Merging debian version 1:9.7p1-4.

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>

15 files changed, 439 insertions, 92 deletions

diff --git a/debian/.git-dpm b/debian/.git-dpm
index 430b68a..c9f38ee 100644
--- a/debian/.git-dpm
+++ b/debian/.git-dpm
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-7dc177f6145fd9f52b0ba7a072c3fd4739720a65
-7dc177f6145fd9f52b0ba7a072c3fd4739720a65
+1506d4bbf5fa2d7a3d2f8ae77914dd46b10c40ea
+1506d4bbf5fa2d7a3d2f8ae77914dd46b10c40ea
 cf05e8418c088a6e5712344cecaf6ee2d5eb550f
 cf05e8418c088a6e5712344cecaf6ee2d5eb550f
 openssh_9.7p1.orig.tar.gz
diff --git a/debian/changelog b/debian/changelog
index b790dc3..11dd5cf 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+openssh (1:9.7p1-4) unstable; urgency=medium
+
+  * Rework systemd readiness notification and socket activation patches to
+    not link against libsystemd (the former via an upstream patch).
+  * Force -fzero-call-used-regs=used not to be used on ppc64el (it's
+    unsupported, but configure fails to detect this).
+
+ -- Colin Watson <cjwatson@debian.org>  Wed, 03 Apr 2024 12:06:08 +0100
+
 openssh (1:9.7p1-3~progress7.99u1) graograman-backports; urgency=medium
 
