diff --git a/fb87_070_logging_reverse_port_forward.patch b/fb87_070_logging_reverse_port_forward.patch
index 339fd35..a255577 100644
--- a/fb87_070_logging_reverse_port_forward.patch
+++ b/fb87_070_logging_reverse_port_forward.patch
@@ -1,6 +1,4 @@
-Index: b/channels.c
-===================================================================
---- b.orig/channels.c
+--- a/channels.c
+++ b/channels.c
@@ -3774,6 +3774,7 @@ int
channel_setup_remote_fwd_listener(struct ssh *ssh, struct Forward *fwd,
@@ -37,7 +35,7 @@ Index: b/channels.c
}
/*
-@@ -4593,7 +4603,7 @@ x11_create_display_inet(struct ssh *ssh,
+@@ -4591,7 +4601,7 @@ x11_create_display_inet(struct ssh *ssh,
if ((errno != EINVAL) && (errno != EAFNOSUPPORT)
#ifdef EPFNOSUPPORT
&& (errno != EPFNOSUPPORT)
diff --git a/fb87_080_logging_certificates.patch b/fb87_080_logging_certificates.patch
index 46cc276..26e244e 100644
--- a/fb87_080_logging_certificates.patch
+++ b/fb87_080_logging_certificates.patch
@@ -1,8 +1,6 @@
-Index: b/auth2-pubkey.c
-===================================================================
---- b.orig/auth2-pubkey.c
+--- a/auth2-pubkey.c
+++ b/auth2-pubkey.c
-@@ -389,6 +389,10 @@ check_principals_line(struct ssh *ssh, c
+@@ -390,6 +390,10 @@ check_principals_line(struct ssh *ssh, c
continue;
debug3("%s: matched principal \"%.100s\"",
loc, cert->principals[i]);
@@ -13,7 +11,7 @@ Index: b/auth2-pubkey.c
found = 1;
slog_set_principal(cp);
}
-@@ -432,6 +436,8 @@ process_principals(struct ssh *ssh, FILE
+@@ -433,6 +437,8 @@ process_principals(struct ssh *ssh, FILE
found_principal = 1;
}
free(line);
@@ -22,7 +20,7 @@ Index: b/auth2-pubkey.c
return found_principal;
}
-@@ -710,7 +716,7 @@ check_authkey_line(struct ssh *ssh, stru
+@@ -711,7 +717,7 @@ check_authkey_line(struct ssh *ssh, stru
&reason) != 0)
goto fail_reason;
@@ -31,7 +29,7 @@ Index: b/auth2-pubkey.c
"signed by CA %s %s found at %s",
key->cert->key_id,
(unsigned long long)key->cert->serial,
-@@ -780,7 +786,7 @@ static int
+@@ -781,7 +787,7 @@ static int
user_cert_trusted_ca(struct ssh *ssh, struct passwd *pw, struct sshkey *key,
struct sshauthopt **authoptsp)
{
@@ -40,7 +38,7 @@ Index: b/auth2-pubkey.c
const char *reason;
struct sshauthopt *principals_opts = NULL, *cert_opts = NULL;
struct sshauthopt *final_opts = NULL;
-@@ -796,11 +802,16 @@ user_cert_trusted_ca(struct ssh *ssh, st
+@@ -797,11 +803,16 @@ user_cert_trusted_ca(struct ssh *ssh, st
options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL)
return 0;
@@ -57,7 +55,7 @@ Index: b/auth2-pubkey.c
goto out;
}
/*
-@@ -851,6 +862,11 @@ user_cert_trusted_ca(struct ssh *ssh, st
+@@ -852,6 +863,11 @@ user_cert_trusted_ca(struct ssh *ssh, st
if ((final_opts = sshauthopt_merge(principals_opts,
cert_opts, &reason)) == NULL) {
fail_reason:
@@ -69,7 +67,7 @@ Index: b/auth2-pubkey.c
error("%s", reason);
auth_debug_add("%s", reason);
goto out;
-@@ -858,9 +874,10 @@ user_cert_trusted_ca(struct ssh *ssh, st
+@@ -859,9 +875,10 @@ user_cert_trusted_ca(struct ssh *ssh, st
}
/* Success */
@@ -83,7 +81,7 @@ Index: b/auth2-pubkey.c
sshkey_type(key->cert->signature_key), ca_fp,
