Upstream: ClientAliveCountMax=0 disable the connection killing behaviour (#2015828)

Add support for "Include" directive in sshd_config file (#1926103)

CVE-2021-41617 upstream fix (#2008885)

sshd -T requires -C when "Match" is used in sshd_config (#1836277)

CVE-2020-14145 openssh: Observable Discrepancy leading to an information
Hostbased ssh authentication fails if session ID contains a '/' (#1944125)

ssh doesn't restore the blocking mode on standard output (#1942901)

SFTP sort upon the modification time (#1909988)
ssh-keygen printing fingerprint issue with Windows keys (#1901518)
PIN is lost when iterating over tokens when adding pkcs11 keys to ssh-agent (#1843372)
ssh-agent segfaults during ssh-add -s pkcs11 (#1868996)
ssh-copy-id could not resolve ipv6 address ends with colon (#1933517)
sshd provides PAM an incorrect error code (#1879503)

Openssh client window fix (#1913041)

Do not print "no slots" warning by default (#1744220)
Unbreak connecting using gssapi through proxy commands (#1749862)
Document in manual pages that CASignatureAlgorithms are handled by crypto policies (#1790604)
Use SHA2-based signature algorithms by default for signing certificates (#1790610)
Prevent simple ProxyJump loops in configuration files (#1804099)
Teach ssh-keyscan to use SHA2 RSA variants (#1744108)
Do not fail hard if getrandom() is not available and no SSH_USE_STRONG_RNG is specified (#1812120)
Improve wording of crypto policies references in manual pages (#1812854)
Do not break X11 forwarding if IPv6 is disabled (#1662189)
Enable SHA2-based GSSAPI key exchange algorithms by default (#1816226)
Mark RDomain server configuration option unsupported in RHEL (#1807686)
Clarify crypto policies defaults in manual pages (#1724195)
Mention RSA SHA2 variants in ssh-keygen manual page (#1665900)

Restore entropy patch for CC certification (#1785655)

Fix typos in manual pages (#1668325)
Use the upstream support for PKCS#8 PEM files alongside with the legacy PEM files (#1712436)
Unbreak ssh-keygen -A in FIPS mode (#1732424)
Add missing RSA certificate types to offered hostkey types in FIPS mode (#1732449)

Allow specifying a pin-value in PKCS #11 URI in ssh-add (#1639698)
Whitelist another syscall variant for s390x cryptographic module (ibmca engine) (#1714915)

New upstream release (#1691045)
Remove support for unused VendorPatchLevel configuration option
Fix kerberos cleanup procedures (#1683295)
Do not negotiate arbitrary primes with DH GEX in FIPS (#1685096)
Several GSSAPI key exchange improvements and sync with Debian
Allow to use labels in PKCS#11 URIs even if they do not match on private key (#1671262)
Do not fall back to sshd_net_t SELinux context (#1678695)
Use FIPS compliant high-level signature OpenSSL API and KDF
Mention crypto-policies in manual pages
Do not fail if non-FIPS approved algorithm is enabled in FIPS
Generate the PEM files in new PKCS#8 format without the need of MD5 (#1712436)

Unbreak PKCS#11 URI tests (#1648262)
Allow to disable RSA signatures with SHA1 (#1648898)
Dump missing GSS options from client configuration (#1649505)
Minor fixes from Fedora related to GSSAPI and keberos
Follow the system-wide PATH settings

Disable OpenSSH hardening flags and use the ones provided by system (#1630615)
Ignore unknown parts of PKCS#11 URI (#1631478)
Do not fail with GSSAPI enabled in match blocks (#1580017)
Fix the segfaulting cavs test (#1629692)

New upstream release fixing CVE 2018-15473
Remove unused patches
Remove reference to unused enviornment variable SSH_USE_STRONG_RNG
Address coverity issues
Unbreak scp between two IPv6 hosts (#1620333)
Unbreak GSSAPI key exchange (#1624323)
Unbreak rekeying with GSSAPI key exchange (#1624344)