr)
  {
  	start = last_update = monotime();
- 	file = f;
+ 	if (strlen(f) > file_len) {
 diff --git a/progressmeter.h b/progressmeter.h
 index 10bab99..e9ca8f0 100644
 --- a/progressmeter.h

openssh-6.6.1p1-utf8-banner.patch

@@ -15,78 +15,24 @@ diff --git a/misc.h b/misc.h
 index d4df619..d98b83d 100644
 --- a/misc.h
 +++ b/misc.h
-@@ -106,4 +106,7 @@ char	*read_passphrase(const char *, int);
+@@ -135,4 +135,8 @@ char	*read_passphrase(const char *, int)
  int	 ask_permission(const char *, ...) __attribute__((format(printf, 1, 2)));
  int	 read_keyfile_line(FILE *, const char *, char *, size_t, u_long *);
  
 +/* utf8_stringprep.c */
 +int utf8_stringprep(const char *, char *, size_t);
++void sanitize_utf8(char *, const char *, size_t);
 +
  #endif /* _MISC_H */
-diff --git a/sshconnect2.c b/sshconnect2.c
-index b00658b..08064f4 100644
---- a/sshconnect2.c
-+++ b/sshconnect2.c
-@@ -33,6 +33,8 @@
- 
- #include <errno.h>
- #include <fcntl.h>
-+#include <langinfo.h>
-+#include <locale.h>
- #include <netdb.h>
- #include <pwd.h>
- #include <signal.h>
-@@ -519,21 +521,51 @@ input_userauth_error(int type, u_int32_t seq, void *ctxt)
- 	    "type %d", type);
- }
- 
-+/* Check whether we can display UTF-8 safely */
-+static int
-+utf8_ok(void)
-+{
-+	static int ret = -1;
-+	char *cp;
-+
-+	if (ret == -1) {
-+		setlocale(LC_CTYPE, "");
-+		cp = nl_langinfo(CODESET);
-+		ret = strcmp(cp, "UTF-8") == 0;
-+	}
-+	return ret;
-+}
-+
- /* ARGSUSED */
- void
- input_userauth_banner(int type, u_int32_t seq, void *ctxt)
- {
- 	char *msg, *raw, *lang;
--	u_int len;
-+	u_int done, len;
- 
- 	debug3("input_userauth_banner");
-+
- 	raw = packet_get_string(&len);
- 	lang = packet_get_string(NULL);
- 	if (len > 0 && options.log_level >= SYSLOG_LEVEL_INFO) {
+diff -up openssh-6.8p1/sshconnect2.c.utf8-banner openssh-6.8p1/sshconnect2.c
+--- openssh-6.8p1/sshconnect2.c.utf8-banner	2015-03-18 12:41:28.161713220 +0100
++++ openssh-6.8p1/sshconnect2.c	2015-03-18 12:44:05.483317714 +0100
+@@ -532,7 +534,7 @@ input_userauth_error(int type, u_int32_t
  		if (len > 65536)
  			len = 65536;
  		msg = xmalloc(len * 4 + 1); /* max expansion from strnvis() */
 -		strnvis(msg, raw, len * 4 + 1, VIS_SAFE|VIS_OCTAL|VIS_NOSLASH);
-+		done = 0;
-+		if (utf8_ok()) {
-+			if (utf8_stringprep(raw, msg, len * 4 + 1) == 0)
-+				done = 1;
-+			else
-+				debug2("%s: UTF8 stringprep failed", __func__);
-+		}
-+		/*
-+		 * Fallback to strnvis if UTF8 display not supported or
-+		 * conversion failed.
-+		 */
-+		if (!done) {
-+			strnvis(msg, raw, len * 4 + 1,
-+			    VIS_SAFE|VIS_OCTAL|VIS_NOSLASH);
-+		}
++		sanitize_utf8(msg, raw, len);
  		fprintf(stderr, "%s", msg);
  		free(msg);
  	}
@@ -757,12 +703,10 @@ index 0000000..49f4d9d
 +	{ 0xE0020, 0xE007F },
 +};
 +
-diff --git a/utf8_stringprep.c b/utf8_stringprep.c
-new file mode 100644
-index 0000000..bcafae7
---- /dev/null
-+++ b/utf8_stringprep.c
-@@ -0,0 +1,229 @@
+diff -up openssh-6.8p1/utf8_stringprep.c.utf8-banner openssh-6.8p1/utf8_stringprep.c
+--- openssh-6.8p1/utf8_stringprep.c.utf8-banner	2015-03-18 12:41:28.175713185 +0100
++++ openssh-6.8p1/utf8_stringprep.c	2015-03-18 12:41:28.175713185 +0100
+@@ -0,0 +1,265 @@
 +/*
 + * Copyright (c) 2013 Damien Miller <djm@mindrot.org>
 + *
@@ -803,8 +747,12 @@ index 0000000..bcafae7
 +#include <string.h>
 +#include <limits.h>
 +#include <ctype.h>
++#include <langinfo.h>
++#include <locale.h>
 +
++#include "includes.h"
 +#include "misc.h"
++#include "log.h"
 +
 +struct u32_range {
 +	u_int32_t lo, hi;  /* Inclusive */
@@ -992,3 +940,35 @@ index 0000000..bcafae7
 +	return 0;
 +}
 +
++/* Check whether we can display UTF-8 safely */
++int
++utf8_ok(void)
++{
++	static int ret = -1;
++	char *cp;
++
++	if (ret == -1) {
++		setlocale(LC_CTYPE, "");
++		cp = nl_langinfo(CODESET);
++		ret = strcmp(cp, "UTF-8") == 0;
++	}
++	return ret;
++}
++
++void
++sanitize_utf8(char *target, const char *source, size_t length)
++{
++	u_int done = 0;
++	if (utf8_ok()) {
++		if (utf8_stringprep(source, target, length * 4 + 1) == 0)
++			done = 1;
++		else
++			debug2("%s: UTF8 stringprep failed", __func__);
++	}
++	/*
++	 * Fallback to strnvis if UTF8 display not supported or
++	 * conversion failed.
++	 */
++	if (!done)
++		strnvis(target, source, length * 4 + 1, VIS_SAFE|VIS_OCTAL|VIS_NOSLASH);
++}

