diff --git a/openssh-8.7p1-find-principals-fix.patch b/openssh-8.7p1-find-principals-fix.patch
new file mode 100644
index 0000000..4c6594b
--- /dev/null
+++ b/openssh-8.7p1-find-principals-fix.patch
@@ -0,0 +1,13 @@
+diff -up openssh-8.7p1/ssh-keygen.c.find-princ openssh-8.7p1/ssh-keygen.c
+--- openssh-8.7p1/ssh-keygen.c.find-princ 2021-11-29 15:27:03.032070863 +0100
++++ openssh-8.7p1/ssh-keygen.c 2021-11-29 15:27:34.736342968 +0100
+@@ -2700,7 +2700,8 @@ sig_process_opts(char * const *opts, siz
+ time_t now;
+
+ *verify_timep = 0;
+- *print_pubkey = 0;
++ if (print_pubkey)
++ *print_pubkey = 0;
+ for (i = 0; i < nopts; i++) {
+ if (strncasecmp(opts[i], "verify-time=", 12) == 0) {
+ if (parse_absolute_time(opts[i] + 12,
diff --git a/openssh.spec b/openssh.spec
index da665e7..f0d9fec 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -51,7 +51,7 @@
# Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
%global openssh_ver 8.7p1
-%global openssh_rel 4
+%global openssh_rel 5
%global pam_ssh_agent_ver 0.10.4
%global pam_ssh_agent_rel 4
@@ -199,6 +199,8 @@ Patch976: openssh-8.7p1-sftp-default-protocol.patch
Patch977: openssh-8.7p1-scp-kill-switch.patch
# CVE-2021-41617
Patch978: openssh-8.7p1-upstream-cve-2021-41617.patch
+# fix for `ssh-keygen -Y find-principals -f /dev/null -s /dev/null` (#2024902)
+Patch979: openssh-8.7p1-find-principals-fix.patch
License: BSD
Requires: /sbin/nologin
@@ -377,6 +379,7 @@ popd
%patch976 -p1 -b .sftp-by-default
%patch977 -p1 -b .kill-scp
%patch978 -p1 -b .cve-2021-41617
+%patch979 -p1 -b .find-principals
%patch200 -p1 -b .audit
%patch201 -p1 -b .audit-race
@@ -661,6 +664,10 @@ test -f %{sysconfig_anaconda} && \
%endif
%changelog
+* Mon Nov 29 2021 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.7p1-5
+- Fix `ssh-keygen -Y find-principals -f /dev/null -s /dev/null` segfault
+ Related: rhbz#2024902
+
* Mon Oct 25 2021 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.7p1-4
- Fix memory leaks introduced in OpenSSH 8.7
Related: rhbz#2001002