Pullup ticket #4262 - requested by taca

security/openssh: security update

Revisions pulled up:
- security/openssh/Makefile                                     1.214
- security/openssh/distinfo                                     1.85
- security/openssh/options.mk                                   1.26
- security/openssh/patches/patch-Makefile.in                    1.2
- security/openssh/patches/patch-auth.c                         1.2
- security/openssh/patches/patch-auth1.c                        1.2
- security/openssh/patches/patch-auth2.c                        1.2
- security/openssh/patches/patch-config.h.in                    1.2
- security/openssh/patches/patch-configure                      1.2
- security/openssh/patches/patch-configure.ac                   1.2
- security/openssh/patches/patch-includes.h                     1.2
- security/openssh/patches/patch-scp.c                          1.2
- security/openssh/patches/patch-session.c                      1.2
- security/openssh/patches/patch-sftp-common.c                  1.1
- security/openssh/patches/patch-ssh.c                          1.2
- security/openssh/patches/patch-sshd.c                         1.2
- security/openssh/patches/patch-uidswap.c                      1.2

---
   Module Name:	pkgsrc
   Committed By:	taca
   Date:		Sun Dec  1 06:11:41 UTC 2013

   Modified Files:
   	pkgsrc/security/openssh: Makefile distinfo options.mk
   	pkgsrc/security/openssh/patches: patch-Makefile.in patch-auth.c
   	    patch-auth1.c patch-auth2.c patch-config.h.in patch-configure
   	    patch-configure.ac patch-includes.h patch-scp.c patch-session.c
   	    patch-ssh.c patch-sshd.c patch-uidswap.c
   Added Files:
   	pkgsrc/security/openssh/patches: patch-sftp-common.c

   Log Message:
   Update openssh to 6.4.1 (OpenSSH 6.4p1).

   Changes since OpenSSH 6.3
   =========================

   This release fixes a security bug:

    * sshd(8): fix a memory corruption problem triggered during rekeying
      when an AES-GCM cipher is selected. Full details of the vulnerability
      are available at: http://www.openssh.com/txt/gcmrekey.adv

   Changes since OpenSSH 6.2 is too many to write here, please refer
   the release note: http://www.openssh.com/txt/release-6.3.

17 files changed, 112 insertions, 93 deletions

diff --git a/security/openssh/Makefile b/security/openssh/Makefile
index cec09e46f23..2fa5b2af318 100644
--- a/security/openssh/Makefile
+++ b/security/openssh/Makefile
@@ -1,8 +1,7 @@
-# $NetBSD: Makefile,v 1.213 2013/07/12 10:45:02 jperkin Exp $
+# $NetBSD: Makefile,v 1.213.2.1 2013/12/05 09:52:53 tron Exp $
 
-DISTNAME=		openssh-6.2p1
-PKGNAME=		openssh-6.2.1
-PKGREVISION=		2
+DISTNAME=		openssh-6.4p1
+PKGNAME=		openssh-6.4.1
 SVR4_PKGNAME=		ossh
 CATEGORIES=		security
 MASTER_SITES=		ftp://ftp.openssh.com/pub/OpenBSD/OpenSSH/portable/ \
diff --git a/security/openssh/distinfo b/security/openssh/distinfo
index 8038986ef6e..c5b0bd952e0 100644
--- a/security/openssh/distinfo
+++ b/security/openssh/distinfo
@@ -1,31 +1,32 @@
-$NetBSD: distinfo,v 1.84 2013/05/01 19:58:25 imil Exp $
+$NetBSD: distinfo,v 1.84.4.1 2013/12/05 09:52:53 tron Exp $
 