openssh-6.6p1-audit.patch

@@ -1934,7 +1934,7 @@ index df43592..b186ca1 100644
 -		PRIVSEP(audit_run_command(shell));
 +		s->command = xstrdup(shell);
  	}
-+	if (s->command != NULL)
++	if (s->command != NULL && s->ptyfd == -1)
 +		s->command_handle = PRIVSEP(audit_run_command(s->command));
  #endif
  	if (s->ttyfd != -1)
@@ -1979,7 +1979,7 @@ index df43592..b186ca1 100644
  session_by_tty(char *tty)
  {
  	int i;
-@@ -2531,6 +2560,30 @@ session_exit_message(Session *s, int status)
+@@ -2532,6 +2561,32 @@ session_exit_message(Session *s, int sta
  		chan_write_failed(c);
  }
  
@@ -1988,7 +1988,8 @@ index df43592..b186ca1 100644
 +session_end_command2(Session *s)
 +{
 +	if (s->command != NULL) {
-+		audit_end_command(s->command_handle, s->command);
++		if (s->command_handle != -1)
++			audit_end_command(s->command_handle, s->command);
 +		free(s->command);
 +		s->command = NULL;
 +		s->command_handle = -1;
@@ -1999,7 +2000,8 @@ index df43592..b186ca1 100644
 +session_end_command(Session *s)
 +{
 +	if (s->command != NULL) {
-+		PRIVSEP(audit_end_command(s->command_handle, s->command));
++		if (s->command_handle != -1)
++			PRIVSEP(audit_end_command(s->command_handle, s->command));
 +		free(s->command);
 +		s->command = NULL;
 +		s->command_handle = -1;