   * Uploading to graograman-backports, remaining changes:
diff --git a/debian/control b/debian/control
index c21abfb..3e1d8eb 100644
--- a/debian/control
+++ b/debian/control
@@ -14,7 +14,6 @@ Build-Depends: debhelper (>= 13.1~),
                libpam0g-dev | libpam-dev,
                libselinux1-dev [linux-any],
                libssl-dev (>= 1.1.1),
-               libsystemd-dev [linux-any] | libelogind-dev [linux-any],
                libwrap0-dev | libwrap-dev,
                pkgconf,
                zlib1g-dev,
diff --git a/debian/patches/configure-cache-vars.patch b/debian/patches/configure-cache-vars.patch
new file mode 100644
index 0000000..a79f5f1
--- /dev/null
+++ b/debian/patches/configure-cache-vars.patch
@@ -0,0 +1,137 @@
+From 1506d4bbf5fa2d7a3d2f8ae77914dd46b10c40ea Mon Sep 17 00:00:00 2001
+From: Colin Watson <cjwatson@debian.org>
+Date: Wed, 3 Apr 2024 11:52:04 +0100
+Subject: Add Autoconf cache variables for OSSH_CHECK_*FLAG_*
+
+This allows overriding them on configure's command line in case the
+automatic checks go wrong somehow.  bz#3673
+
+Forwarded: https://bugzilla.mindrot.org/show_bug.cgi?id=3673#c3
+Last-Update: 2024-04-03
+
+Patch-Name: configure-cache-vars.patch
+---
+ m4/openssh.m4 | 42 ++++++++++++++++++++++++------------------
+ 1 file changed, 24 insertions(+), 18 deletions(-)
+
+diff --git a/m4/openssh.m4 b/m4/openssh.m4
+index 176a8d1c9..f420146f1 100644
+--- a/m4/openssh.m4
++++ b/m4/openssh.m4
+@@ -62,7 +62,8 @@ dnl Check that $CC accepts a flag 'check_flag'. If it is supported append
+ dnl 'define_flag' to $CFLAGS. If 'define_flag' is not specified, then append
+ dnl 'check_flag'.
+ AC_DEFUN([OSSH_CHECK_CFLAG_COMPILE], [{
+-	AC_MSG_CHECKING([if $CC supports compile flag $1])
++  ossh_cache_var=AS_TR_SH([ossh_cv_cflag_$1])
++  AC_CACHE_CHECK([if $CC supports compile flag $1], [$ossh_cache_var], [
+ 	saved_CFLAGS="$CFLAGS"
+ 	CFLAGS="$CFLAGS $WERROR $1"
+ 	_define_flag="$2"
+@@ -71,22 +72,23 @@ AC_DEFUN([OSSH_CHECK_CFLAG_COMPILE], [{
+ 		[
+ if $ac_cv_path_EGREP -i "unrecognized option|warning.*ignored" conftest.err >/dev/null
+ then
+-		AC_MSG_RESULT([no])
++		eval "$ossh_cache_var=no"
+ 		CFLAGS="$saved_CFLAGS"
+ else
+ 		dnl If we are compiling natively, try running the program.
+ 		AC_RUN_IFELSE([OSSH_COMPILER_FLAG_TEST_PROGRAM],
+-			[ AC_MSG_RESULT([yes])
++			[ eval "$ossh_cache_var=yes"
+ 			  CFLAGS="$saved_CFLAGS $_define_flag" ],
+-			[ AC_MSG_RESULT([no, fails at run time])
++			[ eval "$ossh_cache_var='no, fails at run time'"
+ 			  CFLAGS="$saved_CFLAGS" ],
+-			[ AC_MSG_RESULT([yes])
++			[ eval "$ossh_cache_var=yes"
+ 			  CFLAGS="$saved_CFLAGS $_define_flag" ],
+ 		)
+ fi],
+-		[ AC_MSG_RESULT([no])
++		[ eval "$ossh_cache_var=no"
+ 		  CFLAGS="$saved_CFLAGS" ]
+ 	)
++  ])
+ }])
+ 
+ dnl OSSH_CHECK_CFLAG_LINK(check_flag[, define_flag])
+@@ -94,7 +96,8 @@ dnl Check that $CC accepts a flag 'check_flag'. If it is supported append
+ dnl 'define_flag' to $CFLAGS. If 'define_flag' is not specified, then append
+ dnl 'check_flag'.
+ AC_DEFUN([OSSH_CHECK_CFLAG_LINK], [{
+-	AC_MSG_CHECKING([if $CC supports compile flag $1 and linking succeeds])
++  ossh_cache_var=AS_TR_SH([ossh_cv_cflag_$1])
++  AC_CACHE_CHECK([if $CC supports compile flag $1 and linking succeeds], [$ossh_cache_var], [
+ 	saved_CFLAGS="$CFLAGS"
+ 	CFLAGS="$CFLAGS $WERROR $1"
+ 	_define_flag="$2"
+@@ -103,22 +106,23 @@ AC_DEFUN([OSSH_CHECK_CFLAG_LINK], [{
+ 		[
+ if $ac_cv_path_EGREP -i "unrecognized option|warning.*ignored" conftest.err >/dev/null
+ then
+-		AC_MSG_RESULT([no])
++		eval "$ossh_cache_var=no"
+ 		CFLAGS="$saved_CFLAGS"
+ else
+ 		dnl If we are compiling natively, try running the program.
+ 		AC_RUN_IFELSE([OSSH_COMPILER_FLAG_TEST_PROGRAM],
+-			[ AC_MSG_RESULT([yes])
++			[ eval "$ossh_cache_var=yes"
+ 			  CFLAGS="$saved_CFLAGS $_define_flag" ],
+-			[ AC_MSG_RESULT([no, fails at run time])
++			[ eval "$ossh_cache_var='no, fails at run time'"
+ 			  CFLAGS="$saved_CFLAGS" ],
+-			[ AC_MSG_RESULT([yes])
++			[ eval "$ossh_cache_var=yes"
+ 			  CFLAGS="$saved_CFLAGS $_define_flag" ],
+ 		)
+ fi],
+-		[ AC_MSG_RESULT([no])
++		[ eval "$ossh_cache_var=no"
+ 		  CFLAGS="$saved_CFLAGS" ]
+ 	)
++  ])
+ }])
+ 
+ dnl OSSH_CHECK_LDFLAG_LINK(check_flag[, define_flag])
+@@ -126,7 +130,8 @@ dnl Check that $LD accepts a flag 'check_flag'. If it is supported append
+ dnl 'define_flag' to $LDFLAGS. If 'define_flag' is not specified, then append
+ dnl 'check_flag'.
+ AC_DEFUN([OSSH_CHECK_LDFLAG_LINK], [{
+-	AC_MSG_CHECKING([if $LD supports link flag $1])
++  ossh_cache_var=AS_TR_SH([ossh_cv_ldflag_$1])
++  AC_CACHE_CHECK([if $LD supports link flag $1], [$ossh_cache_var], [
+ 	saved_LDFLAGS="$LDFLAGS"
+ 	LDFLAGS="$LDFLAGS $WERROR $1"
+ 	_define_flag="$2"
+@@ -135,22 +140,23 @@ AC_DEFUN([OSSH_CHECK_LDFLAG_LINK], [{
+ 		[
+ if $ac_cv_path_EGREP -i "unrecognized option|warning.*ignored" conftest.err >/dev/null