-SHA1 (openssh-6.2p1-hpn13v14.diff) = 71bbd99961b8b7665a481cf0a4bc9604e55d75b3
-RMD160 (openssh-6.2p1-hpn13v14.diff) = b859fbdf4395534621cc5ffae0cce39621582927
-Size (openssh-6.2p1-hpn13v14.diff) = 61437 bytes
-SHA1 (openssh-6.2p1.tar.gz) = 8824708c617cc781b2bb29fa20bd905fd3d2a43d
-RMD160 (openssh-6.2p1.tar.gz) = 3651a43c8d466646e760cb1cbc9097dbba5151ca
-Size (openssh-6.2p1.tar.gz) = 1182181 bytes
-SHA1 (patch-Makefile.in) = 514edd12500e89059d3bda7f5ac8c651001fd7c6
+SHA1 (openssh-6.4p1-hpn14v2.diff.gz) = 2713d734d5f652c6dccd13d779c1e116ccca2e7e
+RMD160 (openssh-6.4p1-hpn14v2.diff.gz) = 45366b1f61241fc29a87918790182bd4f29a1f29
+Size (openssh-6.4p1-hpn14v2.diff.gz) = 23792 bytes
+SHA1 (openssh-6.4p1.tar.gz) = cf5fe0eb118d7e4f9296fbc5d6884965885fc55d
+RMD160 (openssh-6.4p1.tar.gz) = d0e757c90350351bb92ebd4fa9f045586fb54f97
+Size (openssh-6.4p1.tar.gz) = 1201402 bytes
+SHA1 (patch-Makefile.in) = 1cf8bda061df1b76822be2886d9c231cc3cb39b9
 SHA1 (patch-atomicio.c) = 6bb3c3ca1491693918ce1ac7481e0852c90e0b4e
 SHA1 (patch-auth-passwd.c) = de9f5487fe1f5848cc702e549bce949fd75d70cd
 SHA1 (patch-auth-rhosts.c) = ab8dd3e375accc5bed3e15b158a85a1b1f9a2e3e
-SHA1 (patch-auth.c) = ee757e5c80a14398c4835a1c1502cdaa03ca8655
-SHA1 (patch-auth1.c) = 97693bbd970cf036892099493f0f64e59a252a35
-SHA1 (patch-auth2.c) = bb638fda90e80cd2f74702e01dc3320da01e4e80
-SHA1 (patch-config.h.in) = 805a5ba9be430a7123dc958d43c401d6f57d0bf5
-SHA1 (patch-configure) = d8977e444ffd2217229726161ebf0b5868d9f650
-SHA1 (patch-configure.ac) = b981b8b2e28edc4fa461c9c487f3f7e82412b826
+SHA1 (patch-auth.c) = 950b0380bcbb0fa1681014cfbb41528d09a10a18
+SHA1 (patch-auth1.c) = 7b0481f445bc85cce9d7539b00bf581b9aa09fea
+SHA1 (patch-auth2.c) = f4c5ab6ffb83f649e7d3566097e0dec8323f0d29
+SHA1 (patch-config.h.in) = c838507e83224d842e25170ea8faa63c8559ea37
+SHA1 (patch-configure) = 91bd541c6dc19aed54f20bb31bea958847dae738
+SHA1 (patch-configure.ac) = 896aac81d96fe09775ef5b7c6942c37309097b33
 SHA1 (patch-defines.h) = e2aebe7dcf0927d8afcca7a96c4001a6e0130cc2
-SHA1 (patch-includes.h) = f7fad7b3599d677a5991b140c66e3a67bedbe13b
+SHA1 (patch-includes.h) = 0a899d3b38ef3de7f5b08fec022696b4e998b54e
 SHA1 (patch-loginrec.c) = 0305a5b552c88ac99d8f894d3cda9686e0b0ccdd
 SHA1 (patch-openbsd-compat_bsd-openpty.c) = a1318cf691f0ad844a8761a77e3bb32a9e20c695
 SHA1 (patch-openbsd-compat_openbsd-compat.h) = 17690feb6962bd27fef96bd6fb1acfa60e9af9dc
 SHA1 (patch-openbsd-compat_port-tun.c) = 8288e2b9336ea1fcc1129d8a2ab5e55816b2ccbf
 SHA1 (patch-platform.c) = fcb85cca516d992ec50dfb259b9cc8ddbb032b5c
-SHA1 (patch-scp.c) = 0460cee3ad2626c71ce0a6e484fb4ed9ae559d1f
-SHA1 (patch-session.c) = aba585358f22db8b37b6673526af96765c65dc49
-SHA1 (patch-ssh.c) = eecce1698455567f9e48b498fe937d235890c315
-SHA1 (patch-sshd.c) = faf9ff468a0938e20f7cf18192c47dec46763e8c
+SHA1 (patch-scp.c) = 97e33843cc1b93babb6c45225c07ac74555e6d54
+SHA1 (patch-session.c) = dc7fd9ec8956c734cb4a6427243133919cb47158
+SHA1 (patch-sftp-common.c) = 5467a25bc996dac8e4c6e4cb657ad722a3284388
+SHA1 (patch-ssh.c) = e878057032340425ed01230ca6abc8bbfdb07dfb
+SHA1 (patch-sshd.c) = 547bf87e572229ab4e568d1e7b03e722d8a63302
 SHA1 (patch-sshpty.c) = 9f08f899919d05567998087a060b90800c2c7b11
-SHA1 (patch-uidswap.c) = 4c7c4e1621dc54a180bcba9a81d58f114a819eb0
+SHA1 (patch-uidswap.c) = cbed1c1db63e7f198efaa76581e8f5a5aa9615da
diff --git a/security/openssh/options.mk b/security/openssh/options.mk
index db53c0018e4..8c8b3d50ace 100644
--- a/security/openssh/options.mk
+++ b/security/openssh/options.mk
@@ -1,4 +1,4 @@
-# $NetBSD: options.mk,v 1.25 2013/05/01 19:58:25 imil Exp $
+# $NetBSD: options.mk,v 1.25.4.1 2013/12/05 09:52:53 tron Exp $
 
