[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: openssh_7.2p2+ availability for wheezy

Hi Roberto,

My replies in line below.

On 27/07/2017 14:43, Roberto C. Sánchez wrote:

We have a server running Wheezy 7.1 running openssh_6.0p1 which we are not
ready to rebuild and migrate just yet.
We have recently been asked to update openssh to fix all known security

The Debian Security Team is responsible for ensuring that all known
vulnerabilities are addressed.  OpenSSH is an absolutely critical
package for just about every single Debian installation, so it receives
a great deal of attention.  That said, Debian's policy is to backport
security fixes and that has been the case for OpenSSH during the life
cycle of wheezy.  If you look in the changelog files:


You will see that there have been uploads for several security issues
over the years.  Just make sure that you have the security repository in
the sources.list for the machine(s) in question.

If there is a specific security issue which is not addressed and you
feel it should be, the best thing would be to bring it to the attention
of the security team.

These are the vulnerability I'm referring to and they have been addressed in OpenSSH versions 6.6 and 7.2p2:

Threat 1:

The sshd server fails to validate user-supplied X11 authentication credentials when establishing an X11 forwarding session. An authenticated user may inject
arbitrary xauth commands by sending an x11 channel request that includes a
newline character in the x11 cookie.
Please note that Systems with X11Forwarding enabled are affected.
Affected Versions:
OpenSSH versions prior to 7.2p2

Threat 2:

The security issue is caused by an error within the "child_set_env()" function
(usr.bin/ssh/session.c) and can be exploited to bypass intended environment
restrictions by using a substring before a wildcard character.
Affected Versions:
OpenSSH Versions prior to 6.6 are affected

I have just reviewed:


from Debian 7.11 stamped 9 August 2016 and I can't see any of the above mentioned there.
I've been trying to build my own openssh_7.4p1 package but due to complexity
and/or lack of experience I've been banging my head against errors for days.

If you need help resolving errors with building packages a description
of the steps you have taken along with the actual error messages or
failures you are seeing would make it easier to assist.

When building (as a test, on Wheezy 7.11) from:


I unpack the first and unpack the second (debian directory) inside the first.
Then resolve dependencies and run:

debuild -us -uc

dpkg-source: error: aborting due to unexpected upstream changes, see /tmp/openssh_6.0p1-4+deb7u4.diff.EvXl1D
dpkg-source: info: you can integrate the local changes with dpkg-source --commit
dpkg-buildpackage: error: dpkg-source -b openssh-6.0p1 gave error exit status 2
debuild: fatal error at line 1357:

It sounds like some kind of mismatch.

What I really want to do is to build 7.4p1 which gives a very similar error which I believe has a common cause.

Another thing I've attempted was:

dpkg-buildpackage -b -d

which produced 3200 lines but eventually failed with:

../../config.h:1756:0: note: this is the location of the previous definition
In file included from /usr/include/krb5.h:8:0,
                 from ../../auth.h:42,
                 from ../../sshd.c:111:
/usr/include/krb5/krb5.h:7299:1: error: expected identifier or ‘(’ before ‘do’
/usr/include/krb5/krb5.h:7299:1: error: expected identifier or ‘(’ before ‘while’
make[2]: *** [sshd.o] Error 1
make[2]: Leaving directory `/opt/scratch/openssh-7.4p1/debian/build-deb'
make[1]: *** [override_dh_auto_build-arch] Error 2
make[1]: Leaving directory `/opt/scratch/openssh-7.4p1'
make: *** [build] Error 2
dpkg-buildpackage: error: debian/rules build gave error exit status 2


Reply to: