Package: openssh-client Version: 1:8.7p1-1 Severity: normal OpenSSH 8.7 has a bug where the -Y find-principals command segfaults. This breaks the Git testsuite because the functionality is available but doesn't work. As a result, I'm impeded in doing Git development. I am also not the only person doing Git development on Debian unstable. The bug is fixed in OpenSSH 8.8[0], so the easiest solution is to simply upgrade the package to the new version. I am fully aware that it removes support for ssh-rsa (RSA with SHA-1) signatures by default, and I am also fully aware that many clients and servers are broken by that, including ones using the Go SSH library, and I've read #996391. However, none of this should have been a surprise to those implementations, since it was well announced in advance; all of those implementations have been broken with Fedora for some time, which has a default crypto policy excluding SHA-1 signatures; this is strictly a significant improvement in security, since SHA-1 is known to be weak; and there is a well documented workaround for those for whom functionality is important than security. Thus, I'm not especially partial to the idea that we should wait to upgrade because implementations are broken. However, it would also be acceptable to me if the relevant patch were backported to make OpenSSH not segfault, since my main goal is to make the Git testsuite work (and I fundamentally believe that programs should not segfault). Steps to reproduce: 1. sudo apt-get build-dep git 2. sudo apt-get install git build-essential 3. git clone https://github.com/git/git.git 4. cd git 5. make && make test [0] https://www.openssh.com/txt/release-8.8 -- System Information: Debian Release: bookworm/sid APT prefers stable-security APT policy: (500, 'stable-security'), (500, 'unstable'), (500, 'stable'), (500, 'oldstable'), (1, 'experimental') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 5.14.0-3-amd64 (SMP w/8 CPU threads) Kernel taint flags: TAINT_WARN Locale: LANG=fr_FR.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set Shell: /bin/sh linked to /usr/bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled Versions of packages openssh-client depends on: ii adduser 3.118 ii dpkg 1.20.9 ii libc6 2.32-4 ii libedit2 3.1-20210910-1 ii libfido2-1 1.9.0-1 ii libgssapi-krb5-2 1.18.3-7 ii libselinux1 3.3-1 ii libssl1.1 1.1.1l-1 ii passwd 1:4.8.1-2 ii zlib1g 1:1.2.11.dfsg-2 Versions of packages openssh-client recommends: ii xauth 1:1.1-1 Versions of packages openssh-client suggests: pn keychain <none> pn libpam-ssh <none> pn monkeysphere <none> pn ssh-askpass <none> -- no debconf information -- brian m. carlson (he/him or they/them) Toronto, Ontario, CA
Attachment:
signature.asc
Description: PGP signature