From 7374105a96ee7d925b3e0530685c21566fa2a32c Mon Sep 17 00:00:00 2001
From: Aneesh Agrawal <aneeshusa@gmail.com>
Date: Thu, 20 Oct 2016 14:49:08 -0400
Subject: [PATCH] openssh: Patch CVE-2016-8858

Also add myself as a maintainer.
---
 pkgs/tools/networking/openssh/default.nix             |  3 ++-
 pkgs/tools/networking/openssh/fix-CVE-2016-8858.patch | 11 +++++++++++
 2 files changed, 13 insertions(+), 1 deletion(-)
 create mode 100644 pkgs/tools/networking/openssh/fix-CVE-2016-8858.patch

diff --git a/pkgs/tools/networking/openssh/default.nix b/pkgs/tools/networking/openssh/default.nix
index fabcda902be3..064f68947b80 100644
--- a/pkgs/tools/networking/openssh/default.nix
+++ b/pkgs/tools/networking/openssh/default.nix
@@ -50,6 +50,7 @@ stdenv.mkDerivation rec {
 
       # See discussion in https://github.com/NixOS/nixpkgs/pull/16966
       ./dont_create_privsep_path.patch
+      ./fix-CVE-2016-8858.patch
     ]
     ++ optional withGssapiPatches gssapiSrc;
 
@@ -92,7 +93,7 @@ stdenv.mkDerivation rec {
     description = "An implementation of the SSH protocol";
     license = stdenv.lib.licenses.bsd2;
     platforms = platforms.unix;
-    maintainers = with maintainers; [ eelco ];
+    maintainers = with maintainers; [ eelco aneeshusa ];
     broken = hpnSupport; # probably after 6.7 update
   };
 }
diff --git a/pkgs/tools/networking/openssh/fix-CVE-2016-8858.patch b/pkgs/tools/networking/openssh/fix-CVE-2016-8858.patch
new file mode 100644
index 000000000000..e526161083c0
--- /dev/null
+++ b/pkgs/tools/networking/openssh/fix-CVE-2016-8858.patch
@@ -0,0 +1,11 @@
+diff -u -r1.126 -r1.127
+--- ssh/kex.c	2016/09/28 21:44:52	1.126
++++ ssh/kex.c	2016/10/10 19:28:48	1.127
+@@ -461,6 +461,7 @@
+ 	if (kex == NULL)
+ 		return SSH_ERR_INVALID_ARGUMENT;
+ 
++	ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, NULL);
+ 	ptr = sshpkt_ptr(ssh, &dlen);
+ 	if ((r = sshbuf_put(kex->peer, ptr, dlen)) != 0)
+ 		return r;