options.trusted_user_ca_keys);
if (authoptsp != NULL) {
-@@ -875,6 +892,7 @@ user_cert_trusted_ca(struct ssh *ssh, st
+@@ -876,6 +893,7 @@ user_cert_trusted_ca(struct ssh *ssh, st
sshauthopt_free(final_opts);
free(principals_file);
free(ca_fp);
@@ -91,8 +89,6 @@ Index: b/auth2-pubkey.c
return ret;
}
-Index: b/regress/cert-logging.sh
-===================================================================
--- /dev/null
+++ b/regress/cert-logging.sh
@@ -0,0 +1,84 @@
diff --git a/fb87_090_logging_shell_cmd_pty.patch b/fb87_090_logging_shell_cmd_pty.patch
index 6017884..f8c1731 100644
--- a/fb87_090_logging_shell_cmd_pty.patch
+++ b/fb87_090_logging_shell_cmd_pty.patch
@@ -1,8 +1,6 @@
-Index: b/session.c
-===================================================================
---- b.orig/session.c
+--- a/session.c
+++ b/session.c
-@@ -2049,6 +2049,8 @@ session_pty_req(struct ssh *ssh, Session
+@@ -2053,6 +2053,8 @@ session_pty_req(struct ssh *ssh, Session
return 0;
}
debug("session_pty_req: session %d alloc %s", s->self, s->tty);
@@ -11,7 +9,7 @@ Index: b/session.c
ssh_tty_parse_modes(ssh, s->ttyfd);
-@@ -2148,6 +2150,7 @@ session_shell_req(struct ssh *ssh, Sessi
+@@ -2152,6 +2154,7 @@ session_shell_req(struct ssh *ssh, Sessi
if ((r = sshpkt_get_end(ssh)) != 0)
sshpkt_fatal(ssh, r, "%s: parse packet", __func__);
@@ -19,7 +17,7 @@ Index: b/session.c
return do_exec(ssh, s, NULL) == 0;
}
-@@ -2163,6 +2166,7 @@ session_exec_req(struct ssh *ssh, Sessio
+@@ -2167,6 +2170,7 @@ session_exec_req(struct ssh *ssh, Sessio
sshpkt_fatal(ssh, r, "%s: parse packet", __func__);
slog_set_command(command);
@@ -27,8 +25,6 @@ Index: b/session.c
success = do_exec(ssh, s, command) == 0;
free(command);
return success;
-Index: b/regress/session-req.sh
-===================================================================
--- /dev/null
+++ b/regress/session-req.sh
@@ -0,0 +1,39 @@
diff --git a/fb87_810_increase_ssh_cert_max_principals.patch b/fb87_810_increase_ssh_cert_max_principals.patch
index 2abe0e6..82919c2 100644
--- a/fb87_810_increase_ssh_cert_max_principals.patch
+++ b/fb87_810_increase_ssh_cert_max_principals.patch
@@ -1,8 +1,6 @@
-Index: b/sshkey.h
-===================================================================
---- b.orig/sshkey.h
+--- a/sshkey.h
+++ b/sshkey.h
-@@ -106,7 +106,7 @@ enum sshkey_private_format {
+@@ -109,7 +109,7 @@ enum sshkey_private_format {
/* key is stored in external hardware */
#define SSHKEY_FLAG_EXT 0x0001
diff --git a/fb87_log_accept_env.patch b/fb87_log_accept_env.patch
index cbb5c01..11bd761 100644
--- a/fb87_log_accept_env.patch
+++ b/fb87_log_accept_env.patch
@@ -1,8 +1,6 @@
-Index: b/session.c
-===================================================================
---- b.orig/session.c
+--- a/session.c
+++ b/session.c
-@@ -2206,7 +2206,7 @@ session_env_req(struct ssh *ssh, Session
+@@ -2210,7 +2210,7 @@ session_env_req(struct ssh *ssh, Session
for (i = 0; i < options.num_accept_env; i++) {
if (match_pattern(name, options.accept_env[i])) {
@@ -11,7 +9,7 @@ Index: b/session.c
s->env = xrecallocarray(s->env, s->num_env,
