
Bug#732940: Breaks ssh: OpenSSL version mismatch. Built against 1000105f, you have 10001060



Josh Triplett wrote:
> I upgraded OpenSSL and OpenSSH stopped working.  Since the SONAME didn't
> change, kinda by definition this seems like a bug in OpenSSL, not
> OpenSSH.

That "by definition" only holds if you assume all applications are
perfect software with no bugs whatsoever, and use libraries strictly
according to their formal API only (however badly that API is often
defined in practice). In reality it's quite common for perfectly
ABI-compatible updates to break other software (or perhaps that should
be phrased "make the brokenness of other software have visible
effects").

In this case the breakage seems to be caused by an explicit version
check in OpenSSH. There's this code in entropy.c:

>         * OpenSSL version numbers: MNNFFPPS: major minor fix patch status
>          * We match major, minor, fix and status (not patch) for <1.0.0.
>          * After that, we acceptable compatible fix versions (so we
>          * allow 1.0.1 to work with 1.0.0). Going backwards is only allowed
>          * within a patch series.
>          */
>         u_long version_mask = SSLeay() >= 0x1000000f ?  ~0xffff0L : ~0xff0L;
>         if (((SSLeay() ^ OPENSSL_VERSION_NUMBER) & version_mask) ||
>             (SSLeay() >> 12) < (OPENSSL_VERSION_NUMBER >> 12))
>                 fatal("OpenSSL version mismatch. Built against %lx, you "
>                     "have %lx", (u_long)OPENSSL_VERSION_NUMBER, SSLeay());

For some weird reason the last byte "status" is not masked out of the
comparison. This libssl update changed the version from "1.0.1e release"
to "1.0.1f beta0", and the release->beta0 (f to 0) change in last byte
triggers the check.

The OpenSSH Debian package has this changelog entry:
openssh (1:5.9p1-4) unstable; urgency=low

  * Disable OpenSSL version check again, as its SONAME is sufficient
    nowadays (closes: #664383).

but apparently it was either not really disabled or was enabled again
for some reason; I see no changelog entry for that.
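
Added example, not part of the original message and not OpenSSH code: the quoted check with SSLeay() and OPENSSL_VERSION_NUMBER replaced by parameters, run on the two values from the bug title. check_ignoring_status() is a hypothetical variant, and the 0x1000106f and 0x1000005f inputs are constructed from the MNNFFPPS layout.

```c
#include <stdio.h>

/* Version layout from the quoted comment: MNNFFPPS
 * (major, minor, fix, patch, status); status is the low nibble. */
#define STATUS_NIBBLE 0xfUL

/* The check as quoted from entropy.c, parameterised for testing:
 * built = OPENSSL_VERSION_NUMBER, runtime = SSLeay(). Nonzero means fatal(). */
static int check_as_quoted(unsigned long built, unsigned long runtime)
{
    unsigned long mask = runtime >= 0x1000000fUL ? ~0xffff0UL : ~0xff0UL;
    return ((runtime ^ built) & mask) || (runtime >> 12) < (built >> 12);
}

/* Hypothetical variant (an assumption, not an OpenSSH fix): the same
 * check with the status nibble also removed from the comparison. */
static int check_ignoring_status(unsigned long built, unsigned long runtime)
{
    unsigned long mask = runtime >= 0x1000000fUL ? ~0xffff0UL : ~0xff0UL;
    mask &= ~STATUS_NIBBLE;
    return ((runtime ^ built) & mask) || (runtime >> 12) < (built >> 12);
}

/* Differing bits that survive the >= 1.0.0 mask, i.e. what trips the
 * first half of the condition. */
static unsigned long offending_bits(unsigned long built, unsigned long runtime)
{
    return (runtime ^ built) & ~0xffff0UL;
}

int main(void)
{
    const unsigned long built = 0x1000105fUL;   /* from the bug title */
    const unsigned long runtimes[] = {
        0x10001060UL,   /* from the bug title */
        0x1000106fUL,   /* constructed: same patch level, status f */
        0x1000005fUL,   /* constructed: older fix level */
    };
    for (size_t i = 0; i < sizeof runtimes / sizeof runtimes[0]; i++)
        printf("built %lx runtime %lx: quoted=%d ignoring_status=%d bits=%lx\n",
               built, runtimes[i],
               check_as_quoted(built, runtimes[i]),
               check_ignoring_status(built, runtimes[i]),
               offending_bits(built, runtimes[i]));
    return 0;
}
```

For the pair in the bug title the only surviving bits are 0xf, the status nibble; the second half of the condition is false because both values shift down to 0x10001.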