+ then
+-		  AC_MSG_RESULT([no])
++		  eval "$ossh_cache_var=no"
+ 		  LDFLAGS="$saved_LDFLAGS"
+ else
+ 		  dnl If we are compiling natively, try running the program.
+ 		  AC_RUN_IFELSE([OSSH_COMPILER_FLAG_TEST_PROGRAM],
+-			[ AC_MSG_RESULT([yes])
++			[ eval "$ossh_cache_var=yes"
+ 			  LDFLAGS="$saved_LDFLAGS $_define_flag" ],
+-			[ AC_MSG_RESULT([no, fails at run time])
++			[ eval "$ossh_cache_var='no, fails at run time'"
+ 			  LDFLAGS="$saved_LDFLAGS" ],
+-			[ AC_MSG_RESULT([yes])
++			[ eval "$ossh_cache_var=yes"
+ 			  LDFLAGS="$saved_LDFLAGS $_define_flag" ]
+ 		  )
+ fi		],
+-		[ AC_MSG_RESULT([no])
++		[ eval "$ossh_cache_var=no"
+ 		  LDFLAGS="$saved_LDFLAGS" ]
+ 	)
++  ])
+ }])
+ 
+ dnl OSSH_CHECK_HEADER_FOR_FIELD(field, header, symbol)
diff --git a/debian/patches/debian-config.patch b/debian/patches/debian-config.patch
index f53bac5..ce3c1c0 100644
--- a/debian/patches/debian-config.patch
+++ b/debian/patches/debian-config.patch
@@ -1,4 +1,4 @@
-From 4f52dcf6ce616f6e674d6af0ceebb3e2f6b147a3 Mon Sep 17 00:00:00 2001
+From 04acdcf452c7a88ac8c37ca6870a571125fbc8da Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:10:18 +0000
 Subject: Various Debian-specific configuration changes
diff --git a/debian/patches/maxhostnamelen.patch b/debian/patches/maxhostnamelen.patch
index 4cfe801..bd5733b 100644
--- a/debian/patches/maxhostnamelen.patch
+++ b/debian/patches/maxhostnamelen.patch
@@ -1,4 +1,4 @@
-From 25f238231292eefa02a723b84de6428baca3b7ab Mon Sep 17 00:00:00 2001
+From 8bc03da34ff88845e6b10631719f872e81eaea74 Mon Sep 17 00:00:00 2001
 From: Svante Signell <svante.signell@gmail.com>
 Date: Fri, 5 Nov 2021 23:22:53 +0000
 Subject: Define MAXHOSTNAMELEN on GNU/Hurd
diff --git a/debian/patches/regress-conch-dev-zero.patch b/debian/patches/regress-conch-dev-zero.patch
index fed6e66..bdf1449 100644
--- a/debian/patches/regress-conch-dev-zero.patch
+++ b/debian/patches/regress-conch-dev-zero.patch
@@ -1,4 +1,4 @@
-From 7dc177f6145fd9f52b0ba7a072c3fd4739720a65 Mon Sep 17 00:00:00 2001
+From 6bd1413e583b16d600b39b15203b5b78a4e77f0a Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 31 Mar 2024 00:24:11 +0000
 Subject: regress: Redirect conch stdin from /dev/zero
diff --git a/debian/patches/restore-authorized_keys2.patch b/debian/patches/restore-authorized_keys2.patch
index a614c3c..9e540cf 100644
--- a/debian/patches/restore-authorized_keys2.patch
+++ b/debian/patches/restore-authorized_keys2.patch
@@ -1,4 +1,4 @@
-From 629d831d473ca49b8593e4a711012bb812e544b7 Mon Sep 17 00:00:00 2001
+From 06af6b2c9be423445bab0c964f4e85f439a91278 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 5 Mar 2017 02:02:11 +0000
 Subject: Restore reading authorized_keys2 by default
diff --git a/debian/patches/revert-ipqos-defaults.patch b/debian/patches/revert-ipqos-defaults.patch
index 619328b..0b33aee 100644
--- a/debian/patches/revert-ipqos-defaults.patch
+++ b/debian/patches/revert-ipqos-defaults.patch
@@ -1,4 +1,4 @@
-From c6529b6eeabc3312e7b0c00c8451a496eb5d8ae6 Mon Sep 17 00:00:00 2001
+From d9fbfaf30a64cff9b4fdad1ff0974e239f29f7db Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Mon, 8 Apr 2019 10:46:29 +0100
 Subject: Revert "upstream: Update default IPQoS in ssh(1), sshd(8) to DSCP
diff --git a/debian/patches/series b/debian/patches/series
index 90ac393..311759a 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -27,6 +27,7 @@ systemd-socket-activation.patch
 skip-utimensat-test-on-zfs.patch
 zero-call-used-regs-m68k.patch
 regress-conch-dev-zero.patch
+configure-cache-vars.patch
 progress-linux/0001-ssh-keygen-default-rsa-size.patch
 progress-linux/0002-ssh-keygen-default-ecdsa-size.patch
 progress-linux/0003-ssh_config-update.patch
diff --git a/debian/patches/skip-utimensat-test-on-zfs.patch b/debian/patches/skip-utimensat-test-on-zfs.patch
index 7707531..6a50e08 100644
--- a/debian/patches/skip-utimensat-test-on-zfs.patch
+++ b/debian/patches/skip-utimensat-test-on-zfs.patch
@@ -1,4 +1,4 @@
-From 4c1c5dc36c96a8e6dd34fd43caf83d292a33b797 Mon Sep 17 00:00:00 2001
+From c295622811895faaf4c0be0820cbb919c80b1143 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Mon, 11 Mar 2024 16:24:49 +0000
 Subject: Skip utimensat test on ZFS
diff --git a/debian/patches/systemd-readiness.patch b/debian/patches/systemd-readiness.patch
index 8f1e1ae..883e35b 100644
--- a/debian/patches/systemd-readiness.patch
+++ b/debian/patches/systemd-readiness.patch
@@ -1,84 +1,224 @@
-From b939a041afc3938937a3e9d2495202cf1a7b90ab Mon Sep 17 00:00:00 2001
-From: Michael Biebl <biebl@debian.org>
-Date: Mon, 21 Dec 2015 16:08:47 +0000
-Subject: Add systemd readiness notification support
+From 3d48cca71737962972c5bbd0171919ecbc348443 Mon Sep 17 00:00:00 2001
+From: Damien Miller <djm@mindrot.org>
+Date: Wed, 3 Apr 2024 14:40:32 +1100
+Subject: notify systemd on listen and reload
 