s->num_env + 1, sizeof(*s->env));
s->env[s->num_env].name = name;
-@@ -2215,7 +2215,7 @@ session_env_req(struct ssh *ssh, Session
+@@ -2219,7 +2219,7 @@ session_env_req(struct ssh *ssh, Session
return (1);
}
}
diff --git a/fb87_log_auth_info.patch b/fb87_log_auth_info.patch
index 45f320a..8b1ab6a 100644
--- a/fb87_log_auth_info.patch
+++ b/fb87_log_auth_info.patch
@@ -1,6 +1,4 @@
-Index: b/regress/slog.sh
-===================================================================
---- b.orig/regress/slog.sh
+--- a/regress/slog.sh
+++ b/regress/slog.sh
@@ -1,41 +1,60 @@
tid='structured log'
@@ -179,9 +177,7 @@ Index: b/regress/slog.sh
+make_cert "$princ" "$keytype" "$serial"
+test_auth_info "$keyfp" "$keytype" "$princ" "$serial"
+test_cert_serial "$serial"
-Index: b/auth.c
-===================================================================
---- b.orig/auth.c
+--- a/auth.c
+++ b/auth.c
@@ -351,6 +351,8 @@ auth_log(struct ssh *ssh, int authentica
extra != NULL ? ": " : "",
@@ -192,11 +188,9 @@ Index: b/auth.c
free(extra);
slog_set_auth_data(authenticated, method, authctxt->user);
-Index: b/auth2-pubkey.c
-===================================================================
---- b.orig/auth2-pubkey.c
+--- a/auth2-pubkey.c
+++ b/auth2-pubkey.c
-@@ -722,7 +722,7 @@ check_authkey_line(struct ssh *ssh, stru
+@@ -723,7 +723,7 @@ check_authkey_line(struct ssh *ssh, stru
(unsigned long long)key->cert->serial,
sshkey_type(found), fp, loc);
@@ -205,7 +199,7 @@ Index: b/auth2-pubkey.c
success:
if (finalopts == NULL)
fatal_f("internal error: missing options");
-@@ -885,6 +885,8 @@ user_cert_trusted_ca(struct ssh *ssh, st
+@@ -886,6 +886,8 @@ user_cert_trusted_ca(struct ssh *ssh, st
final_opts = NULL;
}
slog_set_cert_id(key->cert->key_id);
diff --git a/fb87_log_port_forwards.patch b/fb87_log_port_forwards.patch
index 8a7b030..d43b857 100644
--- a/fb87_log_port_forwards.patch
+++ b/fb87_log_port_forwards.patch
@@ -1,6 +1,4 @@
-Index: b/serverloop.c
-===================================================================
---- b.orig/serverloop.c
+--- a/serverloop.c
+++ b/serverloop.c
@@ -433,6 +433,7 @@ server_request_direct_tcpip(struct ssh *
char *target = NULL, *originator = NULL;
diff --git a/fb87_log_session_id.patch b/fb87_log_session_id.patch
index a86aa72..b23278a 100644
--- a/fb87_log_session_id.patch
+++ b/fb87_log_session_id.patch
@@ -1,6 +1,4 @@
-Index: b/sshd.c
-===================================================================
---- b.orig/sshd.c
+--- a/sshd.c
+++ b/sshd.c
@@ -1420,6 +1420,8 @@ server_accept_loop(struct ssh *ssh, int
options.log_level,
@@ -11,9 +9,7 @@ Index: b/sshd.c
if (rexec_flag)
close(config_s[0]);
else {
-Index: b/log.c
-===================================================================
---- b.orig/log.c
+--- a/log.c
+++ b/log.c
@@ -410,17 +410,17 @@ do_log(LogLevel level, int force, const
tmp_handler(level, force, fmtbuf, log_handler_ctx);
@@ -71,8 +67,6 @@ Index: b/log.c
sshsigdie(const char *file, const char *func, int line, int showfunc,
LogLevel level, const char *suffix, const char *fmt, ...)