openssh-6.6p1-authentication-limits-bypass.patch

@@ -0,0 +1,47 @@
+From 5b64f85bb811246c59ebab70aed331f26ba37b18 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Sat, 18 Jul 2015 07:57:14 +0000
+Subject: upstream commit
+
+only query each keyboard-interactive device once per
+ authentication request regardless of how many times it is listed; ok markus@
+
+Upstream-ID: d73fafba6e86030436ff673656ec1f33d9ffeda1
+---
+ auth2-chall.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/auth2-chall.c b/auth2-chall.c
+index ddabe1a..4aff09d 100644
+--- a/auth2-chall.c
++++ b/auth2-chall.c
+@@ -83,6 +83,7 @@ struct KbdintAuthctxt
+ 	void *ctxt;
+ 	KbdintDevice *device;
+ 	u_int nreq;
++	u_int devices_done;
+ };
+ 
+ #ifdef USE_PAM
+@@ -169,11 +170,15 @@ kbdint_next_device(Authctxt *authctxt, KbdintAuthctxt *kbdintctxt)
+ 		if (len == 0)
+ 			break;
+ 		for (i = 0; devices[i]; i++) {
+-			if (!auth2_method_allowed(authctxt,
++			if ((kbdintctxt->devices_done & (1 << i)) != 0 ||
++			    !auth2_method_allowed(authctxt,
+ 			    "keyboard-interactive", devices[i]->name))
+ 				continue;
+-			if (strncmp(kbdintctxt->devices, devices[i]->name, len) == 0)
++			if (strncmp(kbdintctxt->devices, devices[i]->name,
++			    len) == 0) {
+ 				kbdintctxt->device = devices[i];
++				kbdintctxt->devices_done |= 1 << i;
++			}
+ 		}
+ 		t = kbdintctxt->devices;
+ 		kbdintctxt->devices = t[len] ? xstrdup(t+len+1) : NULL;
+-- 
+cgit v0.11.2
+
+

openssh-6.6p1-fips.patch

@@ -13,8 +13,8 @@ index 3bb7f00..294bef5 100644
 -	$(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS)
 +	$(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS)
  
- scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o
- 	$(LD) -o $@ scp.o progressmeter.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+ scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o utf8_stringprep.o
+ 	$(LD) -o $@ scp.o progressmeter.o bufaux.o utf8_stringprep.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
  
  ssh-add$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-add.o
 -	$(LD) -o $@ ssh-add.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)

openssh-6.6p1-scp-progressmeter.patch

@@ -0,0 +1,38 @@
+diff -up openssh-6.6p1/Makefile.in.progressmeter openssh-6.6p1/Makefile.in
+--- openssh-6.6p1/Makefile.in.progressmeter	2015-07-28 14:22:08.740278100 +0200
++++ openssh-6.6p1/Makefile.in	2015-07-28 14:22:08.769278063 +0200
+@@ -158,8 +158,8 @@ ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SS
+ sshd$(EXEEXT): libssh.a	$(LIBCOMPAT) $(SSHDOBJS)
+ 	$(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS)
+ 
+-scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o
+-	$(LD) -o $@ scp.o progressmeter.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
++scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o utf8_stringprep.o
++	$(LD) -o $@ scp.o progressmeter.o bufaux.o utf8_stringprep.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+ 
+ ssh-add$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-add.o
+ 	$(LD) -o $@ ssh-add.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+diff -up openssh-6.6p1/progressmeter.c.progressmeter openssh-6.6p1/progressmeter.c
+--- openssh-6.6p1/progressmeter.c.progressmeter	2015-07-28 14:22:08.768278064 +0200
++++ openssh-6.6p1/progressmeter.c	2015-07-28 14:23:51.464143827 +0200
+@@ -66,6 +66,7 @@ static void update_progress_meter(int);
+ static time_t start;		/* start progress */
+ static time_t last_update;	/* last progress update */
+ static char *file;		/* name of the file being transferred */
++static size_t file_len = 0;	/* allocated length of file */
+ static off_t start_pos;		/* initial position of transfer */
+ static off_t end_pos;		/* ending position of transfer */
+ static off_t cur_pos;		/* transfer position as of last refresh */
+@@ -251,7 +252,11 @@ void
+ start_progress_meter(char *f, off_t filesize, off_t *ctr)
+ {
+ 	start = last_update = monotime();
+-	file = f;
++	if (strlen(f) > file_len) {
++		file_len = strlen(f);
++		file = realloc(file, file_len * 4 + 1);
++	}
++	sanitize_utf8(file, f, file_len);
+ 	start_pos = *ctr;
+ 	end_pos = filesize;
+ 	cur_pos = 0;

