import openssh-8.7p1-4.el9

.gitignore

@@ -1,3 +1,3 @@
 SOURCES/gpgkey-736060BA.gpg
-SOURCES/openssh-8.6p1.tar.gz
+SOURCES/openssh-8.7p1.tar.gz
 SOURCES/pam_ssh_agent_auth-0.10.4.tar.gz

.openssh.metadata

@@ -1,3 +1,3 @@
 dbb35b4e9ae3f72b930a82c6fd5e83e9dcd7b193 SOURCES/gpgkey-736060BA.gpg
-8f9f0c94317baeb97747d6258f3997b4542762c0 SOURCES/openssh-8.6p1.tar.gz
+8719032c1e47732c8fdb14adfb24b5e9e71de802 SOURCES/openssh-8.7p1.tar.gz
 66dd8274346fd006ff40f525c082cfb701085b5f SOURCES/pam_ssh_agent_auth-0.10.4.tar.gz

SOURCES/openssh-6.6p1-GSSAPIEnablek5users.patch

@@ -28,7 +28,7 @@ diff -up openssh-7.4p1/servconf.c.GSSAPIEnablek5users openssh-7.4p1/servconf.c
 +	options->enable_k5users = -1;
  	options->password_authentication = -1;
  	options->kbd_interactive_authentication = -1;
- 	options->challenge_response_authentication = -1;
+	options->permit_empty_passwd = -1;
 @@ -345,6 +346,8 @@ fill_default_server_options(ServerOption
  #endif
  	if (options->use_kuserok == -1)
@@ -72,9 +72,9 @@ diff -up openssh-7.4p1/servconf.c.GSSAPIEnablek5users openssh-7.4p1/servconf.c
 +		intptr = &options->enable_k5users;
 +		goto parse_flag;
 +
- 	case sPermitListen:
+	case sMatch:
- 	case sPermitOpen:
+		if (cmdline)
- 		if (opcode == sPermitListen) {
+			fatal("Match directive not supported as a command-line "
 @@ -2026,6 +2035,7 @@ copy_set_server_options(ServerOptions *d
  	M_CP_INTOPT(ip_qos_interactive);
  	M_CP_INTOPT(ip_qos_bulk);

SOURCES/openssh-6.6p1-kuserok.patch

@@ -182,7 +182,7 @@ diff -up openssh-7.4p1/servconf.c.kuserok openssh-7.4p1/servconf.c
 +	options->use_kuserok = -1;
  	options->password_authentication = -1;
  	options->kbd_interactive_authentication = -1;
- 	options->challenge_response_authentication = -1;
+	options->permit_empty_passwd = -1;
 @@ -278,6 +279,8 @@ fill_default_server_options(ServerOption
  	if (options->gss_kex_algorithms == NULL)
  		options->gss_kex_algorithms = strdup(GSS_KEX_DEFAULT_KEX);
@@ -193,9 +193,9 @@ diff -up openssh-7.4p1/servconf.c.kuserok openssh-7.4p1/servconf.c
  		options->password_authentication = 1;
  	if (options->kbd_interactive_authentication == -1)
 @@ -399,7 +402,7 @@ typedef enum {
- 	sPermitRootLogin, sLogFacility, sLogLevel, sLogVerbose,
+	sPort, sHostKeyFile, sLoginGraceTime,
- 	sRhostsRSAAuthentication, sRSAAuthentication,
+	sPermitRootLogin, sLogFacility, sLogLevel, sLogVerbose,
- 	sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
+	sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
 -	sKerberosGetAFSToken, sKerberosUniqueCCache,
 +	sKerberosGetAFSToken, sKerberosUniqueCCache, sKerberosUseKuserok,
  	sChallengeResponseAuthentication,
@@ -217,16 +217,16 @@ diff -up openssh-7.4p1/servconf.c.kuserok openssh-7.4p1/servconf.c
  	{ "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL },
  	{ "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
 @@ -1644,6 +1649,10 @@ process_server_config_line(ServerOptions
- 		*inc_flags &= ~SSHCFG_MATCH_ONLY;
+		}
- 		break;
+		break;
- 
+
 +	case sKerberosUseKuserok:
 +		intptr = &options->use_kuserok;
 +		goto parse_flag;
 +
- 	case sPermitListen:
+	case sMatch:
- 	case sPermitOpen:
+		if (cmdline)
- 		if (opcode == sPermitListen) {
+			fatal("Match directive not supported as a command-line "
 @@ -2016,6 +2025,7 @@ copy_set_server_options(ServerOptions *d
  	M_CP_INTOPT(client_alive_interval);
  	M_CP_INTOPT(ip_qos_interactive);

SOURCES/openssh-6.7p1-coverity.patch

@@ -54,18 +54,6 @@ diff -up openssh-8.5p1/auth-krb5.c.coverity openssh-8.5p1/auth-krb5.c
 diff -up openssh-8.5p1/auth-options.c.coverity openssh-8.5p1/auth-options.c
 --- openssh-8.5p1/auth-options.c.coverity	2021-03-02 11:31:47.000000000 +0100
 +++ openssh-8.5p1/auth-options.c	2021-03-24 12:03:33.782968159 +0100
-@@ -409,8 +409,10 @@ sshauthopt_parse(const char *opts, const
- 				errstr = "invalid environment string";
- 				goto fail;
- 			}
--			if ((cp = strdup(opt)) == NULL)
-+			if ((cp = strdup(opt)) == NULL) {
-+				free(opt);
- 				goto alloc_fail;
-+			}
- 			cp[tmp - opt] = '\0'; /* truncate at '=' */
- 			if (!valid_env_name(cp)) {
- 				free(cp);
 @@ -706,6 +708,7 @@ serialise_array(struct sshbuf *m, char *
  		return r;
  	}
@@ -133,13 +121,13 @@ diff -up openssh-8.5p1/dns.c.coverity openssh-8.5p1/dns.c
 --- openssh-8.5p1/dns.c.coverity	2021-03-02 11:31:47.000000000 +0100
 +++ openssh-8.5p1/dns.c	2021-03-24 12:03:33.783968166 +0100
 @@ -282,6 +282,7 @@ verify_host_key_dns(const char *hostname
- 			    &hostkey_digest_len, hostkey)) {
+		    &hostkey_digest, &hostkey_digest_len, hostkey)) {
- 				error("Error calculating key fingerprint.");
+			error("Error calculating key fingerprint.");
- 				freerrset(fingerprints);
+			freerrset(fingerprints);
 +				free(dnskey_digest);
- 				return -1;
+			return -1;
- 			}
+		}
- 		}
+
 diff -up openssh-8.5p1/gss-genr.c.coverity openssh-8.5p1/gss-genr.c
 --- openssh-8.5p1/gss-genr.c.coverity	2021-03-26 11:52:46.613942552 +0100
 +++ openssh-8.5p1/gss-genr.c	2021-03-26 11:54:37.881726318 +0100
@@ -301,6 +289,36 @@ diff -up openssh-7.4p1/openbsd-compat/bindresvport.c.coverity openssh-7.4p1/open
  	int i;
  
  	if (sa == NULL) {
+diff -up openssh-8.7p1/openbsd-compat/bsd-pselect.c.coverity openssh-8.7p1/openbsd-compat/bsd-pselect.c
+--- openssh-8.7p1/openbsd-compat/bsd-pselect.c.coverity	2021-08-30 16:36:11.357288009 +0200
++++ openssh-8.7p1/openbsd-compat/bsd-pselect.c	2021-08-30 16:37:21.791897976 +0200
+@@ -113,13 +113,13 @@ pselect_notify_setup(void)
+ static void
+ pselect_notify_parent(void)
+ {
+-	if (notify_pipe[1] != -1)
++	if (notify_pipe[1] >= 0)
+ 		(void)write(notify_pipe[1], "", 1);
+ }
+ static void
+ pselect_notify_prepare(fd_set *readset)
+ {
+-	if (notify_pipe[0] != -1)
++	if (notify_pipe[0] >= 0)
+ 		FD_SET(notify_pipe[0], readset);
+ }
+ static void
+@@ -127,8 +127,8 @@ pselect_notify_done(fd_set *readset)
+ {
+ 	char c;
+ 
+-	if (notify_pipe[0] != -1 && FD_ISSET(notify_pipe[0], readset)) {
+-		while (read(notify_pipe[0], &c, 1) != -1)
++	if (notify_pipe[0] >= 0 && FD_ISSET(notify_pipe[0], readset)) {
++		while (read(notify_pipe[0], &c, 1) >= 0)
+ 			debug2_f("reading");
+ 		FD_CLR(notify_pipe[0], readset);
+ 	}
 diff -up openssh-8.5p1/readconf.c.coverity openssh-8.5p1/readconf.c
 --- openssh-8.5p1/readconf.c.coverity	2021-03-24 12:03:33.778968131 +0100
 +++ openssh-8.5p1/readconf.c	2021-03-24 12:03:33.785968180 +0100
@@ -309,33 +327,29 @@ diff -up openssh-8.5p1/readconf.c.coverity openssh-8.5p1/readconf.c
  				error("%.200s line %d: glob failed for %s.",
  				    filename, linenum, arg2);
 +				free(arg2);
- 				return -1;
+ 				goto out;
  			}
  			free(arg2);
-diff -up openssh-7.4p1/scp.c.coverity openssh-7.4p1/scp.c
+diff -up openssh-8.7p1/scp.c.coverity openssh-8.7p1/scp.c
---- openssh-7.4p1/scp.c.coverity	2016-12-23 16:40:26.856788681 +0100
+--- openssh-8.7p1/scp.c.coverity	2021-08-30 16:23:35.389741329 +0200
-+++ openssh-7.4p1/scp.c	2016-12-23 16:40:26.901788691 +0100
++++ openssh-8.7p1/scp.c	2021-08-30 16:27:04.854555296 +0200
-@@ -157,7 +157,7 @@ killchild(int signo)
+@@ -186,11 +186,11 @@ killchild(int signo)
  {
  	if (do_cmd_pid > 1) {
  		kill(do_cmd_pid, signo ? signo : SIGTERM);
 -		waitpid(do_cmd_pid, NULL, 0);
 +		(void) waitpid(do_cmd_pid, NULL, 0);
  	}
+ 	if (do_cmd_pid2 > 1) {
+ 		kill(do_cmd_pid2, signo ? signo : SIGTERM);
+-		waitpid(do_cmd_pid2, NULL, 0);
++		(void) waitpid(do_cmd_pid2, NULL, 0);
+ 	}
  
  	if (signo)
 diff -up openssh-7.4p1/servconf.c.coverity openssh-7.4p1/servconf.c
 --- openssh-7.4p1/servconf.c.coverity	2016-12-23 16:40:26.896788690 +0100
 +++ openssh-7.4p1/servconf.c	2016-12-23 16:40:26.901788691 +0100
-@@ -1547,7 +1547,7 @@ process_server_config_line(ServerOptions
- 			fatal("%s line %d: Missing subsystem name.",
- 			    filename, linenum);
- 		if (!*activep) {
--			arg = strdelim(&cp);
-+			/*arg =*/ (void) strdelim(&cp);
- 			break;
- 		}
- 		for (i = 0; i < options->num_subsystems; i++)
 @@ -1638,8 +1638,9 @@ process_server_config_line(ServerOptions
  		if (*activep && *charptr == NULL) {
  			*charptr = tilde_expand_filename(arg, getuid());
@@ -348,37 +362,10 @@ diff -up openssh-7.4p1/servconf.c.coverity openssh-7.4p1/servconf.c
  		}
  		break;
  