{
-Index: b/regress/session-id.sh
-===================================================================
--- /dev/null
+++ b/regress/session-id.sh
@@ -0,0 +1,23 @@
@@ -99,9 +93,7 @@ Index: b/regress/session-id.sh
+if [ $line_count != $stable_id_count ]; then
+ fail 'Mismatching session ids found'
+fi
-Index: b/log.h
-===================================================================
---- b.orig/log.h
+--- a/log.h
+++ b/log.h
@@ -68,6 +68,9 @@ const char * log_level_name(LogLevel);
void set_log_handler(log_handler_fn *, void *);
@@ -113,9 +105,7 @@ Index: b/log.h
void sshlog(const char *, const char *, int, int,
LogLevel, const char *, const char *, ...)
__attribute__((format(printf, 7, 8)));
-Index: b/session.c
-===================================================================
---- b.orig/session.c
+--- a/session.c
+++ b/session.c
@@ -1256,6 +1256,10 @@ do_setup_env(struct ssh *ssh, Session *s
child_set_env(&env, &envsize, "SSH_ORIGINAL_COMMAND",
diff --git a/fb87_pass_principals_to_child.patch b/fb87_pass_principals_to_child.patch
index 21d907c..49de966 100644
--- a/fb87_pass_principals_to_child.patch
+++ b/fb87_pass_principals_to_child.patch
@@ -1,6 +1,4 @@
-Index: b/session.c
-===================================================================
---- b.orig/session.c
+--- a/session.c
+++ b/session.c
@@ -98,6 +98,7 @@
#include "atomicio.h"
@@ -89,8 +87,6 @@ Index: b/session.c
/* set LOG_SESSION_ID for child */
child_set_env(&env, &envsize, "LOG_SESSION_ID", get_log_session_id());
-Index: b/regress/cert-princ-env.sh
-===================================================================
--- /dev/null
+++ b/regress/cert-princ-env.sh
@@ -0,0 +1,129 @@
diff --git a/fb87_slog.patch b/fb87_slog.patch
index ffeb03d..cc50788 100644
--- a/fb87_slog.patch
+++ b/fb87_slog.patch
@@ -1,7 +1,5 @@
-Index: openssh-8.7p1/slog.c
-===================================================================
--- /dev/null
-+++ openssh-8.7p1/slog.c
++++ b/slog.c
@@ -0,0 +1,619 @@
+/*
+ * Copyright 2004-present Facebook. All Rights Reserved.
@@ -622,10 +620,8 @@ Index: openssh-8.7p1/slog.c
+ return "Unknown session state"; // Should never happen
+ }
+}
-Index: openssh-8.7p1/servconf.c
-===================================================================
---- openssh-8.7p1.orig/servconf.c
-+++ openssh-8.7p1/servconf.c
+--- a/servconf.c
++++ b/servconf.c
@@ -205,6 +205,9 @@ initialize_server_options(ServerOptions
options->disable_forwarding = -1;
options->expose_userauth_info = -1;
@@ -721,10 +717,8 @@ Index: openssh-8.7p1/servconf.c
/* other arguments */
for (i = 0; i < o->num_subsystems; i++)
-Index: openssh-8.7p1/auth2-pubkey.c
-===================================================================
---- openssh-8.7p1.orig/auth2-pubkey.c
-+++ openssh-8.7p1/auth2-pubkey.c
+--- a/auth2-pubkey.c
++++ b/auth2-pubkey.c
@@ -66,6 +66,7 @@
#include "monitor_wrap.h"
#include "authfile.h"
@@ -757,11 +751,9 @@ Index: openssh-8.7p1/auth2-pubkey.c
ret = 1;
