Josh Triplett wrote:
> I upgraded OpenSSL and OpenSSH stopped working.  Since the SONAME didn't
> change, kinda by definition this seems like a bug in OpenSSL, not
> OpenSSH.

That "by definition" only holds if you assume all applications are perfect
software with no bugs whatsoever, and use libraries strictly according to
their formal API only (however badly that API is often defined in practice).
In reality it's quite common for perfectly ABI-compatible updates to break
other software (or perhaps that should be phrased "make the brokenness of
other software have visible effects").

In this case the breakage seems to be caused by an explicit version check in
OpenSSH. There's this code in entropy.c:

>          * OpenSSL version numbers: MNNFFPPS: major minor fix patch status
>          * We match major, minor, fix and status (not patch) for <1.0.0.
>          * After that, we acceptable compatible fix versions (so we
>          * allow 1.0.1 to work with 1.0.0). Going backwards is only allowed
>          * within a patch series.
>          */
>         u_long version_mask = SSLeay() >= 0x1000000f ? ~0xffff0L : ~0xff0L;
>         if (((SSLeay() ^ OPENSSL_VERSION_NUMBER) & version_mask) ||
>             (SSLeay() >> 12) < (OPENSSL_VERSION_NUMBER >> 12))
>                 fatal("OpenSSL version mismatch. Built against %lx, you "
>                     "have %lx", (u_long)OPENSSL_VERSION_NUMBER, SSLeay());

For some weird reason the last byte "status" is not masked out of the
comparison. This libssl update changed the version from "1.0.1e release" to
"1.0.1f beta0", and the release->beta0 (f to 0) change in last byte triggers
the check.

The OpenSSH Debian package has this changelog entry:

openssh (1:5.9p1-4) unstable; urgency=low

  * Disable OpenSSL version check again, as its SONAME is sufficient
    nowadays (closes: #664383).

but apparently it was either not really disabled or was enabled again for
some reason; I see no changelog entry for that.
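
The check quoted in the message can be run outside OpenSSH to see which version field trips it. This is an added example, not part of the original message and not OpenSSH's code: the hex values are constructed from the MNNFFPPS layout in the quoted comment and the versions named in the message, and `status_ignored_mismatch` is a hypothetical variant that also masks the status nibble.

```c
#include <stdio.h>

/* Constructed sample values in the MNNFFPPS layout (not read from a header). */
#define BUILT_1_0_1E_RELEASE   0x1000105fUL /* 1.0.1e, status f = release */
#define RUNTIME_1_0_1F_BETA0   0x10001060UL /* 1.0.1f, status 0, as described */
#define RUNTIME_1_0_1F_RELEASE 0x1000106fUL /* 1.0.1f, status f */
#define RUNTIME_1_0_0_RELEASE  0x1000000fUL /* older fix level */
#define RUNTIME_1_0_2_RELEASE  0x1000200fUL /* newer fix level */

/* Same test as the quoted entropy.c code, with both version numbers passed
 * in instead of coming from SSLeay() and OPENSSL_VERSION_NUMBER.
 * Returns 1 where the original would call fatal(). */
int quoted_check_mismatch(unsigned long runtime, unsigned long built)
{
    unsigned long mask = runtime >= 0x1000000fUL ? ~0xffff0UL : ~0xff0UL;
    return ((runtime ^ built) & mask) || (runtime >> 12) < (built >> 12);
}

/* Hypothetical variant: the status nibble is masked out as well. */
int status_ignored_mismatch(unsigned long runtime, unsigned long built)
{
    unsigned long mask = runtime >= 0x1000000fUL ? ~0xfffffUL : ~0xfffUL;
    return ((runtime ^ built) & mask) || (runtime >> 12) < (built >> 12);
}

int main(void)
{
    const unsigned long runtimes[] = {
        RUNTIME_1_0_1F_BETA0, RUNTIME_1_0_1F_RELEASE,
        RUNTIME_1_0_0_RELEASE, RUNTIME_1_0_2_RELEASE,
    };
    size_t i;

    /* 1 = the check would abort startup, 0 = the library is accepted. */
    for (i = 0; i < sizeof(runtimes) / sizeof(runtimes[0]); i++)
        printf("built %lx, runtime %lx: quoted=%d status-ignored=%d\n",
            BUILT_1_0_1E_RELEASE, runtimes[i],
            quoted_check_mismatch(runtimes[i], BUILT_1_0_1E_RELEASE),
            status_ignored_mismatch(runtimes[i], BUILT_1_0_1E_RELEASE));
    return 0;
}
```

Only the status nibble differs in the masked comparison for the first pair, so the quoted check rejects it while accepting the same patch level with status `f`.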