Bug#1099091: marked as done (openssh-server: openssh packages 1:9.2p1-2+deb12u5 in bookworm-security depend on unavailable libssl version)



Your message dated Fri, 28 Feb 2025 10:41:37 +0000
with message-id <Z8GS4bDxX4kfnG-7@riva.ucam.org>
and subject line Re: Bug#1099091: openssh-server: openssh packages 1:9.2p1-2+deb12u5 in bookworm-security depend on unavailable libssl version
has caused the Debian Bug report #1099091,
regarding openssh-server: openssh packages 1:9.2p1-2+deb12u5 in bookworm-security depend on unavailable libssl version
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1099091: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1099091
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: openssh-server
Version: 1:9.2p1-2+deb12u5
Severity: important

Dear Maintainer,

The 1:9.2p1-2+deb12u5 version of openssh packages in bookworm-security and bookworm-proposed-updates is uninstallable on bookworm, since they strictly depend on a libssl version unavailable on bookworm. This poses a security problem, since one is either stuck with the older version in bookworm (containing bugs that were fixed in this release) or has to install/backport libssl from trixie/sid.
A plain simple recompile, without source changes, on a "clean" bookworm system that does not contain the trixie/sid version of openssl is sufficient to fix dependencies (I did this on my systems).


Thanks in advance, best regards
Giacomo Mulas


-- System Information:
Debian Release: 12.9
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (105, 'proposed-updates'), (104, 'stable'), (101, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.1.0-31-amd64 (SMP w/8 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=it_IT.UTF-8, LC_CTYPE=it_IT.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages openssh-server depends on:
ii  adduser                    3.134
ii  cdebconf [debconf-2.0]     0.270
ii  debconf [debconf-2.0]      1.5.82
ii  init-system-helpers        1.65.2
ii  libaudit1                  1:3.0.9-1
ii  libc6                      2.36-9+deb12u7
ii  libcom-err2                1.47.0-2
ii  libcrypt1                  1:4.4.33-2
ii  libgssapi-krb5-2           1.20.1-2+deb12u2
ii  libkrb5-3                  1.20.1-2+deb12u2
ii  libpam-modules             1.5.2-6+deb12u1
ii  libpam-runtime             1.5.2-6+deb12u1
ii  libpam0g                   1.5.2-6+deb12u1
ii  libselinux1                3.4-1+b6
ii  libssl3                    3.0.14-1~deb12u2
ii  libsystemd0                252.33-1~deb12u1
ii  libwrap0                   7.6.q-32
ii  lsb-base                   11.6
ii  openssh-client             1:9.2p1-2+deb12u5
ii  openssh-sftp-server        1:9.2p1-2+deb12u5
ii  procps                     2:4.0.2-3
ii  runit-helper               2.15.2
ii  sysvinit-utils [lsb-base]  3.06-4
ii  ucf                        3.0043+nmu1+deb12u1
ii  zlib1g                     1:1.2.13.dfsg-1

Versions of packages openssh-server recommends:
ii  libpam-systemd [logind]  252.33-1~deb12u1
ii  ncurses-term             6.4-4
ii  xauth                    1:1.1.2-1

Versions of packages openssh-server suggests:
ii  ksshaskpass [ssh-askpass]             4:5.27.5-2
ii  kwalletcli [ssh-askpass]              3.03-1
ii  molly-guard                           0.7.2
pn  monkeysphere                          <none>
ii  ssh-askpass                           1:1.2.4.1-16
ii  ssh-askpass-fullscreen [ssh-askpass]  1.3-1
ii  ssh-askpass-gnome [ssh-askpass]       1:9.2p1-2+deb12u5
pn  ufw                                   <none>

-- debconf information excluded

--- End Message ---
--- Begin Message ---
On Fri, Feb 28, 2025 at 10:33:56AM +0100, Chris Hofstaedtler wrote:
> On Fri, Feb 28, 2025 at 10:09:51AM +0100, Giacomo Mulas wrote:
> > Package: openssh-server
> > Version: 1:9.2p1-2+deb12u5
> > Severity: important
> > 
> > The 1:9.2p1-2+deb12u5 version of openssh packages in bookworm-security and bookworm-proposed-updates is uninstallable on bookworm, since they strictly depend on a libssl version unavailable on bookworm. This poses a security problem, since one is either stuck with the older version in bookworm (containing bugs that were fixed in this release) or has to install/backport libssl from trixie/sid.
> 
> This is the Depends from openssh-server in
> bookworm-proposed-updates:
> 
>   Package: openssh-server
>   Source: openssh
>   Version: 1:9.2p1-2+deb12u5
>   ...
>   Depends: ..., libssl3 (>= 3.0.15), ...
> 
> However this is fine, as bookworm already has libssl3
> 3.0.15-1~deb12u1. Note that it's really in bookworm, not in
> bookworm-security.
> 
> > Versions of packages openssh-server depends on:
> > [..]
> > ii  libssl3                    3.0.14-1~deb12u2
> 
> Your system seems to be missing out on packages that are _in_
> bookworm ("stable").

Yes. Giacomo, I suspect your system is misconfigured in the sort of way I described in https://bugs.debian.org/1098272#10 (if not unattended-upgrades, then something similar).

Note that the openssh packages in question were built on Debian's autobuilders in their standard configuration. I didn't build them locally, and they certainly were not built on trixie/sid.

--
Colin Watson (he/him)                              [cjwatson@debian.org]

--- End Message ---