-diff -up openssh-7.4p1/serverloop.c.coverity openssh-7.4p1/serverloop.c
+diff -up openssh-8.7p1/serverloop.c.coverity openssh-8.7p1/serverloop.c
---- openssh-7.4p1/serverloop.c.coverity	2016-12-19 05:59:41.000000000 +0100
+--- openssh-8.7p1/serverloop.c.coverity	2021-08-20 06:03:49.000000000 +0200
-+++ openssh-7.4p1/serverloop.c	2016-12-23 16:40:26.902788691 +0100
++++ openssh-8.7p1/serverloop.c	2021-08-30 16:28:22.416226981 +0200
-@@ -125,13 +125,13 @@ notify_setup(void)
+@@ -547,7 +547,7 @@ server_request_tun(struct ssh *ssh)
- static void
- notify_parent(void)
- {
--	if (notify_pipe[1] != -1)
-+	if (notify_pipe[1] >= 0)
- 		(void)write(notify_pipe[1], "", 1);
- }
- static void
- notify_prepare(fd_set *readset)
- {
--	if (notify_pipe[0] != -1)
-+	if (notify_pipe[0] >= 0)
- 		FD_SET(notify_pipe[0], readset);
- }
- static void
-@@ -139,8 +139,8 @@ notify_done(fd_set *readset)
- {
- 	char c;
- 
--	if (notify_pipe[0] != -1 && FD_ISSET(notify_pipe[0], readset))
--		while (read(notify_pipe[0], &c, 1) != -1)
-+	if (notify_pipe[0] >= 0 && FD_ISSET(notify_pipe[0], readset))
-+		while (read(notify_pipe[0], &c, 1) >= 0)
- 			debug2_f("reading");
- }
- 
-@@ -518,7 +518,7 @@ server_request_tun(void)
  		debug_f("invalid tun");
  		goto done;
  	}
@@ -434,6 +421,30 @@ diff -up openssh-7.4p1/sftp.c.coverity openssh-7.4p1/sftp.c
  				continue;
  			}
  			lname = ls_file(fname, g.gl_statv[i], 1,
+diff --git a/sftp-client.c b/sftp-client.c
+index 9de9afa20f..ea98d9f8d0 100644
+--- a/sftp-client.c
++++ b/sftp-client.c
+@@ -2195,6 +2195,7 @@ handle_dest_replies(struct sftp_conn *to, const char *to_path, int synchronous,
+ 		(*nreqsp)--;
+ 	}
+ 	debug3_f("done: %u outstanding replies", *nreqsp);
++	sshbuf_free(msg);
+ }
+ 
+ int
+diff --git a/sftp-server.c b/sftp-server.c
+index 18d1949112..6380c4dd23 100644
+--- a/sftp-server.c
++++ b/sftp-server.c
+@@ -1553,6 +1553,7 @@ process_extended_expand(u_int32_t id)
+ 			npath = xstrdup(path + 2);
+ 			free(path);
+ 			xasprintf(&path, "%s/%s", cwd, npath);
++			free(npath);
+ 		} else {
+ 			/* ~user expansions */
+ 			if (tilde_expand(path, pw->pw_uid, &npath) != 0) {
 diff -up openssh-8.5p1/sk-usbhid.c.coverity openssh-8.5p1/sk-usbhid.c
 --- openssh-8.5p1/sk-usbhid.c.coverity	2021-03-02 11:31:47.000000000 +0100
 +++ openssh-8.5p1/sk-usbhid.c	2021-03-24 12:03:33.786968187 +0100

SOURCES/openssh-7.6p1-audit.patch

@@ -807,15 +807,6 @@ diff -up openssh-8.6p1/auth2-pubkey.c.audit openssh-8.6p1/auth2-pubkey.c
 diff -up openssh-8.6p1/auth.c.audit openssh-8.6p1/auth.c
 --- openssh-8.6p1/auth.c.audit	2021-05-06 12:05:27.304463967 +0200
 +++ openssh-8.6p1/auth.c	2021-05-06 12:05:27.378464540 +0200
-@@ -367,7 +367,7 @@ auth_log(struct ssh *ssh, int authentica
- # endif
- #endif
- #ifdef SSH_AUDIT_EVENTS
--	if (authenticated == 0 && !authctxt->postponed)
-+	if (authenticated == 0 && !authctxt->postponed && !partial)
- 		audit_event(ssh, audit_classify_auth(method));
- #endif
- }
 @@ -597,9 +597,6 @@ getpwnamallow(struct ssh *ssh, const cha
  		record_failed_login(ssh, user,
  		    auth_get_canonical_hostname(ssh, options.use_dns), "ssh");
@@ -1204,9 +1195,9 @@ diff -up openssh-8.6p1/monitor.c.audit openssh-8.6p1/monitor.c
  
 -	ret = sshkey_verify(key, signature, signaturelen, data, datalen,
 -	    sigalg, ssh->compat, &sig_details);
- 	debug3_f("%s %p signature %s%s%s", auth_method, key,
+	debug3_f("%s %s signature %s%s%s", auth_method, sshkey_type(key),
- 	    (ret == 0) ? "verified" : "unverified",
+	    (ret == 0) ? "verified" : "unverified",
- 	    (ret != 0) ? ": " : "", (ret != 0) ? ssh_err(ret) : "");
+	    (ret != 0) ? ": " : "", (ret != 0) ? ssh_err(ret) : "");
 @@ -1576,13 +1600,19 @@ mm_record_login(struct ssh *ssh, Session
  }
  
@@ -2065,7 +2056,7 @@ diff -up openssh-8.6p1/sshd.c.audit openssh-8.6p1/sshd.c
  close_startup_pipes(void)
  {
 @@ -377,18 +387,45 @@ grace_alarm_handler(int sig)
- 	    ssh_remote_port(the_active_state));
+ 	}
  }
  
 -/* Destroy the host and server keys.  They will no longer be needed. */

SOURCES/openssh-7.7p1-gssapi-new-unique.patch

@@ -504,15 +504,15 @@ diff -up openssh-8.6p1/servconf.c.ccache_name openssh-8.6p1/servconf.c
  		options->gss_authentication = 0;
  	if (options->gss_keyex == -1)
 @@ -506,7 +509,8 @@ typedef enum {
- 	sPermitRootLogin, sLogFacility, sLogLevel, sLogVerbose,
+	sPort, sHostKeyFile, sLoginGraceTime,
- 	sRhostsRSAAuthentication, sRSAAuthentication,
+	sPermitRootLogin, sLogFacility, sLogLevel, sLogVerbose,
- 	sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
+	sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
 -	sKerberosGetAFSToken, sChallengeResponseAuthentication,
 +	sKerberosGetAFSToken, sKerberosUniqueCCache,
 +	sChallengeResponseAuthentication,
- 	sPasswordAuthentication, sKbdInteractiveAuthentication,
+	sPasswordAuthentication, sKbdInteractiveAuthentication,
- 	sListenAddress, sAddressFamily,
+	sListenAddress, sAddressFamily,
- 	sPrintMotd, sPrintLastLog, sIgnoreRhosts,
+	sPrintMotd, sPrintLastLog, sIgnoreRhosts,
 @@ -593,11 +597,13 @@ static struct {
  #else
  	{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },

SOURCES/openssh-7.7p1-redhat.patch

@@ -15,7 +15,7 @@ diff -up openssh/ssh_config.redhat openssh/ssh_config
 diff -up openssh/ssh_config_redhat.redhat openssh/ssh_config_redhat
 --- openssh/ssh_config_redhat.redhat	2020-02-13 18:13:39.180641839 +0100
 +++ openssh/ssh_config_redhat	2020-02-13 18:13:39.180641839 +0100
-@@ -0,0 +1,21 @@
+@@ -0,0 +1,15 @@
 +# The options here are in the "Match final block" to be applied as the last
 +# options and could be potentially overwritten by the user configuration
 +Match final all
@@ -29,12 +29,6 @@ diff -up openssh/ssh_config_redhat.redhat openssh/ssh_config_redhat
 +# mode correctly we set this to yes.
 +	ForwardX11Trusted yes
 +
-+# Send locale-related environment variables
-+	SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
-+	SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
-+	SendEnv LC_IDENTIFICATION LC_ALL LANGUAGE
-+	SendEnv XMODIFIERS
-+
 +# Uncomment this if you want to use .local domain
 +# Host *.local
 diff -up openssh/sshd_config.0.redhat openssh/sshd_config.0
@@ -86,7 +80,7 @@ diff -up openssh/sshd_config.redhat openssh/sshd_config
 diff -up openssh/sshd_config_redhat.redhat openssh/sshd_config_redhat
 --- openssh/sshd_config_redhat.redhat	2020-02-13 18:14:02.268006439 +0100
 +++ openssh/sshd_config_redhat	2020-02-13 18:19:20.765035947 +0100
-@@ -0,0 +1,28 @@
+@@ -0,0 +1,22 @@
 +# This system is following system-wide crypto policy. The changes to
 +# crypto properties (Ciphers, MACs, ...) will not have any effect in
 +# this or following included files. To override some configuration option,
@@ -109,9 +103,3 @@ diff -up openssh/sshd_config_redhat.redhat openssh/sshd_config_redhat
 +# as it is more configurable and versatile than the built-in version.
 +PrintMotd no
 +
-+# Accept locale-related environment variables
-+AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
-+AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
-+AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
-+AcceptEnv XMODIFIERS
-+

SOURCES/openssh-7.8p1-UsePAM-warning.patch

@@ -18,7 +18,7 @@ diff -up openssh-8.6p1/sshd_config.log-usepam-no openssh-8.6p1/sshd_config
 @@ -87,6 +87,8 @@ AuthorizedKeysFile	.ssh/authorized_keys
  # If you just want the PAM account and session checks to run without
  # PAM authentication, then enable this but set PasswordAuthentication
- # and ChallengeResponseAuthentication to 'no'.
+ # and KbdInteractiveAuthentication to 'no'.
 +# WARNING: 'UsePAM no' is not supported in Fedora and may cause several
 +# problems.
  #UsePAM no

SOURCES/openssh-7.8p1-role-mls.patch

@@ -337,7 +337,7 @@ diff -up openssh/openbsd-compat/Makefile.in.role-mls openssh/openbsd-compat/Make
 --- openssh/openbsd-compat/Makefile.in.role-mls	2018-08-20 07:57:29.000000000 +0200
 +++ openssh/openbsd-compat/Makefile.in	2018-08-22 11:14:56.819430949 +0200
 @@ -92,7 +92,8 @@ PORTS=	port-aix.o \
- 	port-linux.o \
+ 	port-prngd.o \
  	port-solaris.o \
  	port-net.o \
 -	port-uw.o

