Hi Colin,

On Sun, Oct 06, 2019 at 09:32:26PM +0200, Salvatore Bonaccorso wrote:
> Hi Colin,
>
> On Sun, Oct 06, 2019 at 08:03:19PM +0100, Colin Watson wrote:
> > On Sun, Oct 06, 2019 at 04:22:23PM +0200, Salvatore Bonaccorso wrote:
> > > On Sat, Oct 05, 2019 at 10:39:29PM +0100, Colin Watson wrote:
> > > > https://bugs.debian.org/941663 reports an OpenSSH regression on old
> > > > kernels prompted by the interaction between an OpenSSL update and a
> > > > seccomp filter; https://bugs.debian.org/941665 and
> > > > https://github.com/openssh/openssh-portable/pull/149 have more details.
> > > > The patch is an easy one to cherry-pick, and I've attached the resulting
> > > > diff. I'd like approval to upload it.
> > > >
> > > > I'm not sure where's best to upload this to. Although I've filed this
> > > > as a stable update request, there's an argument that perhaps it should
> > > > be issued through the same channels as the OpenSSL update
> > > > (stable-security and then copied to stable-proposed-updates, according
> > > > to https://tracker.debian.org/pkg/openssl), so I've CCed team@security.
> > > > Any advice?
> > >
> > > Okay let's be on the safe side and update openssh for this functional
> > > regression via buster-security.
> > >
> > > Can you adjust the changelog accordingly and upload to
> > > security-master? (Make sure to build with -sa, and to not include a
> > > _{arch}.buildinfo file in case you perform a source only upload).
> >
> > Done. I usually get something wrong in the mechanics of doing security
> > uploads, but maybe I got it right for once.
>
> Looks good so far!
>
> > I don't have a pre-3.19 system around to test this on, but I at least
> > made sure that an ordinary buster system (with 4.19) is fine.
>
> I was able to reproduce the issue in a buster LXC container running on
> a host with < 3.19 kernel (specifically reproduced with a jessie
> host). Will double check the fixed packages as well in that setup.

Your update was released with DSA 4539-2. So I think #941810 can now
be closed as there is no action needed to be taken for the next buster
point release.

Thanks for your work!

Regards,
Salvatore