Bug#399307: marked as done (ssh: Security update breaks)



Your message dated Mon, 20 Nov 2006 11:38:46 +0000
with message-id <20061120113844.GP28442@riva.ucam.org>
and subject line Bug#399307: ssh: Security update breaks
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: ssh
Version: 1:3.8.1p1-8.sarge.4
Severity: important


I'm trying to install the fix for DSA 1212-1 on a sarge system (with
some individual newer packages).

The upgrade fails to install:

Preparing to replace ssh 1:3.8.1p1-8.sarge.4 (using .../ssh_1%3a3.8.1p1-8.sarge.6_i386.deb) ...
Unpacking replacement ssh ...
dpkg: error processing /var/cache/apt/archives/ssh_1%3a3.8.1p1-8.sarge.6_i386.deb (--unpack):
 trying to overwrite `/usr/bin/ssh', which is also in package openssh-client
dpkg-deb: subprocess paste killed by signal (Broken pipe)

I'm not sure how this one should be classified--it doesn't actually
"introduce a security hole" and it doesn't make my existing ssh
"unusable" to anyone per se.  But its effect is at least as serious as
DSA 1212-1 itself.

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (50, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.11
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=ANSI_X3.4-1968) (ignored: LC_ALL set to C)

Versions of packages ssh depends on:
ii  adduser               3.63               Add and remove users and groups
ii  debconf               1.4.50             Debian configuration management sy
ii  dpkg                  1.10.28            Package maintenance system for Deb
ii  libc6                 2.3.2.ds1-22sarge4 GNU C Library: Shared libraries an
ii  libpam-modules        0.76-22            Pluggable Authentication Modules f
ii  libpam-runtime        0.76-22            Runtime support for the PAM librar
ii  libpam0g              0.76-22            Pluggable Authentication Modules l
ii  libssl0.9.7           0.9.7g-1           SSL shared libraries
ii  libwrap0              7.6.dbs-8          Wietse Venema's TCP wrappers libra
ii  zlib1g                1:1.2.2-4.sarge.2  compression library - runtime

-- debconf information:
  ssh/insecure_rshd:
  ssh/ssh2_keys_merged:
  ssh/user_environment_tell:
* ssh/forward_warning:
  ssh/insecure_telnetd:
  ssh/new_config: true
* ssh/use_old_init_script: true
  ssh/protocol2_only: true
  ssh/encrypted_host_key_but_no_keygen:
* ssh/run_sshd: true
* ssh/SUID_client: true
  ssh/disable_cr_auth: false


--- End Message ---
--- Begin Message ---
On Sun, Nov 19, 2006 at 01:22:44PM +0700, Jeroen Vermeulen wrote:
> I'm trying to install the fix for DSA 1212-1 on a sarge system (with
> some individual newer packages).
> 
> The upgrade fails to install:
> 
> Preparing to replace ssh 1:3.8.1p1-8.sarge.4 (using .../ssh_1%3a3.8.1p1-8.sarge.6_i386.deb) ...
> Unpacking replacement ssh ...
> dpkg: error processing /var/cache/apt/archives/ssh_1%3a3.8.1p1-8.sarge.6_i386.deb (--unpack):
>  trying to overwrite `/usr/bin/ssh', which is also in package openssh-client
> dpkg-deb: subprocess paste killed by signal (Broken pipe)
> 
> I'm not sure how this one should be classified--it doesn't actually
> "introduce a security hole" and it doesn't make my existing ssh
> "unusable" to anyone per se.  But its effect is at least as serious as
> DSA 1212-1 itself.

DSA 1212-1 says:

    For the stable distribution (sarge), these problems have been fixed in
    version 1:3.8.1p1-8.sarge.6.

    For the unstable and testing distributions, these problems have been fixed
    in version 1:4.3p2-4.

You already have openssh-client installed from post-sarge (you must
have, since openssh-client didn't exist in sarge), so you need to use
the security update from testing/unstable, not the one from sarge.

Since openssh-client currently Conflicts/Replaces ssh (<< 1:3.8.1p1-9),
I assume that either you forced it in, or you upgraded to it before
1:4.2p1-1 when I fixed bug #324695. If the latter, then you should
probably upgrade openssh-client.

Cheers,

-- 
Colin Watson                                       [cjwatson@debian.org]

--- End Message ---