out:
sshauthopt_free(principals_opts);
-Index: openssh-8.7p1/regress/test-exec.sh
-===================================================================
---- openssh-8.7p1.orig/regress/test-exec.sh
-+++ openssh-8.7p1/regress/test-exec.sh
-@@ -689,7 +689,7 @@ start_sshd ()
+--- a/regress/test-exec.sh
++++ b/regress/test-exec.sh
+@@ -690,7 +690,7 @@ start_sshd ()
trace "wait for sshd"
i=0;
@@ -770,10 +762,8 @@ Index: openssh-8.7p1/regress/test-exec.sh
i=`expr $i + 1`
sleep $i
done
-Index: openssh-8.7p1/session.c
-===================================================================
---- openssh-8.7p1.orig/session.c
-+++ openssh-8.7p1/session.c
+--- a/session.c
++++ b/session.c
@@ -96,6 +96,8 @@
#include "monitor_wrap.h"
#include "sftp.h"
@@ -791,7 +781,7 @@ Index: openssh-8.7p1/session.c
#ifdef SSH_AUDIT_EVENTS
if (s->command != NULL || s->command_handle != -1)
-@@ -1482,7 +1485,7 @@ do_setusercontext(struct passwd *pw)
+@@ -1486,7 +1489,7 @@ do_setusercontext(struct passwd *pw)
perror("unable to set user context (setuser)");
exit(1);
}
@@ -800,7 +790,7 @@ Index: openssh-8.7p1/session.c
* FreeBSD's setusercontext() will not apply the user's
* own umask setting unless running with the user's UID.
*/
-@@ -2159,6 +2162,7 @@ session_exec_req(struct ssh *ssh, Sessio
+@@ -2163,6 +2166,7 @@ session_exec_req(struct ssh *ssh, Sessio
(r = sshpkt_get_end(ssh)) != 0)
sshpkt_fatal(ssh, r, "%s: parse packet", __func__);
@@ -808,15 +798,13 @@ Index: openssh-8.7p1/session.c
success = do_exec(ssh, s, command) == 0;
free(command);
return success;
-@@ -2869,4 +2873,3 @@ session_get_remote_name_or_ip(struct ssh
+@@ -2873,4 +2877,3 @@ session_get_remote_name_or_ip(struct ssh
remote = ssh_remote_ipaddr(ssh);
return remote;
}
-
-Index: openssh-8.7p1/log.h
-===================================================================
---- openssh-8.7p1.orig/log.h
-+++ openssh-8.7p1/log.h
+--- a/log.h
++++ b/log.h
@@ -133,4 +133,6 @@ void sshlogdirect(LogLevel, int, const
#define logdie_fr(r, ...) sshlogdie(__FILE__, __func__, __LINE__, 1, SYSLOG_LEVEL_ERROR, ssh_err(r), __VA_ARGS__)
#define sigdie_fr(r, ...) sshsigdie(__FILE__, __func__, __LINE__, 1, SYSLOG_LEVEL_ERROR, ssh_err(r), __VA_ARGS__)
@@ -824,11 +812,9 @@ Index: openssh-8.7p1/log.h
+void do_log_slog_payload(const char *);
+
#endif
-Index: openssh-8.7p1/log.c
-===================================================================
---- openssh-8.7p1.orig/log.c
-+++ openssh-8.7p1/log.c
-@@ -529,3 +529,39 @@ sshlogdirect(LogLevel level, int forced,
+--- a/log.c
++++ b/log.c
+@@ -531,3 +531,39 @@ sshlogdirect(LogLevel level, int forced,
do_log(level, forced, NULL, fmt, args);
va_end(args);
}
@@ -868,10 +854,8 @@ Index: openssh-8.7p1/log.c
+ }
+ errno = saved_errno;
+}
-Index: openssh-8.7p1/slog.h
-===================================================================
--- /dev/null
-+++ openssh-8.7p1/slog.h
++++ b/slog.h
@@ -0,0 +1,41 @@
+/*
+ * Copyright 2004-present Facebook. All Rights Reserved.