+Standalone implementation that does not depend on libsystemd.
+With assistance from Luca Boccassi, and feedback/testing from Colin
+Watson. bz2641
+
+Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=08f579231cd38a1c657aaa6ddeb8ab57a1fd4f5c
 Bug-Debian: https://bugs.debian.org/778913
-Forwarded: no
-Last-Update: 2017-08-22
+Last-Update: 2024-04-03
 
 Patch-Name: systemd-readiness.patch
 ---
- configure.ac | 24 ++++++++++++++++++++++++
- sshd.c       |  9 +++++++++
- 2 files changed, 33 insertions(+)
+ configure.ac                |  1 +
+ openbsd-compat/port-linux.c | 97 ++++++++++++++++++++++++++++++++++++-
+ openbsd-compat/port-linux.h |  5 ++
+ platform.c                  | 11 +++++
+ platform.h                  |  1 +
+ sshd.c                      |  2 +
+ 6 files changed, 115 insertions(+), 2 deletions(-)
 
 diff --git a/configure.ac b/configure.ac
-index 2b2c4f086..81f75eb85 100644
+index 2b2c4f086..c7b563ef2 100644
 --- a/configure.ac
 +++ b/configure.ac
-@@ -4950,6 +4950,29 @@ AC_SUBST([GSSLIBS])
- AC_SUBST([K5LIBS])
- AC_SUBST([CHANNELLIBS])
+@@ -939,6 +939,7 @@ int main(void) { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
+ 	AC_DEFINE([_PATH_BTMP], ["/var/log/btmp"], [log for bad login attempts])
+ 	AC_DEFINE([USE_BTMP])
+ 	AC_DEFINE([LINUX_OOM_ADJUST], [1], [Adjust Linux out-of-memory killer])
++	AC_DEFINE([SYSTEMD_NOTIFY], [1], [Have sshd notify systemd on start/reload])
+ 	inet6_default_4in6=yes
+ 	case `uname -r` in
+ 	1.*|2.0.*)
+diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c
+index 0394f4808..8e2824594 100644
+--- a/openbsd-compat/port-linux.c
++++ b/openbsd-compat/port-linux.c
+@@ -21,16 +21,23 @@
  
