Bug#1105179: unblock: openssh/1:10.0p1-5
Package: release.debian.org
Severity: normal
X-Debbugs-Cc: openssh@packages.debian.org
Control: affects -1 + src:openssh
User: release.debian.org@packages.debian.org
Usertags: unblock

I know the hard freeze hasn't started yet, but this openssh upload isn't
quite going to make it into testing in time, and since it's a key
package you're going to need to review it anyway; so I might as well get
the request in early. This fixes one grave bug (#1103418), one serious
bug (#1104992, filed after the upload so not in the changelog) and one
important bug (#1103522). All the changes are as targeted as I believe
to be possible.

The --with-linux-memlock-onfault change is probably the only non-obvious
one; see https://bugzilla.mindrot.org/show_bug.cgi?id=3822 for more
details there. It's basically just restoring previous behaviour, since
that option and the behaviour associated with it were new in 10.0p1.

openssh has pretty extensive autopkgtests. Admittedly they didn't catch
these issues (although I have my suspicions that the riscv64 autopkgtest
failures that I fixed by disabling --with-linux-memlock-onfault just on
riscv64 in 1:10.0p1-2 were in fact the canary in the coalmine), but they
do provide decent assurance that openssh still works in general.

unblock openssh/1:10.0p1-5

Thanks,
--
Colin Watson (he/him) [cjwatson@debian.org]
diff -Nru openssh-10.0p1/debian/changelog openssh-10.0p1/debian/changelog
--- openssh-10.0p1/debian/changelog 2025-04-15 14:19:35.000000000 +0100
+++ openssh-10.0p1/debian/changelog 2025-05-09 13:40:49.000000000 +0100
@@ -1,3 +1,25 @@
+openssh (1:10.0p1-5) unstable; urgency=medium
+
+ * Ensure that configure knows the path to passwd; fixes reproducibility of
+ openssh-tests.
+
+ -- Colin Watson <cjwatson@debian.org> Fri, 09 May 2025 13:40:49 +0100
+
+openssh (1:10.0p1-4) unstable; urgency=medium
+
+ [ Daniel Kahn Gillmor ]
+ * Add Requires=ssh-agent.socket to ssh-agent.service (closes: #1103522).
+
+ -- Colin Watson <cjwatson@debian.org> Fri, 09 May 2025 10:16:45 +0100
+
+openssh (1:10.0p1-3) unstable; urgency=medium
+
+ * Disable --with-linux-memlock-onfault again, since it causes
+ RLIMIT_MEMLOCK to be exceeded with some combinations of PAM modules
+ (closes: #1103418).
+
+ -- Colin Watson <cjwatson@debian.org> Wed, 07 May 2025 16:18:43 +0100
+
openssh (1:10.0p1-2) unstable; urgency=medium
[ Colin Watson ]
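Review bot: The 1:10.0p1-5 entry carries no bug reference, while the cover message says this upload also fixes #1104992. Since the changelog will not close that bug automatically, it needs closing by hand with the fixed version recorded, so that the BTS version tracking matches what the 1:10.0p1-3 and 1:10.0p1-4 entries get from their "closes:" markers.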
diff -Nru openssh-10.0p1/debian/rules openssh-10.0p1/debian/rules
--- openssh-10.0p1/debian/rules 2025-04-15 14:19:35.000000000 +0100
+++ openssh-10.0p1/debian/rules 2025-05-09 13:40:49.000000000 +0100
@@ -74,6 +74,10 @@
confflags += ossh_cv_cflag__fzero_call_used_regs_used=no
endif
+# passwd isn't otherwise needed and may not be installed at build time.
+# Ensure that sshd knows its path.
+confflags += PATH_PASSWD_PROG=/usr/bin/passwd
+
# Everything above here is common to the deb and udeb builds.
confflags_udeb := $(confflags)
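Review bot: The new PATH_PASSWD_PROG assignment sits above the "Everything above here is common to the deb and udeb builds" marker, so it is inherited by confflags_udeb as well; worth confirming that is intended rather than a side effect of placement. The comment could also say what the changelog says, namely that without this the configure result depends on whether passwd happens to be installed in the build environment, which is the reproducibility problem being fixed.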
@@ -88,11 +92,6 @@
confflags += --with-selinux
confflags += --with-audit=linux
confflags += --with-security-key-builtin
-# On riscv64, this causes failures in ed25519-sk keytype tests, for unclear
-# reasons.
-ifneq ($(DEB_HOST_ARCH),riscv64)
-confflags += --with-linux-memlock-onfault
-endif
endif
# The deb build wants xauth; the udeb build doesn't.
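Review bot: Removing the whole riscv64 conditional leaves nothing in debian/rules recording why --with-linux-memlock-onfault is off. A short comment in its place pointing at #1103418 and the RLIMIT_MEMLOCK problem with some PAM module combinations would stop the flag being re-enabled later by someone who only sees that upstream offers it.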
diff -Nru openssh-10.0p1/debian/systemd/ssh-agent.service openssh-10.0p1/debian/systemd/ssh-agent.service
--- openssh-10.0p1/debian/systemd/ssh-agent.service 2025-04-15 14:19:35.000000000 +0100
+++ openssh-10.0p1/debian/systemd/ssh-agent.service 2025-05-09 13:40:49.000000000 +0100
@@ -1,6 +1,7 @@
[Unit]
Description=OpenSSH Agent
Documentation=man:ssh-agent(1)
+Requires=ssh-agent.socket
[Service]
Environment=SSH_ASKPASS_REQUIRE=force
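Review bot: The added Requires=ssh-agent.socket line has no comment explaining the dependency, and the unit file gives no hint of the failure it prevents; a one-line comment referencing #1103522 would help. Note also that Requires= is the strong form: stopping or restarting ssh-agent.socket will now stop or restart ssh-agent.service too, so it is worth confirming that this propagation is wanted.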