- djm@cvs.openbsd.org 2010/01/29 00:20:41
     [sshd.c]
     set FD_CLOEXEC on sock_in/sock_out; bz#1706 from jchadima AT redhat.com
     ok dtucker@
diff --git a/ChangeLog b/ChangeLog
index f9a84fd..67cf0fc 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -5,6 +5,10 @@
      downgrade an error() to a debug() - this particular case can be hit in
      normal operation for certain sequences of mux slave vs session closure
      and is harmless
+   - djm@cvs.openbsd.org 2010/01/29 00:20:41
+     [sshd.c]
+     set FD_CLOEXEC on sock_in/sock_out; bz#1706 from jchadima AT redhat.com
+     ok dtucker@
 
 20100129
  - (dtucker) [openbsd-compat/openssl-compat.c] Bug #1707: Call OPENSSL_config()
diff --git a/mux.c b/mux.c
index 64781d4..0e07883 100644
--- a/mux.c
+++ b/mux.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: mux.c,v 1.12 2010/01/27 13:26:17 djm Exp $ */
+/* $OpenBSD: mux.c,v 1.13 2010/01/29 20:16:17 djm Exp $ */
 /*
  * Copyright (c) 2002-2008 Damien Miller <djm@openbsd.org>
  *
@@ -212,7 +212,7 @@
 		sc->ctl_chan = -1;
 		if (sc->type != SSH_CHANNEL_OPEN) {
 			debug2("%s: channel %d: not open", __func__, sc->self);
-			chan_mark_dead(c);
+			chan_mark_dead(sc);
 		} else {
 			chan_read_failed(sc);
 			chan_write_failed(sc);
diff --git a/sshd.c b/sshd.c
index d84db89..bf2e76c 100644
--- a/sshd.c
+++ b/sshd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshd.c,v 1.371 2010/01/13 03:48:13 djm Exp $ */
+/* $OpenBSD: sshd.c,v 1.372 2010/01/29 00:20:41 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -1748,6 +1748,10 @@
 		    sock_in, sock_out, newsock, startup_pipe, config_s[0]);
 	}
 
+	/* Executed child processes don't need these. */
+	fcntl(sock_out, F_SETFD, FD_CLOEXEC);
+	fcntl(sock_in, F_SETFD, FD_CLOEXEC);
+
 	/*
 	 * Disable the key regeneration alarm.  We will not regenerate the
 	 * key since we are no longer in a position to give it to anyone. We