SOURCES/openssh-8.0p1-crypto-policies.patch

@@ -1,7 +1,7 @@
-diff -up openssh-8.6p1/ssh_config.5.crypto-policies openssh-8.6p1/ssh_config.5
+diff -up openssh-8.7p1/ssh_config.5.crypto-policies openssh-8.7p1/ssh_config.5
---- openssh-8.6p1/ssh_config.5.crypto-policies	2021-04-19 15:18:32.071920379 +0200
+--- openssh-8.7p1/ssh_config.5.crypto-policies	2021-08-30 13:29:00.174292872 +0200
-+++ openssh-8.6p1/ssh_config.5	2021-04-19 15:21:18.400179265 +0200
++++ openssh-8.7p1/ssh_config.5	2021-08-30 13:31:32.009548808 +0200
-@@ -368,15 +368,13 @@ or
+@@ -373,17 +373,13 @@ or
  .Qq *.c.example.com
  domains.
  .It Cm CASignatureAlgorithms
@@ -14,15 +14,17 @@ diff -up openssh-8.6p1/ssh_config.5.crypto-policies openssh-8.6p1/ssh_config.5
  by certificate authorities (CAs).
 -The default is:
 -.Bd -literal -offset indent
--ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
+-ssh-ed25519,ecdsa-sha2-nistp256,
--sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,
+-ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
+-sk-ssh-ed25519@openssh.com,
+-sk-ecdsa-sha2-nistp256@openssh.com,
 -rsa-sha2-512,rsa-sha2-256
 -.Ed
 -.Pp
- .Xr ssh 1
+ If the specified list begins with a
- will not accept host certificates signed using algorithms other than those
+ .Sq +
- specified.
+ character, then the specified algorithms will be appended to the default set
-@@ -436,20 +434,25 @@ If the option is set to
+@@ -445,20 +441,25 @@ If the option is set to
  (the default),
  the check will not be executed.
  .It Cm Ciphers
@@ -52,7 +54,7 @@ diff -up openssh-8.6p1/ssh_config.5.crypto-policies openssh-8.6p1/ssh_config.5
  .Pp
  The supported ciphers are:
  .Bd -literal -offset indent
-@@ -465,13 +468,6 @@ aes256-gcm@openssh.com
+@@ -474,13 +475,6 @@ aes256-gcm@openssh.com
  chacha20-poly1305@openssh.com
  .Ed
  .Pp
@@ -66,7 +68,7 @@ diff -up openssh-8.6p1/ssh_config.5.crypto-policies openssh-8.6p1/ssh_config.5
  The list of available ciphers may also be obtained using
  .Qq ssh -Q cipher .
  .It Cm ClearAllForwardings
-@@ -826,6 +822,11 @@ command line will be passed untouched to
+@@ -874,6 +868,11 @@ command line will be passed untouched to
  The default is
  .Dq no .
  .It Cm GSSAPIKexAlgorithms
@@ -78,7 +80,7 @@ diff -up openssh-8.6p1/ssh_config.5.crypto-policies openssh-8.6p1/ssh_config.5
  The list of key exchange algorithms that are offered for GSSAPI
  key exchange. Possible values are
  .Bd -literal -offset 3n
-@@ -838,10 +839,8 @@ gss-nistp256-sha256-,
+@@ -886,10 +885,8 @@ gss-nistp256-sha256-,
  gss-curve25519-sha256-
  .Ed
  .Pp
@@ -90,7 +92,7 @@ diff -up openssh-8.6p1/ssh_config.5.crypto-policies openssh-8.6p1/ssh_config.5
  .It Cm HashKnownHosts
  Indicates that
  .Xr ssh 1
-@@ -1169,29 +1168,25 @@ it may be zero or more of:
+@@ -1219,29 +1216,25 @@ it may be zero or more of:
  and
  .Cm pam .
  .It Cm KexAlgorithms
@@ -129,7 +131,7 @@ diff -up openssh-8.6p1/ssh_config.5.crypto-policies openssh-8.6p1/ssh_config.5
  .Pp
  The list of available key exchange algorithms may also be obtained using
  .Qq ssh -Q kex .
-@@ -1301,37 +1296,33 @@ function, and all code in the
+@@ -1351,37 +1344,33 @@ function, and all code in the
  file.
  This option is intended for debugging and no overrides are enabled by default.
  .It Cm MACs
@@ -176,7 +178,7 @@ diff -up openssh-8.6p1/ssh_config.5.crypto-policies openssh-8.6p1/ssh_config.5
  The list of available MAC algorithms may also be obtained using
  .Qq ssh -Q mac .
  .It Cm NoHostAuthenticationForLocalhost
-@@ -1503,37 +1494,25 @@ instead of continuing to execute and pas
+@@ -1553,37 +1542,25 @@ instead of continuing to execute and pas
  The default is
  .Cm no .
  .It Cm PubkeyAcceptedAlgorithms
@@ -223,10 +225,10 @@ diff -up openssh-8.6p1/ssh_config.5.crypto-policies openssh-8.6p1/ssh_config.5
  .Pp
  The list of available signature algorithms may also be obtained using
  .Qq ssh -Q PubkeyAcceptedAlgorithms .
-diff -up openssh-8.6p1/sshd_config.5.crypto-policies openssh-8.6p1/sshd_config.5
+diff -up openssh-8.7p1/sshd_config.5.crypto-policies openssh-8.7p1/sshd_config.5
---- openssh-8.6p1/sshd_config.5.crypto-policies	2021-04-19 15:18:32.062920311 +0200
+--- openssh-8.7p1/sshd_config.5.crypto-policies	2021-08-30 13:29:00.157292731 +0200
-+++ openssh-8.6p1/sshd_config.5	2021-04-19 15:20:42.591908243 +0200
++++ openssh-8.7p1/sshd_config.5	2021-08-30 13:32:16.263918533 +0200
-@@ -373,15 +373,13 @@ If the argument is
+@@ -373,17 +373,13 @@ If the argument is
  then no banner is displayed.
  By default, no banner is displayed.
  .It Cm CASignatureAlgorithms
@@ -239,15 +241,17 @@ diff -up openssh-8.6p1/sshd_config.5.crypto-policies openssh-8.6p1/sshd_config.5
  by certificate authorities (CAs).
 -The default is:
 -.Bd -literal -offset indent
--ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
+-ssh-ed25519,ecdsa-sha2-nistp256,
--sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,
+-ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
+-sk-ssh-ed25519@openssh.com,
+-sk-ecdsa-sha2-nistp256@openssh.com,
 -rsa-sha2-512,rsa-sha2-256
 -.Ed
 -.Pp
- Certificates signed using other algorithms will not be accepted for
+ If the specified list begins with a
- public key or host-based authentication.
+ .Sq +
- .It Cm ChallengeResponseAuthentication
+ character, then the specified algorithms will be appended to the default set
-@@ -445,20 +443,25 @@ The default is
+@@ -450,20 +446,25 @@ The default is
  indicating not to
  .Xr chroot 2 .
  .It Cm Ciphers
@@ -277,7 +281,7 @@ diff -up openssh-8.6p1/sshd_config.5.crypto-policies openssh-8.6p1/sshd_config.5
  .Pp
  The supported ciphers are:
  .Pp
-@@ -485,13 +488,6 @@ aes256-gcm@openssh.com
+@@ -490,13 +491,6 @@ aes256-gcm@openssh.com
  chacha20-poly1305@openssh.com
  .El
  .Pp
@@ -291,7 +295,7 @@ diff -up openssh-8.6p1/sshd_config.5.crypto-policies openssh-8.6p1/sshd_config.5
  The list of available ciphers may also be obtained using
  .Qq ssh -Q cipher .
  .It Cm ClientAliveCountMax
-@@ -680,21 +676,22 @@ For this to work
+@@ -685,21 +679,22 @@ For this to work
  .Cm GSSAPIKeyExchange
  needs to be enabled in the server and also used by the client.
  .It Cm GSSAPIKexAlgorithms
@@ -324,7 +328,7 @@ diff -up openssh-8.6p1/sshd_config.5.crypto-policies openssh-8.6p1/sshd_config.5
  This option only applies to connections using GSSAPI.
  .It Cm HostbasedAcceptedAlgorithms
  Specifies the signature algorithms that will be accepted for hostbased
-@@ -794,26 +791,13 @@ is specified, the location of the socket
+@@ -799,26 +794,13 @@ is specified, the location of the socket
  .Ev SSH_AUTH_SOCK
  environment variable.
  .It Cm HostKeyAlgorithms
@@ -356,7 +360,7 @@ diff -up openssh-8.6p1/sshd_config.5.crypto-policies openssh-8.6p1/sshd_config.5
  The list of available signature algorithms may also be obtained using
  .Qq ssh -Q HostKeyAlgorithms .
  .It Cm IgnoreRhosts
-@@ -958,20 +942,25 @@ Specifies whether to look at .k5login fi
+@@ -965,20 +947,25 @@ Specifies whether to look at .k5login fi
  The default is
  .Cm yes .
  .It Cm KexAlgorithms
@@ -386,7 +390,7 @@ diff -up openssh-8.6p1/sshd_config.5.crypto-policies openssh-8.6p1/sshd_config.5
  The supported algorithms are:
  .Pp
  .Bl -item -compact -offset indent
-@@ -1003,15 +992,6 @@ ecdh-sha2-nistp521
+@@ -1010,15 +997,6 @@ ecdh-sha2-nistp521
  sntrup761x25519-sha512@openssh.com
  .El
  .Pp
@@ -402,7 +406,7 @@ diff -up openssh-8.6p1/sshd_config.5.crypto-policies openssh-8.6p1/sshd_config.5
  The list of available key exchange algorithms may also be obtained using
  .Qq ssh -Q KexAlgorithms .
  .It Cm ListenAddress
-@@ -1097,21 +1077,26 @@ function, and all code in the
+@@ -1104,21 +1082,26 @@ function, and all code in the
  file.
  This option is intended for debugging and no overrides are enabled by default.
  .It Cm MACs
@@ -433,7 +437,7 @@ diff -up openssh-8.6p1/sshd_config.5.crypto-policies openssh-8.6p1/sshd_config.5
  .Pp
  The algorithms that contain
  .Qq -etm
-@@ -1154,15 +1139,6 @@ umac-64-etm@openssh.com
+@@ -1161,15 +1144,6 @@ umac-64-etm@openssh.com
  umac-128-etm@openssh.com
  .El
  .Pp
@@ -449,7 +453,7 @@ diff -up openssh-8.6p1/sshd_config.5.crypto-policies openssh-8.6p1/sshd_config.5
  The list of available MAC algorithms may also be obtained using
  .Qq ssh -Q mac .
  .It Cm Match
-@@ -1541,37 +1517,25 @@ or equivalent.)
+@@ -1548,37 +1522,25 @@ or equivalent.)
  The default is
  .Cm yes .
  .It Cm PubkeyAcceptedAlgorithms