openssh-6.6p1-security-7.0.patch

@@ -0,0 +1,44 @@
+diff --git a/monitor.c b/monitor.c
+index b410965..f1b873d 100644
+--- a/monitor.c
++++ b/monitor.c
+@@ -1084,9 +1084,7 @@ extern KbdintDevice sshpam_device;
+ int
+ mm_answer_pam_init_ctx(int sock, Buffer *m)
+ {
+-
+ 	debug3("%s", __func__);
+-	authctxt->user = buffer_get_string(m, NULL);
+ 	sshpam_ctxt = (sshpam_device.init_ctx)(authctxt);
+ 	sshpam_authok = NULL;
+ 	buffer_clear(m);
+@@ -1166,14 +1166,16 @@ mm_answer_pam_respond(int sock, Buffer *m)
+ int
+ mm_answer_pam_free_ctx(int sock, Buffer *m)
+ {
++	int r = sshpam_authok != NULL && sshpam_authok == sshpam_ctxt;
+ 
+ 	debug3("%s", __func__);
+ 	(sshpam_device.free_ctx)(sshpam_ctxt);
++	sshpam_ctxt = sshpam_authok = NULL;
+ 	buffer_clear(m);
+ 	mm_request_send(sock, MONITOR_ANS_PAM_FREE_CTX, m);
+ 	auth_method = "keyboard-interactive";
+ 	auth_submethod = "pam";
+-	return (sshpam_authok == sshpam_ctxt);
++	return r;
+ }
+ #endif
+ 
+diff --git a/monitor_wrap.c b/monitor_wrap.c
+index e6217b3..eac421b 100644
+--- a/monitor_wrap.c
++++ b/monitor_wrap.c
+@@ -614,7 +614,6 @@ mm_sshpam_init_ctx(Authctxt *authctxt)
+ 
+ 	debug3("%s", __func__);
+ 	buffer_init(&m);
+-	buffer_put_cstring(&m, authctxt->user);
+ 	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_INIT_CTX, &m);
+ 	debug3("%s: waiting for MONITOR_ANS_PAM_INIT_CTX", __func__);
+ 	mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_PAM_INIT_CTX, &m);

