Your message dated Tue, 07 Oct 2025 21:22:59 +0000
with message-id <E1v6F99-008BtK-2l@fasolo.debian.org>
and subject line Bug#1111446: fixed in openssh 1:10.1p1-1
has caused the Debian Bug report #1111446,
regarding openssh: IPQoS changes upstream and debian revert-ipqos-defaults.patch since 2019 (#923879 and 923880)
to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.)

--
1111446: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1111446
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: openssh: IPQoS changes upstream and debian revert-ipqos-defaults.patch since 2019 (#923879 and 923880)
- From: Ludovic Pouzenc <bugreports@pouzenc.fr>
- Date: Mon, 18 Aug 2025 08:30:40 +0200
- Message-id: <175549864006.4092.13867296138032415036.reportbug@lud-5490>
Source: openssh
Version: all from 2019 to 2025
Severity: normal
X-Debbugs-Cc: bugreports@pouzenc.fr

Dear Maintainer,

I got here while doing a tcpdump capture on ssh IPv6 traffic and saw "invalid" values in the DSCP field (with respect to IANA-defined values) with a default sshd config on Debian 13. It seems identical in unstable.

I see a patch qualified as "temporary" in #923879 from 2019 that is still applied on Debian 13, named revert-ipqos-defaults.patch.

Mentioning that to friends, one of them pointed me to recent changes committed in openssh around this topic that, I think, will make the Debian revert patch inapplicable or introduce a change in behavior, pushing default system DSCP values (CS0, I believe) instead of the current non-DSCP-compliant values.

https://marc.info/?l=openbsd-cvs&m=175396095604983&w=2

This patch is still applied, saying that there was a bug in iptables -m tos in 2019. I never found a clue that it was reported or considered upstream. Debian bug #923880 is still open and seems to be in a dead state.

Could you reconsider revert-ipqos-defaults.patch for testing+unstable? As mentioned in one of the two BRs, Fedora has since 2019 chosen not to revert the IPQoS default values, and I am not aware of any problems with that nowadays.

Best regards,
Ludovic

-- System Information:
Debian Release: 12.11
  APT prefers oldstable-security
  APT policy: (500, 'oldstable-security'), (500, 'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-38-amd64 (SMP w/4 CPU threads; PREEMPT)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
--- End Message ---
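The observation in the report above, as an added example that is not part of the original thread or of OpenSSH: it extracts the DS field from a raw IPv4 or IPv6 header and checks the DSCP against the IANA-registered code points. It assumes the reverted defaults are the legacy ToS keywords lowdelay (0x10) and throughput (0x08); the sample headers and helper names are constructed for illustration.

```python
import struct

# IANA DSCP registry: class selectors, LE, VOICE-ADMIT, EF, plus AFxy = 8x + 2y.
DSCP_NAMES = {8 * n: f"CS{n}" for n in range(8)}
DSCP_NAMES.update({1: "LE", 44: "VOICE-ADMIT", 46: "EF"})
DSCP_NAMES.update({8 * x + 2 * y: f"AF{x}{y}" for x in range(1, 5) for y in range(1, 4)})


def ds_field(header: bytes) -> int:
    """Return the 8-bit DS field (IPv4 ToS byte / IPv6 Traffic Class)."""
    if len(header) < 2:
        raise ValueError("header too short")
    version = header[0] >> 4
    if version == 4:
        return header[1]
    if version == 6:
        # Traffic Class straddles the low nibble of byte 0 and high nibble of byte 1.
        return ((header[0] & 0x0F) << 4) | (header[1] >> 4)
    raise ValueError(f"not an IP header (version {version})")


def classify(header: bytes) -> dict:
    """Split the DS field into DSCP (upper 6 bits) and ECN (lower 2 bits)."""
    ds = ds_field(header)
    dscp, ecn = ds >> 2, ds & 0x3
    return {"ds": ds, "dscp": dscp, "ecn": ecn, "name": DSCP_NAMES.get(dscp)}


def ipv6_header_start(traffic_class: int) -> bytes:
    """Constructed sample: first 4 bytes of an IPv6 header with flow label 0."""
    return struct.pack("!I", (6 << 28) | (traffic_class << 20))


# Constructed samples; the two ToS values are the assumed reverted defaults.
SAMPLES = {
    "lowdelay 0x10 (assumed old interactive)": ipv6_header_start(0x10),
    "throughput 0x08 (assumed old bulk)": ipv6_header_start(0x08),
    "EF 0xb8 (10.1 interactive, per changelog)": ipv6_header_start(0xB8),
    "operating system default 0x00": ipv6_header_start(0x00),
    "AF21 0x48 over IPv4": bytes([0x45, 0x48]),
}

if __name__ == "__main__":
    for label, hdr in SAMPLES.items():
        r = classify(hdr)
        verdict = r["name"] or "not an IANA-registered DSCP"
        print(f"{label:44} dscp={r['dscp']:2} ecn={r['ecn']} {verdict}")
```

Read as DSCP, the legacy ToS bits land on code points 4 and 2, which have no registered name; this is the kind of value a capture filter keyed on named DSCP classes will not match.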
--- Begin Message ---
- To: 1111446-close@bugs.debian.org
- Subject: Bug#1111446: fixed in openssh 1:10.1p1-1
- From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
- Date: Tue, 07 Oct 2025 21:22:59 +0000
- Message-id: <E1v6F99-008BtK-2l@fasolo.debian.org>
- Reply-to: Colin Watson <cjwatson@debian.org>
Source: openssh
Source-Version: 1:10.1p1-1
Done: Colin Watson <cjwatson@debian.org>

We believe that the bug you reported is fixed in the latest version of openssh, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 1111446@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Colin Watson <cjwatson@debian.org> (supplier of updated openssh package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmaster@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 07 Oct 2025 22:07:19 +0100
Source: openssh
Architecture: source
Version: 1:10.1p1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Closes: 1095922 1111446 1117529 1117530
Changes:
 openssh (1:10.1p1-1) unstable; urgency=medium
 .
   [ Allison Karlitskaya ]
   * sshd@.service: Support ephemeral keys from VM/container hosts.
 .
   [ Colin Watson ]
   * New upstream release:
     - ssh(1): add a warning when the connection negotiates a non-post
       quantum key agreement algorithm.
     - ssh(1), sshd(8): major changes to handling of DSCP marking/IPQoS: by
       default, interactive traffic is assigned to the EF (Expedited
       Forwarding) class, while non-interactive traffic uses the operating
       system default DSCP marking.
     - ssh(1), sshd(8): deprecate support for IPv4 type-of-service (ToS)
       keywords in the IPQoS configuration directive.
     - ssh-add(1): when adding certificates to an agent, set the expiry to
       the certificate expiry time plus a short (5 min) grace period.
     - All: remove experimental support for XMSS keys.
     - ssh-agent(1), sshd(8): move agent listener sockets from /tmp to under
       ~/.ssh/agent for both ssh-agent(1) and forwarded sockets in sshd(8).
     - CVE-2025-61984: ssh(1): disallow control characters in usernames
       passed via the commandline or expanded using %-sequences from the
       configuration file (closes: #1117529),
     - CVE-2025-61985: ssh(1): disallow \0 characters in ssh:// URIs
       (closes: #1117530).
     - ssh(1), sshd(8): add SIGINFO handlers to log active channel and
       session information.
     - sshd(8): when refusing a certificate for user authentication, log
       enough information to identify the certificate in addition to the
       reason why it was being denied. Makes debugging certificate
       authorisation problems a bit easier.
     - ssh(1), ssh-agent(1): support ed25519 keys hosted on PKCS#11 tokens.
     - ssh(1): add an ssh_config(5) RefuseConnection option that, when
       encountered while processing an active section in a configuration,
       terminates ssh(1) with an error message that contains the argument to
       the option.
     - sshd(8): make the X11 display number check relative to
       X11DisplayOffset. This will allow people to use X11DisplayOffset to
       configure much higher port ranges if they really want, while not
       changing the default behaviour.
     - ssh(1): fix delay on X client startup when ObscureKeystrokeTiming is
       enabled.
     - sshd(8): increase the maximum size of the supported configuration
       from 256KB to 4MB, which ought to be enough for anybody. Fail early
       and visibly when this limit is breached.
     - sftp(1): during sftp uploads, avoid a condition where a failed write
       could be ignored if a subsequent write succeeded. This is unlikely
       but technically possible because sftp servers are allowed to reorder
       requests.
     - sshd(8): avoid a race condition when the sshd-auth process exits that
       could cause a spurious error message to be logged.
     - sshd(8): log at level INFO when PerSourcePenalties actually blocks
       access to a source address range. Previously this was logged at level
       VERBOSE, which hid enforcement actions under default config settings.
     - sshd(8): Make the MaxStartups and PerSourceNetBlockSize options
       first-match-wins as advertised.
     - ssh(1): fix an incorrect return value check in the local forward
       cancellation path that would cause failed cancellations not to be
       logged.
     - sshd(8): make "Match !final" not trigger a second parsing pass of
       ssh_config (unless hostname canonicalisation or a separate "Match
       final" does).
     - ssh(1): better debug diagnostics when loading keys. Will now list key
       fingerprint and algorithm (not just algorithm number) as well as
       making it explicit which keys didn't load.
     - All: fix a number of memory leaks found by LeakSanitizer, Coverity
       and manual inspection.
     - sshd(8): Output the current name for PermitRootLogin's
       "prohibit-password" in sshd -T instead of its deprecated alias
       "without-password" (closes: #1095922).
     - ssh(1): make writing known_hosts lines more atomic by writing the
       entire line in one operation and using unbuffered stdio.
     - sshd(8): check the username didn't change during the PAM
       transactions.
     - sshd(8): don't log audit messages with UNKNOWN hostname to avoid slow
       DNS lookups in the audit subsystem.
     - All: when making a copy of struct passwd, ensure struct fields are
       non-NULL.
     - sshd(8): handle futex_time64 properly in seccomp sandbox.
     - Add contrib/gnome-ssh-askpass4 for GNOME 40+ using the GCR API.
     - ssh-agent(1): exit 0 from SIGTERM under systemd socket-activation,
       preventing a graceful shutdown of an agent via systemd from
       incorrectly marking the service as "failed".
   * Drop patches:
     - no-openssl-version-status.patch: Mostly applied upstream; the rest
       only applied to OpenSSL < 3, which isn't relevant to current Debian
       releases.
     - revert-ipqos-defaults.patch: This new upstream release reworks IPQoS,
       so let's see how that works in Debian (closes: #1111446).
   * debian/run-tests: Fix path to dropbear.
--- End Message ---