 .include "../../mk/bsd.prefs.mk"
 
@@ -16,8 +16,8 @@ CONFIGURE_ENV+=		ac_cv_search_k_hasafs=no
 .endif
 
 .if !empty(PKG_OPTIONS:Mhpn-patch)
-PATCHFILES=		openssh-6.2p1-hpn13v14.diff
-PATCH_SITES=		ftp://ftp.NetBSD.org/pub/NetBSD/misc/imil/openssh/
+PATCHFILES=		openssh-6.4p1-hpn14v2.diff.gz
+PATCH_SITES=		ftp://ftp.NetBSD.org/pub/NetBSD/misc/openssh/
 PATCH_DIST_STRIP=	-p1
 .endif
 
diff --git a/security/openssh/patches/patch-Makefile.in b/security/openssh/patches/patch-Makefile.in
index 30e688f486c..8a30d5a8216 100644
--- a/security/openssh/patches/patch-Makefile.in
+++ b/security/openssh/patches/patch-Makefile.in
@@ -1,24 +1,27 @@
-$NetBSD: patch-Makefile.in,v 1.1 2013/05/01 19:58:26 imil Exp $
+$NetBSD: patch-Makefile.in,v 1.1.4.1 2013/12/05 09:52:53 tron Exp $
 
 Removed install-sysconf as we handle that phase through post-install
 
---- Makefile.in.orig	2013-03-07 15:37:13.000000000 +0000
+--- Makefile.in.orig	2013-06-11 01:26:10.000000000 +0000
 +++ Makefile.in
-@@ -22,7 +22,7 @@ top_srcdir=@top_srcdir@
- DESTDIR=
+@@ -2,5 +2,5 @@
+ 
+ # uncomment if you run a non bourne compatable shell. Ie. csh
+-#SHELL = @SH@
++SHELL = @SH@
+ 
+ AUTORECONF=autoreconf
+@@ -23,5 +23,5 @@ DESTDIR=
  VPATH=@srcdir@
  SSH_PROGRAM=@bindir@/ssh
 -ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass
 +#ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass
  SFTP_SERVER=$(libexecdir)/sftp-server
  SSH_KEYSIGN=$(libexecdir)/ssh-keysign
- SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
-@@ -242,7 +242,7 @@ distprep: catman-do
- 	-rm -rf autom4te.cache
+@@ -246,5 +246,5 @@ distprep: catman-do
  
  install: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files install-sysconf host-key check-config
 -install-nokeys: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files install-sysconf
 +install-nokeys: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files
  install-nosysconf: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files
  
- check-config:
diff --git a/security/openssh/patches/patch-auth.c b/security/openssh/patches/patch-auth.c
index 011008fd310..92aacb6a4bb 100644
--- a/security/openssh/patches/patch-auth.c
+++ b/security/openssh/patches/patch-auth.c
@@ -1,10 +1,10 @@
-$NetBSD: patch-auth.c,v 1.1 2013/05/01 19:58:26 imil Exp $
+$NetBSD: patch-auth.c,v 1.1.4.1 2013/12/05 09:52:53 tron Exp $
 
