diff --git a/ChangeLog b/ChangeLog
index d6e3890f1..a149b0a54 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -10,6 +10,13 @@
    - markus@cvs.openbsd.org 2006/12/11 21:25:46
      [ssh-keygen.1 ssh.1]
      add rfc 4716 (public key format); ok jmc
+   - djm@cvs.openbsd.org 2006/12/12 03:58:42
+     [channels.c compat.c compat.h]
+     bz #1019: some ssh.com versions apparently can't cope with the
+     remote port forwarding bind_address being a hostname, so send
+     them an address for cases where they are not explicitly
+     specified (wildcard or localhost bind).  reported by daveroth AT
+     acm.org; ok dtucker@ deraadt@
 
 20061205
  - (djm) [auth.c] Fix NULL pointer dereference in fakepw().  Crash would
@@ -2630,4 +2637,4 @@
    OpenServer 6 and add osr5bigcrypt support so when someone migrates
    passwords between UnixWare and OpenServer they will still work. OK dtucker@
 
-$Id: ChangeLog,v 1.4594 2007/01/05 05:25:46 djm Exp $
+$Id: ChangeLog,v 1.4595 2007/01/05 05:26:45 djm Exp $
diff --git a/channels.c b/channels.c
index 26b63a1aa..6be121970 100644
--- a/channels.c
+++ b/channels.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: channels.c,v 1.266 2006/08/29 10:40:18 djm Exp $ */
+/* $OpenBSD: channels.c,v 1.267 2006/12/12 03:58:42 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -2525,11 +2525,18 @@ channel_request_remote_forwarding(const char *listen_host, u_short listen_port,
 	/* Send the forward request to the remote side. */
 	if (compat20) {
 		const char *address_to_bind;
-		if (listen_host == NULL)
-			address_to_bind = "localhost";
-		else if (*listen_host == '\0' || strcmp(listen_host, "*") == 0)
-			address_to_bind = "";
-		else
+		if (listen_host == NULL) {
+			if (datafellows & SSH_BUG_RFWD_ADDR)
+				address_to_bind = "127.0.0.1";
+			else
+				address_to_bind = "localhost";
+		} else if (*listen_host == '\0' ||
+			   strcmp(listen_host, "*") == 0) {
+			if (datafellows & SSH_BUG_RFWD_ADDR)
+				address_to_bind = "0.0.0.0";
+			else
+				address_to_bind = "";
+		} else
 			address_to_bind = listen_host;
 
 		packet_start(SSH2_MSG_GLOBAL_REQUEST);
diff --git a/compat.c b/compat.c
index da67f9410..bc1131581 100644
--- a/compat.c
+++ b/compat.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: compat.c,v 1.76 2006/08/03 03:34:42 deraadt Exp $ */
+/* $OpenBSD: compat.c,v 1.77 2006/12/12 03:58:42 djm Exp $ */
 /*
  * Copyright (c) 1999, 2000, 2001, 2002 Markus Friedl.  All rights reserved.
  *
@@ -133,7 +133,8 @@ compat_datafellows(const char *version)
 		{ "2.3.*",		SSH_BUG_DEBUG|SSH_BUG_RSASIGMD5|
 					SSH_BUG_FIRSTKEX },
 		{ "2.4",		SSH_OLD_SESSIONID },	/* Van Dyke */
-		{ "2.*",		SSH_BUG_DEBUG|SSH_BUG_FIRSTKEX },
+		{ "2.*",		SSH_BUG_DEBUG|SSH_BUG_FIRSTKEX|
+					SSH_BUG_RFWD_ADDR },
 		{ "3.0.*",		SSH_BUG_DEBUG },
 		{ "3.0 SecureCRT*",	SSH_OLD_SESSIONID },
 		{ "1.7 SecureFX*",	SSH_OLD_SESSIONID },
diff --git a/compat.h b/compat.h
index 83d469d53..4d8ebc908 100644
--- a/compat.h
+++ b/compat.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: compat.h,v 1.40 2006/03/25 22:22:43 djm Exp $ */
+/* $OpenBSD: compat.h,v 1.41 2006/12/12 03:58:42 djm Exp $ */
 
 /*
  * Copyright (c) 1999, 2000, 2001 Markus Friedl.  All rights reserved.
@@ -56,6 +56,7 @@
 #define SSH_BUG_PROBE		0x00400000
 #define SSH_BUG_FIRSTKEX	0x00800000
 #define SSH_OLD_FORWARD_ADDR	0x01000000
+#define SSH_BUG_RFWD_ADDR	0x02000000
 
 void     enable_compat13(void);
 void     enable_compat20(void);