@@ -914,10 +898,8 @@ Index: openssh-8.7p1/slog.h
+void slog_log_session(void);
+
+#endif
-Index: openssh-8.7p1/sshd.c
-===================================================================
---- openssh-8.7p1.orig/sshd.c
-+++ openssh-8.7p1/sshd.c
+--- a/sshd.c
++++ b/sshd.c
@@ -132,6 +132,8 @@
#include "sk-api.h"
#include "srclimit.h"
@@ -927,7 +909,7 @@ Index: openssh-8.7p1/sshd.c
/* Re-exec fds */
#define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1)
-@@ -2163,6 +2165,7 @@ main(int ac, char **av)
+@@ -2177,6 +2179,7 @@ main(int ac, char **av)
}
/* Reinitialize the log (because of the fork above). */
log_init(__progname, options.log_level, options.log_facility, log_stderr);
@@ -935,7 +917,7 @@ Index: openssh-8.7p1/sshd.c
if (FIPS_mode()) {
debug("FIPS mode initialized");
-@@ -2332,8 +2335,15 @@ main(int ac, char **av)
+@@ -2346,8 +2349,15 @@ main(int ac, char **av)
rdomain == NULL ? "" : " rdomain \"",
rdomain == NULL ? "" : rdomain,
rdomain == NULL ? "" : "\"");
@@ -952,7 +934,7 @@ Index: openssh-8.7p1/sshd.c
/*
* We don't want to listen forever unless the other side
* successfully authenticates itself. So we set up an alarm which is
-@@ -2655,6 +2665,7 @@ cleanup_exit(int i)
+@@ -2674,6 +2684,7 @@ cleanup_exit(int i)
if (in_cleanup)
_exit(i);
in_cleanup = 1;
@@ -960,10 +942,8 @@ Index: openssh-8.7p1/sshd.c
if (the_active_state != NULL && the_authctxt != NULL) {
do_cleanup(the_active_state, the_authctxt);
if (use_privsep && privsep_is_preauth &&
-Index: openssh-8.7p1/sshd_config
-===================================================================
---- openssh-8.7p1.orig/sshd_config
-+++ openssh-8.7p1/sshd_config
+--- a/sshd_config
++++ b/sshd_config
@@ -33,6 +33,15 @@ Include /etc/ssh/sshd_config.d/*.conf
# Logging
#SyslogFacility AUTH
@@ -980,10 +960,8 @@ Index: openssh-8.7p1/sshd_config
# Authentication:
-Index: openssh-8.7p1/auth-pam.c
-===================================================================
---- openssh-8.7p1.orig/auth-pam.c
-+++ openssh-8.7p1/auth-pam.c
+--- a/auth-pam.c
++++ b/auth-pam.c
@@ -94,6 +94,7 @@ extern char *__progname;
#include "auth-pam.h"
#include "canohost.h"
@@ -992,7 +970,7 @@ Index: openssh-8.7p1/auth-pam.c
#include "msg.h"
#include "packet.h"
#include "misc.h"
-@@ -1223,9 +1224,12 @@ do_pam_session(struct ssh *ssh)
+@@ -1210,9 +1211,12 @@ do_pam_session(struct ssh *ssh)
if (sshpam_err != PAM_SUCCESS)
fatal("PAM: failed to set PAM_CONV: %s",
pam_strerror(sshpam_handle, sshpam_err));
@@ -1006,10 +984,8 @@ Index: openssh-8.7p1/auth-pam.c
else {
sshpam_session_open = 0;
auth_restrict_session(ssh);
-Index: openssh-8.7p1/servconf.h
-===================================================================
---- openssh-8.7p1.orig/servconf.h
-+++ openssh-8.7p1/servconf.h
+--- a/servconf.h
++++ b/servconf.h
@@ -22,6 +22,8 @@
#define MAX_SUBSYSTEMS 256 /* Max # subsystems. */
@@ -1032,10 +1008,8 @@ Index: openssh-8.7p1/servconf.h
} ServerOptions;
/* Information about the incoming connection as used by Match */
-Index: openssh-8.7p1/regress/slog.sh