 Replace uid 0 with ROOTUID macro
 
---- auth.c.orig	2013-03-12 00:31:05.000000000 +0000
+--- auth.c.orig	2013-06-01 21:41:51.000000000 +0000
 +++ auth.c
-@@ -385,7 +385,7 @@ check_key_in_hostfiles(struct passwd *pw
+@@ -407,7 +407,7 @@ check_key_in_hostfiles(struct passwd *pw
  		user_hostfile = tilde_expand_filename(userfile, pw->pw_uid);
  		if (options.strict_modes &&
  		    (stat(user_hostfile, &st) == 0) &&
diff --git a/security/openssh/patches/patch-auth1.c b/security/openssh/patches/patch-auth1.c
index 1fe8e3b7a0e..2593109b069 100644
--- a/security/openssh/patches/patch-auth1.c
+++ b/security/openssh/patches/patch-auth1.c
@@ -1,10 +1,10 @@
-$NetBSD: patch-auth1.c,v 1.1 2013/05/01 19:58:26 imil Exp $
+$NetBSD: patch-auth1.c,v 1.1.4.1 2013/12/05 09:52:53 tron Exp $
 
 Replace uid 0 with ROOTUID macro
 
---- auth1.c.orig	2012-12-02 22:53:20.000000000 +0000
+--- auth1.c.orig	2013-06-01 22:01:24.000000000 +0000
 +++ auth1.c
-@@ -321,7 +321,7 @@ do_authloop(Authctxt *authctxt)
+@@ -319,7 +319,7 @@ do_authloop(Authctxt *authctxt)
  
  #ifndef HAVE_CYGWIN
  		/* Special handling for root */
@@ -13,7 +13,7 @@ Replace uid 0 with ROOTUID macro
  		    !auth_root_allowed(meth->name)) {
   			authenticated = 0;
  # ifdef SSH_AUDIT_EVENTS
-@@ -425,8 +425,8 @@ do_authentication(Authctxt *authctxt)
+@@ -420,8 +420,8 @@ do_authentication(Authctxt *authctxt)
  	 * If we are not running as root, the user must have the same uid as
  	 * the server.
  	 */
diff --git a/security/openssh/patches/patch-auth2.c b/security/openssh/patches/patch-auth2.c
index 6e1a46d4e52..c380b6f07ea 100644
--- a/security/openssh/patches/patch-auth2.c
+++ b/security/openssh/patches/patch-auth2.c
@@ -1,10 +1,10 @@
-$NetBSD: patch-auth2.c,v 1.1 2013/05/01 19:58:26 imil Exp $
+$NetBSD: patch-auth2.c,v 1.1.4.1 2013/12/05 09:52:53 tron Exp $
 
 Replace uid 0 with ROOTUID macro
 
---- auth2.c.orig	2012-12-02 22:53:20.000000000 +0000
+--- auth2.c.orig	2013-06-01 21:41:51.000000000 +0000
 +++ auth2.c
-@@ -307,7 +307,7 @@ userauth_finish(Authctxt *authctxt, int 
+@@ -310,7 +310,7 @@ userauth_finish(Authctxt *authctxt, int 
  		fatal("INTERNAL ERROR: authenticated and postponed");
  
  	/* Special handling for root */
diff --git a/security/openssh/patches/patch-config.h.in b/security/openssh/patches/patch-config.h.in
index 025354a2354..ba0e0c983ab 100644
--- a/security/openssh/patches/patch-config.h.in
+++ b/security/openssh/patches/patch-config.h.in
@@ -1,10 +1,10 @@
-$NetBSD: patch-config.h.in,v 1.1 2013/05/01 19:58:26 imil Exp $
+$NetBSD: patch-config.h.in,v 1.1.4.1 2013/12/05 09:52:53 tron Exp $
 
 Added Interix and define new path to if_tun.h
 
---- config.h.in.orig	2013-03-21 23:38:18.000000000 +0000
+--- config.h.in.orig	2013-11-08 01:41:08.000000000 +0000
 +++ config.h.in
-@@ -561,6 +561,9 @@
+@@ -584,6 +584,9 @@
  /* define if you have int64_t data type */
  #undef HAVE_INT64_T
  
@@ -14,7 +14,7 @@ Added Interix and define new path to if_tun.h
  /* Define to 1 if you have the <inttypes.h> header file. */
  #undef HAVE_INTTYPES_H
  
-@@ -699,6 +702,9 @@
+@@ -737,6 +740,9 @@
  /* Define to 1 if you have the <net/if_tun.h> header file. */
  #undef HAVE_NET_IF_TUN_H
  
diff --git a/security/openssh/patches/patch-configure b/security/openssh/patches/patch-configure
index 2782ef6cfaf..e028819ac68 100644
--- a/security/openssh/patches/patch-configure
+++ b/security/openssh/patches/patch-configure
@@ -1,10 +1,10 @@
-$NetBSD: patch-configure,v 1.1 2013/05/01 19:58:26 imil Exp $
+$NetBSD: patch-configure,v 1.1.4.1 2013/12/05 09:52:53 tron Exp $
 
