Bug#1110030: marked as done (bookworm's sshd fails with "OpenSSL version mismatch" during upgrade to trixie)

["Debian Bug Tracking System" <owner@bugs.debian.org>]

Your message dated Mon, 28 Jul 2025 21:17:08 +0000
with message-id <E1ugVDY-004JyT-2e@fasolo.debian.org>
and subject line Bug#1110030: fixed in openssh 1:9.2p1-2+deb12u7
has caused the Debian Bug report #1110030,
regarding bookworm's sshd fails with "OpenSSL version mismatch" during upgrade to trixie
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1110030: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1110030
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

• To: Debian Bug Tracking System <submit@bugs.debian.org>
• Subject: upgrade-reports: No new SSH connections possible during large part of upgrade to Debian Trixie
• From: Manfred Stock <m-debian@nfred.ch>
• Date: Tue, 22 Jul 2025 19:42:07 +0200
• Message-id: <175320612753.3210.8158902610327546715.reportbug@monitoring.int.nfred.ch>

Package: upgrade-reports
Severity: normal

My previous release is: Debian Bookworm/12
I am upgrading to: Debian Trixie/13
Archive date: From https://mirror.init7.net/debian/project/trace/ftp-master.debian.org:
  Tue Jul 22 14:36:00 UTC 2025
  Creator: dak g7a63da59
  Running on host: fasolo.debian.org
  Archive serial: 2025072203
  Date: Tue, 22 Jul 2025 14:36:00 +0000
  Architectures: all amd64 arm64 armel armhf hurd-i386 i386 ia64 kfreebsd-amd64 kfreebsd-i386 mips mips64el mipsel powerpc ppc64el riscv64 s390 s390x sparc source
Upgrade date: 2025-07-22, ~17:15 CEST
uname -a before upgrade: Not recorded
uname -a after upgrade: Linux monitoring 6.12.35+deb13-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.12.35-1 (2025-07-03) x86_64 GNU/Linux
Method: Roughly `apt update; apt dist-upgrade --autoremove --purge`, via SSH

Contents of /etc/apt/sources.list:
  deb https://mirror.init7.net/debian/ trixie main
  deb-src https://mirror.init7.net/debian/ trixie main
  deb https://mirror.init7.net/debian/ trixie-backports main
  deb-src https://mirror.init7.net/debian/ trixie-backports main
  deb https://mirror.init7.net/debian/ trixie-updates main
  deb-src https://mirror.init7.net/debian/ trixie-updates main

  deb https://security.debian.org/debian-security trixie-security main
  deb-src https://security.debian.org/debian-security trixie-security main

- Were there any non-Debian packages installed before the upgrade?  If
  so, what were they? => No, there should not have been any.

- Was the system pre-update a 'pure' system only containing packages
  from the previous release? If not, which packages were not from that
  release? => Yes, it should have been pure.

- Did any packages fail to upgrade? => No, there were no failures.

- Were there any problems with the system after upgrading? => No
  problems that I have noticed so far.


Further Comments/Problems: I've upgraded several Bookworm systems to
Trixie so far, which went pretty smooth. But there's one thing I keep
noticing, and which I observed a bit more closely while upgrading the
system I'm sending this report from: Starting at roughly the time when
dpkg says something like

  Unpacking openssh-server (1:10.0p1-5) over (1:9.2p1-2+deb12u6) ...  

I'm not able anymore to open new SSH connections to the system I'm
upgrading. The SSH daemon is still running, and the existing connections
also still work, but new connections fail with

  kex_exchange_identification: read: Connection reset by peer                    
  Connection reset by fd... port 22                 

on the client. At this time, I see messages like the following in the
output from `systemctl status openssh-server.service` (the SSH daemon is
still running, usually since the last reboot, or in this case since the
libc upgrade earlier during the upgrade process, so the daemon process
itself should still be running the binaries from Bookworm, even though
the new binaries have already been extracted):

  Jul 22 17:37:32 monitoring sshd[492742]: -R not supported here
 
The upgrade continues as usual. At some point, I get asked if I want to
install the new SSH configuration from the package or keep my modified
version (and it doesn't seem to matter what I answer to the question) -
but once dpkg restarts the SSH daemon afterwards, new connections are
possible again.

To me, it seems like the old binary, which is still running, is passing
an unsupported parameter to the new binary that was already unpacked
when trying to fork off a new process for the new connection (but I
haven't checked if that's how it actually works when a new connection is
opened, I'm just guessing). The "-R not supported here" string seems to
be 'new', i.e. I didn't find it in the openssh package source on
Bookworm, but it exists in the version from Trixie.

I can't preclude that I'm consistently doing something
wrong/unusual/strange during the upgrade or that my SSH daemon
configuration contains something weird (although I'm not aware of
anything special in there), so maybe this doesn't affect others. So far,
I haven't noticed any bug report against the openssh package, an entry
in the release notes for Trixie or the NEWS file for openssh which
mentions an issue like this one, but I'm sorry if I missed that.