openssh-6.6p1-security-from-6.9.patch

@@ -0,0 +1,214 @@
+diff -up openssh-6.6p1/channels.c.security openssh-6.6p1/channels.c
+--- openssh-6.6p1/channels.c.security	2015-07-01 19:27:08.521162690 +0200
++++ openssh-6.6p1/channels.c	2015-07-01 19:27:08.597162521 +0200
+@@ -151,6 +151,9 @@ static char *x11_saved_proto = NULL;
+ static char *x11_saved_data = NULL;
+ static u_int x11_saved_data_len = 0;
+ 
++/* Deadline after which all X11 connections are refused */
++static u_int x11_refuse_time;
++
+ /*
+  * Fake X11 authentication data.  This is what the server will be sending us;
+  * we should replace any occurrences of this by the real data.
+@@ -894,6 +897,13 @@ x11_open_helper(Buffer *b)
+ 	u_char *ucp;
+ 	u_int proto_len, data_len;
+ 
++	/* Is this being called after the refusal deadline? */
++	if (x11_refuse_time != 0 && (u_int)monotime() >= x11_refuse_time) {
++		verbose("Rejected X11 connection after ForwardX11Timeout "
++		    "expired");
++		return -1;
++	}
++
+ 	/* Check if the fixed size part of the packet is in buffer. */
+ 	if (buffer_len(b) < 12)
+ 		return 0;
+@@ -1457,6 +1467,12 @@ channel_set_reuseaddr(int fd)
+ 		error("setsockopt SO_REUSEADDR fd %d: %s", fd, strerror(errno));
+ }
+ 
++void
++channel_set_x11_refuse_time(u_int refuse_time)
++{
++	x11_refuse_time = refuse_time;
++}
++
+ /*
+  * This socket is listening for connections to a forwarded TCP/IP port.
+  */
+diff -up openssh-6.6p1/channels.h.security openssh-6.6p1/channels.h
+--- openssh-6.6p1/channels.h.security	2015-07-01 19:27:08.597162521 +0200
++++ openssh-6.6p1/channels.h	2015-07-01 19:43:32.900950560 +0200
+@@ -279,6 +279,7 @@ int	 permitopen_port(const char *);
+ 
+ /* x11 forwarding */
+ 
++void	 channel_set_x11_refuse_time(u_int);
+ int	 x11_connect_display(void);
+ int	 x11_create_display_inet(int, int, int, u_int *, int **);
+ void     x11_input_open(int, u_int32_t, void *);
+diff -up openssh-6.6p1/clientloop.c.security openssh-6.6p1/clientloop.c
+--- openssh-6.6p1/clientloop.c.security	2015-07-01 19:27:08.540162648 +0200
++++ openssh-6.6p1/clientloop.c	2015-07-01 19:44:51.139761508 +0200
+@@ -164,7 +164,7 @@ static int connection_in;	/* Connection
+ static int connection_out;	/* Connection to server (output). */
+ static int need_rekeying;	/* Set to non-zero if rekeying is requested. */
+ static int session_closed;	/* In SSH2: login session closed. */
+-static int x11_refuse_time;	/* If >0, refuse x11 opens after this time. */
++static u_int x11_refuse_time;	/* If >0, refuse x11 opens after this time. */
+ 
+ static void client_init_dispatch(void);
+ int	session_ident = -1;
+@@ -302,7 +302,8 @@ client_x11_display_valid(const char *dis
+ 	return 1;
+ }
+ 
+-#define SSH_X11_PROTO "MIT-MAGIC-COOKIE-1"
++#define SSH_X11_PROTO		"MIT-MAGIC-COOKIE-1"
++#define X11_TIMEOUT_SLACK	60
+ void
+ client_x11_get_proto(const char *display, const char *xauth_path,
+     u_int trusted, u_int timeout, char **_proto, char **_data)
+@@ -315,7 +316,7 @@ client_x11_get_proto(const char *display
+ 	int got_data = 0, generated = 0, do_unlink = 0, i;
+ 	char *xauthdir, *xauthfile;
+ 	struct stat st;
+-	u_int now;
++	u_int now, x11_timeout_real;
+ 
+ 	xauthdir = xauthfile = NULL;
+ 	*_proto = proto;
+@@ -348,6 +349,15 @@ client_x11_get_proto(const char *display
+ 			xauthdir = xmalloc(MAXPATHLEN);
+ 			xauthfile = xmalloc(MAXPATHLEN);
+ 			mktemp_proto(xauthdir, MAXPATHLEN);
++			/*
++			 * The authentication cookie should briefly outlive
++			 * ssh's willingness to forward X11 connections to
++			 * avoid nasty fail-open behaviour in the X server.
++			 */
++			if (timeout >= UINT_MAX - X11_TIMEOUT_SLACK)
++				x11_timeout_real = UINT_MAX;
++			else
