diff -Nru openssh-5.9p1/debian/changelog openssh-5.9p1/debian/changelog
--- openssh-5.9p1/debian/changelog 2014-03-21 15:05:55.000000000 +0000
+++ openssh-5.9p1/debian/changelog 2014-04-07 13:36:45.000000000 +0000
@@ -1,3 +1,12 @@
+openssh (1:5.9p1-5ubuntu1.3) precise-security; urgency=medium
+
+ * SECURITY UPDATE: failure to check SSHFP records if server presents a
+ certificate
+ - debian/patches/CVE-2014-2653.patch: fix logic in sshconnect.c.
+ - CVE-2014-2653
+
+ -- Marc Deslauriers Mon, 07 Apr 2014 09:36:45 -0400
+
 openssh (1:5.9p1-5ubuntu1.2) precise-security; urgency=medium
 * SECURITY UPDATE: AcceptEnv wildcard environment restrictions bypass
diff -Nru openssh-5.9p1/debian/patches/CVE-2014-2653.patch openssh-5.9p1/debian/patches/CVE-2014-2653.patch
--- openssh-5.9p1/debian/patches/CVE-2014-2653.patch 1970-01-01 00:00:00.000000000 +0000
+++ openssh-5.9p1/debian/patches/CVE-2014-2653.patch 2014-04-07 13:36:39.000000000 +0000
@@ -0,0 +1,64 @@
+Description: fix failure to check SSHFP records if server presents a certificate
+Origin: backport, http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/sshconnect.c.diff?r1=1.246;r2=1.247
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=742513
+
+Index: openssh-6.0p1/sshconnect.c
+===================================================================
+--- openssh-6.0p1.orig/sshconnect.c 2014-04-07 09:35:46.032962547 -0400
++++ openssh-6.0p1/sshconnect.c 2014-04-07 09:35:46.028962547 -0400
+@@ -1115,29 +1115,39 @@
+ {
+ int flags = 0;
+ char *fp;
++ Key *plain = NULL;
+
+ fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
+ debug("Server host key: %s %s", key_type(host_key), fp);
+ xfree(fp);
+
+- /* XXX certs are not yet supported for DNS */
+- if (!key_is_cert(host_key) && options.verify_host_key_dns &&
+- verify_host_key_dns(host, hostaddr, host_key, &flags) == 0) {
+- if (flags & DNS_VERIFY_FOUND) {
+-
+- if (options.verify_host_key_dns == 1 &&
+- flags & DNS_VERIFY_MATCH &&
+- flags & DNS_VERIFY_SECURE)
+- return 0;
+-
+- if (flags & DNS_VERIFY_MATCH) {
+- matching_host_key_dns = 1;
+- } else {
+- warn_changed_key(host_key);
+- error("Update the SSHFP RR in DNS with the new "
+- "host key to get rid of this message.");
++ if (options.verify_host_key_dns) {
++ /*
++ * XXX certs are not yet supported for DNS, so downgrade
++ * them and try the plain key.
++ */
++ plain = key_from_private(host_key);
++ if (key_is_cert(plain))
++ key_drop_cert(plain);
++ if (verify_host_key_dns(host, hostaddr, plain, &flags) == 0) {
++ if (flags & DNS_VERIFY_FOUND) {
++ if (options.verify_host_key_dns == 1 &&
++ flags & DNS_VERIFY_MATCH &&
++ flags & DNS_VERIFY_SECURE) {
++ key_free(plain);
++ return 0;
++ }
++ if (flags & DNS_VERIFY_MATCH) {
++ matching_host_key_dns = 1;
++ } else {
++ warn_changed_key(plain);
++ error("Update the SSHFP RR in DNS "
++ "with the new host key to get rid "
++ "of this message.");
+ }
+ }
++ key_free(plain);
+ }
+
+ return check_host_key(host, hostaddr, options.port, host_key, RDRW,
diff -Nru openssh-5.9p1/debian/patches/series openssh-5.9p1/debian/patches/series
--- openssh-5.9p1/debian/patches/series 2014-03-21 15:05:49.000000000 +0000
+++ openssh-5.9p1/debian/patches/series 2014-04-07 13:36:39.000000000 +0000
@@ -49,3 +49,4 @@
 doc-upstart.patch
 mention-ssh-keygen-on-keychange.patch
 CVE-2014-2532.patch
+CVE-2014-2653.patch
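Review bot: The new comment `XXX certs are not yet supported for DNS, so downgrade them and try the plain key.` does not record why the downgrade matters, which is the substance of this CVE-2014-2653 fix: with the removed `!key_is_cert(host_key)` guard, a server presenting a certificate made the whole condition false and skipped the SSHFP lookup entirely, so `VerifyHostKeyDNS yes` was silently bypassed for certificate host keys. I would extend it to `XXX certs are not yet supported for DNS, so downgrade them and try the plain key; skipping the lookup for certs (as before) would bypass VerifyHostKeyDNS entirely.` As rendered on this page the new side shows one line fewer than the `+1115,39` header counts and no `}` closes the `if (verify_host_key_dns(host, hostaddr, plain, &flags) == 0) {` block before `key_free(plain);`, which is most likely a display loss rather than a defect in the patch, but is worth confirming in the file so `plain` is also freed on the no-match and lookup-failure paths. The enclosing function's signature is outside the hunk, which starts at its opening brace.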