 Various fixes regarding portability
 
---- configure.orig	2013-03-21 23:38:28.000000000 +0000
+--- configure.orig	2013-11-08 01:41:15.000000000 +0000
 +++ configure
-@@ -5993,6 +5993,9 @@ if test "${with_rpath+set}" = set; then 
+@@ -6159,6 +6159,9 @@ if test "${with_rpath+set}" = set; then 
  fi
  
  
@@ -14,7 +14,7 @@ Various fixes regarding portability
  # Allow user to specify flags
  
  # Check whether --with-cflags was given.
-@@ -6076,6 +6079,7 @@ for ac_header in  \
+@@ -6243,6 +6246,7 @@ for ac_header in  \
  	maillock.h \
  	ndir.h \
  	net/if_tun.h \
@@ -22,7 +22,7 @@ Various fixes regarding portability
  	netdb.h \
  	netgroup.h \
  	pam/pam_appl.h \
-@@ -6786,6 +6790,36 @@ $as_echo "#define HAVE_SECUREWARE 1" >>c
+@@ -6978,6 +6982,36 @@ $as_echo "#define HAVE_SECUREWARE 1" >>c
  		;;
  	esac
  	;;
@@ -59,7 +59,7 @@ Various fixes regarding portability
  *-*-irix5*)
  	PATH="$PATH:/usr/etc"
  
-@@ -6987,7 +7021,7 @@ fi
+@@ -7179,7 +7213,7 @@ fi
  $as_echo "#define SSH_TUN_PREPEND_AF 1" >>confdefs.h
  
  	;;
@@ -68,7 +68,7 @@ Various fixes regarding portability
  	check_for_libcrypt_later=1
  
  $as_echo "#define LOCKED_PASSWD_PREFIX \"*LOCKED*\"" >>confdefs.h
-@@ -17033,12 +17067,18 @@ fi
+@@ -17406,12 +17440,18 @@ fi
  rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
  if test -z "$conf_wtmpx_location"; then
  	if test x"$system_wtmpx_path" = x"no" ; then
@@ -92,7 +92,7 @@ Various fixes regarding portability
  #define CONF_WTMPX_FILE "$conf_wtmpx_location"
  _ACEOF
  
-@@ -18441,7 +18481,7 @@ echo "OpenSSH has been configured with t
+@@ -18816,7 +18856,7 @@ echo "OpenSSH has been configured with t
  echo "                     User binaries: $B"
  echo "                   System binaries: $C"
  echo "               Configuration files: $D"
diff --git a/security/openssh/patches/patch-configure.ac b/security/openssh/patches/patch-configure.ac
index 891123a925e..d14e497be5f 100644
--- a/security/openssh/patches/patch-configure.ac
+++ b/security/openssh/patches/patch-configure.ac
@@ -1,10 +1,10 @@
-$NetBSD: patch-configure.ac,v 1.1 2013/05/01 19:58:26 imil Exp $
+$NetBSD: patch-configure.ac,v 1.1.4.1 2013/12/05 09:52:53 tron Exp $
 
 Various fixes regarding portability
 
---- configure.ac.orig	2013-03-20 01:55:15.000000000 +0000
+--- configure.ac.orig	2013-08-04 11:48:41.000000000 +0000
 +++ configure.ac
-@@ -241,6 +241,9 @@ AC_ARG_WITH([rpath],
+@@ -246,6 +246,9 @@ AC_ARG_WITH([rpath],
  	]
  )
  