++				x11_timeout_real = timeout + X11_TIMEOUT_SLACK;
+ 			if (mkdtemp(xauthdir) != NULL) {
+ 				do_unlink = 1;
+ 				snprintf(xauthfile, MAXPATHLEN, "%s/xauthfile",
+@@ -355,17 +365,20 @@ client_x11_get_proto(const char *display
+ 				snprintf(cmd, sizeof(cmd),
+ 				    "%s -f %s generate %s " SSH_X11_PROTO
+ 				    " untrusted timeout %u 2>" _PATH_DEVNULL,
+-				    xauth_path, xauthfile, display, timeout);
++				    xauth_path, xauthfile, display,
++				    x11_timeout_real);
+ 				debug2("x11_get_proto: %s", cmd);
+-				if (system(cmd) == 0)
+-					generated = 1;
+ 				if (x11_refuse_time == 0) {
+ 					now = monotime() + 1;
+ 					if (UINT_MAX - timeout < now)
+ 						x11_refuse_time = UINT_MAX;
+ 					else
+ 						x11_refuse_time = now + timeout;
++					channel_set_x11_refuse_time(
++					    x11_refuse_time);
+ 				}
++				if (system(cmd) == 0)
++					generated = 1;
+ 			}
+ 		}
+ 
+@@ -1884,7 +1897,7 @@ client_request_x11(const char *request_t
+ 		    "malicious server.");
+ 		return NULL;
+ 	}
+-	if (x11_refuse_time != 0 && monotime() >= x11_refuse_time) {
++	if (x11_refuse_time != 0 && (u_int)monotime() >= x11_refuse_time) {
+ 		verbose("Rejected X11 connection after ForwardX11Timeout "
+ 		    "expired");
+ 		return NULL;
+diff -up openssh-6.6p1/ssh-agent.c.security openssh-6.6p1/ssh-agent.c
+--- openssh-6.6p1/ssh-agent.c.security	2015-07-01 19:27:08.597162521 +0200
++++ openssh-6.6p1/ssh-agent.c	2015-07-01 19:42:35.691088800 +0200
+@@ -64,6 +64,9 @@
+ #include <time.h>
+ #include <string.h>
+ #include <unistd.h>
++#ifdef HAVE_UTIL_H
++#include <util.h>
++#endif
+ 
+ #include "xmalloc.h"
+ #include "ssh.h"
+@@ -129,8 +130,12 @@ char socket_name[MAXPATHLEN];
+ char socket_dir[MAXPATHLEN];
+ 
+ /* locking */
++#define LOCK_SIZE	32
++#define LOCK_SALT_SIZE	16
++#define LOCK_ROUNDS	1
+ int locked = 0;
+-char *lock_passwd = NULL;
++char lock_passwd[LOCK_SIZE];
++char lock_salt[LOCK_SALT_SIZE];
+ 
+ extern char *__progname;
+ 
+@@ -548,22 +553,45 @@ send:
+ static void
+ process_lock_agent(SocketEntry *e, int lock)
+ {
+-	int success = 0;
+-	char *passwd;
++	int success = 0, delay;
++	char *passwd, passwdhash[LOCK_SIZE];
++	static u_int fail_count = 0;
++	size_t pwlen;
+ 
+ 	passwd = buffer_get_string(&e->request, NULL);
+-	if (locked && !lock && strcmp(passwd, lock_passwd) == 0) {
+-		locked = 0;
+-		explicit_bzero(lock_passwd, strlen(lock_passwd));
+-		free(lock_passwd);
+-		lock_passwd = NULL;
+-		success = 1;
++	pwlen = strlen(passwd);
++	if (pwlen == 0) {
++		debug("empty password not supported");
++	} else if (locked && !lock) {
++		if (bcrypt_pbkdf(passwd, pwlen, lock_salt, sizeof(lock_salt),
++		    passwdhash, sizeof(passwdhash), LOCK_ROUNDS) < 0)
++			fatal("bcrypt_pbkdf");
++		if (timingsafe_bcmp(passwdhash, lock_passwd, LOCK_SIZE) == 0) {
++			debug("agent unlocked");
++			locked = 0;
++			fail_count = 0;
++			explicit_bzero(lock_passwd, sizeof(lock_passwd));
++			success = 1;
++		} else {
++			/* delay in 0.1s increments up to 10s */
++			if (fail_count < 100)
++				fail_count++;
++			delay = 100000 * fail_count;
++			debug("unlock failed, delaying %0.1lf seconds",
++			    (double)delay/1000000);
++			usleep(delay);
++		}
++		explicit_bzero(passwdhash, sizeof(passwdhash));
+ 	} else if (!locked && lock) {
++		debug("agent locked");
+ 		locked = 1;
+-		lock_passwd = xstrdup(passwd);
++		arc4random_buf(lock_salt, sizeof(lock_salt));
++		if (bcrypt_pbkdf(passwd, pwlen, lock_salt, sizeof(lock_salt),
++		    lock_passwd, sizeof(lock_passwd), LOCK_ROUNDS) < 0)
++			fatal("bcrypt_pbkdf");
+ 		success = 1;
+ 	}
+-	explicit_bzero(passwd, strlen(passwd));
++	explicit_bzero(passwd, pwlen);
+ 	free(passwd);
+ 
+ 	buffer_put_int(&e->output, 1);

