Bug#1110034: bookworm-pu: package openssh/1:9.2p1-2+deb12u7



Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: openssh@packages.debian.org
Control: affects -1 + src:openssh
User: release.debian.org@packages.debian.org
Usertags: pu

I think this change needs to be included in stable-updates, per 
https://www.debian.org/doc/manuals/developers-reference/pkgs.en.html#special-case-the-stable-updates-suite.  
Details below.

[ Reason ]
OpenSSH processes such as sshd check for OpenSSL version compatibility 
when seeding their internal RNG.  Versions prior to 9.4 failed to 
tolerate newer minor versions of OpenSSL.  This causes SSH connection 
failures during upgrades from bookworm to trixie.

[ Impact ]
As described in https://bugs.debian.org/1110030, during most of the
upgrade process from bookworm to trixie, it's impossible to initiate new
SSH connections.  If the upgrade fails, and the user forgets to maintain
a separate SSH connection or their network connection is interrupted,
the result may be a failed remote upgrade with no way to access the
system.

[ Tests ]
The detailed version compatibility rules are covered by unit tests; this 
upload includes changes to those tests.

I've also tested this manually by creating a bookworm container and 
running the relevant parts of the upgrade step by step, something like 
this (obviously set up for me, but adjust as needed):

  $ incus launch images:debian/bookworm openssh-upgrade
  $ incus exec openssh-upgrade -- apt -y install openssh-server
  $ incus exec openssh-upgrade -- adduser --disabled-password --comment 'Colin Watson' cjwatson
  $ incus file push -p --uid 1000 --gid 1000 --mode=600 .ssh/id_ed25519.pub openssh-upgrade/home/cjwatson/.ssh/authorized_keys
  $ dcmd incus file push openssh_9.2p1-2+deb12u7_amd64.changes openssh-upgrade/root/
  $ incus exec openssh-upgrade -- apt install ./openssh-{client,server,sftp-server}_9.2p1-2+deb12u7_amd64.deb

Then run "while :; do date -Ins; ssh openssh-upgrade.incus true; sleep
0.1; done" in a separate terminal to monitor connectivity, and continue
the upgrade with:

  $ dcmd incus file push openssh_10.0p1-6_amd64.changes openssh-upgrade/root/
  $ incus exec openssh-upgrade -- dpkg --unpack openssh-{client,server,sftp-server}_10.0p1-6_amd64.deb
  $ incus exec openssh-upgrade -- sed -i 's/bookworm/trixie/' /etc/apt/sources.list
  $ incus exec openssh-upgrade -- apt update
  $ incus exec openssh-upgrade -- apt -f install

(This also includes testing of a fix to trixie's openssh for a separate 
bug with similar symptoms; see https://bugs.debian.org/1109742 and the 
unblock request in https://bugs.debian.org/1110033.)

[ Risks ]
The changes are fairly simple (at least once you work your way through 
the patch layers), and I don't believe any realistic alternatives are 
available.  If I'd realized earlier that this would be an upgrade 
problem, I'd already have included it in a previous bookworm update.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
This cherry-picks two commits from upstream to apply simpler and more 
accurate version compatibility rules for OpenSSL 3 (also in the process 
dropping support for OpenSSL <1, which doesn't affect any version of 
Debian since 7/wheezy).

In order to be able to cherry-pick the upstream patches neatly, I 
inserted them some way back in the Debian patch stack and adjusted 
another related patch to match.  This produces some git-dpm noise and 
somewhat confusing results if you're just looking at the debdiff.  To 
help understand this, I've attached a separate 
"openssh_9.2p1-2+deb12u7.upstreamdiff" file that shows the effective 
patch to the upstream code, generated from git.

[ Other info ]
To minimize the chance of users running into this during upgrades 
shortly after the release of trixie, I think we need to get this into 
stable-updates rather than waiting for the next scheduled point release.  
Let me know if there's anything else I need to do for that.

Thanks,

-- 
Colin Watson (he/him)                              [cjwatson@debian.org]
diff -Nru openssh-9.2p1/debian/.git-dpm openssh-9.2p1/debian/.git-dpm
--- openssh-9.2p1/debian/.git-dpm	2025-05-08 11:54:24.000000000 +0100
+++ openssh-9.2p1/debian/.git-dpm	2025-07-28 12:58:38.000000000 +0100
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-cf9b65754f0e54de11d075fc7317ae90a1ae4389
-cf9b65754f0e54de11d075fc7317ae90a1ae4389
+d69f6291ca7b1d7315a54aa50c1538f97b7b1f8f
+d69f6291ca7b1d7315a54aa50c1538f97b7b1f8f
 cf3c3acb2b8f74eeca7fcee269b1d33ac83f1188
 cf3c3acb2b8f74eeca7fcee269b1d33ac83f1188
 openssh_9.2p1.orig.tar.gz
diff -Nru openssh-9.2p1/debian/changelog openssh-9.2p1/debian/changelog
--- openssh-9.2p1/debian/changelog	2025-05-08 11:54:24.000000000 +0100
+++ openssh-9.2p1/debian/changelog	2025-07-28 12:59:40.000000000 +0100
@@ -1,3 +1,10 @@
+openssh (1:9.2p1-2+deb12u7) bookworm; urgency=medium
+
+  * Handle OpenSSL >=3 ABI compatibility; this helps to avoid new ssh
+    connections failing during upgrades to trixie (closes: #1110030).
+
+ -- Colin Watson <cjwatson@debian.org>  Mon, 28 Jul 2025 12:59:40 +0100
+
 openssh (1:9.2p1-2+deb12u6) bookworm; urgency=medium
 
   * CVE-2025-32728: sshd(8): fix the DisableForwarding directive, which was
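Review bot: the new changelog entry at the top of this hunk only records the OpenSSL >=3 rule; the [Changes] section says the upload also drops the <1.0.0 compatibility branch and refreshes no-openssl-version-status.patch so that the 3.x mask ignores the status field, and since the checklist claims all changes are documented in d/changelog, both deserve a bullet, e.g. "Drop OpenSSL <1.0.0 compatibility checks (unused since wheezy); extend the status-ignoring Debian patch to the OpenSSL 3 branch."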
diff -Nru openssh-9.2p1/debian/patches/CVE-2023-28531.patch openssh-9.2p1/debian/patches/CVE-2023-28531.patch
--- openssh-9.2p1/debian/patches/CVE-2023-28531.patch	2025-05-08 11:54:24.000000000 +0100
+++ openssh-9.2p1/debian/patches/CVE-2023-28531.patch	2025-07-28 12:58:38.000000000 +0100
@@ -1,4 +1,4 @@
-From 3551a0444621320cc1eaa0dba7d127b6ee67d0b7 Mon Sep 17 00:00:00 2001
+From cdd7ccb0c240e0a8b21eacb25da9a310add20251 Mon Sep 17 00:00:00 2001
 From: "djm@openbsd.org" <djm@openbsd.org>
 Date: Thu, 9 Mar 2023 06:58:26 +0000
 Subject: upstream: include destination constraints for smartcard keys too.
diff -Nru openssh-9.2p1/debian/patches/CVE-2023-38408-1.patch openssh-9.2p1/debian/patches/CVE-2023-38408-1.patch
--- openssh-9.2p1/debian/patches/CVE-2023-38408-1.patch	2025-05-08 11:54:24.000000000 +0100
+++ openssh-9.2p1/debian/patches/CVE-2023-38408-1.patch	2025-07-28 12:58:38.000000000 +0100
@@ -1,4 +1,4 @@
-From 443d99e0bd3156c424b502fffcb621552607d9c6 Mon Sep 17 00:00:00 2001
+From d28ccf30cf25d22264819d998102dd72fbf6d312 Mon Sep 17 00:00:00 2001
 From: Damien Miller <djm@mindrot.org>
 Date: Thu, 13 Jul 2023 12:09:34 +1000
 Subject: terminate pkcs11 process for bad libraries
diff -Nru openssh-9.2p1/debian/patches/CVE-2023-38408-2.patch openssh-9.2p1/debian/patches/CVE-2023-38408-2.patch
--- openssh-9.2p1/debian/patches/CVE-2023-38408-2.patch	2025-05-08 11:54:24.000000000 +0100
+++ openssh-9.2p1/debian/patches/CVE-2023-38408-2.patch	2025-07-28 12:58:38.000000000 +0100
@@ -1,4 +1,4 @@
-From e9aced930c69f1f38bffe28a2396661c92b2a23a Mon Sep 17 00:00:00 2001
+From 26c255d21ebeae770a4df88415c0623c89f047be Mon Sep 17 00:00:00 2001
 From: Damien Miller <djm@mindrot.org>
 Date: Fri, 7 Jul 2023 13:30:15 +1000
 Subject: disallow remote addition of FIDO/PKCS11 keys
diff -Nru openssh-9.2p1/debian/patches/CVE-2023-38408-3.patch openssh-9.2p1/debian/patches/CVE-2023-38408-3.patch
--- openssh-9.2p1/debian/patches/CVE-2023-38408-3.patch	2025-05-08 11:54:24.000000000 +0100
+++ openssh-9.2p1/debian/patches/CVE-2023-38408-3.patch	2025-07-28 12:58:38.000000000 +0100
@@ -1,4 +1,4 @@
-From f881f358de9432fe4524c4bc156a0911164631a3 Mon Sep 17 00:00:00 2001
+From 3657590a62106e02d302936bc6b1593ae24de22a Mon Sep 17 00:00:00 2001
 From: "djm@openbsd.org" <djm@openbsd.org>
 Date: Wed, 19 Jul 2023 14:02:27 +0000
 Subject: upstream: Ensure FIDO/PKCS11 libraries contain expected symbols
diff -Nru openssh-9.2p1/debian/patches/CVE-2023-48795.patch openssh-9.2p1/debian/patches/CVE-2023-48795.patch
--- openssh-9.2p1/debian/patches/CVE-2023-48795.patch	2025-05-08 11:54:24.000000000 +0100
+++ openssh-9.2p1/debian/patches/CVE-2023-48795.patch	2025-07-28 12:58:38.000000000 +0100
@@ -1,4 +1,4 @@
-From c78d5a0d5c30c345377ff5a1ca5ddbd27ab4fbe2 Mon Sep 17 00:00:00 2001
+From 5d09f8bc808a50cb570b3f6782c55384224a488c Mon Sep 17 00:00:00 2001
 From: "djm@openbsd.org" <djm@openbsd.org>
 Date: Mon, 18 Dec 2023 14:45:17 +0000
 Subject: upstream: implement "strict key exchange" in ssh and sshd
diff -Nru openssh-9.2p1/debian/patches/CVE-2023-51384.patch openssh-9.2p1/debian/patches/CVE-2023-51384.patch
--- openssh-9.2p1/debian/patches/CVE-2023-51384.patch	2025-05-08 11:54:24.000000000 +0100
+++ openssh-9.2p1/debian/patches/CVE-2023-51384.patch	2025-07-28 12:58:38.000000000 +0100
@@ -1,4 +1,4 @@
-From 01ada7980c52efffa52d0947efd23783245e70c4 Mon Sep 17 00:00:00 2001
+From ce0fe1459a5b8824e43e3733538481ea5ecbb0e1 Mon Sep 17 00:00:00 2001
 From: "djm@openbsd.org" <djm@openbsd.org>
 Date: Mon, 18 Dec 2023 14:46:12 +0000
 Subject: upstream: apply destination constraints to all p11 keys
diff -Nru openssh-9.2p1/debian/patches/CVE-2023-51385.patch openssh-9.2p1/debian/patches/CVE-2023-51385.patch
--- openssh-9.2p1/debian/patches/CVE-2023-51385.patch	2025-05-08 11:54:24.000000000 +0100
+++ openssh-9.2p1/debian/patches/CVE-2023-51385.patch	2025-07-28 12:58:38.000000000 +0100
@@ -1,4 +1,4 @@
-From de0609ea68651da8720b6e858f5b45599e361ee3 Mon Sep 17 00:00:00 2001
+From e76c2b15332dbdfc01fa6ff796ad694a7c5c39b4 Mon Sep 17 00:00:00 2001
 From: "djm@openbsd.org" <djm@openbsd.org>
 Date: Mon, 18 Dec 2023 14:47:44 +0000
 Subject: upstream: ban user/hostnames with most shell metacharacters
diff -Nru openssh-9.2p1/debian/patches/CVE-2025-26465.patch openssh-9.2p1/debian/patches/CVE-2025-26465.patch
--- openssh-9.2p1/debian/patches/CVE-2025-26465.patch	2025-05-08 11:54:24.000000000 +0100
+++ openssh-9.2p1/debian/patches/CVE-2025-26465.patch	2025-07-28 12:58:38.000000000 +0100
@@ -1,4 +1,4 @@
-From 9310f331a14135d05374a5f2d5fbe37341ee9d29 Mon Sep 17 00:00:00 2001
+From 7b5cdb866db7c75c50c800fb4750e42392ebbf43 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Fri, 14 Feb 2025 00:13:11 +0000
 Subject: CVE-2025-26465: Fix MitM in verify_host_key_callback
diff -Nru openssh-9.2p1/debian/patches/Disable-async-signal-unsafe-code-from-the-sshsigdie-.patch openssh-9.2p1/debian/patches/Disable-async-signal-unsafe-code-from-the-sshsigdie-.patch
--- openssh-9.2p1/debian/patches/Disable-async-signal-unsafe-code-from-the-sshsigdie-.patch	2025-05-08 11:54:24.000000000 +0100
+++ openssh-9.2p1/debian/patches/Disable-async-signal-unsafe-code-from-the-sshsigdie-.patch	2025-07-28 12:58:38.000000000 +0100
@@ -1,4 +1,4 @@
-From 30e67756d4b5853f133d0ba4572e928a4ef5bff6 Mon Sep 17 00:00:00 2001
+From 423c6fe52d13614994827e5cee65dac925232855 Mon Sep 17 00:00:00 2001
 From: Salvatore Bonaccorso <carnil@debian.org>
 Date: Sat, 22 Jun 2024 21:33:03 +0200
 Subject: Disable async-signal-unsafe code from the sshsigdie() function
diff -Nru openssh-9.2p1/debian/patches/conch-ssh-rsa.patch openssh-9.2p1/debian/patches/conch-ssh-rsa.patch
--- openssh-9.2p1/debian/patches/conch-ssh-rsa.patch	2025-05-08 11:54:24.000000000 +0100
+++ openssh-9.2p1/debian/patches/conch-ssh-rsa.patch	2025-07-28 12:58:38.000000000 +0100
@@ -1,4 +1,4 @@
-From 617a61aac72c5446e99e0f2207a563a6369aa9d9 Mon Sep 17 00:00:00 2001
+From 6d532487bc6c01eacf3f5f92a3239d9ff84a9f61 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Tue, 15 Feb 2022 18:25:35 +0000
 Subject: Work around RSA SHA-2 signature issues in conch
diff -Nru openssh-9.2p1/debian/patches/debian-config.patch openssh-9.2p1/debian/patches/debian-config.patch
--- openssh-9.2p1/debian/patches/debian-config.patch	2025-05-08 11:54:24.000000000 +0100
+++ openssh-9.2p1/debian/patches/debian-config.patch	2025-07-28 12:58:38.000000000 +0100
@@ -1,4 +1,4 @@
-From 177b212b6b237dbca4c4f29feb69db959a2ecb81 Mon Sep 17 00:00:00 2001
+From 4363eb93bc775a6e759c1682da4f3a69543717bd Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:10:18 +0000
 Subject: Various Debian-specific configuration changes
diff -Nru openssh-9.2p1/debian/patches/fix-disable-forwarding.patch openssh-9.2p1/debian/patches/fix-disable-forwarding.patch
--- openssh-9.2p1/debian/patches/fix-disable-forwarding.patch	2025-05-08 11:54:24.000000000 +0100
+++ openssh-9.2p1/debian/patches/fix-disable-forwarding.patch	2025-07-28 12:58:38.000000000 +0100
@@ -1,4 +1,4 @@
-From cf9b65754f0e54de11d075fc7317ae90a1ae4389 Mon Sep 17 00:00:00 2001
+From d69f6291ca7b1d7315a54aa50c1538f97b7b1f8f Mon Sep 17 00:00:00 2001
 From: "djm@openbsd.org" <djm@openbsd.org>
 Date: Wed, 9 Apr 2025 07:00:03 +0000
 Subject: upstream: Fix logic error in DisableForwarding option. This option
diff -Nru openssh-9.2p1/debian/patches/gnome-ssh-askpass2-icon.patch openssh-9.2p1/debian/patches/gnome-ssh-askpass2-icon.patch
--- openssh-9.2p1/debian/patches/gnome-ssh-askpass2-icon.patch	2025-05-08 11:54:24.000000000 +0100
+++ openssh-9.2p1/debian/patches/gnome-ssh-askpass2-icon.patch	2025-07-28 12:58:38.000000000 +0100
@@ -1,4 +1,4 @@
-From 1de37afc2ed154a3db9d2a99e9c6b0b5c302e522 Mon Sep 17 00:00:00 2001
+From deab71aa1b1bffb0f036ce681045aad80a846db4 Mon Sep 17 00:00:00 2001
 From: Vincent Untz <vuntz@ubuntu.com>
 Date: Sun, 9 Feb 2014 16:10:16 +0000
 Subject: Give the ssh-askpass-gnome window a default icon
diff -Nru openssh-9.2p1/debian/patches/incorrect-return-values.patch openssh-9.2p1/debian/patches/incorrect-return-values.patch
--- openssh-9.2p1/debian/patches/incorrect-return-values.patch	2025-05-08 11:54:24.000000000 +0100
+++ openssh-9.2p1/debian/patches/incorrect-return-values.patch	2025-07-28 12:58:38.000000000 +0100
@@ -1,4 +1,4 @@
-From b430b77904fa045d5753bad32f6c8a582396db57 Mon Sep 17 00:00:00 2001
+From 902b3eaff361ec5fe9aeb77b91d0c3f721621beb Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Fri, 14 Feb 2025 00:24:52 +0000
 Subject: Fix incorrect return values on a number of error paths
diff -Nru openssh-9.2p1/debian/patches/maxhostnamelen.patch openssh-9.2p1/debian/patches/maxhostnamelen.patch
--- openssh-9.2p1/debian/patches/maxhostnamelen.patch	2025-05-08 11:54:24.000000000 +0100
+++ openssh-9.2p1/debian/patches/maxhostnamelen.patch	2025-07-28 12:58:38.000000000 +0100
@@ -1,4 +1,4 @@
-From 7f723a24e810b326747cacfecb4e4ae915a65840 Mon Sep 17 00:00:00 2001
+From 0de61f52e23476a50b05d8bc7aab66adb411defd Mon Sep 17 00:00:00 2001
 From: Svante Signell <svante.signell@gmail.com>
 Date: Fri, 5 Nov 2021 23:22:53 +0000
 Subject: Define MAXHOSTNAMELEN on GNU/Hurd
diff -Nru openssh-9.2p1/debian/patches/no-openssl-version-status.patch openssh-9.2p1/debian/patches/no-openssl-version-status.patch
--- openssh-9.2p1/debian/patches/no-openssl-version-status.patch	2025-05-08 11:54:24.000000000 +0100
+++ openssh-9.2p1/debian/patches/no-openssl-version-status.patch	2025-07-28 12:58:38.000000000 +0100
@@ -1,4 +1,4 @@
-From 5d1c32cb181d5b4392210ddbf2ff84fcda79a89c Mon Sep 17 00:00:00 2001
+From 6512a9b0020d9c7a63d6e0cf237da4c088489a7b Mon Sep 17 00:00:00 2001
 From: Kurt Roeckx <kurt@roeckx.be>
 Date: Sun, 9 Feb 2014 16:10:14 +0000
 Subject: Don't check the status field of the OpenSSL version
@@ -14,34 +14,35 @@
 Bug-Debian: https://bugs.debian.org/664383
 Bug-Debian: https://bugs.debian.org/732940
 Forwarded: not-needed
-Last-Update: 2014-10-07
+Last-Update: 2025-07-28
 
 Patch-Name: no-openssl-version-status.patch
 ---
- openbsd-compat/openssl-compat.c         | 6 +++---
- openbsd-compat/regress/opensslvertest.c | 1 +
- 2 files changed, 4 insertions(+), 3 deletions(-)
+ openbsd-compat/openssl-compat.c         | 8 ++++----
+ openbsd-compat/regress/opensslvertest.c | 2 ++
+ 2 files changed, 6 insertions(+), 4 deletions(-)
 
 diff --git a/openbsd-compat/openssl-compat.c b/openbsd-compat/openssl-compat.c
-index a37ca61bf..c1749210d 100644
+index 6c65003f2..30e97c464 100644
 --- a/openbsd-compat/openssl-compat.c
 +++ b/openbsd-compat/openssl-compat.c
-@@ -34,7 +34,7 @@
- /*
-  * OpenSSL version numbers: MNNFFPPS: major minor fix patch status
-  * We match major, minor, fix and status (not patch) for <1.0.0.
-- * After that, we acceptable compatible fix versions (so we
-+ * After that, we accept compatible fix and status versions (so we
-  * allow 1.0.1 to work with 1.0.0). Going backwards is only allowed
-  * within a patch series.
-  */
-@@ -55,10 +55,10 @@ ssh_compatible_openssl(long headerver, long libver)
+@@ -49,18 +49,18 @@ ssh_compatible_openssl(long headerver, long libver)
+ 		return 1;
+ 
+ 	/*
+-	 * For versions >= 3.0, only the major and status must match.
++	 * For versions >= 3.0, only the major must match.
+ 	 */
+ 	if (headerver >= 0x3000000f) {
+-		mask = 0xf000000fL; /* major,status */
++		mask = 0xf0000000L; /* major */
+ 		return (headerver & mask) == (libver & mask);
  	}
  
  	/*
--	 * For versions >= 1.0.0, major,minor,status must match and library
-+	 * For versions >= 1.0.0, major,minor must match and library
- 	 * fix version must be equal to or newer than the header.
+-	 * For versions >= 1.0.0, but <3, major,minor,status must match and
++	 * For versions >= 1.0.0, but <3, major,minor must match and
+ 	 * library fix version must be equal to or newer than the header.
  	 */
 -	mask = 0xfff0000fL; /* major,minor,status */
 +	mask = 0xfff00000L; /* major,minor */
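Review bot: the visible header (Bug-Debian #664383 and #732940, "Forwarded: not-needed", subject "Don't check the status field of the OpenSSL version") still describes the 1.x change only, while the hunk now also widens the 3.x mask from 0xf000000fL to 0xf0000000L; the patch description above this hunk should state that the status nibble is ignored in both branches, so the divergence from upstream is documented where the next person refreshing the patch will look.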
@@ -49,14 +50,22 @@
  	lfix = (libver & 0x000ff000) >> 12;
  	if ( (headerver & mask) == (libver & mask) && lfix >= hfix)
 diff --git a/openbsd-compat/regress/opensslvertest.c b/openbsd-compat/regress/opensslvertest.c
-index d50066609..aeccc107b 100644
+index 99c894418..351df4374 100644
 --- a/openbsd-compat/regress/opensslvertest.c
 +++ b/openbsd-compat/regress/opensslvertest.c
-@@ -37,6 +37,7 @@ struct version_test {
- 
+@@ -28,6 +28,7 @@ struct version_test {
+ } version_tests[] = {
  	/* built with 1.0.1b release headers */
  	{ 0x1000101fL, 0x1000101fL, 1},/* exact match */
 +	{ 0x1000101fL, 0x10001010L, 1}, /* different status: ok */
  	{ 0x1000101fL, 0x1000102fL, 1},	/* newer library patch version: ok */
  	{ 0x1000101fL, 0x1000100fL, 1},	/* older library patch version: ok */
  	{ 0x1000101fL, 0x1000201fL, 1},	/* newer library fix version: ok */
+@@ -48,6 +49,7 @@ struct version_test {
+ 
+ 	/* built with 3.0.1 release headers */
+ 	{ 0x3010101fL, 0x3010101fL, 1},/* exact match */
++	{ 0x3010101fL, 0x30101010L, 1}, /* different status: ok */
+ 	{ 0x3010101fL, 0x3010102fL, 1},	/* newer library patch version: ok */
+ 	{ 0x3010101fL, 0x3010100fL, 1},	/* older library patch version: ok */
+ 	{ 0x3010101fL, 0x3010201fL, 1},	/* newer library fix version: ok */
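Review bot: both added "different status" rows keep major, minor and fix identical and vary only the status nibble, so they pin down the Debian-specific mask but not its composition with upstream's new >=3 branch; a row that changes the status together with a newer minor, e.g. `{ 0x3010101fL, 0x30200010L, 1}, /* newer minor, different status: ok */`, would cover that combination in the same table.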
diff -Nru openssh-9.2p1/debian/patches/openssl-3-abi-compatibility-test.patch openssh-9.2p1/debian/patches/openssl-3-abi-compatibility-test.patch
--- openssh-9.2p1/debian/patches/openssl-3-abi-compatibility-test.patch	1970-01-01 01:00:00.000000000 +0100
+++ openssh-9.2p1/debian/patches/openssl-3-abi-compatibility-test.patch	2025-07-28 12:58:38.000000000 +0100
@@ -0,0 +1,61 @@
+From f32089dd98a157929164f1f38ba88d3114e63312 Mon Sep 17 00:00:00 2001
+From: Darren Tucker <dtucker@dtucker.net>
+Date: Tue, 9 May 2023 17:12:50 +1000
+Subject: Update OpenSSL compat test for 3.x.
+
+Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=47742c513e4e045ecc985c6483fc5c8b050acda2
+Bug-Debian: https://bugs.debian.org/1110030
+Last-Update: 2025-07-28
+
+Patch-Name: openssl-3-abi-compatibility-test.patch
+---
+ openbsd-compat/regress/opensslvertest.c | 29 +++++++++++++++++--------
+ 1 file changed, 20 insertions(+), 9 deletions(-)
+
+diff --git a/openbsd-compat/regress/opensslvertest.c b/openbsd-compat/regress/opensslvertest.c
+index d50066609..99c894418 100644
+--- a/openbsd-compat/regress/opensslvertest.c
++++ b/openbsd-compat/regress/opensslvertest.c
+@@ -26,15 +26,6 @@ struct version_test {
+ 	long libver;
+ 	int result;
+ } version_tests[] = {
+-	/* built with 0.9.8b release headers */
+-	{ 0x0090802fL, 0x0090802fL, 1},	/* exact match */
+-	{ 0x0090802fL, 0x0090804fL, 1},	/* newer library fix version: ok */
+-	{ 0x0090802fL, 0x0090801fL, 1},	/* older library fix version: ok */
+-	{ 0x0090802fL, 0x0090702fL, 0},	/* older library minor version: NO */
+-	{ 0x0090802fL, 0x0090902fL, 0},	/* newer library minor version: NO */
+-	{ 0x0090802fL, 0x0080802fL, 0},	/* older library major version: NO */
+-	{ 0x0090802fL, 0x1000100fL, 0},	/* newer library major version: NO */
+-
+ 	/* built with 1.0.1b release headers */
+ 	{ 0x1000101fL, 0x1000101fL, 1},/* exact match */
+ 	{ 0x1000101fL, 0x1000102fL, 1},	/* newer library patch version: ok */
+@@ -44,6 +35,26 @@ struct version_test {
+ 	{ 0x1000101fL, 0x1010101fL, 0},	/* newer library minor version: NO */
+ 	{ 0x1000101fL, 0x0000101fL, 0},	/* older library major version: NO */
+ 	{ 0x1000101fL, 0x2000101fL, 0},	/* newer library major version: NO */
++
++	/* built with 1.1.1b release headers */
++	{ 0x1010101fL, 0x1010101fL, 1},/* exact match */
++	{ 0x1010101fL, 0x1010102fL, 1},	/* newer library patch version: ok */
++	{ 0x1010101fL, 0x1010100fL, 1},	/* older library patch version: ok */
++	{ 0x1010101fL, 0x1010201fL, 1},	/* newer library fix version: ok */
++	{ 0x1010101fL, 0x1010001fL, 0},	/* older library fix version: NO */
++	{ 0x1010101fL, 0x1020001fL, 0},	/* newer library minor version: NO */
++	{ 0x1010101fL, 0x0010101fL, 0},	/* older library major version: NO */
++	{ 0x1010101fL, 0x2010101fL, 0},	/* newer library major version: NO */
++
++	/* built with 3.0.1 release headers */
++	{ 0x3010101fL, 0x3010101fL, 1},/* exact match */
++	{ 0x3010101fL, 0x3010102fL, 1},	/* newer library patch version: ok */
++	{ 0x3010101fL, 0x3010100fL, 1},	/* older library patch version: ok */
++	{ 0x3010101fL, 0x3010201fL, 1},	/* newer library fix version: ok */
++	{ 0x3010101fL, 0x3010001fL, 1},	/* older library fix version: ok */
++	{ 0x3010101fL, 0x3020001fL, 1},	/* newer library minor version: ok */
++	{ 0x3010101fL, 0x1010101fL, 0},	/* older library major version: NO */
++	{ 0x3010101fL, 0x4010101fL, 0},	/* newer library major version: NO */
+ };
+ 
+ void
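Review bot: this test patch depends on openssl-3-abi-compatibility.patch being applied first: rows such as `{ 0x3010101fL, 0x3010001fL, 1},	/* older library fix version: ok */` and the 3.x "newer library minor version: ok" row only hold once the >=3 branch exists, and removing the 0.9.8b rows mirrors the removal of the <1.0.0 branch there. The series hunk does order the two correctly, but since series files cannot carry comments, the dependency is worth a sentence in this patch's header.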
diff -Nru openssh-9.2p1/debian/patches/openssl-3-abi-compatibility.patch openssh-9.2p1/debian/patches/openssl-3-abi-compatibility.patch
--- openssh-9.2p1/debian/patches/openssl-3-abi-compatibility.patch	1970-01-01 01:00:00.000000000 +0100
+++ openssh-9.2p1/debian/patches/openssl-3-abi-compatibility.patch	2025-07-28 12:58:38.000000000 +0100
@@ -0,0 +1,60 @@
+From 45e9a6aeb8179ed7bf306785f042fef6137e866a Mon Sep 17 00:00:00 2001
+From: Darren Tucker <dtucker@dtucker.net>
+Date: Mon, 8 May 2023 20:12:59 +1000
+Subject: Handle OpenSSL >=3 ABI compatibility.
+
+Beyond OpenSSL 3.0, the ABI compatibility guarantees are wider (only
+major must match instead of major and minor in earlier versions).
+bz#3548, ok djm@
+
+Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=b7afd8a4ecaca8afd3179b55e9db79c0ff210237
+Bug-Debian: https://bugs.debian.org/1110030
+Last-Update: 2025-07-28
+
+Patch-Name: openssl-3-abi-compatibility.patch
+---
+ openbsd-compat/openssl-compat.c | 20 +++++++++++---------
+ 1 file changed, 11 insertions(+), 9 deletions(-)
+
+diff --git a/openbsd-compat/openssl-compat.c b/openbsd-compat/openssl-compat.c
+index a37ca61bf..6c65003f2 100644
+--- a/openbsd-compat/openssl-compat.c
++++ b/openbsd-compat/openssl-compat.c
+@@ -33,10 +33,10 @@
+ 
+ /*
+  * OpenSSL version numbers: MNNFFPPS: major minor fix patch status
+- * We match major, minor, fix and status (not patch) for <1.0.0.
+- * After that, we acceptable compatible fix versions (so we
+- * allow 1.0.1 to work with 1.0.0). Going backwards is only allowed
+- * within a patch series.
++ * Versions >=3 require only major versions to match.
++ * For versions <3, we accept compatible fix versions (so we allow 1.0.1
++ * to work with 1.0.0). Going backwards is only allowed within a patch series.
++ * See https://www.openssl.org/policies/releasestrat.html
+  */
+ 
+ int
+@@ -48,15 +48,17 @@ ssh_compatible_openssl(long headerver, long libver)
+ 	if (headerver == libver)
+ 		return 1;
+ 
+-	/* for versions < 1.0.0, major,minor,fix,status must match */
+-	if (headerver < 0x1000000f) {
+-		mask = 0xfffff00fL; /* major,minor,fix,status */
++	/*
++	 * For versions >= 3.0, only the major and status must match.
++	 */
++	if (headerver >= 0x3000000f) {
++		mask = 0xf000000fL; /* major,status */
+ 		return (headerver & mask) == (libver & mask);
+ 	}
+ 
+ 	/*
+-	 * For versions >= 1.0.0, major,minor,status must match and library
+-	 * fix version must be equal to or newer than the header.
++	 * For versions >= 1.0.0, but <3, major,minor,status must match and
++	 * library fix version must be equal to or newer than the header.
+ 	 */
+ 	mask = 0xfff0000fL; /* major,minor,status */
+ 	hfix = (headerver & 0x000ff000) >> 12;
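Review bot: dropping the `headerver < 0x1000000f` branch does not turn pre-1.0.0 headers into an error; they now fall through to the >= 1.0.0 rule (major, minor and status must match, library fix >= header fix) instead of the exact-fix match they had before. The report's [Changes] section notes this cannot affect any Debian release since wheezy, which is right, but the new comment block ("For versions <3, we accept compatible fix versions") silently includes <1.0.0 as well, so the patch description should say the <1.0.0 case is deliberately no longer special-cased.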
diff -Nru openssh-9.2p1/debian/patches/remove-spurious-ssh-agent-options.patch openssh-9.2p1/debian/patches/remove-spurious-ssh-agent-options.patch
--- openssh-9.2p1/debian/patches/remove-spurious-ssh-agent-options.patch	2025-05-08 11:54:24.000000000 +0100
+++ openssh-9.2p1/debian/patches/remove-spurious-ssh-agent-options.patch	2025-07-28 12:58:38.000000000 +0100
@@ -1,4 +1,4 @@
-From d6b66b9c06a5a8491c7e0887185a4651b31acae0 Mon Sep 17 00:00:00 2001
+From d6a6e02729e06e77a8068122ee88ec391789fd4c Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Tue, 7 Feb 2023 23:55:19 +0000
 Subject: Remove spurious ssh-agent options
diff -Nru openssh-9.2p1/debian/patches/restore-authorized_keys2.patch openssh-9.2p1/debian/patches/restore-authorized_keys2.patch
--- openssh-9.2p1/debian/patches/restore-authorized_keys2.patch	2025-05-08 11:54:24.000000000 +0100
+++ openssh-9.2p1/debian/patches/restore-authorized_keys2.patch	2025-07-28 12:58:38.000000000 +0100
@@ -1,4 +1,4 @@
-From 58c39c93aef24277b9125185d70d38f958fa054c Mon Sep 17 00:00:00 2001
+From 808fc9c9fe9af878a8d2ad8db47ea01292d2740d Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 5 Mar 2017 02:02:11 +0000
 Subject: Restore reading authorized_keys2 by default
diff -Nru openssh-9.2p1/debian/patches/revert-ipqos-defaults.patch openssh-9.2p1/debian/patches/revert-ipqos-defaults.patch
--- openssh-9.2p1/debian/patches/revert-ipqos-defaults.patch	2025-05-08 11:54:24.000000000 +0100
+++ openssh-9.2p1/debian/patches/revert-ipqos-defaults.patch	2025-07-28 12:58:38.000000000 +0100
@@ -1,4 +1,4 @@
-From 60b3b7a847fcf97259c137d3fc0c25ae5a49650d Mon Sep 17 00:00:00 2001
+From 8ec019ee41a379ba31344b0dc767b0aeb9c12fd5 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Mon, 8 Apr 2019 10:46:29 +0100
 Subject: Revert "upstream: Update default IPQoS in ssh(1), sshd(8) to DSCP
diff -Nru openssh-9.2p1/debian/patches/series openssh-9.2p1/debian/patches/series
--- openssh-9.2p1/debian/patches/series	2025-05-08 11:54:24.000000000 +0100
+++ openssh-9.2p1/debian/patches/series	2025-07-28 12:58:38.000000000 +0100
@@ -16,6 +16,8 @@
 ssh-argv0.patch
 doc-hash-tab-completion.patch
 ssh-agent-setgid.patch
+openssl-3-abi-compatibility.patch
+openssl-3-abi-compatibility-test.patch
 no-openssl-version-status.patch
 gnome-ssh-askpass2-icon.patch
 systemd-readiness.patch
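Review bot: placing the two new patches before no-openssl-version-status.patch is a hard ordering constraint, not a cosmetic choice: that patch's refreshed index line (6c65003f2..30e97c464) is against the tree as left by openssl-3-abi-compatibility.patch (a37ca61bf..6c65003f2), so moving it would break quilt application. Since series cannot carry comments, record the constraint in the no-openssl-version-status.patch header.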
diff -Nru openssh-9.2p1/debian/patches/sntrup761x25519-sha512.patch openssh-9.2p1/debian/patches/sntrup761x25519-sha512.patch
--- openssh-9.2p1/debian/patches/sntrup761x25519-sha512.patch	2025-05-08 11:54:24.000000000 +0100
+++ openssh-9.2p1/debian/patches/sntrup761x25519-sha512.patch	2025-07-28 12:58:38.000000000 +0100
@@ -1,4 +1,4 @@
-From 253c4c0047bd8258e21388cf8ad6fe3b1172c1da Mon Sep 17 00:00:00 2001
+From 28483d6bfa7171cb3569b9650191a4ea03d2c157 Mon Sep 17 00:00:00 2001
 From: "djm@openbsd.org" <djm@openbsd.org>
 Date: Thu, 22 Aug 2024 23:11:30 +0000
 Subject: upstream: sntrup761x25519-sha512 now has an IANA codepoint assigned,
diff -Nru openssh-9.2p1/debian/patches/systemd-readiness.patch openssh-9.2p1/debian/patches/systemd-readiness.patch
--- openssh-9.2p1/debian/patches/systemd-readiness.patch	2025-05-08 11:54:24.000000000 +0100
+++ openssh-9.2p1/debian/patches/systemd-readiness.patch	2025-07-28 12:58:38.000000000 +0100
@@ -1,4 +1,4 @@
-From 5322641c953083906543314f0f6e6865cd2c12c5 Mon Sep 17 00:00:00 2001
+From b12e301f5d94cdbc28598ba38709f44fe433b4bb Mon Sep 17 00:00:00 2001
 From: Michael Biebl <biebl@debian.org>
 Date: Mon, 21 Dec 2015 16:08:47 +0000
 Subject: Add systemd readiness notification support
diff -Nru openssh-9.2p1/debian/patches/systemd-socket-activation.patch openssh-9.2p1/debian/patches/systemd-socket-activation.patch
--- openssh-9.2p1/debian/patches/systemd-socket-activation.patch	2025-05-08 11:54:24.000000000 +0100
+++ openssh-9.2p1/debian/patches/systemd-socket-activation.patch	2025-07-28 12:58:38.000000000 +0100
@@ -1,4 +1,4 @@
-From 00457e91987f0212cf851f74e8cb266e01b7f347 Mon Sep 17 00:00:00 2001
+From 8b86adf81bb0f382117bc693efeab25378ff6187 Mon Sep 17 00:00:00 2001
 From: Steve Langasek <steve.langasek@ubuntu.com>
 Date: Thu, 1 Sep 2022 16:03:37 +0100
 Subject: Support systemd socket activation
diff --git a/openbsd-compat/openssl-compat.c b/openbsd-compat/openssl-compat.c
index c1749210d..30e97c464 100644
--- a/openbsd-compat/openssl-compat.c
+++ b/openbsd-compat/openssl-compat.c
@@ -33,10 +33,10 @@
 
 /*
  * OpenSSL version numbers: MNNFFPPS: major minor fix patch status
- * We match major, minor, fix and status (not patch) for <1.0.0.
- * After that, we accept compatible fix and status versions (so we
- * allow 1.0.1 to work with 1.0.0). Going backwards is only allowed
- * within a patch series.
+ * Versions >=3 require only major versions to match.
+ * For versions <3, we accept compatible fix versions (so we allow 1.0.1
+ * to work with 1.0.0). Going backwards is only allowed within a patch series.
+ * See https://www.openssl.org/policies/releasestrat.html
  */
 
 int
@@ -48,15 +48,17 @@ ssh_compatible_openssl(long headerver, long libver)
 	if (headerver == libver)
 		return 1;
 
-	/* for versions < 1.0.0, major,minor,fix,status must match */
-	if (headerver < 0x1000000f) {
-		mask = 0xfffff00fL; /* major,minor,fix,status */
+	/*
+	 * For versions >= 3.0, only the major must match.
+	 */
+	if (headerver >= 0x3000000f) {
+		mask = 0xf0000000L; /* major */
 		return (headerver & mask) == (libver & mask);
 	}
 
 	/*
-	 * For versions >= 1.0.0, major,minor must match and library
-	 * fix version must be equal to or newer than the header.
+	 * For versions >= 1.0.0, but <3, major,minor must match and
+	 * library fix version must be equal to or newer than the header.
 	 */
 	mask = 0xfff00000L; /* major,minor */
 	hfix = (headerver & 0x000ff000) >> 12;
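Review bot: the branch condition `headerver >= 0x3000000f` compares the full packed value including the status nibble, so a 3.x header with status 0 (a development build such as 0x30000000) falls through to the 1.x rule and would still reject a library from a newer 3.x minor series. Debian builds against release headers (status f), so the upgrade case is unaffected, but given that the Debian patch's purpose is to ignore status, comparing the masked major instead (`(headerver & 0xf0000000L) >= 0x30000000L`) would make the two consistent.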
diff --git a/openbsd-compat/regress/opensslvertest.c b/openbsd-compat/regress/opensslvertest.c
index aeccc107b..351df4374 100644
--- a/openbsd-compat/regress/opensslvertest.c
+++ b/openbsd-compat/regress/opensslvertest.c
@@ -26,15 +26,6 @@ struct version_test {
 	long libver;
 	int result;
 } version_tests[] = {
-	/* built with 0.9.8b release headers */
-	{ 0x0090802fL, 0x0090802fL, 1},	/* exact match */
-	{ 0x0090802fL, 0x0090804fL, 1},	/* newer library fix version: ok */
-	{ 0x0090802fL, 0x0090801fL, 1},	/* older library fix version: ok */
-	{ 0x0090802fL, 0x0090702fL, 0},	/* older library minor version: NO */
-	{ 0x0090802fL, 0x0090902fL, 0},	/* newer library minor version: NO */
-	{ 0x0090802fL, 0x0080802fL, 0},	/* older library major version: NO */
-	{ 0x0090802fL, 0x1000100fL, 0},	/* newer library major version: NO */
-
 	/* built with 1.0.1b release headers */
 	{ 0x1000101fL, 0x1000101fL, 1},/* exact match */
 	{ 0x1000101fL, 0x10001010L, 1}, /* different status: ok */
@@ -45,6 +36,27 @@ struct version_test {
 	{ 0x1000101fL, 0x1010101fL, 0},	/* newer library minor version: NO */
 	{ 0x1000101fL, 0x0000101fL, 0},	/* older library major version: NO */
 	{ 0x1000101fL, 0x2000101fL, 0},	/* newer library major version: NO */
+
+	/* built with 1.1.1b release headers */
+	{ 0x1010101fL, 0x1010101fL, 1},/* exact match */
+	{ 0x1010101fL, 0x1010102fL, 1},	/* newer library patch version: ok */
+	{ 0x1010101fL, 0x1010100fL, 1},	/* older library patch version: ok */
+	{ 0x1010101fL, 0x1010201fL, 1},	/* newer library fix version: ok */
+	{ 0x1010101fL, 0x1010001fL, 0},	/* older library fix version: NO */
+	{ 0x1010101fL, 0x1020001fL, 0},	/* newer library minor version: NO */
+	{ 0x1010101fL, 0x0010101fL, 0},	/* older library major version: NO */
+	{ 0x1010101fL, 0x2010101fL, 0},	/* newer library major version: NO */
+
+	/* built with 3.0.1 release headers */
+	{ 0x3010101fL, 0x3010101fL, 1},/* exact match */
+	{ 0x3010101fL, 0x30101010L, 1}, /* different status: ok */
+	{ 0x3010101fL, 0x3010102fL, 1},	/* newer library patch version: ok */
+	{ 0x3010101fL, 0x3010100fL, 1},	/* older library patch version: ok */
+	{ 0x3010101fL, 0x3010201fL, 1},	/* newer library fix version: ok */
+	{ 0x3010101fL, 0x3010001fL, 1},	/* older library fix version: ok */
+	{ 0x3010101fL, 0x3020001fL, 1},	/* newer library minor version: ok */
+	{ 0x3010101fL, 0x1010101fL, 0},	/* older library major version: NO */
+	{ 0x3010101fL, 0x4010101fL, 0},	/* newer library major version: NO */
 };
 
 void

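The compatibility rule described in [Reason] and [Changes], as an added example that is not part of this report or of the openssh package: both versions of the check re-typed in C and run over rows from the regress table and over a constructed bookworm-to-trixie version pair (the trixie OpenSSL version is assumed, since the report does not state it).

```c
/*
 * Added example, not code from the openssh package or this debdiff: the
 * version check re-typed as it stood in bookworm's 9.2p1-2+deb12u6
 * (ssh_compatible_openssl_old) and as it stands after this upload
 * (ssh_compatible_openssl_new), run over rows from the opensslvertest.c
 * table and over a constructed bookworm-to-trixie scenario.
 * OpenSSL version numbers are packed as MNNFFPPS (major minor fix patch status).
 */
#include <stdio.h>

/*
 * Rule before this upload: 9.2p1 plus Debian's status-ignoring patch.
 * Everything >= 1.0.0, including 3.x, needs major and minor to match,
 * so a library from a newer 3.x minor series is rejected.
 */
static int
ssh_compatible_openssl_old(long headerver, long libver)
{
	long mask, hfix, lfix;

	if (headerver == libver)
		return 1;
	if (headerver < 0x1000000f) {
		mask = 0xfffff00fL; /* major,minor,fix,status */
		return (headerver & mask) == (libver & mask);
	}
	mask = 0xfff00000L; /* major,minor */
	hfix = (headerver & 0x000ff000) >> 12;
	lfix = (libver & 0x000ff000) >> 12;
	return (headerver & mask) == (libver & mask) && lfix >= hfix;
}

/*
 * Rule after this upload: upstream's OpenSSL >= 3 branch (major only),
 * with Debian's refreshed patch dropping the status nibble there too.
 */
static int
ssh_compatible_openssl_new(long headerver, long libver)
{
	long mask, hfix, lfix;

	if (headerver == libver)
		return 1;
	if (headerver >= 0x3000000f) {
		mask = 0xf0000000L; /* major */
		return (headerver & mask) == (libver & mask);
	}
	mask = 0xfff00000L; /* major,minor */
	hfix = (headerver & 0x000ff000) >> 12;
	lfix = (libver & 0x000ff000) >> 12;
	return (headerver & mask) == (libver & mask) && lfix >= hfix;
}

struct version_test { long headerver; long libver; int result; };

/* Rows copied from the opensslvertest.c table as changed by this upload. */
static const struct version_test version_tests[] = {
	/* built with 1.1.1b release headers */
	{ 0x1010101fL, 0x1010201fL, 1 }, /* newer library fix version: ok */
	{ 0x1010101fL, 0x1010001fL, 0 }, /* older library fix version: NO */
	{ 0x1010101fL, 0x1020001fL, 0 }, /* newer library minor version: NO */
	/* built with 3.0.1 release headers */
	{ 0x3010101fL, 0x30101010L, 1 }, /* different status: ok */
	{ 0x3010101fL, 0x3010001fL, 1 }, /* older library fix version: ok */
	{ 0x3010101fL, 0x3020001fL, 1 }, /* newer library minor version: ok */
	{ 0x3010101fL, 0x4010101fL, 0 }, /* newer library major version: NO */
};

/* Count the table rows on which a rule disagrees with the expected result. */
static int
count_regress_failures(int (*compatible)(long, long))
{
	size_t i, n = sizeof(version_tests) / sizeof(version_tests[0]);
	int failures = 0;

	for (i = 0; i < n; i++)
		if (compatible(version_tests[i].headerver,
		    version_tests[i].libver) != version_tests[i].result)
			failures++;
	return failures;
}

/*
 * Constructed upgrade scenario (assumed values, not from the report): sshd
 * built against bookworm's 3.0.x headers, loading a trixie libcrypto from
 * a newer 3.x minor series. A rule returning 1 here lets sshd seed its RNG.
 */
#define BOOKWORM_HEADERVER 0x3000000fL /* 3.0.0 release */
#define TRIXIE_LIBVER      0x3050000fL /* 3.5.0 release, assumed */

int
main(void)
{
	printf("headers %#lx vs library %#lx: old=%d new=%d\n",
	    (unsigned long)BOOKWORM_HEADERVER, (unsigned long)TRIXIE_LIBVER,
	    ssh_compatible_openssl_old(BOOKWORM_HEADERVER, TRIXIE_LIBVER),
	    ssh_compatible_openssl_new(BOOKWORM_HEADERVER, TRIXIE_LIBVER));
	printf("regress rows failed: old=%d new=%d\n",
	    count_regress_failures(ssh_compatible_openssl_old),
	    count_regress_failures(ssh_compatible_openssl_new));
	return 0;
}
```

With the old rule the scenario pair is rejected and two of the 3.x regress rows fail; with the new rule the pair is accepted and every row passes.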