@@ -14,7 +14,7 @@ Various fixes regarding portability
  # Allow user to specify flags
  AC_ARG_WITH([cflags],
  	[  --with-cflags           Specify additional flags to pass to compiler],
-@@ -309,6 +312,7 @@ AC_CHECK_HEADERS([ \
+@@ -315,6 +318,7 @@ AC_CHECK_HEADERS([ \
  	maillock.h \
  	ndir.h \
  	net/if_tun.h \
@@ -22,7 +22,7 @@ Various fixes regarding portability
  	netdb.h \
  	netgroup.h \
  	pam/pam_appl.h \
-@@ -603,6 +607,15 @@ main() { if (NSVersionOfRunTimeLibrary("
+@@ -618,6 +622,15 @@ main() { if (NSVersionOfRunTimeLibrary("
  		;;
  	esac
  	;;
@@ -38,7 +38,7 @@ Various fixes regarding portability
  *-*-irix5*)
  	PATH="$PATH:/usr/etc"
  	AC_DEFINE([BROKEN_INET_NTOA], [1],
-@@ -4460,9 +4473,17 @@ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
+@@ -4500,9 +4513,17 @@ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
  ])
  if test -z "$conf_wtmpx_location"; then
  	if test x"$system_wtmpx_path" = x"no" ; then
@@ -58,7 +58,7 @@ Various fixes regarding portability
  	AC_DEFINE_UNQUOTED([CONF_WTMPX_FILE], ["$conf_wtmpx_location"],
  		[Define if you want to specify the path to your wtmpx file])
  fi
-@@ -4547,7 +4568,7 @@ echo "OpenSSH has been configured with t
+@@ -4588,7 +4609,7 @@ echo "OpenSSH has been configured with t
  echo "                     User binaries: $B"
  echo "                   System binaries: $C"
  echo "               Configuration files: $D"
diff --git a/security/openssh/patches/patch-includes.h b/security/openssh/patches/patch-includes.h
index f2c0374e2c9..eb719e4603e 100644
--- a/security/openssh/patches/patch-includes.h
+++ b/security/openssh/patches/patch-includes.h
@@ -1,10 +1,10 @@
-$NetBSD: patch-includes.h,v 1.1 2013/05/01 19:58:26 imil Exp $
+$NetBSD: patch-includes.h,v 1.1.4.1 2013/12/05 09:52:53 tron Exp $
 
 Interix support
 
---- includes.h.orig	2013-02-22 22:12:24.000000000 +0000
+--- includes.h.orig	2013-03-22 01:51:09.000000000 +0000
 +++ includes.h
-@@ -124,6 +124,10 @@
+@@ -126,6 +126,10 @@
  #ifdef HAVE_READPASSPHRASE_H
  # include <readpassphrase.h>
  #endif
diff --git a/security/openssh/patches/patch-scp.c b/security/openssh/patches/patch-scp.c
index 49ce681868e..efed98b0f42 100644
--- a/security/openssh/patches/patch-scp.c
+++ b/security/openssh/patches/patch-scp.c
@@ -1,8 +1,8 @@
-$NetBSD: patch-scp.c,v 1.1 2013/05/01 19:58:26 imil Exp $
+$NetBSD: patch-scp.c,v 1.1.4.1 2013/12/05 09:52:53 tron Exp $
 
 Interix support
 
---- scp.c.orig	2013-03-20 01:55:15.000000000 +0000
+--- scp.c.orig	2013-07-18 06:11:25.000000000 +0000
 +++ scp.c
 @@ -477,7 +477,11 @@ main(int argc, char **argv)
  	argc -= optind;
@@ -27,7 +27,7 @@ Interix support
  		if (!strcmp(dp->d_name, ".") || !strcmp(dp->d_name, ".."))
  			continue;
  		if (strlen(name) + 1 + strlen(dp->d_name) >= sizeof(path) - 1) {
-@@ -1279,7 +1285,9 @@ okname(char *cp0)
+@@ -1292,7 +1298,9 @@ okname(char *cp0)
  			case '\'':
  			case '"':
  			case '`':
diff --git a/security/openssh/patches/patch-session.c b/security/openssh/patches/patch-session.c
index b38a3874d5e..2efec1b1d16 100644
--- a/security/openssh/patches/patch-session.c
+++ b/security/openssh/patches/patch-session.c
@@ -1,8 +1,8 @@
-$NetBSD: patch-session.c,v 1.1 2013/05/01 19:58:26 imil Exp $
+$NetBSD: patch-session.c,v 1.1.4.1 2013/12/05 09:52:53 tron Exp $
 
 Interix support
 
---- session.c.orig	2013-03-15 00:22:37.000000000 +0000
+--- session.c.orig	2013-07-20 03:21:53.000000000 +0000
 +++ session.c
 @@ -1081,7 +1081,7 @@ read_etc_default_login(char ***env, u_in
  	if (tmpenv == NULL)
@@ -55,7 +55,7 @@ Interix support
  		endgrent();
  #endif
  