SOURCES/openssh-8.0p1-gssapi-keyex.patch

@@ -19,11 +19,10 @@ index e7549470..b68c1710 100644
  	loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
  	srclimit.o sftp-server.o sftp-common.o \
  	sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \
-diff --git a/auth.c b/auth.c
+diff -up a/auth.c.gsskex b/auth.c
-index 086b8ebb..687c57b4 100644
+--- a/auth.c.gsskex	2021-08-20 06:03:49.000000000 +0200
---- a/auth.c
++++ b/auth.c	2021-08-27 12:41:51.262788953 +0200
-+++ b/auth.c
+@@ -402,7 +402,8 @@ auth_root_allowed(struct ssh *ssh, const
-@@ -400,7 +400,8 @@ auth_root_allowed(struct ssh *ssh, const char *method)
  	case PERMIT_NO_PASSWD:
  		if (strcmp(method, "publickey") == 0 ||
  		    strcmp(method, "hostbased") == 0 ||
@@ -33,18 +32,15 @@ index 086b8ebb..687c57b4 100644
  			return 1;
  		break;
  	case PERMIT_FORCED_ONLY:
-@@ -724,99 +725,6 @@ fakepw(void)
+@@ -730,97 +731,6 @@ fakepw(void)
- 	return (&fake);
  }
  
--/*
+ /*
 - * Returns the remote DNS hostname as a string. The returned string must not
 - * be freed. NB. this will usually trigger a DNS query the first time it is
 - * called.
 - * This function does additional checks on the hostname to mitigate some
-- * attacks on legacy rhosts-style authentication.
+- * attacks on based on conflation of hostnames and IP addresses.
-- * XXX is RhostsRSAAuthentication vulnerable to these?
-- * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?)
 - */
 -
 -static char *
@@ -130,9 +126,10 @@ index 086b8ebb..687c57b4 100644
 -	return xstrdup(name);
 -}
 -
- /*
+-/*
   * Return the canonical name of the host in the other side of the current
   * connection.  The host name is cached, so it is efficient to call this
+  * several times.
 diff --git a/auth2-gss.c b/auth2-gss.c
 index 9351e042..d6446c0c 100644
 --- a/auth2-gss.c
@@ -2933,10 +2930,9 @@ index 23ab096a..485590c1 100644
  #endif
  
  #ifdef USE_PAM
-diff --git a/readconf.c b/readconf.c
+diff -up a/readconf.c.gsskex b/readconf.c
-index f3cac6b3..da8022dd 100644
+--- a/readconf.c.gsskex	2021-08-20 06:03:49.000000000 +0200
---- a/readconf.c
++++ b/readconf.c	2021-08-27 12:25:42.556421509 +0200
-+++ b/readconf.c
 @@ -67,6 +67,7 @@
  #include "uidswap.h"
  #include "myproposal.h"
@@ -2945,7 +2941,7 @@ index f3cac6b3..da8022dd 100644
  
  /* Format of the configuration file:
  
-@@ -160,6 +161,8 @@ typedef enum {
+@@ -161,6 +162,8 @@ typedef enum {
  	oClearAllForwardings, oNoHostAuthenticationForLocalhost,
  	oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
  	oAddressFamily, oGssAuthentication, oGssDelegateCreds,
@@ -2954,7 +2950,7 @@ index f3cac6b3..da8022dd 100644
  	oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
  	oSendEnv, oSetEnv, oControlPath, oControlMaster, oControlPersist,
  	oHashKnownHosts,
-@@ -204,10 +207,22 @@ static struct {
+@@ -206,10 +209,22 @@ static struct {
  	/* Sometimes-unsupported options */
  #if defined(GSSAPI)
  	{ "gssapiauthentication", oGssAuthentication },
@@ -2977,7 +2973,7 @@ index f3cac6b3..da8022dd 100644
  #endif
  #ifdef ENABLE_PKCS11
  	{ "pkcs11provider", oPKCS11Provider },
-@@ -1029,10 +1044,42 @@ parse_time:
+@@ -1113,10 +1128,42 @@ parse_time:
  		intptr = &options->gss_authentication;
  		goto parse_flag;
  
@@ -3006,7 +3002,7 @@ index f3cac6b3..da8022dd 100644
 +		goto parse_flag;
 +
 +	case oGssKexAlgorithms:
-+		arg = strdelim(&s);
++		arg = argv_next(&ac, &av);
 +		if (!arg || *arg == '\0')
 +			fatal("%.200s line %d: Missing argument.",
 +			    filename, linenum);
@@ -3020,9 +3016,9 @@ index f3cac6b3..da8022dd 100644
  	case oBatchMode:
  		intptr = &options->batch_mode;
  		goto parse_flag;
-@@ -1911,7 +1958,13 @@ initialize_options(Options * options)
+@@ -2306,7 +2353,13 @@ initialize_options(Options * options)
+ 	options->fwd_opts.streamlocal_bind_unlink = -1;
  	options->pubkey_authentication = -1;
- 	options->challenge_response_authentication = -1;
  	options->gss_authentication = -1;
 +	options->gss_keyex = -1;
  	options->gss_deleg_creds = -1;
@@ -3034,8 +3030,8 @@ index f3cac6b3..da8022dd 100644
  	options->password_authentication = -1;
  	options->kbd_interactive_authentication = -1;
  	options->kbd_interactive_devices = NULL;
-@@ -2059,8 +2112,18 @@ fill_default_options(Options * options)
+@@ -2463,8 +2516,18 @@ fill_default_options(Options * options)
- 		options->challenge_response_authentication = 1;
+ 		options->pubkey_authentication = 1;
  	if (options->gss_authentication == -1)
  		options->gss_authentication = 0;
 +	if (options->gss_keyex == -1)
@@ -3053,7 +3049,7 @@ index f3cac6b3..da8022dd 100644
  	if (options->password_authentication == -1)
  		options->password_authentication = 1;
  	if (options->kbd_interactive_authentication == -1)
-@@ -2702,7 +2765,14 @@ dump_client_config(Options *o, const char *host)
+@@ -3246,7 +3309,14 @@ dump_client_config(Options *o, const cha
  	dump_cfg_fmtint(oGatewayPorts, o->fwd_opts.gateway_ports);
  #ifdef GSSAPI
  	dump_cfg_fmtint(oGssAuthentication, o->gss_authentication);
@@ -3068,13 +3064,12 @@ index f3cac6b3..da8022dd 100644
  #endif /* GSSAPI */
  	dump_cfg_fmtint(oHashKnownHosts, o->hash_known_hosts);
  	dump_cfg_fmtint(oHostbasedAuthentication, o->hostbased_authentication);
-diff --git a/readconf.h b/readconf.h
+diff -up a/readconf.h.gsskex b/readconf.h
-index feedb3d2..a8a8870d 100644
+--- a/readconf.h.gsskex	2021-08-27 12:05:29.248142431 +0200
---- a/readconf.h
++++ b/readconf.h	2021-08-27 12:22:19.270679852 +0200
-+++ b/readconf.h
+@@ -39,7 +39,13 @@ typedef struct {
-@@ -41,7 +41,13 @@ typedef struct {
+ 	int     pubkey_authentication;	/* Try ssh2 pubkey authentication. */
- 	int     challenge_response_authentication;
+ 	int     hostbased_authentication;	/* ssh2's rhosts_rsa */
- 					/* Try S/Key or TIS, authentication. */
  	int     gss_authentication;	/* Try GSS authentication */
 +	int     gss_keyex;		/* Try GSS key exchange */
  	int     gss_deleg_creds;	/* Delegate GSS credentials */
@@ -3086,11 +3081,10 @@ index feedb3d2..a8a8870d 100644
  	int     password_authentication;	/* Try password
  						 * authentication. */
  	int     kbd_interactive_authentication; /* Try keyboard-interactive auth. */
-diff --git a/servconf.c b/servconf.c
+diff -up a/servconf.c.gsskex b/servconf.c
-index 70f5f73f..191575a1 100644
+--- a/servconf.c.gsskex	2021-08-20 06:03:49.000000000 +0200
---- a/servconf.c
++++ b/servconf.c	2021-08-27 12:28:15.887735189 +0200
-+++ b/servconf.c
+@@ -70,6 +70,7 @@
-@@ -69,6 +69,7 @@
  #include "auth.h"
  #include "myproposal.h"
  #include "digest.h"
@@ -3098,7 +3092,7 @@ index 70f5f73f..191575a1 100644
  
  static void add_listen_addr(ServerOptions *, const char *,
      const char *, int);
-@@ -133,8 +134,11 @@ initialize_server_options(ServerOptions *options)
+@@ -136,8 +137,11 @@ initialize_server_options(ServerOptions
  	options->kerberos_ticket_cleanup = -1;
  	options->kerberos_get_afs_token = -1;
  	options->gss_authentication=-1;
@@ -3109,8 +3103,8 @@ index 70f5f73f..191575a1 100644
 +	options->gss_kex_algorithms = NULL;
  	options->password_authentication = -1;
  	options->kbd_interactive_authentication = -1;
- 	options->challenge_response_authentication = -1;
+ 	options->permit_empty_passwd = -1;
-@@ -375,10 +379,18 @@ fill_default_server_options(ServerOptions *options)
+@@ -356,10 +360,18 @@ fill_default_server_options(ServerOption
  		options->kerberos_get_afs_token = 0;
  	if (options->gss_authentication == -1)
  		options->gss_authentication = 0;
@@ -3129,7 +3123,7 @@ index 70f5f73f..191575a1 100644
  	if (options->password_authentication == -1)
  		options->password_authentication = 1;
  	if (options->kbd_interactive_authentication == -1)
-@@ -531,6 +543,7 @@ typedef enum {
+@@ -506,6 +518,7 @@ typedef enum {
  	sHostKeyAlgorithms, sPerSourceMaxStartups, sPerSourceNetBlockSize,
  	sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
  	sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
@@ -3137,7 +3131,7 @@ index 70f5f73f..191575a1 100644
  	sAcceptEnv, sSetEnv, sPermitTunnel,
  	sMatch, sPermitOpen, sPermitListen, sForceCommand, sChrootDirectory,
  	sUsePrivilegeSeparation, sAllowAgentForwarding,
-@@ -607,12 +620,22 @@ static struct {
+@@ -587,12 +600,22 @@ static struct {
  #ifdef GSSAPI
  	{ "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
  	{ "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
@@ -3159,8 +3153,8 @@ index 70f5f73f..191575a1 100644
 +	{ "gssapiusesessioncredcache", sUnsupported, SSHCFG_GLOBAL },
  	{ "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
  	{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
- 	{ "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
+ 	{ "challengeresponseauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, /* alias */
-@@ -1548,6 +1571,10 @@ process_server_config_line_depth(ServerOptions *options, char *line,
+@@ -1576,6 +1599,10 @@ process_server_config_line_depth(ServerO
  		intptr = &options->gss_authentication;
  		goto parse_flag;
  