-+# Check whether user wants systemd support
-+SYSTEMD_MSG="no"
-+AC_ARG_WITH(systemd,
-+	[  --with-systemd          Enable systemd support],
-+	[ if test "x$withval" != "xno" ; then
-+		AC_PATH_TOOL([PKGCONFIG], [pkg-config], [no])
-+		if test "$PKGCONFIG" != "no"; then
-+			AC_MSG_CHECKING([for libsystemd])
-+			if $PKGCONFIG --exists libsystemd; then
-+				SYSTEMD_CFLAGS=`$PKGCONFIG --cflags libsystemd`
-+				SYSTEMD_LIBS=`$PKGCONFIG --libs libsystemd`
-+				CPPFLAGS="$CPPFLAGS $SYSTEMD_CFLAGS"
-+				SSHDLIBS="$SSHDLIBS $SYSTEMD_LIBS"
-+				AC_MSG_RESULT([yes])
-+				AC_DEFINE(HAVE_SYSTEMD, 1, [Define if you want systemd support.])
-+				SYSTEMD_MSG="yes"
-+			else
-+				AC_MSG_RESULT([no])
-+			fi
-+		fi
-+	fi ]
-+)
-+
- # Looking for programs, paths and files
+ #include "includes.h"
  
- PRIVSEP_PATH=/var/empty
-@@ -5769,6 +5792,7 @@ echo "                   libldns support: $LDNS_MSG"
- echo "  Solaris process contract support: $SPC_MSG"
- echo "           Solaris project support: $SP_MSG"
- echo "         Solaris privilege support: $SPP_MSG"
-+echo "                   systemd support: $SYSTEMD_MSG"
- echo "       IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG"
- echo "           Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
- echo "                  BSD Auth support: $BSD_AUTH_MSG"
-diff --git a/sshd.c b/sshd.c
-index 8fab51ebb..b981e7758 100644
---- a/sshd.c
-+++ b/sshd.c
-@@ -88,6 +88,10 @@
- #include <prot.h>
+-#if defined(WITH_SELINUX) || defined(LINUX_OOM_ADJUST)
++#if defined(WITH_SELINUX) || defined(LINUX_OOM_ADJUST) || \
++    defined(SYSTEMD_NOTIFY)
++#include <sys/socket.h>
++#include <sys/un.h>
++
+ #include <errno.h>
++#include <inttypes.h>
+ #include <stdarg.h>
+ #include <string.h>
+ #include <stdio.h>
+ #include <stdlib.h>
++#include <time.h>
+ 
+ #include "log.h"
+ #include "xmalloc.h"
+ #include "port-linux.h"
++#include "misc.h"
+ 
+ #ifdef WITH_SELINUX
+ #include <selinux/selinux.h>
+@@ -317,4 +324,90 @@ oom_adjust_restore(void)
+ 	return;
+ }
+ #endif /* LINUX_OOM_ADJUST */
+-#endif /* WITH_SELINUX || LINUX_OOM_ADJUST */
++
++#ifdef SYSTEMD_NOTIFY
++
++static void ssh_systemd_notify(const char *, ...)
++    __attribute__((__format__ (printf, 1, 2))) __attribute__((__nonnull__ (1)));
++
++static void
++ssh_systemd_notify(const char *fmt, ...)
++{
++	char *s = NULL;
++	const char *path;
++	struct stat sb;
++	struct sockaddr_un addr;
++	int fd = -1;
++	va_list ap;
++
++	if ((path = getenv("NOTIFY_SOCKET")) == NULL || strlen(path) == 0)
++		return;
++
++	va_start(ap, fmt);
++	xvasprintf(&s, fmt, ap);
++	va_end(ap);
++
++	/* Only AF_UNIX is supported, with path or abstract sockets */
++	if (path[0] != '/' && path[0] != '@') {
++		error_f("socket \"%s\" is not compatible with AF_UNIX", path);
++		goto out;
++	}
++
++	if (path[0] == '/' && stat(path, &sb) != 0) {
++		error_f("socket \"%s\" stat: %s", path, strerror(errno));
++		goto out;
++	}
++
++	memset(&addr, 0, sizeof(addr));
++	addr.sun_family = AF_UNIX;
++	if (strlcpy(addr.sun_path, path,
++	    sizeof(addr.sun_path)) >= sizeof(addr.sun_path)) {
++		error_f("socket path \"%s\" too long", path);
++		goto out;
++	}
++	/* Support for abstract socket */
++	if (addr.sun_path[0] == '@')
++		addr.sun_path[0] = 0;
++	if ((fd = socket(PF_UNIX, SOCK_DGRAM, 0)) == -1) {
++		error_f("socket \"%s\": %s", path, strerror(errno));
++		goto out;
++	}
++	if (connect(fd, &addr, sizeof(addr)) != 0) {
++		error_f("socket \"%s\" connect: %s", path, strerror(errno));
++		goto out;
++	}
++	if (write(fd, s, strlen(s)) != (ssize_t)strlen(s)) {
++		error_f("socket \"%s\" write: %s", path, strerror(errno));
++		goto out;
++	}
++	debug_f("socket \"%s\" notified %s", path, s);
++ out:
++	if (fd != -1)
++		close(fd);
++	free(s);
++}
++
++void
++ssh_systemd_notify_ready(void)
++{
++	ssh_systemd_notify("READY=1");
++}
++
++void
++ssh_systemd_notify_reload(void)
++{
++	struct timespec now;
++
++	monotime_ts(&now);
++	if (now.tv_sec < 0 || now.tv_nsec < 0) {
++		error_f("monotime returned negative value");
++		ssh_systemd_notify("RELOADING=1");
++	} else {
++		ssh_systemd_notify("RELOADING=1\nMONOTONIC_USEC=%llu",
++		    ((uint64_t)now.tv_sec * 1000000ULL) +
++		    ((uint64_t)now.tv_nsec / 1000ULL));
++	}
++}
++#endif /* SYSTEMD_NOTIFY */
++
++#endif /* WITH_SELINUX || LINUX_OOM_ADJUST || SYSTEMD_NOTIFY */
+diff --git a/openbsd-compat/port-linux.h b/openbsd-compat/port-linux.h
+index c88129428..6c4c37115 100644
+--- a/openbsd-compat/port-linux.h
++++ b/openbsd-compat/port-linux.h
+@@ -30,4 +30,9 @@ void oom_adjust_restore(void);
+ void oom_adjust_setup(void);
  #endif
  
