diff --git a/openssh-5.1p1-cloexec.patch b/openssh-5.1p1-cloexec.patch index 5dbff42..37a22a7 100644 --- a/openssh-5.1p1-cloexec.patch +++ b/openssh-5.1p1-cloexec.patch @@ -1,6 +1,36 @@ +diff -up openssh-5.1p1/channels.c.cloexec openssh-5.1p1/channels.c +--- openssh-5.1p1/channels.c.cloexec 2008-12-11 22:24:49.000000000 +0100 ++++ openssh-5.1p1/channels.c 2008-12-11 22:29:52.000000000 +0100 +@@ -60,6 +60,7 @@ + #include + #include + #include ++#include + + #include "openbsd-compat/sys-queue.h" + #include "xmalloc.h" +@@ -230,6 +231,18 @@ channel_register_fds(Channel *c, int rfd + + /* XXX set close-on-exec -markus */ + ++ if (rfd != -1) { ++ fcntl(rfd, F_SETFD, FD_CLOEXEC); ++ } ++ ++ if (wfd != -1 && wfd != rfd) { ++ fcntl(wfd, F_SETFD, FD_CLOEXEC); ++ } ++ ++ if (efd != -1 && efd != rfd && efd != wfd) { ++ fcntl(efd, F_SETFD, FD_CLOEXEC); ++ } ++ + c->rfd = rfd; + c->wfd = wfd; + c->sock = (rfd == wfd) ? rfd : -1; diff -up openssh-5.1p1/sshconnect2.c.cloexec openssh-5.1p1/sshconnect2.c ---- openssh-5.1p1/sshconnect2.c.cloexec 2008-07-23 15:21:23.000000000 +0200 -+++ openssh-5.1p1/sshconnect2.c 2008-07-23 15:23:19.000000000 +0200 +--- openssh-5.1p1/sshconnect2.c.cloexec 2008-12-11 22:24:49.000000000 +0100 ++++ openssh-5.1p1/sshconnect2.c 2008-12-11 22:24:49.000000000 +0100 @@ -38,6 +38,7 @@ #include #include @@ -19,7 +49,7 @@ diff -up openssh-5.1p1/sshconnect2.c.cloexec openssh-5.1p1/sshconnect2.c if (dup2(from[1], STDOUT_FILENO) < 0) diff -up openssh-5.1p1/sshconnect.c.cloexec openssh-5.1p1/sshconnect.c --- openssh-5.1p1/sshconnect.c.cloexec 2008-07-02 14:34:30.000000000 +0200 -+++ openssh-5.1p1/sshconnect.c 2008-07-23 15:21:23.000000000 +0200 ++++ openssh-5.1p1/sshconnect.c 2008-12-11 22:24:49.000000000 +0100 @@ -38,6 +38,7 @@ #include #include diff --git a/openssh-5.1p1-nss-keys.patch b/openssh-5.1p1-nss-keys.patch index 8805f3e..6b21193 100644 --- a/openssh-5.1p1-nss-keys.patch +++ b/openssh-5.1p1-nss-keys.patch 
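Review bot: In the channels.c section added to openssh-5.1p1-cloexec.patch, the three `fcntl(fd, F_SETFD, FD_CLOEXEC)` calls in channel_register_fds() discard their return value, so a failed call leaves that channel descriptor inheritable by any child the process later execs, with nothing logged. Check each call, for example `if (rfd != -1 && fcntl(rfd, F_SETFD, FD_CLOEXEC) == -1) error("fcntl(%d, F_SETFD, FD_CLOEXEC): %s", rfd, strerror(errno));`, assuming channels.c already has the logging helper and errno in scope; the include targets are not legible on this page. The context comment `/* XXX set close-on-exec -markus */` just above the new code is now stale and would read better as a statement that the flag is set here so channel descriptors do not leak across exec. channel_register_fds() begins before and continues after the lines shown in the hunk.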
@@ -1,6 +1,6 @@ diff -up openssh-5.1p1/key.c.nss-keys openssh-5.1p1/key.c --- openssh-5.1p1/key.c.nss-keys 2008-07-11 09:35:09.000000000 +0200 -+++ openssh-5.1p1/key.c 2008-07-23 19:16:00.000000000 +0200 ++++ openssh-5.1p1/key.c 2008-11-18 19:11:41.000000000 +0100 @@ -96,6 +96,54 @@ key_new(int type) return k; } @@ -78,7 +78,7 @@ diff -up openssh-5.1p1/key.c.nss-keys openssh-5.1p1/key.c diff -up openssh-5.1p1/ssh-dss.c.nss-keys openssh-5.1p1/ssh-dss.c --- openssh-5.1p1/ssh-dss.c.nss-keys 2006-11-07 13:14:42.000000000 +0100 -+++ openssh-5.1p1/ssh-dss.c 2008-07-23 19:16:00.000000000 +0200 ++++ openssh-5.1p1/ssh-dss.c 2008-11-18 19:11:41.000000000 +0100 @@ -39,6 +39,10 @@ #include "log.h" #include "key.h" @@ -138,7 +138,7 @@ diff -up openssh-5.1p1/ssh-dss.c.nss-keys openssh-5.1p1/ssh-dss.c *lenp = SIGBLOB_LEN; diff -up openssh-5.1p1/ssh-agent.c.nss-keys openssh-5.1p1/ssh-agent.c --- openssh-5.1p1/ssh-agent.c.nss-keys 2008-07-04 15:10:49.000000000 +0200 -+++ openssh-5.1p1/ssh-agent.c 2008-07-23 19:16:00.000000000 +0200 ++++ openssh-5.1p1/ssh-agent.c 2008-11-18 19:11:41.000000000 +0100 @@ -80,6 +80,10 @@ #include "scard.h" #endif @@ -283,7 +283,7 @@ diff -up openssh-5.1p1/ssh-agent.c.nss-keys openssh-5.1p1/ssh-agent.c error("Unknown message %d", type); diff -up openssh-5.1p1/authfd.h.nss-keys openssh-5.1p1/authfd.h --- openssh-5.1p1/authfd.h.nss-keys 2006-08-05 04:39:39.000000000 +0200 -+++ openssh-5.1p1/authfd.h 2008-07-23 19:16:00.000000000 +0200 ++++ openssh-5.1p1/authfd.h 2008-11-18 19:11:41.000000000 +0100 @@ -49,6 +49,12 @@ #define SSH2_AGENTC_ADD_ID_CONSTRAINED 25 #define SSH_AGENTC_ADD_SMARTCARD_KEY_CONSTRAINED 26 
@@ -307,10 +307,10 @@ diff -up openssh-5.1p1/authfd.h.nss-keys openssh-5.1p1/authfd.h int ssh_decrypt_challenge(AuthenticationConnection *, Key *, BIGNUM *, u_char[16], diff -up openssh-5.1p1/configure.ac.nss-keys openssh-5.1p1/configure.ac ---- openssh-5.1p1/configure.ac.nss-keys 2008-07-23 19:16:00.000000000 +0200 -+++ openssh-5.1p1/configure.ac 2008-07-23 19:16:00.000000000 +0200 -@@ -3328,6 +3328,20 @@ AC_ARG_WITH(linux-audit, - fi ] +--- openssh-5.1p1/configure.ac.nss-keys 2008-11-18 19:11:41.000000000 +0100 ++++ openssh-5.1p1/configure.ac 2008-11-18 19:12:38.000000000 +0100 +@@ -3436,6 +3436,20 @@ AC_ARG_WITH(kerberos5, + ] ) +# Check whether user wants NSS support @@ -327,20 +327,20 @@ diff -up openssh-5.1p1/configure.ac.nss-keys openssh-5.1p1/configure.ac + ]) +AC_SUBST(LIBNSS) + - # Check whether user wants Kerberos 5 support - KRB5_MSG="no" - AC_ARG_WITH(kerberos5, -@@ -4157,6 +4171,7 @@ echo " OSF SIA support - echo " KerberosV support: $KRB5_MSG" - echo " SELinux support: $SELINUX_MSG" - echo " Linux audit support: $LINUX_AUDIT_MSG" + # Looking for programs, paths and files + + PRIVSEP_PATH=/var/empty +@@ -4163,6 +4177,7 @@ echo " TCP Wrappers support + echo " MD5 password support: $MD5_MSG" + echo " libedit support: $LIBEDIT_MSG" + echo " Solaris process contract support: $SPC_MSG" +echo " NSS support: $LIBNSS_MSG" - echo " Smartcard support: $SCARD_MSG" - echo " S/KEY support: $SKEY_MSG" - echo " TCP Wrappers support: $TCPW_MSG" + echo " IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG" + echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG" + echo " BSD Auth support: $BSD_AUTH_MSG" diff -up /dev/null openssh-5.1p1/README.nss ---- /dev/null 2008-07-15 11:15:04.125063641 +0200 -+++ openssh-5.1p1/README.nss 2008-07-23 19:16:00.000000000 +0200 +--- /dev/null 2008-11-17 17:51:52.160001870 +0100 ++++ openssh-5.1p1/README.nss 2008-11-18 19:11:41.000000000 +0100 @@ -0,0 +1,36 @@ +How to use NSS tokens with OpenSSH? + 
@@ -380,7 +380,7 @@ diff -up /dev/null openssh-5.1p1/README.nss + $ ssh-keygen -n -D 'My PKCS11 Token' 'My Key ID' diff -up openssh-5.1p1/authfd.c.nss-keys openssh-5.1p1/authfd.c --- openssh-5.1p1/authfd.c.nss-keys 2006-09-01 07:38:36.000000000 +0200 -+++ openssh-5.1p1/authfd.c 2008-07-23 19:16:00.000000000 +0200 ++++ openssh-5.1p1/authfd.c 2008-11-18 19:11:41.000000000 +0100 @@ -626,6 +626,45 @@ ssh_update_card(AuthenticationConnection return decode_reply(type); } @@ -429,7 +429,7 @@ diff -up openssh-5.1p1/authfd.c.nss-keys openssh-5.1p1/authfd.c * by normal applications. diff -up openssh-5.1p1/readconf.h.nss-keys openssh-5.1p1/readconf.h --- openssh-5.1p1/readconf.h.nss-keys 2008-06-29 16:04:03.000000000 +0200 -+++ openssh-5.1p1/readconf.h 2008-07-23 19:16:00.000000000 +0200 ++++ openssh-5.1p1/readconf.h 2008-11-18 19:11:41.000000000 +0100 @@ -84,6 +84,8 @@ typedef struct { char *preferred_authentications; char *bind_address; /* local socket address for connection to sshd */ @@ -440,8 +440,8 @@ diff -up openssh-5.1p1/readconf.h.nss-keys openssh-5.1p1/readconf.h int num_identity_files; /* Number of files for RSA/DSA identities. */ diff -up /dev/null openssh-5.1p1/nsskeys.c ---- /dev/null 2008-07-15 11:15:04.125063641 +0200 -+++ openssh-5.1p1/nsskeys.c 2008-07-23 19:16:00.000000000 +0200 +--- /dev/null 2008-11-17 17:51:52.160001870 +0100 ++++ openssh-5.1p1/nsskeys.c 2008-11-18 19:11:41.000000000 +0100 @@ -0,0 +1,327 @@ +/* + * Copyright (c) 2001 Markus Friedl. All rights reserved. @@ -772,7 +772,7 @@ diff -up /dev/null openssh-5.1p1/nsskeys.c +#endif /* HAVE_LIBNSS */ diff -up openssh-5.1p1/ssh.c.nss-keys openssh-5.1p1/ssh.c --- openssh-5.1p1/ssh.c.nss-keys 2008-07-04 04:53:50.000000000 +0200 -+++ openssh-5.1p1/ssh.c 2008-07-23 19:16:00.000000000 +0200 ++++ openssh-5.1p1/ssh.c 2008-11-18 19:11:41.000000000 +0100 @@ -104,6 +104,9 @@ #ifdef SMARTCARD #include "scard.h" 
@@ -825,8 +825,8 @@ diff -up openssh-5.1p1/ssh.c.nss-keys openssh-5.1p1/ssh.c fatal("load_public_identity_files: getpwuid failed"); pwname = xstrdup(pw->pw_name); diff -up /dev/null openssh-5.1p1/nsskeys.h ---- /dev/null 2008-07-15 11:15:04.125063641 +0200 -+++ openssh-5.1p1/nsskeys.h 2008-07-23 19:16:00.000000000 +0200 +--- /dev/null 2008-11-17 17:51:52.160001870 +0100 ++++ openssh-5.1p1/nsskeys.h 2008-11-18 19:11:41.000000000 +0100 @@ -0,0 +1,39 @@ +/* + * Copyright (c) 2001 Markus Friedl. All rights reserved. @@ -869,7 +869,7 @@ diff -up /dev/null openssh-5.1p1/nsskeys.h +#endif diff -up openssh-5.1p1/Makefile.in.nss-keys openssh-5.1p1/Makefile.in --- openssh-5.1p1/Makefile.in.nss-keys 2008-07-08 16:21:12.000000000 +0200 -+++ openssh-5.1p1/Makefile.in 2008-07-23 19:16:00.000000000 +0200 ++++ openssh-5.1p1/Makefile.in 2008-11-18 19:11:41.000000000 +0100 @@ -71,7 +71,7 @@ LIBSSH_OBJS=acss.o authfd.o authfile.o b atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o \ monitor_fdpass.o rijndael.o ssh-dss.o ssh-rsa.o dh.o kexdh.o \ @@ -881,7 +881,7 @@ diff -up openssh-5.1p1/Makefile.in.nss-keys openssh-5.1p1/Makefile.in sshconnect.o sshconnect1.o sshconnect2.o mux.o diff -up openssh-5.1p1/key.h.nss-keys openssh-5.1p1/key.h --- openssh-5.1p1/key.h.nss-keys 2008-06-12 20:40:35.000000000 +0200 -+++ openssh-5.1p1/key.h 2008-07-23 19:16:00.000000000 +0200 ++++ openssh-5.1p1/key.h 2008-11-18 19:11:41.000000000 +0100 @@ -29,11 +29,17 @@ #include #include @@ -933,7 +933,7 @@ diff -up openssh-5.1p1/key.h.nss-keys openssh-5.1p1/key.h int key_equal(const Key *, const Key *); diff -up openssh-5.1p1/ssh-add.c.nss-keys openssh-5.1p1/ssh-add.c --- openssh-5.1p1/ssh-add.c.nss-keys 2008-02-28 09:13:52.000000000 +0100 -+++ openssh-5.1p1/ssh-add.c 2008-07-23 19:16:00.000000000 +0200 ++++ openssh-5.1p1/ssh-add.c 2008-11-18 19:11:41.000000000 +0100 @@ -44,6 +44,14 @@ #include #include "openbsd-compat/openssl-compat.h" 
@@ -1162,7 +1162,7 @@ diff -up openssh-5.1p1/ssh-add.c.nss-keys openssh-5.1p1/ssh-add.c struct passwd *pw; diff -up openssh-5.1p1/ssh-rsa.c.nss-keys openssh-5.1p1/ssh-rsa.c --- openssh-5.1p1/ssh-rsa.c.nss-keys 2006-09-01 07:38:37.000000000 +0200 -+++ openssh-5.1p1/ssh-rsa.c 2008-07-23 19:16:00.000000000 +0200 ++++ openssh-5.1p1/ssh-rsa.c 2008-11-18 19:11:41.000000000 +0100 @@ -32,6 +32,10 @@ #include "compat.h" #include "ssh.h" @@ -1235,7 +1235,7 @@ diff -up openssh-5.1p1/ssh-rsa.c.nss-keys openssh-5.1p1/ssh-rsa.c buffer_put_cstring(&b, "ssh-rsa"); diff -up openssh-5.1p1/ssh-keygen.c.nss-keys openssh-5.1p1/ssh-keygen.c --- openssh-5.1p1/ssh-keygen.c.nss-keys 2008-07-14 03:28:29.000000000 +0200 -+++ openssh-5.1p1/ssh-keygen.c 2008-07-23 19:16:00.000000000 +0200 ++++ openssh-5.1p1/ssh-keygen.c 2008-11-18 19:11:41.000000000 +0100 @@ -53,6 +53,11 @@ #include "scard.h" #endif @@ -1339,7 +1339,7 @@ diff -up openssh-5.1p1/ssh-keygen.c.nss-keys openssh-5.1p1/ssh-keygen.c if (download) diff -up openssh-5.1p1/readconf.c.nss-keys openssh-5.1p1/readconf.c --- openssh-5.1p1/readconf.c.nss-keys 2008-06-29 16:04:03.000000000 +0200 -+++ openssh-5.1p1/readconf.c 2008-07-23 19:16:00.000000000 +0200 ++++ openssh-5.1p1/readconf.c 2008-11-18 19:11:41.000000000 +0100 @@ -124,6 +124,7 @@ typedef enum { oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias, oDynamicForward, oPreferredAuthentications, oHostbasedAuthentication, diff --git a/openssh.spec b/openssh.spec index a6fc526..6d30b3e 100644 --- a/openssh.spec +++ b/openssh.spec 
@@ -60,10 +60,10 @@ %define libedit 0 %endif -Summary: The OpenSSH implementation of SSH protocol versions 1 and 2 +Summary: An open source implementation of SSH protocol versions 1 and 2 Name: openssh Version: 5.1p1 -Release: 3%{?dist}%{?rescue_rel} +Release: 4%{?dist}%{?rescue_rel} URL: http://www.openssh.com/portable.html #Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz #Source1: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.asc @@ -148,12 +148,12 @@ BuildRequires: audit-libs >= 1.0.8 BuildRequires: xauth %package clients -Summary: The OpenSSH client applications +Summary: An open source SSH client applications Requires: openssh = %{version}-%{release} Group: Applications/Internet %package server -Summary: The OpenSSH server daemon +Summary: An open source SSH server daemon Group: System Environment/Daemons Requires: openssh = %{version}-%{release} Requires(post): chkconfig >= 0.9, /sbin/service @@ -175,8 +175,7 @@ untrusted hosts over an insecure network. X11 connections and arbitrary TCP/IP ports can also be forwarded over the secure channel. OpenSSH is OpenBSD's version of the last free version of SSH, bringing -it up to date in terms of security and features, as well as removing -all patented algorithms to separate libraries. +it up to date in terms of security and features. This package includes the core files necessary for both the OpenSSH client and server. To make this package useful, you should also 
@@ -186,14 +185,12 @@ install openssh-clients, openssh-server, or both. OpenSSH is a free version of SSH (Secure SHell), a program for logging into and executing commands on a remote machine. This package includes the clients necessary to make encrypted connections to SSH servers. -You'll also need to install the openssh package on OpenSSH clients. %description server OpenSSH is a free version of SSH (Secure SHell), a program for logging into and executing commands on a remote machine. This package contains the secure shell daemon (sshd). The sshd daemon allows SSH clients to -securely connect to your SSH server. You also need to have the openssh -package installed. +securely connect to your SSH server. %description askpass OpenSSH is a free version of SSH (Secure SHell), a program for logging @@ -482,6 +479,11 @@ fi %endif %changelog +* Thu Dec 11 2008 Tomas Mraz - 5.1p1-4 +- set FD_CLOEXEC on channel sockets (#475866) +- adjust summary +- adjust nss-keys patch so it is applicable without selinux patches (#470859) + * Fri Oct 17 2008 Tomas Mraz - 5.1p1-3 - fix compatibility with some servers (#466818)