--- Begin Message ---
Package: ssh
Version: 1:3.8.1p1-8.sarge.4
Severity: important

I'm trying to install the fix for DSA 1212-1 on a sarge system (with
some individual newer packages).

The upgrade fails to install:

Preparing to replace ssh 1:3.8.1p1-8.sarge.4 (using .../ssh_1%3a3.8.1p1-8.sarge.6_i386.deb) ...
Unpacking replacement ssh ...
dpkg: error processing /var/cache/apt/archives/ssh_1%3a3.8.1p1-8.sarge.6_i386.deb (--unpack):
trying to overwrite `/usr/bin/ssh', which is also in package openssh-client
dpkg-deb: subprocess paste killed by signal (Broken pipe)

I'm not sure how this one should be classified--it doesn't actually
"introduce a security hole" and it doesn't make my existing ssh
"unusable" to anyone per se. But its effect is at least as serious as
DSA 1212-1 itself.

-- System Information:
Debian Release: 3.1
APT prefers unstable
APT policy: (50, 'unstable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.11
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=ANSI_X3.4-1968) (ignored: LC_ALL set to C)
Versions of packages ssh depends on:
ii adduser 3.63 Add and remove users and groups
ii debconf 1.4.50 Debian configuration management sy
ii dpkg 1.10.28 Package maintenance system for Deb
ii libc6 2.3.2.ds1-22sarge4 GNU C Library: Shared libraries an
ii libpam-modules 0.76-22 Pluggable Authentication Modules f
ii libpam-runtime 0.76-22 Runtime support for the PAM librar
ii libpam0g 0.76-22 Pluggable Authentication Modules l
ii libssl0.9.7 0.9.7g-1 SSL shared libraries
ii libwrap0 7.6.dbs-8 Wietse Venema's TCP wrappers libra
ii zlib1g 1:1.2.2-4.sarge.2 compression library - runtime
-- debconf information:
ssh/insecure_rshd:
ssh/ssh2_keys_merged:
ssh/user_environment_tell:
* ssh/forward_warning:
ssh/insecure_telnetd:
ssh/new_config: true
* ssh/use_old_init_script: true
ssh/protocol2_only: true
ssh/encrypted_host_key_but_no_keygen:
* ssh/run_sshd: true
* ssh/SUID_client: true
ssh/disable_cr_auth: false
--- End Message ---
--- Begin Message ---
On Sun, Nov 19, 2006 at 01:22:44PM +0700, Jeroen Vermeulen wrote:
> I'm trying to install the fix for DSA 1212-1 on a sarge system (with
> some individual newer packages).
>
> The upgrade fails to install:
>
> Preparing to replace ssh 1:3.8.1p1-8.sarge.4 (using .../ssh_1%3a3.8.1p1-8.sarge.6_i386.deb) ...
> Unpacking replacement ssh ...
> dpkg: error processing /var/cache/apt/archives/ssh_1%3a3.8.1p1-8.sarge.6_i386.deb (--unpack):
> trying to overwrite `/usr/bin/ssh', which is also in package openssh-client
> dpkg-deb: subprocess paste killed by signal (Broken pipe)
>
> I'm not sure how this one should be classified--it doesn't actually
> "introduce a security hole" and it doesn't make my existing ssh
> "unusable" to anyone per se. But its effect is at least as serious as
> DSA 1212-1 itself.

DSA 1212-1 says:

  For the stable distribution (sarge), these problems have been fixed in
  version 1:3.8.1p1-8.sarge.6.

  For the unstable and testing distributions, these problems have been fixed
  in version 1:4.3p2-4.

You already have openssh-client installed from post-sarge (you must
have, since openssh-client didn't exist in sarge), so you need to use
the security update from testing/unstable, not the one from sarge.

Since openssh-client currently Conflicts/Replaces ssh (<< 1:3.8.1p1-9),
I assume that either you forced it in, or you upgraded to it before
1:4.2p1-1 when I fixed bug #324695. If the latter, then you should
probably upgrade openssh-client.

Cheers,

--
Colin Watson [cjwatson@debian.org]
--- End Message ---
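
The version reasoning in the reply above, as an added example that is not part of the original thread or of any Debian tool: a small Debian version comparison used to pick which DSA 1212-1 fixed version applies to a host. The function names, the rule "a host with openssh-client follows the testing/unstable track" and the sample openssh-client version are assumptions made for illustration.

```python
import re
from itertools import zip_longest

SARGE_FIX = "1:3.8.1p1-8.sarge.6"   # DSA 1212-1 fix for stable (sarge)
POST_SARGE_FIX = "1:4.3p2-4"        # DSA 1212-1 fix for testing/unstable
CONFLICT_BOUND = "1:3.8.1p1-9"      # openssh-client Conflicts/Replaces ssh (<< this)

def _order(c):
    # dpkg ordering inside a non-digit run: '~' first, then end of run (0),
    # then letters, then every other character.
    if c == "~":
        return -1
    return ord(c) if c.isalpha() else ord(c) + 256

def _key(part):
    # Alternating (non-digit run, number) pairs, compared left to right.
    return [([_order(c) for c in nd] + [0], int(d or 0))
            for nd, d in re.findall(r"(\D*)(\d*)", part)]

def _cmp_part(a, b):
    for x, y in zip_longest(_key(a), _key(b), fillvalue=([0], 0)):
        if x != y:
            return -1 if x < y else 1
    return 0

def _split(v):
    epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
    upstream, sep, rev = rest.rpartition("-")
    return int(epoch), (upstream if sep else rest), (rev if sep else "")

def deb_cmp(a, b):
    """Return -1, 0 or 1 following Debian version ordering."""
    (ea, ua, ra), (eb, ub, rb) = _split(a), _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_part(ua, ub) or _cmp_part(ra, rb)

def fix_track(installed):
    """installed: {package: version}. Returns (package, fixed_version, is_fixed)."""
    # Assumption: a host with openssh-client follows the testing/unstable track.
    pkg, fixed = (("openssh-client", POST_SARGE_FIX)
                  if "openssh-client" in installed else ("ssh", SARGE_FIX))
    return pkg, fixed, deb_cmp(installed[pkg], fixed) >= 0

if __name__ == "__main__":
    # Constructed host: the openssh-client version is a placeholder, not from the report.
    mixed = {"ssh": "1:3.8.1p1-8.sarge.4", "openssh-client": "1:4.1p1-1"}
    print(fix_track(mixed))
    print("sarge fix inside Conflicts range:", deb_cmp(SARGE_FIX, CONFLICT_BOUND) < 0)
```

On a real system, `dpkg --compare-versions` performs the same comparison and `dpkg -S /usr/bin/ssh` shows which package owns the file.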