-+#ifdef HAVE_SYSTEMD
-+#include <systemd/sd-daemon.h>
++#ifdef SYSTEMD_NOTIFY
++void ssh_systemd_notify_ready(void);
++void ssh_systemd_notify_reload(void);
 +#endif
 +
- #include "xmalloc.h"
- #include "ssh.h"
- #include "ssh2.h"
-@@ -2101,6 +2105,11 @@ main(int ac, char **av)
- 			}
- 		}
+ #endif /* ! _PORT_LINUX_H */
+diff --git a/platform.c b/platform.c
+index 70c3a9b58..163a54a46 100644
+--- a/platform.c
++++ b/platform.c
+@@ -44,6 +44,14 @@ platform_pre_listen(void)
+ #endif
+ }
  
-+#ifdef HAVE_SYSTEMD
-+		/* Signal systemd that we are ready to accept connections */
-+		sd_notify(0, "READY=1");
++void
++platform_post_listen(void)
++{
++#ifdef SYSTEMD_NOTIFY
++	ssh_systemd_notify_ready();
 +#endif
++}
++
+ void
+ platform_pre_fork(void)
+ {
+@@ -55,6 +63,9 @@ platform_pre_fork(void)
+ void
+ platform_pre_restart(void)
+ {
++#ifdef SYSTEMD_NOTIFY
++	ssh_systemd_notify_reload();
++#endif
+ #ifdef LINUX_OOM_ADJUST
+ 	oom_adjust_restore();
+ #endif
+diff --git a/platform.h b/platform.h
+index 027fdfb51..1b77c3e3d 100644
+--- a/platform.h
++++ b/platform.h
+@@ -21,6 +21,7 @@
+ void platform_pre_listen(void);
+ void platform_pre_fork(void);
+ void platform_pre_restart(void);
++void platform_post_listen(void);
+ void platform_post_fork_parent(pid_t child_pid);
+ void platform_post_fork_child(void);
+ int  platform_privileged_uidswap(void);
+diff --git a/sshd.c b/sshd.c
+index 8fab51ebb..a18b85d1d 100644
+--- a/sshd.c
++++ b/sshd.c
+@@ -2085,6 +2085,8 @@ main(int ac, char **av)
+ 		ssh_signal(SIGTERM, sigterm_handler);
+ 		ssh_signal(SIGQUIT, sigterm_handler);
+ 
++		platform_post_listen();
 +
- 		/* Accept a connection and return in a forked child */
- 		server_accept_loop(&sock_in, &sock_out,
- 		    &newsock, config_s);
+ 		/*
+ 		 * Write out the pid file after the sigterm handler
+ 		 * is setup and the listen sockets are bound
diff --git a/debian/patches/systemd-socket-activation.patch b/debian/patches/systemd-socket-activation.patch
index 9867ccf..d2c5284 100644
--- a/debian/patches/systemd-socket-activation.patch
+++ b/debian/patches/systemd-socket-activation.patch
@@ -1,4 +1,4 @@
-From d4af38f9aa8f2daa0ae01b994666116f1420d305 Mon Sep 17 00:00:00 2001
+From f01545e3f9350c080a525c246b9d46ba71cb0d09 Mon Sep 17 00:00:00 2001
 From: Steve Langasek <steve.langasek@ubuntu.com>
 Date: Thu, 1 Sep 2022 16:03:37 +0100
 Subject: Support systemd socket activation
@@ -9,18 +9,32 @@ the child process handle the accept().  This lets us do delayed start
 of the sshd daemon without becoming incompatible with config options
 like ClientAliveCountMax.
 