-@@ -2313,7 +2327,7 @@ session_pty_cleanup2(Session *s)
+@@ -2325,7 +2339,7 @@ session_pty_cleanup2(Session *s)
  		record_logout(s->pid, s->tty, s->pw->pw_name);
  
  	/* Release the pseudo-tty. */
diff --git a/security/openssh/patches/patch-sftp-common.c b/security/openssh/patches/patch-sftp-common.c
new file mode 100644
index 00000000000..ec231b19de0
--- /dev/null
+++ b/security/openssh/patches/patch-sftp-common.c
@@ -0,0 +1,16 @@
+$NetBSD: patch-sftp-common.c,v 1.1.2.2 2013/12/05 09:52:53 tron Exp $
+
+Include <unistd.h> for strmode(3).
+
+--- sftp-common.c.orig	2013-06-01 21:31:19.000000000 +0000
++++ sftp-common.c
+@@ -36,6 +36,9 @@
+ #include <string.h>
+ #include <time.h>
+ #include <stdarg.h>
++#ifdef HAVE_UNISTD_H
++#include <unistd.h>
++#endif
+ #ifdef HAVE_UTIL_H
+ #include <util.h>
+ #endif
diff --git a/security/openssh/patches/patch-ssh.c b/security/openssh/patches/patch-ssh.c
index c2f54eae7a9..ccef3f912b0 100644
--- a/security/openssh/patches/patch-ssh.c
+++ b/security/openssh/patches/patch-ssh.c
@@ -1,10 +1,10 @@
-$NetBSD: patch-ssh.c,v 1.1 2013/05/01 19:58:26 imil Exp $
+$NetBSD: patch-ssh.c,v 1.1.4.1 2013/12/05 09:52:53 tron Exp $
 
 Interix support
 
---- ssh.c.orig	2012-07-06 03:45:01.000000000 +0000
+--- ssh.c.orig	2013-07-25 01:55:53.000000000 +0000
 +++ ssh.c
-@@ -794,7 +794,7 @@ main(int ac, char **av)
+@@ -820,7 +820,7 @@ main(int ac, char **av)
  	if (ssh_connect(host, &hostaddr, options.port,
  	    options.address_family, options.connection_attempts, &timeout_ms,
  	    options.tcp_keep_alive, 
diff --git a/security/openssh/patches/patch-sshd.c b/security/openssh/patches/patch-sshd.c
index de927853f47..8374a47acc3 100644
--- a/security/openssh/patches/patch-sshd.c
+++ b/security/openssh/patches/patch-sshd.c
@@ -1,10 +1,10 @@
-$NetBSD: patch-sshd.c,v 1.1 2013/05/01 19:58:27 imil Exp $
+$NetBSD: patch-sshd.c,v 1.1.4.1 2013/12/05 09:52:53 tron Exp $
 
 Interix support
 
---- sshd.c.orig	2013-02-12 00:04:48.000000000 +0000
+--- sshd.c.orig	2013-07-20 03:21:53.000000000 +0000
 +++ sshd.c
-@@ -237,7 +237,11 @@ int *startup_pipes = NULL;
+@@ -243,7 +243,11 @@ int *startup_pipes = NULL;
  int startup_pipe;		/* in child */
  
  /* variables used for privilege separation */
@@ -16,7 +16,7 @@ Interix support
  struct monitor *pmonitor = NULL;
  int privsep_is_preauth = 1;
  
-@@ -625,10 +629,15 @@ privsep_preauth_child(void)
+@@ -631,10 +635,15 @@ privsep_preauth_child(void)
  	/* XXX not ready, too heavy after chroot */
  	do_setusercontext(privsep_pw);
  #else
@@ -32,7 +32,7 @@ Interix support
  #endif
  }
  
-@@ -688,7 +697,7 @@ privsep_preauth(Authctxt *authctxt)
+@@ -696,7 +705,7 @@ privsep_preauth(Authctxt *authctxt)
  		set_log_handler(mm_log_handler, pmonitor);
  
  		/* Demote the child */
@@ -41,7 +41,7 @@ Interix support
  			privsep_preauth_child();
  		setproctitle("%s", "[net]");
  		if (box != NULL)
-@@ -706,7 +715,7 @@ privsep_postauth(Authctxt *authctxt)
+@@ -714,7 +723,7 @@ privsep_postauth(Authctxt *authctxt)
  #ifdef DISABLE_FD_PASSING
  	if (1) {
  #else
@@ -50,7 +50,7 @@ Interix support
  #endif
  		/* File descriptor passing is broken or root login */
  		use_privsep = 0;
-@@ -1363,8 +1372,10 @@ main(int ac, char **av)
+@@ -1390,8 +1399,10 @@ main(int ac, char **av)
  	av = saved_argv;
  #endif
  
