--- a/components/openssh/patches/021-CVE-2014-2653.patch Thu Jan 14 09:14:14 2016 +0100
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,63 +0,0 @@
-#
-# This is to fix the CVE-2014-2653 security bug. The bug fix code came from
-# OpenSSH. When we upgrade OpenSSH to version 6.7 or later, we will remove
-# this patch file.
-#
---- orig/sshconnect.c Mon Jun 16 10:31:17 2014
-+++ new/sshconnect.c Mon Jun 16 10:44:16 2014
-@@ -1216,29 +1216,39 @@
- {
- int flags = 0;
- char *fp;
-+ Key *plain = NULL;
-
- fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
- debug("Server host key: %s %s", key_type(host_key), fp);
- free(fp);
-
-- /* XXX certs are not yet supported for DNS */
-- if (!key_is_cert(host_key) && options.verify_host_key_dns &&
-- verify_host_key_dns(host, hostaddr, host_key, &flags) == 0) {
-- if (flags & DNS_VERIFY_FOUND) {
--
-- if (options.verify_host_key_dns == 1 &&
-- flags & DNS_VERIFY_MATCH &&
-- flags & DNS_VERIFY_SECURE)
-- return 0;
--
-- if (flags & DNS_VERIFY_MATCH) {
-- matching_host_key_dns = 1;
-- } else {
-- warn_changed_key(host_key);
-- error("Update the SSHFP RR in DNS with the new "
-- "host key to get rid of this message.");
-+ if (options.verify_host_key_dns) {
-+ /*
-+ * XXX certs are not yet supported for DNS, so downgrade
-+ * them and try the plain key.
-+ */
-+ plain = key_from_private(host_key);
-+ if (key_is_cert(plain))
-+ key_drop_cert(plain);
-+ if (verify_host_key_dns(host, hostaddr, plain, &flags) == 0) {
-+ if (flags & DNS_VERIFY_FOUND) {
-+ if (options.verify_host_key_dns == 1 &&
-+ flags & DNS_VERIFY_MATCH &&
-+ flags & DNS_VERIFY_SECURE) {
-+ key_free(plain);
-+ return 0;
-+ }
-+ if (flags & DNS_VERIFY_MATCH) {
-+ matching_host_key_dns = 1;
-+ } else {
-+ warn_changed_key(plain);
-+ error("Update the SSHFP RR in DNS "
-+ "with the new host key to get rid "
-+ "of this message.");
-+ }
- }
- }
-+ key_free(plain);
- }
-
- return check_host_key(host, hostaddr, options.port, host_key, RDRW,