diff -Nru openssh-5.9p1/debian/changelog openssh-5.9p1/debian/changelog
--- openssh-5.9p1/debian/changelog 2014-04-22 13:28:40.000000000 +0000
+++ openssh-5.9p1/debian/changelog 2015-08-14 13:11:24.000000000 +0000
@@ -1,3 +1,25 @@
+openssh (1:5.9p1-5ubuntu1.6) precise-security; urgency=medium
+
+ * SECURITY UPDATE: possible user impersonation via PAM support
+ - debian/patches/pam-security-1.patch: don't resend username to PAM in
+ monitor.c, monitor_wrap.c.
+ - CVE number pending
+ * SECURITY UPDATE: use-after-free in PAM support
+ - debian/patches/pam-security-2.patch: fix use after free in monitor.c.
+ - CVE number pending
+ * SECURITY UPDATE:
+ - debian/patches/CVE-2015-5600.patch: only query each
+ keyboard-interactive device once per authentication request in
+ auth2-chall.c.
+ - CVE-2015-5600
+ * SECURITY UPDATE: X connections access restriction bypass
+ - debian/patches/CVE-2015-5352.patch: refuse ForwardX11Trusted=no
+ connections attempted after ForwardX11Timeout expires in channels.c,
+ channels.h, clientloop.c.
+ - CVE-2015-5352
+
+ -- Marc Deslauriers Fri, 14 Aug 2015 07:45:28 -0400
+
 openssh (1:5.9p1-5ubuntu1.4) precise; urgency=medium
 
 * Re-enable btmp logging, as its permissions were fixed a long time ago.
diff -Nru openssh-5.9p1/debian/patches/CVE-2015-5352.patch openssh-5.9p1/debian/patches/CVE-2015-5352.patch
--- openssh-5.9p1/debian/patches/CVE-2015-5352.patch 1970-01-01 00:00:00.000000000 +0000
+++ openssh-5.9p1/debian/patches/CVE-2015-5352.patch 2015-08-14 13:16:54.000000000 +0000
@@ -0,0 +1,151 @@
+Backport of:
+
+From 1bf477d3cdf1a864646d59820878783d42357a1d Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org"
+Date: Wed, 1 Jul 2015 02:26:31 +0000
+Subject: [PATCH] upstream commit
+
+better refuse ForwardX11Trusted=no connections attempted
+ after ForwardX11Timeout expires; reported by Jann Horn
+
+Upstream-ID: bf0fddadc1b46a0334e26c080038313b4b6dea21
+---
+ channels.c | 18 +++++++++++++++++-
+ channels.h | 3 ++-
+ clientloop.c | 29 +++++++++++++++++++++--------
+ 3 files changed, 40 insertions(+), 10 deletions(-)
+
+Index: openssh-5.9p1/channels.c
+===================================================================
+--- openssh-5.9p1.orig/channels.c 2015-08-14 09:07:03.884989756 -0400
++++ openssh-5.9p1/channels.c 2015-08-14 09:07:03.876989683 -0400
+@@ -148,6 +148,9 @@
+ static char *x11_saved_data = NULL;
+ static u_int x11_saved_data_len = 0;
+
++/* Deadline after which all X11 connections are refused */
++static u_int x11_refuse_time;
++
+ /*
+ * Fake X11 authentication data. This is what the server will be sending us;
+ * we should replace any occurrences of this by the real data.
+@@ -883,6 +886,13 @@
+ u_char *ucp;
+ u_int proto_len, data_len;
+
++ /* Is this being called after the refusal deadline? */
++ if (x11_refuse_time != 0 && (u_int)time(NULL) >= x11_refuse_time) {
++ verbose("Rejected X11 connection after ForwardX11Timeout "
++ "expired");
++ return -1;
++ }
++
+ /* Check if the fixed size part of the packet is in buffer. */
+ if (buffer_len(b) < 12)
+ return 0;
+@@ -1438,6 +1448,12 @@
+ error("setsockopt SO_REUSEADDR fd %d: %s", fd, strerror(errno));
+ }
+
++void
++channel_set_x11_refuse_time(u_int refuse_time)
++{
++ x11_refuse_time = refuse_time;
++}
++
+ /*
+ * This socket is listening for connections to a forwarded TCP/IP port.
+ */
+Index: openssh-5.9p1/channels.h
+===================================================================
+--- openssh-5.9p1.orig/channels.h 2015-08-14 09:07:03.884989756 -0400
++++ openssh-5.9p1/channels.h 2015-08-14 09:07:03.876989683 -0400
+@@ -267,6 +267,7 @@
+
+ /* x11 forwarding */
+
++void channel_set_x11_refuse_time(u_int);
+ int x11_connect_display(void);
+ int x11_create_display_inet(int, int, int, u_int *, int **);
+ void x11_input_open(int, u_int32_t, void *);
+Index: openssh-5.9p1/clientloop.c
+===================================================================
+--- openssh-5.9p1.orig/clientloop.c 2015-08-14 09:07:03.884989756 -0400
++++ openssh-5.9p1/clientloop.c 2015-08-14 09:08:53.422000698 -0400
+@@ -164,7 +164,7 @@
+ static int connection_out; /* Connection to server (output). */
+ static int need_rekeying; /* Set to non-zero if rekeying is requested. */
+ static int session_closed; /* In SSH2: login session closed. */
+-static int x11_refuse_time; /* If >0, refuse x11 opens after this time. */
++static u_int x11_refuse_time; /* If >0, refuse x11 opens after this time. */
+
+ static void client_init_dispatch(void);
+ int session_ident = -1;
+@@ -285,7 +285,8 @@
+ /* else we are already counting down to the timeout */
+ }
+
+-#define SSH_X11_PROTO "MIT-MAGIC-COOKIE-1"
++#define SSH_X11_PROTO "MIT-MAGIC-COOKIE-1"
++#define X11_TIMEOUT_SLACK 60
+ void
+ client_x11_get_proto(const char *display, const char *xauth_path,
+ u_int trusted, u_int timeout, char **_proto, char **_data)
+@@ -298,7 +299,7 @@
+ int got_data = 0, generated = 0, do_unlink = 0, i;
+ char *xauthdir, *xauthfile;
+ struct stat st;
+- u_int now;
++ u_int now, x11_timeout_real;
+
+ xauthdir = xauthfile = NULL;
+ *_proto = proto;
+@@ -328,6 +329,15 @@
+ xauthdir = xmalloc(MAXPATHLEN);
+ xauthfile = xmalloc(MAXPATHLEN);
+ mktemp_proto(xauthdir, MAXPATHLEN);
++ /*
++ * The authentication cookie should briefly outlive
++ * ssh's willingness to forward X11 connections to
++ * avoid nasty fail-open behaviour in the X server.
++ */
++ if (timeout >= UINT_MAX - X11_TIMEOUT_SLACK)
++ x11_timeout_real = UINT_MAX;
++ else
++ x11_timeout_real = timeout + X11_TIMEOUT_SLACK;
+ if (mkdtemp(xauthdir) != NULL) {
+ do_unlink = 1;
+ snprintf(xauthfile, MAXPATHLEN, "%s/xauthfile",
+@@ -335,17 +345,20 @@
+ snprintf(cmd, sizeof(cmd),
+ "%s -f %s generate %s " SSH_X11_PROTO
+ " untrusted timeout %u 2>" _PATH_DEVNULL,
+- xauth_path, xauthfile, display, timeout);
++ xauth_path, xauthfile, display,
++ x11_timeout_real);
+ debug2("x11_get_proto: %s", cmd);
+- if (system(cmd) == 0)
+- generated = 1;
+ if (x11_refuse_time == 0) {
+ now = time(NULL) + 1;
+ if (UINT_MAX - timeout < now)
+ x11_refuse_time = UINT_MAX;
+ else
+ x11_refuse_time = now + timeout;
++ channel_set_x11_refuse_time(
++ x11_refuse_time);
+ }
++ if (system(cmd) == 0)
++ generated = 1;
+ }
+ }
+
+@@ -1793,7 +1806,7 @@
+ "malicious server.");
+ return NULL;
+ }
+- if (x11_refuse_time != 0 && time(NULL) >= x11_refuse_time) {
++ if (x11_refuse_time != 0 && (u_int)time(NULL) >= x11_refuse_time) {
+ verbose("Rejected X11 connection after ForwardX11Timeout "
+ "expired");
+ return NULL;
diff -Nru openssh-5.9p1/debian/patches/CVE-2015-5600.patch openssh-5.9p1/debian/patches/CVE-2015-5600.patch
--- openssh-5.9p1/debian/patches/CVE-2015-5600.patch 1970-01-01 00:00:00.000000000 +0000
+++ openssh-5.9p1/debian/patches/CVE-2015-5600.patch 2015-08-14 11:42:44.000000000 +0000
@@ -0,0 +1,45 @@
+Backport of:
+
+From 5b64f85bb811246c59ebab70aed331f26ba37b18 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org"
+Date: Sat, 18 Jul 2015 07:57:14 +0000
+Subject: [PATCH] upstream commit
+
+only query each keyboard-interactive device once per
+ authentication request regardless of how many times it is listed; ok markus@
+
+Upstream-ID: d73fafba6e86030436ff673656ec1f33d9ffeda1
+---
+ auth2-chall.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+Index: openssh-5.9p1/auth2-chall.c
+===================================================================
+--- openssh-5.9p1.orig/auth2-chall.c 2015-08-14 07:31:32.476193165 -0400
++++ openssh-5.9p1/auth2-chall.c 2015-08-14 07:41:33.737087794 -0400
+@@ -82,6 +82,7 @@
+ void *ctxt;
+ KbdintDevice *device;
+ u_int nreq;
++ u_int devices_done;
+ };
+
+ #ifdef USE_PAM
+@@ -169,9 +170,15 @@
+
+ if (len == 0)
+ break;
+- for (i = 0; devices[i]; i++)
+- if (strncmp(kbdintctxt->devices, devices[i]->name, len) == 0)
++ for (i = 0; devices[i]; i++) {
++ if ((kbdintctxt->devices_done & (1 << i)) != 0)
++ continue;
++ if (strncmp(kbdintctxt->devices, devices[i]->name,
++ len) == 0) {
+ kbdintctxt->device = devices[i];
++ kbdintctxt->devices_done |= 1 << i;
++ }
++ }
+ t = kbdintctxt->devices;
+ kbdintctxt->devices = t[len] ? xstrdup(t+len+1) : NULL;
+ xfree(t);
diff -Nru openssh-5.9p1/debian/patches/pam-security-1.patch openssh-5.9p1/debian/patches/pam-security-1.patch
--- openssh-5.9p1/debian/patches/pam-security-1.patch 1970-01-01 00:00:00.000000000 +0000
+++ openssh-5.9p1/debian/patches/pam-security-1.patch 2015-08-14 11:42:59.000000000 +0000
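Review bot: `channel_set_x11_refuse_time()` in the channels.c hunk at @@ -1438 has no header comment, and `X11_TIMEOUT_SLACK` in the clientloop.c hunk at @@ -285 is a bare number whose meaning is only explained at its use site in the @@ -328 hunk. Suggest `/* Absolute time() value after which x11_open_helper() refuses new X11 connections; 0 disables the deadline. */` above the setter and `#define X11_TIMEOUT_SLACK 60 /* seconds the xauth cookie outlives ForwardX11Timeout */` at the define, since the setter is the only way channels.c learns the deadline. The new check in the channels.c @@ -883 hunk and the existing one in clientloop.c @@ -1793 emit identical verbose() text, so a rejection in x11_open_helper() (which appears to run when the forwarded connection's initial packet is parsed) cannot be told apart in logs from one at channel-open time; a distinct message in x11_open_helper() would make the timeout behaviour verifiable from client logs. Every function touched here starts outside its hunk.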
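Review bot: `devices_done` is added to the context struct in the @@ -82 hunk, but neither hunk initialises it; unless the allocator in kbdint_alloc() (outside the hunk) zero-fills the struct, the bitmask starts with indeterminate bits and the new `continue` in the @@ -169 hunk would skip devices on the first pass, leaving `kbdintctxt->device` NULL. Please confirm the allocator or add `kbdintctxt->devices_done = 0;` where the other fields are initialised. `1 << i` is also only defined for i below the width of u_int; the static devices[] table is presumably far smaller, but a comment at the field, `/* bitmask over devices[] indices already queried; assumes fewer than 32 devices */`, would record the assumption. kbdint_next_device() begins and ends outside the hunk.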
@@ -0,0 +1,37 @@
+From d4697fe9a28dab7255c60433e4dd23cf7fce8a8b Mon Sep 17 00:00:00 2001
+From: Damien Miller
+Date: Tue, 11 Aug 2015 13:33:24 +1000
+Subject: [PATCH] Don't resend username to PAM; it already has it.
+
+Pointed out by Moritz Jodeit; ok dtucker@
+---
+ monitor.c | 2 --
+ monitor_wrap.c | 1 -
+ 2 files changed, 3 deletions(-)
+
+Index: openssh-5.9p1/monitor.c
+===================================================================
+--- openssh-5.9p1.orig/monitor.c 2015-08-14 07:42:57.153766179 -0400
++++ openssh-5.9p1/monitor.c 2015-08-14 07:42:57.149766146 -0400
+@@ -1072,9 +1072,7 @@
+ int
+ mm_answer_pam_init_ctx(int sock, Buffer *m)
+ {
+-
+ debug3("%s", __func__);
+- authctxt->user = buffer_get_string(m, NULL);
+ sshpam_ctxt = (sshpam_device.init_ctx)(authctxt);
+ sshpam_authok = NULL;
+ buffer_clear(m);
+Index: openssh-5.9p1/monitor_wrap.c
+===================================================================
+--- openssh-5.9p1.orig/monitor_wrap.c 2015-08-14 07:42:57.153766179 -0400
++++ openssh-5.9p1/monitor_wrap.c 2015-08-14 07:42:57.149766146 -0400
+@@ -837,7 +837,6 @@
+
+ debug3("%s", __func__);
+ buffer_init(&m);
+- buffer_put_cstring(&m, authctxt->user);
+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_INIT_CTX, &m);
+ debug3("%s: waiting for MONITOR_ANS_PAM_INIT_CTX", __func__);
+ mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_PAM_INIT_CTX, &m);
diff -Nru openssh-5.9p1/debian/patches/pam-security-2.patch openssh-5.9p1/debian/patches/pam-security-2.patch
--- openssh-5.9p1/debian/patches/pam-security-2.patch 1970-01-01 00:00:00.000000000 +0000
+++ openssh-5.9p1/debian/patches/pam-security-2.patch 2015-08-14 11:45:04.000000000 +0000
@@ -0,0 +1,34 @@
+Backport of:
+
+From 5e75f5198769056089fb06c4d738ab0e5abc66f7 Mon Sep 17 00:00:00 2001
+From: Damien Miller
+Date: Tue, 11 Aug 2015 13:34:12 +1000
+Subject: [PATCH] set sshpam_ctxt to NULL after free
+
+Avoids use-after-free in monitor when privsep child is compromised.
+Reported by Moritz Jodeit; ok dtucker@
+---
+ monitor.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+Index: openssh-5.9p1/monitor.c
+===================================================================
+--- openssh-5.9p1.orig/monitor.c 2015-08-14 07:43:05.885837182 -0400
++++ openssh-5.9p1/monitor.c 2015-08-14 07:44:30.238523004 -0400
+@@ -1154,13 +1154,15 @@
+ int
+ mm_answer_pam_free_ctx(int sock, Buffer *m)
+ {
++ int r = sshpam_authok != NULL && sshpam_authok == sshpam_ctxt;
+
+ debug3("%s", __func__);
+ (sshpam_device.free_ctx)(sshpam_ctxt);
++ sshpam_ctxt = sshpam_authok = NULL;
+ buffer_clear(m);
+ mm_request_send(sock, MONITOR_ANS_PAM_FREE_CTX, m);
+ auth_method = "keyboard-interactive/pam";
+- return (sshpam_authok == sshpam_ctxt);
++ return r;
+ }
+ #endif
+
diff -Nru openssh-5.9p1/debian/patches/series openssh-5.9p1/debian/patches/series
--- openssh-5.9p1/debian/patches/series 2014-04-07 13:36:39.000000000 +0000
+++ openssh-5.9p1/debian/patches/series 2015-08-14 13:06:58.000000000 +0000
@@ -50,3 +50,7 @@
 mention-ssh-keygen-on-keychange.patch
 CVE-2014-2532.patch
 CVE-2014-2653.patch
+CVE-2015-5600.patch
+pam-security-1.patch
+pam-security-2.patch
+CVE-2015-5352.patch
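Review bot: After the added `sshpam_ctxt = sshpam_authok = NULL;`, a second MONITOR_REQ_PAM_FREE_CTX from the privsep child reaches `(sshpam_device.free_ctx)(NULL)`, so the handler now relies on the device's free_ctx tolerating a NULL context and on the monitor's request-permission table, neither of which is visible in this hunk; a guard such as `if (sshpam_ctxt != NULL) (sshpam_device.free_ctx)(sshpam_ctxt);` would make mm_answer_pam_free_ctx() self-contained. Computing `r` before the free is the right shape, but note it also changes the answer: the old `sshpam_authok == sshpam_ctxt` returned true when both were NULL, while the new `r` requires `sshpam_authok` to be non-NULL, which appears intended but deserves a one-line comment, e.g. `/* success only if PAM auth completed on the context being freed */`. The function is fully within the hunk; the `#endif` on its last context line closes a conditional that opens outside it.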