@@ -3171,7 +3165,7 @@ index 70f5f73f..191575a1 100644
  	case sGssCleanupCreds:
  		intptr = &options->gss_cleanup_creds;
  		goto parse_flag;
-@@ -1556,6 +1583,22 @@ process_server_config_line_depth(ServerOptions *options, char *line,
+@@ -1584,6 +1611,22 @@ process_server_config_line_depth(ServerO
  		intptr = &options->gss_strict_acceptor;
  		goto parse_flag;
  
@@ -3180,7 +3174,7 @@ index 70f5f73f..191575a1 100644
 +		goto parse_flag;
 +
 +	case sGssKexAlgorithms:
-+		arg = strdelim(&cp);
++		arg = argv_next(&ac, &av);
 +		if (!arg || *arg == '\0')
 +			fatal("%.200s line %d: Missing argument.",
 +			    filename, linenum);
@@ -3194,7 +3188,7 @@ index 70f5f73f..191575a1 100644
  	case sPasswordAuthentication:
  		intptr = &options->password_authentication;
  		goto parse_flag;
-@@ -2777,6 +2820,10 @@ dump_config(ServerOptions *o)
+@@ -2892,6 +2935,10 @@ dump_config(ServerOptions *o)
  #ifdef GSSAPI
  	dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
  	dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);

SOURCES/openssh-8.0p1-pkcs11-uri.patch

@@ -120,10 +120,12 @@ diff -up openssh-8.6p1/Makefile.in.pkcs11-uri openssh-8.6p1/Makefile.in
  # These all need to be compiled -fPIC, so they are treated differently.
  SK_DUMMY_OBJS=\
  	regress/misc/sk-dummy/sk-dummy.lo \
-@@ -709,6 +724,7 @@ regress-unit-binaries: regress-prep $(RE
+@@ -711,7 +726,8 @@ regress-unit-binaries: regress-prep $(RE
+ 	regress/unittests/sshbuf/test_sshbuf$(EXEEXT) \
  	regress/unittests/sshkey/test_sshkey$(EXEEXT) \
  	regress/unittests/sshsig/test_sshsig$(EXEEXT) \
- 	regress/unittests/utf8/test_utf8$(EXEEXT) \
+-	regress/unittests/utf8/test_utf8$(EXEEXT)
++	regress/unittests/utf8/test_utf8$(EXEEXT) \
 +	regress/unittests/pkcs11/test_pkcs11$(EXEEXT) \
  
  tests:	file-tests t-exec interop-tests unit
@@ -1379,8 +1381,8 @@ diff -up openssh-8.6p1/ssh-pkcs11.c.pkcs11-uri openssh-8.6p1/ssh-pkcs11.c
  	CK_RV rv;
  	CK_ULONG i;
  
--	debug("pkcs11_provider_finalize: %p refcount %d valid %d",
+-	debug_f("provider \"%s\" refcount %d valid %d",
--	    p, p->refcount, p->valid);
+-	    p->name, p->refcount, p->valid);
 -	if (!p->valid)
 +	debug_f("%p refcount %d valid %d", m, m->refcount, m->valid);
 +	if (!m->valid)
@@ -1423,9 +1425,9 @@ diff -up openssh-8.6p1/ssh-pkcs11.c.pkcs11-uri openssh-8.6p1/ssh-pkcs11.c
 +}
 +
 +/*
-+ * finalize a provider shared libarary, it's no longer usable.
++ * finalize a provider shared library, it's no longer usable.
 + * however, there might still be keys referencing this provider,
-+ * so the actuall freeing of memory is handled by pkcs11_provider_unref().
++ * so the actual freeing of memory is handled by pkcs11_provider_unref().
 + * this is called when a provider gets unregistered.
 + */
 +static void
@@ -1442,15 +1444,12 @@ diff -up openssh-8.6p1/ssh-pkcs11.c.pkcs11-uri openssh-8.6p1/ssh-pkcs11.c
  }
  
  /*
-@@ -135,13 +178,11 @@ pkcs11_provider_finalize(struct pkcs11_p
+@@ -137,11 +180,9 @@ pkcs11_provider_unref(struct pkcs11_prov
- static void
- pkcs11_provider_unref(struct pkcs11_provider *p)
  {
--	debug("pkcs11_provider_unref: %p refcount %d", p, p->refcount);
+ 	debug_f("provider \"%s\" refcount %d", p->name, p->refcount);
-+	debug_f("%p refcount %d", p, p->refcount);
  	if (--p->refcount <= 0) {
 -		if (p->valid)
--			error("pkcs11_provider_unref: %p still valid", p);
+-			error_f("provider \"%s\" still valid", p->name);
  		free(p->name);
 -		free(p->slotlist);
 -		free(p->slotinfo);
@@ -2123,16 +2122,16 @@ diff -up openssh-8.6p1/ssh-pkcs11.c.pkcs11-uri openssh-8.6p1/ssh-pkcs11.c
 +		key_attr[nattr].ulValueLen = strlen(uri->object);
 +		nattr++;
 +	}
-+
-+	session = p->module->slotinfo[slotidx].session;
-+	f = p->module->function_list;
  
 -	rv = f->C_FindObjectsInit(session, key_attr, 1);
++	session = p->module->slotinfo[slotidx].session;
++	f = p->module->function_list;
++
 +	rv = f->C_FindObjectsInit(session, key_attr, nattr);
  	if (rv != CKR_OK) {
  		error("C_FindObjectsInit failed: %lu", rv);
  		goto fail;
-@@ -1499,16 +1687,10 @@ pkcs11_ecdsa_generate_private_key(struct
+@@ -1499,16 +1690,10 @@ pkcs11_ecdsa_generate_private_key(struct
  }
  #endif /* WITH_PKCS11_KEYGEN */
  
@@ -2237,17 +2236,17 @@ diff -up openssh-8.6p1/ssh-pkcs11.c.pkcs11-uri openssh-8.6p1/ssh-pkcs11.c
  		error("C_GetInfo for provider %s failed: %lu",
 -		    provider_id, rv);
 +		    provider_module, rv);
- 		goto fail;
++		goto fail;
- 	}
++	}
--	rmspace(p->info.manufacturerID, sizeof(p->info.manufacturerID));
--	rmspace(p->info.libraryDescription, sizeof(p->info.libraryDescription));
 +	rmspace(m->info.manufacturerID, sizeof(m->info.manufacturerID));
 +	if (uri->lib_manuf != NULL &&
 +	    strcmp(uri->lib_manuf, m->info.manufacturerID)) {
 +		debug_f("Skipping provider %s not matching library_manufacturer",
 +		    m->info.manufacturerID);
-+		goto fail;
+ 		goto fail;
-+	}
+ 	}
+-	rmspace(p->info.manufacturerID, sizeof(p->info.manufacturerID));
+-	rmspace(p->info.libraryDescription, sizeof(p->info.libraryDescription));
 +	rmspace(m->info.libraryDescription, sizeof(m->info.libraryDescription));
  	debug("provider %s: manufacturerID <%s> cryptokiVersion %d.%d"
  	    " libraryDescription <%s> libraryVersion %d.%d",