-Last-Update: 2022-09-01
+Author: Colin Watson <cjwatson@debian.org>
+Last-Update: 2024-04-03
 
 Patch-Name: systemd-socket-activation.patch
 ---
- sshd.c | 89 +++++++++++++++++++++++++++++++++++++++++++++++++---------
- 1 file changed, 75 insertions(+), 14 deletions(-)
+ configure.ac |   1 +
+ sshd.c       | 131 +++++++++++++++++++++++++++++++++++++++++++++------
+ 2 files changed, 118 insertions(+), 14 deletions(-)
 
+diff --git a/configure.ac b/configure.ac
+index c7b563ef2..cdfb505bf 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -940,6 +940,7 @@ int main(void) { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
+ 	AC_DEFINE([USE_BTMP])
+ 	AC_DEFINE([LINUX_OOM_ADJUST], [1], [Adjust Linux out-of-memory killer])
+ 	AC_DEFINE([SYSTEMD_NOTIFY], [1], [Have sshd notify systemd on start/reload])
++	AC_DEFINE([SYSTEMD_SOCKET_ACTIVATION], [1], [Have sshd accept systemd socket activation])
+ 	inet6_default_4in6=yes
+ 	case `uname -r` in
+ 	1.*|2.0.*)
 diff --git a/sshd.c b/sshd.c
-index b981e7758..565e17b16 100644
+index a18b85d1d..105c688e4 100644
 --- a/sshd.c
 +++ b/sshd.c
-@@ -140,10 +140,16 @@ int deny_severity;
+@@ -136,10 +136,18 @@ int deny_severity;
  #endif /* LIBWRAP */
  
  /* Re-exec fds */
@@ -28,8 +42,10 @@ index b981e7758..565e17b16 100644
 -#define REEXEC_STARTUP_PIPE_FD		(STDERR_FILENO + 2)
 -#define REEXEC_CONFIG_PASS_FD		(STDERR_FILENO + 3)
 -#define REEXEC_MIN_FREE_FD		(STDERR_FILENO + 4)
-+#ifdef HAVE_SYSTEMD
-+#define SYSTEMD_OFFSET sd_listen_fds(0)
++#ifdef SYSTEMD_SOCKET_ACTIVATION
++static int get_systemd_listen_fds(void);
++#define SYSTEMD_OFFSET get_systemd_listen_fds()
++#define SYSTEMD_LISTEN_FDS_START 3
 +#else
 +#define SYSTEMD_OFFSET 0
 +#endif
@@ -41,11 +57,51 @@ index b981e7758..565e17b16 100644
  
  extern char *__progname;
  
-@@ -1020,6 +1026,48 @@ server_accept_inetd(int *sock_in, int *sock_out)
+@@ -1016,6 +1024,88 @@ server_accept_inetd(int *sock_in, int *sock_out)
  	debug("inetd sockets after dupping: %d, %d", *sock_in, *sock_out);
  }
  
