Your message dated Sat, 13 Nov 2021 14:34:24 +0000
with message-id <E1mlu6q-00063q-3p@fasolo.debian.org>
and subject line Bug#999593: fixed in openssh 1:8.7p1-2
has caused the Debian Bug report #999593,
regarding ssh: segfaults when using -Y find-principals
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)

--
999593: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=999593
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: ssh: segfaults when using -Y find-principals
- From: "brian m. carlson" <sandals@crustytoothpaste.net>
- Date: Sat, 13 Nov 2021 00:03:53 +0000
- Message-id: <YY8A6ZrAy04kE1M0@camp.crustytoothpaste.net>
Package: openssh-client
Version: 1:8.7p1-1
Severity: normal

OpenSSH 8.7 has a bug where the -Y find-principals command segfaults. This breaks the Git testsuite because the functionality is available but doesn't work. As a result, I'm impeded in doing Git development. I am also not the only person doing Git development on Debian unstable.

The bug is fixed in OpenSSH 8.8[0], so the easiest solution is to simply upgrade the package to the new version. I am fully aware that it removes support for ssh-rsa (RSA with SHA-1) signatures by default, and I am also fully aware that many clients and servers are broken by that, including ones using the Go SSH library, and I've read #996391. However, none of this should have been a surprise to those implementations, since it was well announced in advance; all of those implementations have been broken with Fedora for some time, which has a default crypto policy excluding SHA-1 signatures; this is strictly a significant improvement in security, since SHA-1 is known to be weak; and there is a well documented workaround for those for whom functionality is more important than security. Thus, I'm not especially partial to the idea that we should wait to upgrade because implementations are broken.

However, it would also be acceptable to me if the relevant patch were backported to make OpenSSH not segfault, since my main goal is to make the Git testsuite work (and I fundamentally believe that programs should not segfault).

Steps to reproduce:

1. sudo apt-get build-dep git
2. sudo apt-get install git build-essential
3. git clone https://github.com/git/git.git
4. cd git
5. make && make test

[0] https://www.openssh.com/txt/release-8.8

-- System Information:
Debian Release: bookworm/sid
  APT prefers stable-security
  APT policy: (500, 'stable-security'), (500, 'unstable'), (500, 'stable'), (500, 'oldstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.14.0-3-amd64 (SMP w/8 CPU threads)
Kernel taint flags: TAINT_WARN
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages openssh-client depends on:
ii  adduser           3.118
ii  dpkg              1.20.9
ii  libc6             2.32-4
ii  libedit2          3.1-20210910-1
ii  libfido2-1        1.9.0-1
ii  libgssapi-krb5-2  1.18.3-7
ii  libselinux1       3.3-1
ii  libssl1.1         1.1.1l-1
ii  passwd            1:4.8.1-2
ii  zlib1g            1:1.2.11.dfsg-2

Versions of packages openssh-client recommends:
ii  xauth  1:1.1-1

Versions of packages openssh-client suggests:
pn  keychain     <none>
pn  libpam-ssh   <none>
pn  monkeysphere <none>
pn  ssh-askpass  <none>

-- no debconf information

--
brian m. carlson (he/him or they/them)
Toronto, Ontario, CA

Attachment: signature.asc
Description: PGP signature
--- End Message ---
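The command the report says crashes, exercised end to end so a packager or admin can check the installed OpenSSH before and after the fix. This is an added example; it is not code from the bug report, from OpenSSH or from Git. It generates a throwaway ed25519 key (so the ssh-rsa/SHA-1 question raised in the report does not arise), writes an allowed_signers file, signs a constructed message in the "git" namespace the way Git does for commits and tags, then runs ssh-keygen -Y find-principals on the signature. The key path, the principal tester@example.invalid and the payload are all constructed; a missing ssh-keygen on PATH is reported as ssh-keygen-missing rather than treated as a crash.

```shell
#!/bin/sh
# Added example, not part of the Debian bug report: round-trip check for
# "ssh-keygen -Y find-principals". Every name below is constructed.
set -u

# Prints exactly one line:
#   tester@example.invalid   find-principals ran and matched the signer
#   crash:<status>           ssh-keygen died on a signal (139 = 128 + SIGSEGV)
#   error:<status>           ssh-keygen exited non-zero without dying
#   ssh-keygen-missing       no ssh-keygen on PATH, nothing to test
find_principals_check() {
    command -v ssh-keygen >/dev/null 2>&1 || { echo ssh-keygen-missing; return 0; }
    work=$(mktemp -d) || return 1

    # Constructed signer identity; also used as the principal in allowed_signers.
    principal="tester@example.invalid"
    ssh-keygen -q -t ed25519 -N '' -C "$principal" -f "$work/signer" >/dev/null 2>&1 \
        || { rm -rf "$work"; return 1; }

    # allowed_signers line format: <principal> [options] <key type> <base64 key>
    printf '%s %s\n' "$principal" "$(cut -d' ' -f1,2 "$work/signer.pub")" \
        > "$work/allowed_signers"

    # Constructed payload; Git signs commit and tag objects in the "git" namespace.
    printf 'payload to sign\n' > "$work/msg"
    ssh-keygen -Y sign -f "$work/signer" -n git "$work/msg" >/dev/null 2>&1 \
        || { rm -rf "$work"; return 1; }

    # The command the bug is about. Capture its exit status even under "set -e".
    out=$(ssh-keygen -Y find-principals -s "$work/msg.sig" -f "$work/allowed_signers" 2>/dev/null) \
        && status=0 || status=$?
    rm -rf "$work"

    if [ "$status" -gt 128 ]; then
        echo "crash:$status"
    elif [ "$status" -ne 0 ]; then
        echo "error:$status"
    else
        echo "$out"
    fi
    return 0
}

find_principals_check
```

On a build with the NULL dereference the report describes, the last line comes out as crash:139; on a fixed build it prints the principal. The crash is surfaced from the exit status rather than from the absence of output, so an empty result cannot be mistaken for a successful run.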
--- Begin Message ---
- To: 999593-close@bugs.debian.org
- Subject: Bug#999593: fixed in openssh 1:8.7p1-2
- From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
- Date: Sat, 13 Nov 2021 14:34:24 +0000
- Message-id: <E1mlu6q-00063q-3p@fasolo.debian.org>
- Reply-to: Colin Watson <cjwatson@debian.org>
Source: openssh
Source-Version: 1:8.7p1-2
Done: Colin Watson <cjwatson@debian.org>

We believe that the bug you reported is fixed in the latest version of
openssh, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 999593@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Colin Watson <cjwatson@debian.org> (supplier of updated openssh package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 13 Nov 2021 13:40:50 +0000
Source: openssh
Architecture: source
Version: 1:8.7p1-2
Distribution: unstable
Urgency: medium
Maintainer: Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Closes: 999593
Changes:
 openssh (1:8.7p1-2) unstable; urgency=medium
 .
   * Backport from upstream:
     - Avoid NULL deref in -Y find-principals (closes: #999593).
Checksums-Sha1:
 041b9d382a6f9126c1ac9f136588970218ae4948 3382 openssh_8.7p1-2.dsc
 3f78b356f043407e7634e28004c44055f1decdd2 186492 openssh_8.7p1-2.debian.tar.xz
Checksums-Sha256:
 3fb75e98b98e1154c1d682c5b78e241a1ddd61a819913cc8fcf6a8be2e3bd1e7 3382 openssh_8.7p1-2.dsc
 0c35841b4096b6d6bda6b37c9d30f777888e256e90c15fa43f481520280222e1 186492 openssh_8.7p1-2.debian.tar.xz
Files:
 257a02ae202a00baca214d19d226c07c 3382 net standard openssh_8.7p1-2.dsc
 cf83dedf09dfcc8c6e76d72830f61c4f 186492 net standard openssh_8.7p1-2.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEErApP8SYRtvzPAcEROTWH2X2GUAsFAmGPwIoACgkQOTWH2X2G
UAvgoRAAm41yqatKAkq4vhd28twuKz34GaTdmCRQHkaXZCqO5tWSIorAMbRuW+Hc
4iZVzHq5fTKxYXGT1N3HIQ2d5czhRy7She28geN0DP9FMDeTOiTaojgsIZfKw/lx
M3eNMeTWsKeZIFBPavrTl+yYwnCH66s6DErkCbT/RpG3WGZ5vN7PKyedHYB5EpgP
tlcikfpw9gA82cVQNlfwbYok9dz/vFopRcPRxwANVtbj1pXPudJY5yc7/fei6Ovl
6WxlBkncvCejMMd1G8BDkRZDP2wF9P7shApbxZwG58NF5rji01o0mBPSUcT+XH7Y
yKQ+vrNc2FWx0pPH+9k8mwh7WL97Bmmj75e6du7YbyFt+TD4xkwejmpO3sFOXpzD
JHTe69n9ZpTcc0qlkw7qZCkjZ/jgUywFe+FnVj6tHv0W2v0juHO6MfbCU5toG4NV
z7RxjHGoGR/VbDPPYa4E0zWDhBxSzSHvVUP6mAuiMvXESPL6IGQUFZwjd8CVY+h3
6tDYiQibp+zeHAYObiEhRMHgXlwvfsKBcWI81lC+gFzIzQ4b1bcPE8iBpYKAhV+X
qB110eIMr6lAT37rac56/o9qbj/0pn/wl3hYtn4UFEwltp15+yQPcw0dv+rk2B7J
DIocdoqT1jlJ50Wr+aTyG1KOm8lWJ3X/RSZAyoGzSCWDFlFat0I=
=vBtM
-----END PGP SIGNATURE-----
--- End Message ---