@@ -62,7 +62,7 @@ Interix support
  
  	/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
  	sanitise_stdfd();
-@@ -1732,7 +1743,7 @@ main(int ac, char **av)
+@@ -1790,7 +1801,7 @@ main(int ac, char **av)
  		    (st.st_uid != getuid () ||
  		    (st.st_mode & (S_IWGRP|S_IWOTH)) != 0))
  #else
@@ -71,7 +71,7 @@ Interix support
  #endif
  			fatal("%s must be owned by root and not group or "
  			    "world-writable.", _PATH_PRIVSEP_CHROOT_DIR);
-@@ -1755,8 +1766,10 @@ main(int ac, char **av)
+@@ -1813,8 +1824,10 @@ main(int ac, char **av)
  	 * to create a file, and we can't control the code in every
  	 * module which might be used).
  	 */
diff --git a/security/openssh/patches/patch-uidswap.c b/security/openssh/patches/patch-uidswap.c
index 60f6d435c0a..f149a5fcb47 100644
--- a/security/openssh/patches/patch-uidswap.c
+++ b/security/openssh/patches/patch-uidswap.c
@@ -1,8 +1,8 @@
-$NetBSD: patch-uidswap.c,v 1.1 2013/05/01 19:58:27 imil Exp $
+$NetBSD: patch-uidswap.c,v 1.1.4.1 2013/12/05 09:52:53 tron Exp $
 
 Interix support
 
---- uidswap.c.orig	2012-11-05 06:04:37.000000000 +0000
+--- uidswap.c.orig	2013-06-01 22:07:32.000000000 +0000
 +++ uidswap.c
 @@ -66,13 +66,13 @@ temporarily_use_uid(struct passwd *pw)
  	    (u_int)pw->pw_uid, (u_int)pw->pw_gid,
@@ -20,7 +20,7 @@ Interix support
  		privileged = 0;
  		return;
  	}
-@@ -96,9 +96,11 @@ temporarily_use_uid(struct passwd *pw)
+@@ -95,9 +95,11 @@ temporarily_use_uid(struct passwd *pw)
  
  	/* set and save the user's groups */
  	if (user_groupslen == -1) {
@@ -32,8 +32,8 @@ Interix support
  
  		user_groupslen = getgroups(0, NULL);
  		if (user_groupslen < 0)
-@@ -113,9 +115,11 @@ temporarily_use_uid(struct passwd *pw)
- 				xfree(user_groups);
+@@ -111,9 +113,11 @@ temporarily_use_uid(struct passwd *pw)
+ 			free(user_groups);
  		}
  	}
 +#ifndef HAVE_INTERIX
@@ -44,7 +44,7 @@ Interix support
  #ifndef SAVED_IDS_WORK_WITH_SETEUID
  	/* Propagate the privileged gid to all of our gids. */
  	if (setgid(getegid()) < 0)
-@@ -186,8 +190,10 @@ restore_uid(void)
+@@ -184,8 +188,10 @@ restore_uid(void)
  	setgid(getgid());
  #endif /* SAVED_IDS_WORK_WITH_SETEUID */
  
@@ -55,7 +55,7 @@ Interix support
  	temporarily_use_uid_effective = 0;
  }
  
-@@ -208,6 +214,10 @@ permanently_set_uid(struct passwd *pw)
+@@ -206,6 +212,10 @@ permanently_set_uid(struct passwd *pw)
  	debug("permanently_set_uid: %u/%u", (u_int)pw->pw_uid,
  	    (u_int)pw->pw_gid);
  
@@ -66,7 +66,7 @@ Interix support
  	if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) < 0)
  		fatal("setresgid %u: %.100s", (u_int)pw->pw_gid, strerror(errno));
  
-@@ -244,6 +254,7 @@ permanently_set_uid(struct passwd *pw)
+@@ -242,6 +252,7 @@ permanently_set_uid(struct passwd *pw)
  	    (setuid(old_uid) != -1 || seteuid(old_uid) != -1))
  		fatal("%s: was able to restore old [e]uid", __func__);
  #endif