openssh-6.7p1-fix-ssh-copy-id-on-non-sh-shell.patch

@@ -0,0 +1,15 @@
+diff --git a/contrib/ssh-copy-id b/contrib/ssh-copy-id
+index 8e1091c..4bba5d6 100644
+--- a/contrib/ssh-copy-id
++++ b/contrib/ssh-copy-id
+@@ -274,9 +274,7 @@ case "$REMOTE_VERSION" in
+       populate_new_ids 0
+     fi
+     [ "$DRY_RUN" ] || printf '%s\n' "$NEW_IDS" | ssh "$@" "
+-		umask 077 ;
++		exec sh -c 'umask 077; mkdir -p .ssh && cat >> .ssh/authorized_keys || exit 1; if type restorecon >/dev/null 2>&1; then restorecon -F .ssh .ssh/authorized_keys; fi'" \
+-		mkdir -p .ssh && cat >> .ssh/authorized_keys || exit 1 ;
+-		if type restorecon >/dev/null 2>&1 ; then restorecon -F .ssh .ssh/authorized_keys ; fi" \
+       || exit 1
+     ADDED=$(printf '%s\n' "$NEW_IDS" | wc -l)
+     ;;

openssh-6.7p1-ssh-copy-id-truncated-keys.patch

@@ -0,0 +1,13 @@
+diff --git a/contrib/ssh-copy-id b/contrib/ssh-copy-id
+index 4bba5d6..ed1208e 100644
+--- a/contrib/ssh-copy-id
++++ b/contrib/ssh-copy-id
+@@ -207,7 +207,7 @@ populate_new_ids() {
+   printf '%s: INFO: attempting to log in with the new key(s), to filter out any that are already installed\n' "$0" >&2
+   NEW_IDS=$(
+     eval $GET_ID | {
+-      while read ID ; do
++      while read ID || [[ -n $ID ]]; do
+         printf '%s\n' "$ID" > $L_TMP_ID_FILE
+ 
+         # the next line assumes $PRIV_ID_FILE only set if using a single id file - this

openssh.spec

@@ -64,7 +64,7 @@
 
 # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
 %define openssh_ver 6.6.1p1
-%define openssh_rel 11.1
+%define openssh_rel 16
 %define pam_ssh_agent_ver 0.9.3
 %define pam_ssh_agent_rel 3
 
@@ -88,6 +88,7 @@ Source10: sshd.socket
 Source11: sshd.service
 Source12: sshd-keygen.service
 Source13: sshd-keygen
+Source14: sshd.tmpfiles
 
 # Internal debug
 Patch0: openssh-5.9p1-wIm.patch
@@ -153,8 +154,6 @@ Patch703: openssh-4.3p2-askpass-grab-info.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=205842
 # drop? Patch704: openssh-5.9p1-edns.patch
 #?
-Patch705: openssh-5.1p1-scp-manpage.patch
-#?
 Patch706: openssh-6.6.1p1-localdomain.patch
 #https://bugzilla.mindrot.org/show_bug.cgi?id=1635 (WONTFIX)
 Patch707: openssh-6.6p1-redhat.patch
@@ -223,6 +222,22 @@ Patch918: openssh-6.6.1p1-log-in-chroot.patch
 Patch919: openssh-6.6.1p1-scp-non-existing-directory.patch
 # Config parser shouldn't accept ip/port syntax (#1130733)
 Patch920: openssh-6.6.1p1-ip-port-config-parser.patch
+# fix ssh-copy-id on non-sh shells (#1045191)
+Patch921: openssh-6.7p1-fix-ssh-copy-id-on-non-sh-shell.patch
+# Solve issue with ssh-copy-id and keys without trailing newline (#1093168)
+Patch922: openssh-6.7p1-ssh-copy-id-truncated-keys.patch
+# Security fixes backported from openssh-6.9
+# XSECURITY restrictions bypass under certain conditions in ssh(1) (#1238231)
+# weakness of agent locking (ssh-add -x) to password guessing (#1238238)
+Patch923: openssh-6.6p1-security-from-6.9.patch
+# authentication limits (MaxAuthTries) bypass [security] (#1245971)
+Patch924: openssh-6.6p1-authentication-limits-bypass.patch
+# Handle terminal control characters in scp progressmeter (#1247204)
+Patch925: openssh-6.6p1-scp-progressmeter.patch
+# Vulnerabilities published with openssh-7.0:
+#  Privilege separation weakness related to PAM support (#1252844)
+#  Use-after-free bug related to PAM support (#1252852)
+Patch926: openssh-6.6p1-security-7.0.patch
 