-===================================================================
--- /dev/null
-+++ openssh-8.7p1/regress/slog.sh
++++ b/regress/slog.sh
@@ -0,0 +1,59 @@
+tid='structured log'
+
@@ -1096,10 +1070,8 @@ Index: openssh-8.7p1/regress/slog.sh
+
+test_log_counts
+test_json_valid
-Index: openssh-8.7p1/Makefile.in
-===================================================================
---- openssh-8.7p1.orig/Makefile.in
-+++ openssh-8.7p1/Makefile.in
+--- a/Makefile.in
++++ b/Makefile.in
@@ -129,7 +129,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw
monitor.o monitor_wrap.o auth-krb5.o \
auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o \
@@ -1118,10 +1090,8 @@ Index: openssh-8.7p1/Makefile.in
rm -rf autom4te.cache
rm -f regress/check-perm
rm -f regress/mkdtemp
-Index: openssh-8.7p1/auth.c
-===================================================================
---- openssh-8.7p1.orig/auth.c
-+++ openssh-8.7p1/auth.c
+--- a/auth.c
++++ b/auth.c
@@ -76,6 +76,7 @@
#include "ssherr.h"
#include "compat.h"
diff --git a/openssh-8.7p1-CVE-2024-6387.patch b/openssh-8.7p1-CVE-2024-6387.patch
new file mode 100644
index 0000000..e32f68f
--- /dev/null
+++ b/openssh-8.7p1-CVE-2024-6387.patch
@@ -0,0 +1,17 @@
+--- a/log.c
++++ b/log.c
+@@ -455,12 +455,14 @@ void
+ sshsigdie(const char *file, const char *func, int line, int showfunc,
+ LogLevel level, const char *suffix, const char *fmt, ...)
+ {
++#ifdef SYSLOG_R_SAFE_IN_SIGHAND
+ va_list args;
+
+ va_start(args, fmt);
+ sshlogv(file, func, line, showfunc, SYSLOG_LEVEL_FATAL,
+ suffix, fmt, args);
+ va_end(args);
++#endif
+ _exit(1);
+ }
+
diff --git a/openssh.spec b/openssh.spec
index dcfcc40..171e5d4 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -52,7 +52,7 @@
# Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
%global openssh_ver 8.7p1
%global openssh_rel 38
-%global hyperscale_rel 8
+%global hyperscale_rel 9
%global pam_ssh_agent_ver 0.10.4
%global pam_ssh_agent_rel 5
@@ -300,6 +300,9 @@ Patch1018: openssh-9.6p1-CVE-2023-48795.patch
#upstream commit 7ef3787c84b6b524501211b11a26c742f829af1a
Patch1019: openssh-9.6p1-CVE-2023-51385.patch
+# temporary CVE-2024-6387 fix; drop when rebasing on patched c9s
+Patch1020: openssh-8.7p1-CVE-2024-6387.patch
+
# c9s specific logic factored out of openssh-7.7p1-fips.patch
Patch2000: openssh-7.7p1-fips-warning.patch
@@ -564,6 +567,8 @@ popd
%patch1018 -p1 -b .cve-2023-48795
%patch1019 -p1 -b .cve-2023-51385
+%patch1020 -p1 -b .cve-2024-6387
+
%if 0%{?facebook} && !0%{?use_quilt}
%patch2010 -p1 -b .log_session_id
%patch2011 -p1 -b .slog
@@ -868,6 +873,10 @@ test -f %{sysconfig_anaconda} && \
%endif
%changelog
+* Tue Jul 02 2024 Michel Lind <salimma@centosproject.org> - 8.7p1-38.9 + 0.10.4-5.7
+- Fix CVE-2024-6387 (regreSSHion)
+- Refresh Facebook patches
+
* Fri May 3 2024 Raymond Colebaugh <raymondcolebaugh@gmail.com> - 8.7p1-38.8 + 0.10.4-5.7
- Merge "Add LOG_SESSION_ID for everyone" patch into fb87_log_session_id.patch,
update fb87_pass_principals_to_child.patch to account for this change