
Bug#1098272: marked as done (openssh-server: Security update 1:9.2p1-2+deb12u5 depends on libssl3 (>= 3.0.15), but that is not in debian security)



Your message dated Tue, 18 Feb 2025 16:12:09 +0000
with message-id <Z7SxWbCHcZb4vK77@riva.ucam.org>
and subject line Re: Bug#1098272: openssh-server: Security update 1:9.2p1-2+deb12u5 depends on libssl3 (>= 3.0.15), but that is not in debian security
has caused the Debian Bug report #1098272,
regarding openssh-server: Security update 1:9.2p1-2+deb12u5 depends on libssl3 (>= 3.0.15), but that is not in debian security
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1098272: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1098272
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: openssh-server
Version: 1:9.2p1-2+deb12u5
Severity: important
X-Debbugs-Cc: team@security.debian.org

Dear Maintainer,

Security update for CVE-2025-26466, version 1:9.2p1-2+deb12u5, depends
on libssl3 >= 3.0.15, but that package is not available in Debian
Security. Therefore, the unattended upgrader, which is configured to
only install security updates, cannot install it:

# unattended-upgrade -v
Checking if system is running on battery is skipped. Please install powermgmt-base package to check power status and skip installing updates when the system is running on battery.
Starting unattended upgrades script
Allowed origins are: origin=Debian,codename=bookworm,label=Debian-Security, origin=Debian,codename=bookworm-security,label=Debian-Security
Initial blacklist:
Initial whitelist (not strict):
package openssh-sftp-server upgradable but fails to be marked for upgrade (E:Unable to correct problems, you have held broken packages.)
package openssh-sftp-server upgradable but fails to be marked for upgrade (E:Unable to correct problems, you have held broken packages.)
No packages found that can be upgraded unattended and no pending auto-removals
Package openssh-client is kept back because a related package is kept back or due to local apt_preferences(5).
Package openssh-server is kept back because a related package is kept back or due to local apt_preferences(5).
Package openssh-sftp-server is kept back because a related package is kept back or due to local apt_preferences(5).

# apt-cache policy libssl3
libssl3:
  Installed: 3.0.14-1~deb12u2
  Candidate: 3.0.15-1~deb12u1
  Version table:
     3.0.15-1~deb12u1 500
        500 http://deb.debian.org/debian bookworm/main amd64 Packages
 *** 3.0.14-1~deb12u2 500
        500 http://security.debian.org/debian-security bookworm-security/main amd64 Packages
        100 /var/lib/dpkg/status


I worked around it by just doing 'apt install openssh-server', but that
doesn't scale.

Regards,

Wiebe Cazemier



-- System Information:
Debian Release: 12.6
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-26-amd64 (SMP w/8 CPU threads; PREEMPT)
Kernel taint flags: TAINT_WARN
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages openssh-server depends on:
ii  adduser                    3.134
ii  debconf [debconf-2.0]      1.5.82
ii  init-system-helpers        1.65.2
ii  libaudit1                  1:3.0.9-1
ii  libc6                      2.36-9+deb12u8
ii  libcom-err2                1.47.0-2
ii  libcrypt1                  1:4.4.33-2
ii  libgssapi-krb5-2           1.20.1-2+deb12u2
ii  libkrb5-3                  1.20.1-2+deb12u2
ii  libpam-modules             1.5.2-6+deb12u1
ii  libpam-runtime             1.5.2-6+deb12u1
ii  libpam0g                   1.5.2-6+deb12u1
ii  libselinux1                3.4-1+b6
ii  libssl3                    3.0.15-1~deb12u1
ii  libsystemd0                252.26-1~deb12u2
ii  libwrap0                   7.6.q-32
ii  lsb-base                   11.6
ii  openssh-client             1:9.2p1-2+deb12u5
ii  openssh-sftp-server        1:9.2p1-2+deb12u5
ii  procps                     2:4.0.2-3
ii  runit-helper               2.15.2
ii  sysvinit-utils [lsb-base]  3.06-4
ii  ucf                        3.0043+nmu1
ii  zlib1g                     1:1.2.13.dfsg-1

Versions of packages openssh-server recommends:
ii  libpam-systemd [logind]  252.26-1~deb12u2
ii  ncurses-term             6.4-4
ii  xauth                    1:1.1.2-1

Versions of packages openssh-server suggests:
ii  molly-guard   0.7.2
pn  monkeysphere  <none>
pn  ssh-askpass   <none>
pn  ufw           <none>

-- Configuration Files:
/etc/pam.d/sshd changed [not included]

-- debconf information excluded

--- End Message ---
--- Begin Message ---
On Tue, Feb 18, 2025 at 04:11:36PM +0100, Wiebe Cazemier wrote:
> Security update for CVE-2025-26466, version 1:9.2p1-2+deb12u5, depends
> on libssl3 >= 3.0.15, but that package is not available in Debian
> Security. Therefore, the unattended upgrader, which is configured to
> only install security updates, cannot install it:
> 
> # unattended-upgrade -v
> Checking if system is running on battery is skipped. Please install powermgmt-base package to check power status and skip installing updates when the system is running on battery.
> Starting unattended upgrades script
> Allowed origins are: origin=Debian,codename=bookworm,label=Debian-Security, origin=Debian,codename=bookworm-security,label=Debian-Security
> Initial blacklist:
> Initial whitelist (not strict):
> package openssh-sftp-server upgradable but fails to be marked for upgrade (E:Unable to correct problems, you have held broken packages.)
> package openssh-sftp-server upgradable but fails to be marked for upgrade (E:Unable to correct problems, you have held broken packages.)
> No packages found that can be upgraded unattended and no pending auto-removals
> Package openssh-client is kept back because a related package is kept back or due to local apt_preferences(5).
> Package openssh-server is kept back because a related package is kept back or due to local apt_preferences(5).
> Package openssh-sftp-server is kept back because a related package is kept back or due to local apt_preferences(5).
> 
> # apt-cache policy libssl3
> libssl3:
>   Installed: 3.0.14-1~deb12u2
>   Candidate: 3.0.15-1~deb12u1
>   Version table:
>      3.0.15-1~deb12u1 500
>         500 http://deb.debian.org/debian bookworm/main amd64 Packages
>  *** 3.0.14-1~deb12u2 500
>         500 http://security.debian.org/debian-security bookworm-security/main amd64 Packages
>         100 /var/lib/dpkg/status

I think this is an unsupported unattended-upgrades configuration.  It
does sometimes happen that packages in bookworm (from a point release)
supersede those in bookworm-security, and at that point you're supposed
to upgrade to the new point release, not stick with the old versions
that were previously in bookworm-security.

As far as I can tell, unattended-upgrades doesn't ship this way by
default, so it looks like a change you've made yourself.  Specifically,
I think you must have deleted or commented out this line:

        "origin=Debian,codename=${distro_codename},label=Debian";

In any case, this is not something I can do anything about in
openssh-server; the autobuilders build against the latest packages in
the combination of bookworm and bookworm-security, and this is the
result.

Regards,

-- 
Colin Watson (he/him)                              [cjwatson@debian.org]

--- End Message ---
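The mechanism the reply describes, modelled in Python: a candidate in bookworm-security depends on a version of libssl3 that only bookworm/main provides, and an Origins-Pattern list that lacks the `label=Debian` line filters that origin out, so apt keeps the whole set back. This is an added example, not code from the thread, unattended-upgrades, apt or openssh; `deb_version_cmp`, `origin_allowed` and `plan_upgrades` are my own names, the archive slice is constructed from the versions quoted in the report, and the installed openssh-server version is a placeholder.

```python
"""Why a security-only unattended-upgrades origin filter can hold back a
security update.  Example code added for this thread, not code from
unattended-upgrades, apt or openssh; versions come from the report, the
installed openssh-server version is a constructed placeholder."""
from functools import cmp_to_key


def _order(c):
    # dpkg character weight: '~' sorts before end-of-string, digits handled apart
    return -1 if c == "~" else 0 if c.isdigit() else ord(c) if c.isalpha() else ord(c) + 256


def _cmp_fragment(a, b):
    """dpkg-style comparison of one upstream/revision string: alternate
    non-digit runs (by weight) and digit runs (numerically)."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac, bc = (_order(a[i]) if i < len(a) else 0), (_order(b[j]) if j < len(b) else 0)
            if ac != bc:
                return ac - bc
            i, j = i + 1, j + 1
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            first_diff = first_diff or ord(a[i]) - ord(b[j])
            i, j = i + 1, j + 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def deb_version_cmp(v1, v2):
    """Negative, zero or positive, like dpkg --compare-versions."""
    def split(v):
        epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
        upstream, _, revision = rest.rpartition("-")
        return int(epoch), (upstream or revision), (revision if upstream else "")
    (e1, u1, r1), (e2, u2, r2) = split(v1), split(v2)
    return (e1 - e2) or _cmp_fragment(u1, u2) or _cmp_fragment(r1, r2)


DISTRO_CODENAME = "bookworm"
# Default Origins-Pattern list in bookworm; per the reply, the first entry is the
# one the reporter removed, leaving the two that the log prints.
DEFAULT_PATTERNS = [
    "origin=Debian,codename=${distro_codename},label=Debian",
    "origin=Debian,codename=${distro_codename},label=Debian-Security",
    "origin=Debian,codename=${distro_codename}-security,label=Debian-Security",
]
SECURITY_ONLY_PATTERNS = DEFAULT_PATTERNS[1:]

MAIN = {"origin": "Debian", "codename": "bookworm", "label": "Debian"}
SECURITY = {"origin": "Debian", "codename": "bookworm-security", "label": "Debian-Security"}
# Constructed archive slice: (package, version, origin, {dependency: minimum version}).
ARCHIVE = [
    ("openssh-server", "1:9.2p1-2+deb12u5", SECURITY, {"libssl3": "3.0.15"}),
    ("libssl3", "3.0.14-1~deb12u2", SECURITY, {}),
    ("libssl3", "3.0.15-1~deb12u1", MAIN, {}),
]
INSTALLED = {
    "openssh-server": "1:9.2p1-2+deb12u4",  # constructed placeholder: any older version
    "libssl3": "3.0.14-1~deb12u2",          # from the report's apt-cache policy output
}


def origin_allowed(origin, patterns):
    """Origins-Pattern match on origin/codename/label (suite= and site= not modelled)."""
    for pattern in patterns:
        expanded = pattern.replace("${distro_codename}", DISTRO_CODENAME)
        wanted = dict(kv.split("=", 1) for kv in expanded.split(","))
        if all(origin.get(k) == v for k, v in wanted.items()):
            return True
    return False


def plan_upgrades(patterns, archive=ARCHIVE, installed=INSTALLED):
    """{package: ("upgrade", version) or ("kept back", reason)}: a dependency is
    satisfiable only by the installed version or an allowed-origin candidate."""
    by_version = cmp_to_key(lambda x, y: deb_version_cmp(x[1], y[1]))

    def best_allowed(name):
        cands = [c for c in archive if c[0] == name and origin_allowed(c[2], patterns)]
        return max(cands, key=by_version) if cands else None

    plan = {}
    for name, have in installed.items():
        cand = best_allowed(name)
        if cand is None or deb_version_cmp(cand[1], have) <= 0:
            continue  # nothing newer is reachable through the allowed origins
        for dep, minimum in cand[3].items():
            dep_cand = best_allowed(dep)
            if (dep in installed and deb_version_cmp(installed[dep], minimum) >= 0) or (
                    dep_cand and deb_version_cmp(dep_cand[1], minimum) >= 0):
                continue
            plan[name] = ("kept back", f"no allowed origin provides {dep} >= {minimum}")
            break
        else:
            plan[name] = ("upgrade", cand[1])
    return plan
```

Calling `plan_upgrades(SECURITY_ONLY_PATTERNS)` reports openssh-server kept back because no allowed origin provides libssl3 >= 3.0.15, which is the situation in the log; `plan_upgrades(DEFAULT_PATTERNS)` upgrades both openssh-server and libssl3, because the `label=Debian` pattern makes the bookworm/main candidate eligible. The version comparator matters here: `3.0.15-1~deb12u1` must sort above the bare `3.0.15` minimum, which is exactly the `~` rule dpkg applies. A check against a real host is to compare the "Allowed origins" line that `unattended-upgrade -v` prints with the Origins-Pattern list in the unattended-upgrades apt.conf snippet and confirm the `label=Debian` entry is present.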