-+#ifdef HAVE_SYSTEMD
++#ifdef SYSTEMD_SOCKET_ACTIVATION
++/*
++ * Get file descriptors passed by systemd; this implements the protocol
++ * described in the NOTES section of sd_listen_fds(3).
++ *
++ * We deliberately return 0 on error, so that the return value can safely be
++ * added as part of the REEXEC_*_FD macros without extra checks.
++ */
++static int
++get_systemd_listen_fds(void)
++{
++	const char *listen_pid_str, *listen_fds_str;
++	pid_t listen_pid;
++	int listen_fds;
++	const char *errstr = NULL;
++	int fd;
++
++	listen_pid_str = getenv("LISTEN_PID");
++	if (listen_pid_str == NULL)
++		return 0;
++	listen_pid = (pid_t)strtonum(listen_pid_str, 2, INT_MAX, &errstr);
++	if (errstr != NULL || getpid() != listen_pid)
++		return 0;
++
++	listen_fds_str = getenv("LISTEN_FDS");
++	if (listen_fds_str == NULL)
++		return 0;
++	listen_fds = (int)strtonum(listen_fds_str, 1,
++	    INT_MAX - SYSTEMD_LISTEN_FDS_START, &errstr);
++	if (errstr != NULL)
++		return 0;
++
++	for (fd = SYSTEMD_LISTEN_FDS_START;
++	    fd < SYSTEMD_LISTEN_FDS_START + listen_fds; fd++) {
++		if (fcntl(fd, F_SETFD, FD_CLOEXEC) == -1)
++			return 0;
++	}
++
++	return listen_fds;
++}
++
 +/*
 + * Configure our socket fds that were passed from systemd
 + */
@@ -90,11 +146,11 @@ index b981e7758..565e17b16 100644
  /*
   * Listen for TCP connections
   */
-@@ -1099,22 +1147,35 @@ static void
+@@ -1095,22 +1185,35 @@ static void
  server_listen(void)
  {
  	u_int i;
-+#ifdef HAVE_SYSTEMD
++#ifdef SYSTEMD_SOCKET_ACTIVATION
 +	int systemd_socket_count;
 +#endif
  
@@ -108,13 +164,13 @@ index b981e7758..565e17b16 100644
 -		free(options.listen_addrs[i].rdomain);
 -		memset(&options.listen_addrs[i], 0,
 -		    sizeof(options.listen_addrs[i]));
-+#ifdef HAVE_SYSTEMD
-+	systemd_socket_count = sd_listen_fds(0);
++#ifdef SYSTEMD_SOCKET_ACTIVATION
++	systemd_socket_count = get_systemd_listen_fds();
 +	if (systemd_socket_count > 0)
 +	{
 +		int i;
 +		for (i = 0; i < systemd_socket_count; i++)
-+			setup_systemd_socket(SD_LISTEN_FDS_START + i);
++			setup_systemd_socket(SYSTEMD_LISTEN_FDS_START + i);
 +	} else
 +#endif
 +	{
diff --git a/debian/patches/zero-call-used-regs-m68k.patch b/debian/patches/zero-call-used-regs-m68k.patch
index 1e90eaa..84cd0a8 100644
--- a/debian/patches/zero-call-used-regs-m68k.patch
+++ b/debian/patches/zero-call-used-regs-m68k.patch
@@ -1,4 +1,4 @@
-From 781d9de6499eb979e9f1a66242bcf58250a1f21e Mon Sep 17 00:00:00 2001
+From f81c7307956c509e0638e8272454677d59961950 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Thu, 21 Mar 2024 10:20:21 +0000
 Subject: Extend -fzero-call-used-regs check to catch m68k gcc bug
diff --git a/debian/rules b/debian/rules
index 6184bef..6431a78 100755
--- a/debian/rules
+++ b/debian/rules
@@ -68,6 +68,12 @@ endif
 # Always use the internal mkdtemp; see https://bugs.debian.org/1001186.
 confflags += ac_cv_func_mkdtemp=no
 
+# ppc64el doesn't support -fzero-call-used-regs=used, but configure fails to
+# detect that.
+ifeq ($(DEB_HOST_ARCH),ppc64el)
+confflags += ossh_cv_cflag__fzero_call_used_regs_used=no
+endif
+
 # Everything above here is common to the deb and udeb builds.
 confflags_udeb := $(confflags)
 
@@ -80,7 +86,6 @@ confflags += --with-ssl-engine
 ifeq ($(DEB_HOST_ARCH_OS),linux)
 confflags += --with-selinux
 confflags += --with-audit=linux
-confflags += --with-systemd
 confflags += --with-security-key-builtin
 endif