Control: tags -1 confirmed d-i

Colin Watson:
> Package: release.debian.org
> Severity: normal
> User: release.debian....@packages.debian.org
> Usertags: unblock
>
> Please unblock openssh 1:7.9p1-10; as discussed recently on
> debian-devel, this reverts an upstream change in 7.8 that causes
> problems for certain iptables configurations as well as for VMware.
>
> unblock openssh/1:7.9p1-10
>

Hi, Ok and unblocked from a release team PoV, but it needs a d-i ack due to its udeb. CC'ing kibi for that part (and quoting the diff in full for him). Thanks, ~Niels > diff -Nru openssh-7.9p1/debian/.git-dpm openssh-7.9p1/debian/.git-dpm > --- openssh-7.9p1/debian/.git-dpm 2019-03-01 10:57:53.000000000 +0100 > +++ openssh-7.9p1/debian/.git-dpm 2019-04-08 11:51:26.000000000 +0200 > @@ -1,6 +1,6 @@ > # see git-dpm(1) from git-dpm package > -7a3fa37583d4abf128f7f4c6eb1e7ffc90115eab > -7a3fa37583d4abf128f7f4c6eb1e7ffc90115eab > +6b56cd57db9061296231f14d537f1ebaf25e8877 > +6b56cd57db9061296231f14d537f1ebaf25e8877 > 3d246f10429fc9a37b98eabef94fe8dc7c61002b > 3d246f10429fc9a37b98eabef94fe8dc7c61002b > openssh_7.9p1.orig.tar.gz > diff -Nru openssh-7.9p1/debian/README.Debian > openssh-7.9p1/debian/README.Debian > --- openssh-7.9p1/debian/README.Debian 2019-03-01 10:57:52.000000000 > +0100 > +++ openssh-7.9p1/debian/README.Debian 2019-04-08 11:56:59.000000000 > +0200 
> @@ -270,6 +270,26 @@ > > https://bugs.launchpad.net/bugs/1674330 > > +IPQoS defaults reverted to pre-7.8 values > +----------------------------------------- > + > +OpenSSH 7.8 changed the default IPQoS settings to use DSCP AF21 for > +interactive traffic and CS1 for bulk. This caused some problems with other > +software ("iptables -m tos" and VMware), so Debian's OpenSSH reverts this > +change for the time being. > + > +This is *temporary*, and we expect to come back into sync with upstream > +OpenSSH once those other issues have been fixed. If you want to restore the > +upstream default, add this to ssh_config and sshd_config: > + > + IPQoS af21 cs1 > + > +For further discussion, see: > + > + https://bugs.debian.org/923879 > + https://bugs.debian.org/926229 > + https://bugs.launchpad.net/1822370 > + > -- > Matthew Vernon <matt...@debian.org> > Colin Watson <cjwat...@debian.org> > diff -Nru openssh-7.9p1/debian/changelog openssh-7.9p1/debian/changelog > --- openssh-7.9p1/debian/changelog 2019-03-01 13:23:36.000000000 +0100 > +++ openssh-7.9p1/debian/changelog 2019-04-08 12:13:04.000000000 +0200 > @@ -1,3 +1,11 @@ > +openssh (1:7.9p1-10) unstable; urgency=medium > + > + * Temporarily revert IPQoS defaults to pre-7.8 values until issues with > + "iptables -m tos" and VMware have been fixed (closes: #923879, #926229; > + LP: #1822370). > + > + -- Colin Watson <cjwat...@debian.org> Mon, 08 Apr 2019 11:13:04 +0100 > + > openssh (1:7.9p1-9) unstable; urgency=medium > > * Apply upstream patch to make scp handle shell-style brace expansions > diff -Nru openssh-7.9p1/debian/patches/revert-ipqos-defaults.patch > openssh-7.9p1/debian/patches/revert-ipqos-defaults.patch > --- openssh-7.9p1/debian/patches/revert-ipqos-defaults.patch 1970-01-01 > 01:00:00.000000000 +0100 > +++ openssh-7.9p1/debian/patches/revert-ipqos-defaults.patch 2019-04-08 > 11:51:26.000000000 +0200 
> @@ -0,0 +1,93 @@ > +From 6b56cd57db9061296231f14d537f1ebaf25e8877 Mon Sep 17 00:00:00 2001 > +From: Colin Watson <cjwat...@debian.org> > +Date: Mon, 8 Apr 2019 10:46:29 +0100 > +Subject: Revert "upstream: Update default IPQoS in ssh(1), sshd(8) to DSCP > + AF21 for" > + > +This reverts commit 5ee8448ad7c306f05a9f56769f95336a8269f379. > + > +The IPQoS default changes have some unfortunate interactions with > +iptables (see https://bugs.debian.org/923880) and VMware, so I'm > +temporarily reverting them until those have been fixed. > + > +Bug-Debian: https://bugs.debian.org/923879 > +Bug-Debian: https://bugs.debian.org/926229 > +Bug-Ubuntu: https://bugs.launchpad.net/1822370 > +Last-Update: 2019-04-08 > + > +Patch-Name: revert-ipqos-defaults.patch > +--- > + readconf.c | 4 ++-- > + servconf.c | 4 ++-- > + ssh_config.5 | 6 ++---- > + sshd_config.5 | 6 ++---- > + 4 files changed, 8 insertions(+), 12 deletions(-) > + > +diff --git a/readconf.c b/readconf.c > +index 661b8bf40..6d046f063 100644 > +--- a/readconf.c > ++++ b/readconf.c > +@@ -2133,9 +2133,9 @@ fill_default_options(Options * options) > + if (options->visual_host_key == -1) > + options->visual_host_key = 0; > + if (options->ip_qos_interactive == -1) > +- options->ip_qos_interactive = IPTOS_DSCP_AF21; > ++ options->ip_qos_interactive = IPTOS_LOWDELAY; > + if (options->ip_qos_bulk == -1) > +- options->ip_qos_bulk = IPTOS_DSCP_CS1; > ++ options->ip_qos_bulk = IPTOS_THROUGHPUT; > + if (options->request_tty == -1) > + options->request_tty = REQUEST_TTY_AUTO; > + if (options->proxy_use_fdpass == -1) > +diff --git a/servconf.c b/servconf.c > +index c5dd617ef..bf2669147 100644 > +--- a/servconf.c > ++++ b/servconf.c > +@@ -403,9 +403,9 @@ fill_default_server_options(ServerOptions *options) > + if (options->permit_tun == -1) > + options->permit_tun = SSH_TUNMODE_NO; > + if (options->ip_qos_interactive == -1) > +- options->ip_qos_interactive = IPTOS_DSCP_AF21; > ++ options->ip_qos_interactive = IPTOS_LOWDELAY; > + if 
(options->ip_qos_bulk == -1) > +- options->ip_qos_bulk = IPTOS_DSCP_CS1; > ++ options->ip_qos_bulk = IPTOS_THROUGHPUT; > + if (options->version_addendum == NULL) > + options->version_addendum = xstrdup(""); > + if (options->fwd_opts.streamlocal_bind_mask == (mode_t)-1) > +diff --git a/ssh_config.5 b/ssh_config.5 > +index 1a8e24bd1..f6c1b3b33 100644 > +--- a/ssh_config.5 > ++++ b/ssh_config.5 > +@@ -1055,11 +1055,9 @@ If one argument is specified, it is used as the > packet class unconditionally. > + If two values are specified, the first is automatically selected for > + interactive sessions and the second for non-interactive sessions. > + The default is > +-.Cm af21 > +-(Low-Latency Data) > ++.Cm lowdelay > + for interactive sessions and > +-.Cm cs1 > +-(Lower Effort) > ++.Cm throughput > + for non-interactive sessions. > + .It Cm KbdInteractiveAuthentication > + Specifies whether to use keyboard-interactive authentication. > +diff --git a/sshd_config.5 b/sshd_config.5 > +index ba50a30f1..03f813e72 100644 > +--- a/sshd_config.5 > ++++ b/sshd_config.5 > +@@ -866,11 +866,9 @@ If one argument is specified, it is used as the packet > class unconditionally. > + If two values are specified, the first is automatically selected for > + interactive sessions and the second for non-interactive sessions. > + The default is > +-.Cm af21 > +-(Low-Latency Data) > ++.Cm lowdelay > + for interactive sessions and > +-.Cm cs1 > +-(Lower Effort) > ++.Cm throughput > + for non-interactive sessions. > + .It Cm KbdInteractiveAuthentication > + Specifies whether to allow keyboard-interactive authentication. > diff -Nru openssh-7.9p1/debian/patches/series > openssh-7.9p1/debian/patches/series > --- openssh-7.9p1/debian/patches/series 2019-03-01 10:57:53.000000000 > +0100 > +++ openssh-7.9p1/debian/patches/series 2019-04-08 11:51:26.000000000 > +0200 
> @@ -31,3 +31,4 @@ > fix-key-type-check.patch > request-rsa-sha2-cert-signatures.patch > scp-handle-braces.patch > +revert-ipqos-defaults.patch > > Thanks, >
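
Review bot: In the debian/README.Debian hunk, the new section says the defaults are "reverted to pre-7.8 values" but never names them; the ssh_config.5 and sshd_config.5 hunks show they are lowdelay for interactive sessions and throughput for non-interactive sessions. Suggest stating both keywords in the README next to the "IPQoS af21 cs1" line, so an administrator whose firewall or QoS rules match on the TOS/DSCP field can tell what Debian's ssh and sshd mark packets with without reading the patch.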
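
Review bot: In the header of debian/patches/revert-ipqos-defaults.patch, the description points to https://bugs.debian.org/923880 for the iptables interaction, while the Bug-Debian fields, the changelog entry and the README's "For further discussion" list cite only 923879 and 926229. If 923880 is the bug tracking the iptables side, its resolution is what decides when this revert can be dropped, so it should appear in the README list as well; if it is a typo for 923879, correct it in the description.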
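
Review bot: In the ssh_config.5 and sshd_config.5 hunks, the IPQoS paragraph now states lowdelay and throughput as the plain default with no hint that this differs from upstream, although the README hunk calls the revert temporary. A short sentence in each man page paragraph pointing to README.Debian would tell users comparing against upstream documentation why the default differs and that "IPQoS af21 cs1" restores it; the readconf.c and servconf.c hunks change the same two defaults in fill_default_options and fill_default_server_options and are consistent with the man page text.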