SOURCES/openssh-8.0p1-restore-nonblock.patch

@@ -1,320 +0,0 @@
-diff --git a/channels.c b/channels.c
-index 32d1f617..0024f751 100644
---- a/channels.c
-+++ b/channels.c
-@@ -333,7 +333,27 @@ channel_register_fds(struct ssh *ssh, Channel *c, int rfd, int wfd, int efd,
- #endif
- 
- 	/* enable nonblocking mode */
--	if (nonblock) {
-+	c->restore_block = 0;
-+	if (nonblock == CHANNEL_NONBLOCK_STDIO) {
-+		/*
-+		 * Special handling for stdio file descriptors: do not set
-+		 * non-blocking mode if they are TTYs. Otherwise prepare to
-+		 * restore their blocking state on exit to avoid interfering
-+		 * with other programs that follow.
-+		 */
-+		if (rfd != -1 && !isatty(rfd) && fcntl(rfd, F_GETFL) == 0) {
-+			c->restore_block |= CHANNEL_RESTORE_RFD;
-+			set_nonblock(rfd);
-+		}
-+		if (wfd != -1 && !isatty(wfd) && fcntl(wfd, F_GETFL) == 0) {
-+			c->restore_block |= CHANNEL_RESTORE_WFD;
-+			set_nonblock(wfd);
-+		}
-+		if (efd != -1 && !isatty(efd) && fcntl(efd, F_GETFL) == 0) {
-+			c->restore_block |= CHANNEL_RESTORE_EFD;
-+			set_nonblock(efd);
-+		}
-+	} else if (nonblock) {
- 		if (rfd != -1)
- 			set_nonblock(rfd);
- 		if (wfd != -1)
-@@ -422,17 +442,23 @@ channel_find_maxfd(struct ssh_channels *sc)
- }
- 
- int
--channel_close_fd(struct ssh *ssh, int *fdp)
-+channel_close_fd(struct ssh *ssh, Channel *c, int *fdp)
- {
- 	struct ssh_channels *sc = ssh->chanctxt;
--	int ret = 0, fd = *fdp;
-+	int ret, fd = *fdp;
- 
--	if (fd != -1) {
--		ret = close(fd);
--		*fdp = -1;
--		if (fd == sc->channel_max_fd)
--			channel_find_maxfd(sc);
--	}
-+	if (fd == -1)
-+		return 0;
-+
-+	if ((*fdp == c->rfd && (c->restore_block & CHANNEL_RESTORE_RFD) != 0) ||
-+	   (*fdp == c->wfd && (c->restore_block & CHANNEL_RESTORE_WFD) != 0) ||
-+	   (*fdp == c->efd && (c->restore_block & CHANNEL_RESTORE_EFD) != 0))
-+		(void)fcntl(*fdp, F_SETFL, 0);	/* restore blocking */
-+
-+	ret = close(fd);
-+	*fdp = -1;
-+	if (fd == sc->channel_max_fd)
-+		channel_find_maxfd(sc);
- 	return ret;
- }
- 
-@@ -442,13 +468,13 @@ channel_close_fds(struct ssh *ssh, Channel *c)
- {
- 	int sock = c->sock, rfd = c->rfd, wfd = c->wfd, efd = c->efd;
- 
--	channel_close_fd(ssh, &c->sock);
-+	channel_close_fd(ssh, c, &c->sock);
- 	if (rfd != sock)
--		channel_close_fd(ssh, &c->rfd);
-+		channel_close_fd(ssh, c, &c->rfd);
- 	if (wfd != sock && wfd != rfd)
--		channel_close_fd(ssh, &c->wfd);
-+		channel_close_fd(ssh, c, &c->wfd);
- 	if (efd != sock && efd != rfd && efd != wfd)
--		channel_close_fd(ssh, &c->efd);
-+		channel_close_fd(ssh, c, &c->efd);
- }
- 
- static void
-@@ -702,7 +728,7 @@ channel_stop_listening(struct ssh *ssh)
- 			case SSH_CHANNEL_X11_LISTENER:
- 			case SSH_CHANNEL_UNIX_LISTENER:
- 			case SSH_CHANNEL_RUNIX_LISTENER:
--				channel_close_fd(ssh, &c->sock);
-+				channel_close_fd(ssh, c, &c->sock);
- 				channel_free(ssh, c);
- 				break;
- 			}
-@@ -1491,7 +1517,8 @@ channel_decode_socks5(Channel *c, struct sshbuf *input, struct sshbuf *output)
- 
- Channel *
- channel_connect_stdio_fwd(struct ssh *ssh,
--    const char *host_to_connect, u_short port_to_connect, int in, int out)
-+    const char *host_to_connect, u_short port_to_connect,
-+    int in, int out, int nonblock)
- {
- 	Channel *c;
- 
-@@ -1499,7 +1526,7 @@ channel_connect_stdio_fwd(struct ssh *ssh,
- 
- 	c = channel_new(ssh, "stdio-forward", SSH_CHANNEL_OPENING, in, out,
- 	    -1, CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT,
--	    0, "stdio-forward", /*nonblock*/0);
-+	    0, "stdio-forward", nonblock);
- 
- 	c->path = xstrdup(host_to_connect);
- 	c->host_port = port_to_connect;
-@@ -1649,7 +1676,7 @@ channel_post_x11_listener(struct ssh *ssh, Channel *c,
- 	if (c->single_connection) {
- 		oerrno = errno;
- 		debug2("single_connection: closing X11 listener.");
--		channel_close_fd(ssh, &c->sock);
-+		channel_close_fd(ssh, c, &c->sock);
- 		chan_mark_dead(ssh, c);
- 		errno = oerrno;
- 	}
-@@ -2058,7 +2085,7 @@ channel_handle_efd_write(struct ssh *ssh, Channel *c,
- 		return 1;
- 	if (len <= 0) {
- 		debug2("channel %d: closing write-efd %d", c->self, c->efd);
--		channel_close_fd(ssh, &c->efd);
-+		channel_close_fd(ssh, c, &c->efd);
- 	} else {
- 		if ((r = sshbuf_consume(c->extended, len)) != 0)
- 			fatal_fr(r, "channel %i: consume", c->self);
-@@ -2087,7 +2114,7 @@ channel_handle_efd_read(struct ssh *ssh, Channel *c,
- 		return 1;
- 	if (len <= 0) {
- 		debug2("channel %d: closing read-efd %d", c->self, c->efd);
--		channel_close_fd(ssh, &c->efd);
-+		channel_close_fd(ssh, c, &c->efd);
- 	} else if (c->extended_usage == CHAN_EXTENDED_IGNORE)
- 		debug3("channel %d: discard efd", c->self);
- 	else if ((r = sshbuf_put(c->extended, buf, len)) != 0)
-diff --git a/channels.h b/channels.h
-index 378d987c..6bf86b00 100644
---- a/channels.h
-+++ b/channels.h
-@@ -63,6 +63,16 @@
- 
- #define CHANNEL_CANCEL_PORT_STATIC	-1
- 
-+/* nonblocking flags for channel_new */
-+#define CHANNEL_NONBLOCK_LEAVE	0 /* don't modify non-blocking state */
-+#define CHANNEL_NONBLOCK_SET	1 /* set non-blocking state */
-+#define CHANNEL_NONBLOCK_STDIO	2 /* set non-blocking and restore on close */
-+
-+/* c->restore_block mask flags */
-+#define CHANNEL_RESTORE_RFD	0x01
-+#define CHANNEL_RESTORE_WFD	0x02
-+#define CHANNEL_RESTORE_EFD	0x04
-+
- /* TCP forwarding */
- #define FORWARD_DENY		0
- #define FORWARD_REMOTE		(1)
-@@ -139,6 +149,7 @@ struct Channel {
- 				 * to a matching pre-select handler.
- 				 * this way post-select handlers are not
- 				 * accidentally called if a FD gets reused */
-+	int	restore_block;	/* fd mask to restore blocking status */
- 	struct sshbuf *input;	/* data read from socket, to be sent over
- 				 * encrypted connection */
- 	struct sshbuf *output;	/* data received over encrypted connection for
-@@ -266,7 +277,7 @@ void	 channel_register_filter(struct ssh *, int, channel_infilter_fn *,
- void	 channel_register_status_confirm(struct ssh *, int,
- 	    channel_confirm_cb *, channel_confirm_abandon_cb *, void *);
- void	 channel_cancel_cleanup(struct ssh *, int);
--int	 channel_close_fd(struct ssh *, int *);
-+int	 channel_close_fd(struct ssh *, Channel *, int *);
- void	 channel_send_window_changes(struct ssh *);
- 
- /* mux proxy support */
-@@ -313,7 +324,7 @@ Channel	*channel_connect_to_port(struct ssh *, const char *, u_short,
- 	    char *, char *, int *, const char **);
- Channel *channel_connect_to_path(struct ssh *, const char *, char *, char *);
- Channel	*channel_connect_stdio_fwd(struct ssh *, const char*,
--	    u_short, int, int);
-+	    u_short, int, int, int);
- Channel	*channel_connect_by_listen_address(struct ssh *, const char *,
- 	    u_short, char *, char *);
- Channel	*channel_connect_by_listen_path(struct ssh *, const char *,
-diff --git a/clientloop.c b/clientloop.c
-index 219f0e90..bdd67686 100644
---- a/clientloop.c
-+++ b/clientloop.c
-@@ -1405,14 +1405,6 @@ client_loop(struct ssh *ssh, int have_pty, int escape_char_arg,
- 	if (have_pty)
- 		leave_raw_mode(options.request_tty == REQUEST_TTY_FORCE);
- 
--	/* restore blocking io */
--	if (!isatty(fileno(stdin)))
--		unset_nonblock(fileno(stdin));
--	if (!isatty(fileno(stdout)))
--		unset_nonblock(fileno(stdout));
--	if (!isatty(fileno(stderr)))
--		unset_nonblock(fileno(stderr));
--
- 	/*
- 	 * If there was no shell or command requested, there will be no remote
- 	 * exit status to be returned.  In that case, clear error code if the
-diff --git a/mux.c b/mux.c
-index faf4ef1e..9454bfed 100644
---- a/mux.c
-+++ b/mux.c
-@@ -452,14 +452,6 @@ mux_master_process_new_session(struct ssh *ssh, u_int rid,
- 	if (cctx->want_tty && tcgetattr(new_fd[0], &cctx->tio) == -1)
- 		error_f("tcgetattr: %s", strerror(errno));
- 
--	/* enable nonblocking unless tty */
--	if (!isatty(new_fd[0]))
--		set_nonblock(new_fd[0]);
--	if (!isatty(new_fd[1]))
--		set_nonblock(new_fd[1]);
--	if (!isatty(new_fd[2]))
--		set_nonblock(new_fd[2]);
--
- 	window = CHAN_SES_WINDOW_DEFAULT;
- 	packetmax = CHAN_SES_PACKET_DEFAULT;
- 	if (cctx->want_tty) {
-@@ -469,7 +461,7 @@ mux_master_process_new_session(struct ssh *ssh, u_int rid,
- 
- 	nc = channel_new(ssh, "session", SSH_CHANNEL_OPENING,
- 	    new_fd[0], new_fd[1], new_fd[2], window, packetmax,
--	    CHAN_EXTENDED_WRITE, "client-session", /*nonblock*/0);
-+	    CHAN_EXTENDED_WRITE, "client-session", CHANNEL_NONBLOCK_STDIO);
- 
- 	nc->ctl_chan = c->self;		/* link session -> control channel */
- 	c->remote_id = nc->self;	/* link control -> session channel */
-@@ -1025,13 +1017,8 @@ mux_master_process_stdio_fwd(struct ssh *ssh, u_int rid,
- 		}
- 	}
- 
--	/* enable nonblocking unless tty */
--	if (!isatty(new_fd[0]))
--		set_nonblock(new_fd[0]);
--	if (!isatty(new_fd[1]))
--		set_nonblock(new_fd[1]);
--
--	nc = channel_connect_stdio_fwd(ssh, chost, cport, new_fd[0], new_fd[1]);
-+	nc = channel_connect_stdio_fwd(ssh, chost, cport, new_fd[0], new_fd[1],
-+	    CHANNEL_NONBLOCK_STDIO);
- 	free(chost);
- 
- 	nc->ctl_chan = c->self;		/* link session -> control channel */
-diff --git a/nchan.c b/nchan.c
-index 4a4494b8..7ef3a350 100644
---- a/nchan.c
-+++ b/nchan.c
-@@ -384,7 +384,7 @@ chan_shutdown_write(struct ssh *ssh, Channel *c)
- 			    c->istate, c->ostate, strerror(errno));
- 		}
- 	} else {
--		if (channel_close_fd(ssh, &c->wfd) < 0) {
-+		if (channel_close_fd(ssh, c, &c->wfd) < 0) {
- 			logit_f("channel %d: close() failed for "
- 			    "fd %d [i%d o%d]: %.100s", c->self, c->wfd,
- 			    c->istate, c->ostate, strerror(errno));
-@@ -412,7 +412,7 @@ chan_shutdown_read(struct ssh *ssh, Channel *c)
- 			    c->istate, c->ostate, strerror(errno));
- 		}
- 	} else {
--		if (channel_close_fd(ssh, &c->rfd) < 0) {
-+		if (channel_close_fd(ssh, c, &c->rfd) < 0) {
- 			logit_f("channel %d: close() failed for "
- 			    "fd %d [i%d o%d]: %.100s", c->self, c->rfd,
- 			    c->istate, c->ostate, strerror(errno));
-@@ -431,7 +431,7 @@ chan_shutdown_extended_read(struct ssh *ssh, Channel *c)
- 	debug_f("channel %d: (i%d o%d sock %d wfd %d efd %d [%s])",
- 	    c->self, c->istate, c->ostate, c->sock, c->rfd, c->efd,
- 	    channel_format_extended_usage(c));
--	if (channel_close_fd(ssh, &c->efd) < 0) {
-+	if (channel_close_fd(ssh, c, &c->efd) < 0) {
- 		logit_f("channel %d: close() failed for "
- 		    "extended fd %d [i%d o%d]: %.100s", c->self, c->efd,
- 		    c->istate, c->ostate, strerror(errno));
-diff --git a/ssh.c b/ssh.c
-index 696dc3bc..6243db76 100644
---- a/ssh.c
-+++ b/ssh.c
-@@ -1876,9 +1876,10 @@ ssh_init_stdio_forwarding(struct ssh *ssh)
- 
- 	if ((in = dup(STDIN_FILENO)) == -1 ||
- 	    (out = dup(STDOUT_FILENO)) == -1)
--		fatal("channel_connect_stdio_fwd: dup() in/out failed");
-+		fatal_f("dup() in/out failed");
- 	if ((c = channel_connect_stdio_fwd(ssh, options.stdio_forward_host,
--	    options.stdio_forward_port, in, out)) == NULL)
-+	    options.stdio_forward_port, in, out,
-+	    CHANNEL_NONBLOCK_STDIO)) == NULL)
- 		fatal_f("channel_connect_stdio_fwd failed");
- 	channel_register_cleanup(ssh, c->self, client_cleanup_stdio_fwd, 0);
- 	channel_register_open_confirm(ssh, c->self, ssh_stdio_confirm, NULL);
-@@ -2074,14 +2075,6 @@ ssh_session2_open(struct ssh *ssh)
- 	if (in == -1 || out == -1 || err == -1)
- 		fatal("dup() in/out/err failed");
- 
--	/* enable nonblocking unless tty */
--	if (!isatty(in))
--		set_nonblock(in);
--	if (!isatty(out))
--		set_nonblock(out);
--	if (!isatty(err))
--		set_nonblock(err);
--
- 	window = CHAN_SES_WINDOW_DEFAULT;
- 	packetmax = CHAN_SES_PACKET_DEFAULT;
- 	if (tty_flag) {
-@@ -2091,7 +2084,7 @@ ssh_session2_open(struct ssh *ssh)
- 	c = channel_new(ssh,
- 	    "session", SSH_CHANNEL_OPENING, in, out, err,
- 	    window, packetmax, CHAN_EXTENDED_WRITE,
--	    "client-session", /*nonblock*/0);
-+	    "client-session", CHANNEL_NONBLOCK_STDIO);
- 
- 	debug3_f("channel_new: %d", c->self);
- 

