diff -r 0753ecc76d4d -r edeb951aa980 components/openssh/patches/049-kexinit_mem_exhaust.patch
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openssh/patches/049-kexinit_mem_exhaust.patch Wed Nov 16 12:17:49 2016 -0800
@@ -0,0 +1,21 @@
+#
+# Unregister the KEXINIT handler after message has been received.
+#
+# CVE-2016-8858
+#
+# Patch source: upstream
+# https://github.com/openssh/openssh-portable/commit/ec165c392ca54317dbe
+#
+# We will drop this patch when upgrading to OpenSSH 7.4 or later.
+#
+diff -pur old/kex.c new/kex.c
+--- old/kex.c
++++ new/kex.c
+@@ -517,6 +517,7 @@ kex_input_kexinit(int type, u_int32_t se
+ if (kex == NULL)
+ return SSH_ERR_INVALID_ARGUMENT;
+
++ ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, NULL);
+ ptr = sshpkt_ptr(ssh, &dlen);
+ if ((r = sshbuf_put(kex->peer, ptr, dlen)) != 0)
+ return r;
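Review bot: Nothing visible in this hunk re-registers the SSH2_MSG_KEXINIT handler after `ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, NULL);` clears it in kex_input_kexinit. Before shipping, confirm that the patched kex.c in this component restores `kex_input_kexinit` once the exchange completes; otherwise a legitimate rekey from the peer later in the session would presumably find no handler. The body of kex_input_kexinit continues outside the hunk, so this cannot be checked from here. The patch header would also help future maintainers if it stated the risk, for example `# Each accepted KEXINIT is appended to kex->peer, so a peer repeating the message grows that buffer.` A regression check that sends a second KEXINIT before NEWKEYS and expects the connection to be rejected would make the intent testable when the patch is dropped at the 7.4 upgrade.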