changeset 996:47643024fc90
Disable non-delayed zlib for server
author | Matt Johnston <matt@ucc.asn.au> |
---|---|
date | Wed, 28 Jan 2015 21:38:27 +0800 |
parents | 6fb4c010c448 |
children | e75316906852 3a32727986ee 295a08e9d07e |
files | algo.h cli-runopts.c common-algo.c common-kex.c options.h runopts.h svr-runopts.c |
diffstat | 7 files changed, 43 insertions(+), 11 deletions(-) [+] |
--- a/algo.h Sat Jan 24 00:05:26 2015 +0800
+++ b/algo.h Wed Jan 28 21:38:27 2015 +0800
@@ -51,6 +51,7 @@
 extern algo_type sshciphers[];
 extern algo_type sshhashes[];
 extern algo_type ssh_compress[];
+extern algo_type ssh_delaycompress[];
 extern algo_type ssh_nocompress[];
 extern const struct dropbear_cipher dropbear_nocipher;
--- a/cli-runopts.c Sat Jan 24 00:05:26 2015 +0800
+++ b/cli-runopts.c Wed Jan 28 21:38:27 2015 +0800
@@ -156,7 +156,7 @@
 cli_opts.proxycmd = NULL;
 #endif
 #ifndef DISABLE_ZLIB
- opts.enable_compress = 1;
+ opts.compress_mode = DROPBEAR_COMPRESS_ON;
 #endif
 #ifdef ENABLE_USER_ALGO_LIST
 opts.cipher_list = NULL;
@@ -609,7 +609,7 @@
 passthrough_args, remainder);
 #ifndef DISABLE_ZLIB
 /* The stream will be incompressible since it's encrypted. */
- opts.enable_compress = 0;
+ opts.compress_mode = DROPBEAR_COMPRESS_OFF;
 #endif
 m_free(passthrough_args);
 }
--- a/common-algo.c Sat Jan 24 00:05:26 2015 +0800
+++ b/common-algo.c Wed Jan 28 21:38:27 2015 +0800
@@ -205,6 +205,12 @@
 {"none", DROPBEAR_COMP_NONE, NULL, 1, NULL},
 {NULL, 0, NULL, 0, NULL}
 };
+
+algo_type ssh_delaycompress[] = {
+ {"[email protected]", DROPBEAR_COMP_ZLIB_DELAY, NULL, 1, NULL},
+ {"none", DROPBEAR_COMP_NONE, NULL, 1, NULL},
+ {NULL, 0, NULL, 0, NULL}
+};
 #endif
 algo_type ssh_nocompress[] = {
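Review bot: The method name in the new ssh_delaycompress table renders on this page as `[email protected]`, which looks like the page's e-mail obfuscation rather than the committed string; the entry is only ever negotiated if it is byte-for-byte the OpenSSH delayed-compression method name `zlib@openssh.com`, and a mismatch would silently fall through to `none` for every client, so it is worth confirming in the source (the options.h comment in this changeset shows the same rendering). Keeping `none` second in the table is the right fallback: a peer without delayed-compression support still completes key exchange uncompressed instead of failing. The table would benefit from a one-line comment stating why plain `zlib` is deliberately absent, e.g. `/* "zlib" omitted on purpose: pre-auth compression would expose zlib to unauthenticated peers */`.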
--- a/common-kex.c Sat Jan 24 00:05:26 2015 +0800
+++ b/common-kex.c Wed Jan 28 21:38:27 2015 +0800
@@ -238,14 +238,24 @@
 void kexfirstinitialise() {
 ses.kexstate.donefirstkex = 0;
-#ifndef DISABLE_ZLIB
- if (opts.enable_compress) {
- ses.compress_algos = ssh_compress;
- } else
+#ifdef DISABLE_ZLIB
+ ses.compress_algos = ssh_nocompress;
+#else
+ switch (opts.compress_mode)
+ {
+ case DROPBEAR_COMPRESS_DELAYED:
+ ses.compress_algos = ssh_delaycompress;
+ break;
+
+ case DROPBEAR_COMPRESS_ON:
+ ses.compress_algos = ssh_compress;
+ break;
+
+ case DROPBEAR_COMPRESS_OFF:
+ ses.compress_algos = ssh_nocompress;
+ break;
+ }
 #endif
- {
- ses.compress_algos = ssh_nocompress;
- }
 kexinitialise();
 }
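Review bot: The new switch in kexfirstinitialise has no `default` arm, so any compress_mode value outside the three enumerators leaves ses.compress_algos at whatever it held before the call instead of failing closed to no compression; the replaced if/else always assigned one of the two tables. Add `default: ses.compress_algos = ssh_nocompress; break;` so an unexpected value selects the safest option rather than an unset pointer. As a point of style, `switch (opts.compress_mode)` followed by `{` on its own line departs from the K&R brace placement used by the surrounding code (`void kexfirstinitialise() {`), and the blank lines between cases could go. The whole function is visible in the hunk.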
--- a/options.h Sat Jan 24 00:05:26 2015 +0800
+++ b/options.h Wed Jan 28 21:38:27 2015 +0800
@@ -174,6 +174,11 @@
 #define DROPBEAR_ZLIB_WINDOW_BITS 15
 #endif
+/* Server won't allow zlib compression until after authentication. Prevents
+ flaws in the zlib library being unauthenticated exploitable flaws.
+ Some old ssh clients may not support the alternative [email protected] method */
+#define DROPBEAR_SERVER_DELAY_ZLIB 1
+
 /* Whether to do reverse DNS lookups. */
 /*#define DO_HOST_LOOKUP */
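Review bot: The new comment does not say how the option is turned off, and the answer matters for security: svr-runopts.c in this changeset tests it with `#if DROPBEAR_SERVER_DELAY_ZLIB`, so both `#define DROPBEAR_SERVER_DELAY_ZLIB 0` and removing the line re-enable pre-authentication zlib, which is the opposite of the comment-out convention used by `/*#define DO_HOST_LOOKUP */` directly below. Suggest appending `Set to 0 to allow zlib before authentication; this exposes zlib to unauthenticated peers.` The second sentence also reads awkwardly; `Prevents flaws in the zlib library from being exploitable by unauthenticated peers.` states the threat more directly.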
--- a/runopts.h Sat Jan 24 00:05:26 2015 +0800
+++ b/runopts.h Wed Jan 28 21:38:27 2015 +0800
@@ -44,7 +44,11 @@
 /* TODO: add a commandline flag. Currently this is on by default if compression
 * is compiled in, but disabled for a client's non-final multihop stages. (The
 * intermediate stages are compressed streams, so are uncompressible. */
- int enable_compress;
+ enum {
+ DROPBEAR_COMPRESS_DELAYED, /* Server only */
+ DROPBEAR_COMPRESS_ON,
+ DROPBEAR_COMPRESS_OFF,
+ } compress_mode;
 #endif
 #ifdef ENABLE_USER_ALGO_LIST
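Review bot: The comment kept above the new enum still says compression "is on by default if compression is compiled in", which is stale now that svr-runopts.c in this changeset defaults the server to DROPBEAR_COMPRESS_DELAYED; update it to something like `Server defaults to DROPBEAR_COMPRESS_DELAYED (zlib only after auth), client to DROPBEAR_COMPRESS_ON; a client's non-final multihop stages use DROPBEAR_COMPRESS_OFF.` DROPBEAR_COMPRESS_DELAYED is also the zero enumerator, so a zero-initialised runopts would silently select the server-only delayed mode; listing DROPBEAR_COMPRESS_OFF first would make the implicit value the fail-closed one. Both runopts initialisers in this changeset do assign the field explicitly under `#ifndef DISABLE_ZLIB`, so this is defensive rather than a live bug. The enclosing struct begins and ends outside the hunk.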
--- a/svr-runopts.c Sat Jan 24 00:05:26 2015 +0800
+++ b/svr-runopts.c Wed Jan 28 21:38:27 2015 +0800
@@ -140,9 +140,15 @@
 #ifdef ENABLE_SVR_REMOTETCPFWD
 svr_opts.noremotetcp = 0;
 #endif
+
 #ifndef DISABLE_ZLIB
- opts.enable_compress = 1;
+#if DROPBEAR_SERVER_DELAY_ZLIB
+ opts.compress_mode = DROPBEAR_COMPRESS_DELAYED;
+#else
+ opts.compress_mode = DROPBEAR_COMPRESS_ON;
 #endif
+#endif
+
 /* not yet
 opts.ipv4 = 1;
 opts.ipv6 = 1;
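Review bot: Because the inner test is `#if DROPBEAR_SERVER_DELAY_ZLIB`, a build whose options.h no longer defines the macro (the comment-out convention that file uses for other options) evaluates it as 0 and silently falls to DROPBEAR_COMPRESS_ON, i.e. the less safe pre-authentication zlib; `#if !defined(DROPBEAR_SERVER_DELAY_ZLIB) || DROPBEAR_SERVER_DELAY_ZLIB` keeps delayed mode as the fail-closed default when the macro is absent. The two bare `#endif` lines closing the nested conditionals are also easy to mis-pair; label them `#endif /* DROPBEAR_SERVER_DELAY_ZLIB */` and `#endif /* DISABLE_ZLIB */`. The enclosing function starts and ends outside the hunk.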