--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openssh/patches/012-acceptenv.patch Fri Mar 13 17:05:08 2015 -0700
@@ -0,0 +1,33 @@
+#
+# This is to fix a security bug (CVE-2014-2532) when using environment passing
+# with a sshd_config(5) AcceptEnv pattern with a wildcard. OpenSSH prior to 6.6
+# could be tricked into accepting any enviornment variable that contains the
+# characters before the wildcard character. The bug fix code came from
+# OpenSSH.org. When we upgrade OpenSSH to version 6.6 or later, we will remove
+# this patch file.
+#
+--- orig/session.c Tue Mar 18 18:37:57 2014
++++ new/session.c Tue Mar 18 18:41:17 2014
+@@ -978,6 +978,11 @@
+ u_int envsize;
+ u_int i, namelen;
+
++ if (strchr(name, '=') != NULL) {
++ error("Invalid environment variable \"%.100s\"", name);
++ return;
++ }
++
+ /*
+ * If we're passed an uninitialized list, allocate a single null
+ * entry before continuing.
+@@ -2225,8 +2230,8 @@
+ char *name, *val;
+ u_int name_len, val_len, i;
+
+- name = packet_get_string(&name_len);
+- val = packet_get_string(&val_len);
++ name = packet_get_cstring(&name_len);
++ val = packet_get_cstring(&val_len);
+ packet_check_eom();
+
+ /* Don't set too many environment variables */
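Review bot: The header comment at the top of the new patch file names CVE-2014-2532 but does not say what the two session.c hunks do or which upstream revision they were copied from, so the backport is hard to audit against upstream. I would add a line such as `# Hunk 1 rejects names containing '='; hunk 2 reads name/value with packet_get_cstring(). Source: <upstream session.c revision>.` and fix the spelling of "enviornment" in the same comment. As far as I know, packet_get_cstring() refuses strings with embedded NUL bytes, which would be the reason for the second hunk; that is worth confirming against the bundled packet.c and stating in the comment. Both inner hunks start and end inside function bodies and their `@@` headers carry no function name, so the callers and the later use of `name` and `val` cannot be checked from this page.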