SOURCES/openssh-8.4p1-debian-compat.patch

@@ -1,57 +0,0 @@
---- compat.h.orig	2020-10-05 10:09:02.953505129 -0700
-+++ compat.h	2020-10-05 10:10:17.587733113 -0700
-@@ -34,7 +34,7 @@
- 
- #define SSH_BUG_UTF8TTYMODE	0x00000001
- #define SSH_BUG_SIGTYPE		0x00000002
--/* #define unused		0x00000004 */
-+#define SSH_BUG_SIGTYPE74	0x00000004
- /* #define unused		0x00000008 */
- #define SSH_OLD_SESSIONID	0x00000010
- /* #define unused		0x00000020 */
---- compat.c.orig	2020-10-05 10:25:02.088720562 -0700
-+++ compat.c	2020-10-05 10:13:11.637282492 -0700
-@@ -65,11 +65,12 @@
- 		{ "OpenSSH_6.5*,"
- 		  "OpenSSH_6.6*",	SSH_NEW_OPENSSH|SSH_BUG_CURVE25519PAD|
- 					SSH_BUG_SIGTYPE},
-+		{ "OpenSSH_7.4*",	SSH_NEW_OPENSSH|SSH_BUG_SIGTYPE|
-+		  			SSH_BUG_SIGTYPE74},
- 		{ "OpenSSH_7.0*,"
- 		  "OpenSSH_7.1*,"
- 		  "OpenSSH_7.2*,"
- 		  "OpenSSH_7.3*,"
--		  "OpenSSH_7.4*,"
- 		  "OpenSSH_7.5*,"
- 		  "OpenSSH_7.6*,"
- 		  "OpenSSH_7.7*",	SSH_NEW_OPENSSH|SSH_BUG_SIGTYPE},
---- sshconnect2.c.orig	2020-09-26 07:26:37.618010545 -0700
-+++ sshconnect2.c	2020-10-05 10:47:22.116315148 -0700
-@@ -1305,6 +1305,26 @@
- 			break;
- 	}
- 	free(oallowed);
-+	/*
-+	 * OpenSSH 7.4 supports SHA2 sig types, but fails to indicate its
-+	 * support.  For that release, check the local policy against the
-+	 * SHA2 signature types.
-+	 */
-+	if (alg == NULL &&
-+	    (key->type == KEY_RSA && (ssh->compat & SSH_BUG_SIGTYPE74))) {
-+		oallowed = allowed = xstrdup(options.pubkey_accepted_algos);
-+		while ((cp = strsep(&allowed, ",")) != NULL) {
-+			if (sshkey_type_from_name(cp) != key->type)
-+				continue;
-+			tmp = match_list(sshkey_sigalg_by_name(cp), "rsa-sha2-256,rsa-sha2-512", NULL);
-+			if (tmp != NULL)
-+				alg = xstrdup(cp);
-+			free(tmp);
-+			if (alg != NULL)
-+				break;
-+		}
-+		free(oallowed);
-+	}
- 	return alg;
- }
- 
-

SOURCES/openssh-8.6p1.tar.gz.asc

@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCgAdFiEEcWi5g4FaXu9ZpK39Kj9BTnNgYLoFAmB5CwgACgkQKj9BTnNg
-YLp01RAArXrAALtwTnWDysxBKTxGAUmXsPQOeaBCPd3zND3n0si6iinwwatSbu4d
-eYj/EOlzXydJkgMImoq6ErZrP2LyApe9RQDHfn/zEr+k5iflOK4su59TK6Dwuy86
-SPYsSNSBhABiVyH9HQelRyVLJfHwVU+DP/SaUemHGbeDLcczp5wh+mtXQPG7hMLi
-yuZ1e9W4pO5HOXwoccS69amO0nhqpLb2qBYhenFjY4lZPmIf7UFkGsqIkYeAqHU4
-/uhM0anxo7y+ezc2YD6eZHLrOZcRj1eYxh9IHGZnDcW2+6twks4aVK1kU+HI7xqt
-m9bhB+RTVKit0hvNjyhZP3XrDksgCQyyiWuXOe323ane42noH1NP6W075lmnC11Q
-JGueXJ+/vGPq3aYiad2mSZoHS82VfK43cCwXY9psCmZOMuWgARy/rxOWUZa3FBV7
-bIS59Mr4hzjyODXArXc+z98Q3Y0qV8jT7xDHCfmsmivBjNcEWH2fX4KvyPHNogJP
-C+4bA4WbOy9X6s3mKfQFgeLKA4MbeIhGTNFKl3Utyt7bl8dBzPU4nzBx5754e6Q2
-2vRuLsTfAAGWTNwu+XfS5wvhjPMLkXBH4IUxY8acUTxLYY4uPnPFS2ZqCC94Ysrr
-Af4DzNuqm8lkiglggwRwRLopVCuAHfScyqETdTOA1kLsILWdn8Q=
-=Jsrn
------END PGP SIGNATURE-----

SOURCES/openssh-8.7p1-scp-kill-switch.patch

@@ -0,0 +1,46 @@
+diff -up openssh-8.7p1/pathnames.h.kill-scp openssh-8.7p1/pathnames.h
+--- openssh-8.7p1/pathnames.h.kill-scp	2021-09-16 11:37:57.240171687 +0200
++++ openssh-8.7p1/pathnames.h	2021-09-16 11:42:29.183427917 +0200
+@@ -42,6 +42,7 @@
+ #define _PATH_HOST_XMSS_KEY_FILE	SSHDIR "/ssh_host_xmss_key"
+ #define _PATH_HOST_RSA_KEY_FILE		SSHDIR "/ssh_host_rsa_key"
+ #define _PATH_DH_MODULI			SSHDIR "/moduli"
++#define _PATH_SCP_KILL_SWITCH		SSHDIR "/disable_scp"
+ 
+ #ifndef _PATH_SSH_PROGRAM
+ #define _PATH_SSH_PROGRAM		"/usr/bin/ssh"
+diff -up openssh-8.7p1/scp.1.kill-scp openssh-8.7p1/scp.1
+--- openssh-8.7p1/scp.1.kill-scp	2021-09-16 12:09:02.646714578 +0200
++++ openssh-8.7p1/scp.1	2021-09-16 12:26:49.978628226 +0200
+@@ -278,6 +278,13 @@ to print debugging messages about their
+ This is helpful in
+ debugging connection, authentication, and configuration problems.
+ .El
++.Pp
++Usage of SCP protocol can be blocked by creating a world-readable
++.Ar /etc/ssh/disable_scp
++file. If this file exists, when SCP protocol is in use (either remotely or 
++via the
++.Fl O
++option), the program will exit.
+ .Sh EXIT STATUS
+ .Ex -std scp
+ .Sh SEE ALSO
+diff -up openssh-8.7p1/scp.c.kill-scp openssh-8.7p1/scp.c
+--- openssh-8.7p1/scp.c.kill-scp	2021-09-16 11:42:56.013650519 +0200
++++ openssh-8.7p1/scp.c	2021-09-16 11:53:03.249713836 +0200
+@@ -596,6 +596,14 @@ main(int argc, char **argv)
+ 	if (iamremote)
+ 		mode = MODE_SCP;
+ 
++	if (mode == MODE_SCP) {
++		FILE *f = fopen(_PATH_SCP_KILL_SWITCH, "r");
++		if (f != NULL) {
++			fclose(f);
++			fatal("SCP protocol is forbidden via %s", _PATH_SCP_KILL_SWITCH);
++		}
++	}
++
+ 	if ((pwd = getpwuid(userid = getuid())) == NULL)
+ 		fatal("unknown user %u", (u_int) userid);
+ 