 License: BSD
 Group: Applications/Internet
@@ -405,7 +420,6 @@ popd
 %patch703 -p1 -b .grab-info
 # investigate - https://bugzilla.redhat.com/show_bug.cgi?id=205842
 # probably not needed anymore %patch704 -p1 -b .edns
-# drop it %patch705 -p1 -b .manpage
 %patch706 -p1 -b .localdomain
 %patch707 -p1 -b .redhat
 %patch708 -p1 -b .entropy
@@ -437,6 +451,12 @@ popd
 %patch919 -p1 -b .scp
 %patch920 -p1 -b .config
 %patch802 -p1 -b .GSSAPIEnablek5users
+%patch921 -p1 -b .ssh-copy-id
+%patch922 -p1 -b .newline
+%patch923 -p1 -b .security
+%patch924 -p1 -b .kbd
+%patch925 -p1 -b .progressmeter
+%patch926 -p1 -b .security7
 
 %patch200 -p1 -b .audit
 %patch201 -p1 -b .audit-fps
@@ -601,6 +621,7 @@ install -m644 %{SOURCE11} $RPM_BUILD_ROOT/%{_unitdir}/sshd.service
 install -m644 %{SOURCE12} $RPM_BUILD_ROOT/%{_unitdir}/sshd-keygen.service
 install -m755 contrib/ssh-copy-id $RPM_BUILD_ROOT%{_bindir}/
 install contrib/ssh-copy-id.1 $RPM_BUILD_ROOT%{_mandir}/man1/
+install -m644 -D %{SOURCE14} $RPM_BUILD_ROOT%{_tmpfilesdir}/%{name}.conf
 
 %if ! %{no_gnome_askpass}
 install contrib/gnome-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/gnome-ssh-askpass
@@ -715,6 +736,7 @@ getent passwd sshd >/dev/null || \
 %attr(0644,root,root) %{_unitdir}/sshd@.service
 %attr(0644,root,root) %{_unitdir}/sshd.socket
 %attr(0644,root,root) %{_unitdir}/sshd-keygen.service
+%attr(0644,root,root) %{_tmpfilesdir}/openssh.conf
 %endif
 
 %if %{ldap}
@@ -751,6 +773,31 @@ getent passwd sshd >/dev/null || \
 %endif
 
 %changelog
+* Fri Aug 14 2015 Jakub Jelen <jjelen@redhat.com> 6.6.1p1-16 + 0.9.3-3
+- Fix vulnerabilities published with openssh-7.0:
+ - Privilege separation weakness related to PAM support (#1252844)
+ - Use-after-free bug related to PAM support (#1252852)
+
+* Tue Jul 28 2015 Jakub Jelen <jjelen@redhat.com> 6.6.1p1-15 + 0.9.3-3
+- Handle terminal control characters in scp progressmeter (#1247204)
+
+* Thu Jul 23 2015 Jakub Jelen <jjelen@redhat.com> 6.6.1p1-14 + 0.9.3-3
+- CVE-2015-5600: only query each keyboard-interactive device once (#1245971)
+
+* Wed Jul 01 2015 Jakub Jelen <jjelen@redhat.com> 6.6.1p1-13 + 0.9.3.3
+- Security fixes released with openssh-6.9
+ - XSECURITY restrictions bypass under certain conditions in ssh(1) (#1238231)
+ - weakness of agent locking (ssh-add -x) to password guessing (#1238238)
+- ssh-copy-id: tcsh doesnt work with multiline strings so we will make it uggly one-line
+- Fix auditing when using combination of ForceCommand and PTY (#1203900)
+- fix direction in CRYPTO_SESSION audit message
+
+* Mon Mar 30 2015 Jakub Jelen <jjelen@redhat.com> 6.6.1p1-12 + 0.9.3-3
+- Fix ssh-copy-id on non-sh shells (#1045191)
+- Add tmpfiles.d entris (#1196807)
+- Solve issue with ssh-copy-id and keys without trailing newline (#1093168)
+- Remove unused patch
+
 * Thu Jan 15 2015 Jakub Jelen <jjelen@redhat.com> 6.6.1p1-11.1 + 0.9.3-3
 - error message if scp when directory doesn't exist (#1142223)
 - parsing configuration file values (#1130733)

sshd.tmpfiles

@@ -0,0 +1 @@
+d /var/empty/sshd 711 root root -