Hope this helps, and many thanks for your efforts!
Manfred

--- End Message ---

--- Begin Message ---

• To: 1110030-close@bugs.debian.org
• Subject: Bug#1110030: fixed in openssh 1:9.2p1-2+deb12u7
• From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
• Date: Mon, 28 Jul 2025 21:17:08 +0000
• Message-id: <E1ugVDY-004JyT-2e@fasolo.debian.org>
• Reply-to: Colin Watson <cjwatson@debian.org>

Source: openssh
Source-Version: 1:9.2p1-2+deb12u7
Done: Colin Watson <cjwatson@debian.org>

We believe that the bug you reported is fixed in the latest version of
openssh, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1110030@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Colin Watson <cjwatson@debian.org> (supplier of updated openssh package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 28 Jul 2025 12:59:40 +0100
Source: openssh
Architecture: source
Version: 1:9.2p1-2+deb12u7
Distribution: bookworm
Urgency: medium
Maintainer: Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Closes: 1110030
Changes:
 openssh (1:9.2p1-2+deb12u7) bookworm; urgency=medium
 .
   * Handle OpenSSL >=3 ABI compatibility; this helps to avoid new ssh
     connections failing during upgrades to trixie (closes: #1110030).
Checksums-Sha1:
 3305e83199ec1648f79488580a4d318a13f1a1bf 3535 openssh_9.2p1-2+deb12u7.dsc
 49d55f9e69d9c4037fb44b043e2b83c350551b70 197308 openssh_9.2p1-2+deb12u7.debian.tar.xz
 3b59cab89b91b3afe1d905bd6ce22b8638228dbf 59035684 openssh_9.2p1-2+deb12u7.git.tar.xz
 130a42e8197ce0d4002f395609d22cc8c50406de 18086 openssh_9.2p1-2+deb12u7_source.buildinfo
Checksums-Sha256:
 08f5d94dbd2517a25432e8aa0d0eadc50b5459a8b35dcb88336e4cb555cb2da1 3535 openssh_9.2p1-2+deb12u7.dsc
 38fe612408e19713b7c971d9987d788eecf27bbb13a81a6edca4137fd38a9251 197308 openssh_9.2p1-2+deb12u7.debian.tar.xz
 143b4b0b76b4d1ca1119aab8e1817c5996958c3b44154468da09e7a585727f66 59035684 openssh_9.2p1-2+deb12u7.git.tar.xz
 2900abaea889214f2f06f0139af395601ab17d15be69220c1fb60124ccfbcbd9 18086 openssh_9.2p1-2+deb12u7_source.buildinfo
Files:
 9cf2b743d6c80b6bc1b8706aa2931c71 3535 net standard openssh_9.2p1-2+deb12u7.dsc
 3affcc62259635fca246ff45374fb2b5 197308 net standard openssh_9.2p1-2+deb12u7.debian.tar.xz
 4878e2e5d4c45704704ad81a915d4709 59035684 net standard openssh_9.2p1-2+deb12u7.git.tar.xz
 2d9da85cef4710e6d89b0468ec2b60a5 18086 net standard openssh_9.2p1-2+deb12u7_source.buildinfo
Git-Tag-Info: tag=bb2faba5900d0a5b0e82014efbe9c73049104623 fp=ac0a4ff12611b6fccf01c111393587d97d86500b
Git-Tag-Tagger: Colin Watson <cjwatson@debian.org>

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEN02M5NuW6cvUwJcqYG0ITkaDwHkFAmiHZ64ACgkQYG0ITkaD
wHlQyw/+JS9699yRdHeiwu2ywebeFjESUrhhVnFI2n0E667coyziv0aWe1MnzzvH
HYM1wFtiCJiB/T0WFqvIgoilSQGkqzcENZdkeR23ELcJdTUkrFQB1928v/PES86e
WeweT97L7E/BRaXhIfKJv1iQqWswUEgRzoNVb1hFGydx5AKgIRf7W/5ari25Qb+a
GhER9n+HUoRxFhjFq3K6PLu/4puohLZmmzXrmw1/MMcULjqvILoWHfB2iw37yn5z
VIvtOjkzG4IG97C9zYQ2OxZ2qGCkrEWbPfoSKXiCLv2WBQK/bedH7NMsVzcpvVUQ
ZXBzNAlZ/ewmlLbX6PXpIkVGsFOVYLVu9erN46/BegnGYcE+VNf8ISsxnCCER8EE
fnXHqGtZF/5ENrdEMKOc3Vhx0FgDUDdVKnMxW1gX2gUJGgqKmmdsiaj06a3ncT7l
nObYQztwYJGUCxcSvujCwex3P/2M15KLPjR6OuJJriE7Tv8b1O0icuSto5wxVPsa
DkJ92BC4r2Pj6G3nT+xa3aDZ5PegkFn/SNJDqIJ6CZYcfPV8sh8/LTTn7ZC3R8vG
EPnPsGS4k3p2uR3PNhH2sDEcvSz3WKISEe/JCIt1TeL8HYQF+LV79l/0ioESk3N9
FI2vgl1oHrlcISKHPiAklqqe5MHF82KY9hNm6cEQCBhj6vrruyg=
=dJlO
-----END PGP SIGNATURE-----

Attachment: pgpLzhhnQVze0.pgp
Description: PGP signature

--- End Message ---