SOURCES/openssh-8.7p1-sftp-default-protocol.patch

@@ -0,0 +1,129 @@
+diff --git a/scp.1 b/scp.1
+index 68aac04b..a96e95ad 100644
+--- a/scp.1
++++ b/scp.1
+@@ -8,9 +8,9 @@
+ .\"
+ .\" Created: Sun May  7 00:14:37 1995 ylo
+ .\"
+-.\" $OpenBSD: scp.1,v 1.100 2021/08/11 14:07:54 naddy Exp $
++.\" $OpenBSD: scp.1,v 1.101 2021/09/08 23:31:39 djm Exp $
+ .\"
+-.Dd $Mdocdate: August 11 2021 $
++.Dd $Mdocdate: September 8 2021 $
+ .Dt SCP 1
+ .Os
+ .Sh NAME
+@@ -18,7 +18,7 @@
+ .Nd OpenSSH secure file copy
+ .Sh SYNOPSIS
+ .Nm scp
+-.Op Fl 346ABCOpqRrsTv
++.Op Fl 346ABCOpqRrTv
+ .Op Fl c Ar cipher
+ .Op Fl D Ar sftp_server_path
+ .Op Fl F Ar ssh_config
+@@ -37,9 +37,6 @@ It uses
+ .Xr ssh 1
+ for data transfer, and uses the same authentication and provides the
+ same security as a login session.
+-The scp protocol requires execution of the remote user's shell to perform
+-.Xr glob 3
+-pattern matching.
+ .Pp
+ .Nm
+ will ask for passwords or passphrases if they are needed for
+@@ -79,7 +76,9 @@ The options are as follows:
+ Copies between two remote hosts are transferred through the local host.
+ Without this option the data is copied directly between the two remote
+ hosts.
+-Note that, when using the legacy SCP protocol (the default), this option
++Note that, when using the legacy SCP protocol (via the
++.Fl O
++flag), this option
+ selects batch mode for the second host as
+ .Nm
+ cannot ask for passwords or passphrases for both hosts.
+@@ -146,9 +145,10 @@ Limits the used bandwidth, specified in Kbit/s.
+ .It Fl O
+ Use the legacy SCP protocol for file transfers instead of the SFTP protocol.
+ Forcing the use of the SCP protocol may be necessary for servers that do
+-not implement SFTP or for backwards-compatibility for particular filename
+-wildcard patterns.
+-This mode is the default.
++not implement SFTP, for backwards-compatibility for particular filename
++wildcard patterns and for expanding paths with a
++.Sq ~
++prefix for older SFTP servers.
+ .It Fl o Ar ssh_option
+ Can be used to pass options to
+ .Nm ssh
+@@ -258,16 +258,6 @@ to use for the encrypted connection.
+ The program must understand
+ .Xr ssh 1
+ options.
+-.It Fl s
+-Use the SFTP protocol for file transfers instead of the legacy SCP protocol.
+-Using SFTP avoids invoking a shell on the remote side and provides
+-more predictable filename handling, as the SCP protocol
+-relied on the remote shell for expanding
+-.Xr glob 3
+-wildcards.
+-.Pp
+-A near-future release of OpenSSH will make the SFTP protocol the default.
+-This option will be deleted before the end of 2022.
+ .It Fl T
+ Disable strict filename checking.
+ By default when copying files from a remote host to a local directory
+@@ -299,11 +289,23 @@ debugging connection, authentication, and configuration problems.
+ .Xr ssh_config 5 ,
+ .Xr sftp-server 8 ,
+ .Xr sshd 8
++.Sh CAVEATS
++The original scp protocol (selected by the
++.Fl O
++flag) requires execution of the remote user's shell to perform
++.Xr glob 3
++pattern matching.
++This requires careful quoting of any characters that have special meaning to
++the remote shell, such as quote characters.
+ .Sh HISTORY
+ .Nm
+ is based on the rcp program in
+ .Bx
+ source code from the Regents of the University of California.
++.Pp
++Since OpenSSH 8.8 (8.7 in Red Hat/Fedora builds),
++.Nm
++has use the SFTP protocol for transfers by default.
+ .Sh AUTHORS
+ .An Timo Rinne Aq Mt tri@iki.fi
+ .An Tatu Ylonen Aq Mt ylo@cs.hut.fi
+diff --git a/scp.c b/scp.c
+index e039350c..c7cf7529 100644
+--- a/scp.c
++++ b/scp.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: scp.c,v 1.232 2021/08/11 14:07:54 naddy Exp $ */
++/* $OpenBSD: scp.c,v 1.233 2021/09/08 23:31:39 djm Exp $ */
+ /*
+  * scp - secure remote copy.  This is basically patched BSD rcp which
+  * uses ssh to do the data transfer (instead of using rcmd).
+@@ -448,7 +448,7 @@ main(int argc, char **argv)
+ 	const char *errstr;
+ 	extern char *optarg;
+ 	extern int optind;
+-	enum scp_mode_e mode = MODE_SCP;
++	enum scp_mode_e mode = MODE_SFTP;
+ 	char *sftp_direct = NULL;
+ 
+ 	/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
+@@ -1983,7 +1983,7 @@ void
+ usage(void)
+ {
+ 	(void) fprintf(stderr,
+-	    "usage: scp [-346ABCOpqRrsTv] [-c cipher] [-D sftp_server_path] [-F ssh_config]\n"
++	    "usage: scp [-346ABCOpqRrTv] [-c cipher] [-D sftp_server_path] [-F ssh_config]\n"
+ 	    "           [-i identity_file] [-J destination] [-l limit]\n"
+ 	    "           [-o ssh_option] [-P port] [-S program] source ... target\n");
+ 	exit(1);

SOURCES/openssh-8.7p1-upstream-cve-2021-41617.patch

@@ -0,0 +1,25 @@
+diff --git a/misc.c b/misc.c
+index b8d1040d..0134d694 100644
+--- a/misc.c
++++ b/misc.c
+@@ -56,6 +56,7 @@
+ #ifdef HAVE_PATHS_H
+ # include <paths.h>
+ #include <pwd.h>
++#include <grp.h>
+ #endif
+ #ifdef SSH_TUN_OPENBSD
+ #include <net/if.h>
+@@ -2695,6 +2696,12 @@ subprocess(const char *tag, const char *command,
+ 		}
+ 		closefrom(STDERR_FILENO + 1);
+ 
++		if (geteuid() == 0 &&
++		    initgroups(pw->pw_name, pw->pw_gid) == -1) {
++			error("%s: initgroups(%s, %u): %s", tag,
++			    pw->pw_name, (u_int)pw->pw_gid, strerror(errno));
++			_exit(1);
++		}
+ 		if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) == -1) {
+ 			error("%s: setresgid %u: %s", tag, (u_int)pw->pw_gid,
+ 			    strerror(errno));

SOURCES/openssh-8.7p1.tar.gz.asc

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEEcWi5g4FaXu9ZpK39Kj9BTnNgYLoFAmEfKn8ACgkQKj9BTnNg
+YLo2qQ/9EHkk64DFIOZz9xmKdogiVvuYue9LE1ex52rgLhxkeAmXQ0Ta2VjK0S81
+9/oWJP5N+gcHLO01Og2bVuUPim/S1Op69a5hmFWaYvIlKCeCBONwE1O+n6IIhf+p
+HUXkY9cFXOoSEHhQ1D+/f8axv7WtZ4ZtHlxejqcsjyyIDqG+i4kReiZJP0D06dUk
+cv2U6YsQ9hTvXBTeUANCgLzH6DvEoyQyy7LOpaHsO1VKMlctslrVWdWRiAn7V934
+8TuhZB0NoHAGZIgFFCINSfFAxnqxPyZtLdTxSF5EwPXqdnwFfGk4nprLZA1vT2yT
+HeZiXhx919L+trDVmCycqcSCj8vOlNWl9A8VaodTW01SG75D7b1f5XqLGmSP4ujf
++9UnYKVm0OAU8jpbGXd1D2REuXRspRU6NPNW/3MkO2I46sG+KHhD6OMipOaiY8p2
+WrCsryadBThUqSKAo/zdIAJgVVt23Y7ykIIkhxebaRBIS4v6fdXg4aIjHfOjlsDX
+Mh2JFEbP93bKC0wCJWcR7NXFR4nN2ddTen1jLC+m+ABMae0AoMCFy7VW4FK33ZAJ
++Plovu62bBUXeVhXhLC76vdQo7geRpBs0RQV0gtj6HlZL5BReEKwApPEVce8K9F5
++ZYbmF5ZQNMcdR9zZ+QV+ykv6y4SG1+rPI9/Ufo/ZZp5jRnsq+M=
+=xI/+
+-----END PGP SIGNATURE-----

SPECS/openssh.spec

@@ -50,15 +50,15 @@
 %{?static_openssl:%global static_libcrypto 1}
 
 # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
-%global openssh_ver 8.6p1
+%global openssh_ver 8.7p1
-%global openssh_rel 7
+%global openssh_rel 4
 %global pam_ssh_agent_ver 0.10.4
-%global pam_ssh_agent_rel 3
+%global pam_ssh_agent_rel 4
 
 Summary: An open source implementation of SSH protocol version 2
 Name: openssh
 Version: %{openssh_ver}
-Release: %{openssh_rel}%{?dist}.1
+Release: %{openssh_rel}%{?dist}
 URL: http://www.openssh.com/portable.html
 #URL1: https://github.com/jbeverly/pam_ssh_agent_auth/
 Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
@@ -189,14 +189,16 @@ Patch964: openssh-8.0p1-openssl-kdf.patch
 Patch965: openssh-8.2p1-visibility.patch
 # Do not break X11 without IPv6
 Patch966: openssh-8.2p1-x11-without-ipv6.patch
-# https://bugzilla.mindrot.org/show_bug.cgi?id=3213
-Patch969: openssh-8.4p1-debian-compat.patch
 # ssh-keygen printing fingerprint issue with Windows keys (#1901518)
 Patch974: openssh-8.0p1-keygen-strip-doseol.patch
 # sshd provides PAM an incorrect error code (#1879503)
 Patch975: openssh-8.0p1-preserve-pam-errors.patch
-# ssh incorrectly restores the blocking mode on standard output (#1942901)
+# Use SFTP protocol by default for scp command
-Patch976: openssh-8.0p1-restore-nonblock.patch
+Patch976: openssh-8.7p1-sftp-default-protocol.patch
+# Implement kill switch for SCP protocol
+Patch977: openssh-8.7p1-scp-kill-switch.patch
+# CVE-2021-41617
+Patch978: openssh-8.7p1-upstream-cve-2021-41617.patch
 
 License: BSD
 Requires: /sbin/nologin
@@ -267,7 +269,7 @@ Requires: openssh = %{version}-%{release}
 %package -n pam_ssh_agent_auth
 Summary: PAM module for authentication with ssh-agent
 Version: %{pam_ssh_agent_ver}
-Release: %{pam_ssh_agent_rel}.%{openssh_rel}%{?dist}.2
+Release: %{pam_ssh_agent_rel}.%{openssh_rel}%{?dist}
 License: BSD
 
 %description
@@ -370,10 +372,11 @@ popd
 %patch964 -p1 -b .openssl-kdf
 %patch965 -p1 -b .visibility
 %patch966 -p1 -b .x11-ipv6
-%patch969 -p0 -b .debian
 %patch974 -p1 -b .keygen-strip-doseol
 %patch975 -p1 -b .preserve-pam-errors
-%patch976 -p1 -b .restore-nonblock
+%patch976 -p1 -b .sftp-by-default
+%patch977 -p1 -b .kill-scp
+%patch978 -p1 -b .cve-2021-41617
 
 %patch200 -p1 -b .audit
 %patch201 -p1 -b .audit-race
@@ -658,6 +661,24 @@ test -f %{sysconfig_anaconda} && \
 %endif
 
 %changelog
+* Mon Oct 25 2021 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.7p1-4
+- Fix memory leaks introduced in OpenSSH 8.7
+  Related: rhbz#2001002
+
+* Tue Oct 19 2021 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.7p1-3
+- Disable locale forwarding in default configurations
+  Related: rhbz#2002734
+
+* Fri Oct 01 2021 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.7p1-2
+- Upstream fix for CVE-2021-41617
+  Related: rhbz#2008886
+
+* Fri Sep 24 2021 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.7p1-1 + 0.10.4-4
+- New upstream release
+- Switch to SFTP protocol in scp utility by default
+- Enable SCP protocol kill switch
+  Related: rhbz#2001002
+
 * Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 8.6p1-7.1
 - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
   Related: rhbz#1991688