Package: openssh-server
Version: 1:7.9p1-10+deb10u1
Severity: important


this just bit me on current stable (Buster) while updating from the
security repo:

The following packages will be upgraded:
   openssh-client (1:7.9p1-10 => 1:7.9p1-10+deb10u1)
   openssh-server (1:7.9p1-10 => 1:7.9p1-10+deb10u1)
   openssh-sftp-server (1:7.9p1-10 => 1:7.9p1-10+deb10u1)
3 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 1.178 kB of archives.
After this operation, 0 B of additional disk space will be used.
Do you want to continue? [Y/n]
Get:1 buster/updates/main amd64
openssh-sftp-server amd64 1:7.9p1-10+deb10u1 [44,6 kB]
Get:2 buster/updates/main amd64
openssh-server amd64 1:7.9p1-10+deb10u1 [352 kB]
Get:3 buster/updates/main amd64
openssh-client amd64 1:7.9p1-10+deb10u1 [782 kB]
Fetched 1.178 kB in 0s (4.945 kB/s)
Reading changelogs... Done
Preconfiguring packages ...
(Reading database ... 498927 files and directories currently installed.)
Preparing to unpack .../openssh-sftp-server_1%3a7.9p1-10+deb10u1_amd64.deb ...
Unpacking openssh-sftp-server (1:7.9p1-10+deb10u1) over (1:7.9p1-10) ...
Preparing to unpack .../openssh-server_1%3a7.9p1-10+deb10u1_amd64.deb ...
Unpacking openssh-server (1:7.9p1-10+deb10u1) over (1:7.9p1-10) ...
Preparing to unpack .../openssh-client_1%3a7.9p1-10+deb10u1_amd64.deb ...
Unpacking openssh-client (1:7.9p1-10+deb10u1) over (1:7.9p1-10) ...
Setting up openssh-client (1:7.9p1-10+deb10u1) ...
Setting up openssh-sftp-server (1:7.9p1-10+deb10u1) ...
Setting up openssh-server (1:7.9p1-10+deb10u1) ...
Replacing config file /etc/ssh/sshd_config with new version is a disabled or a static unit, not starting it.
Processing triggers for man-db (2.8.5-2) ...
Processing triggers for systemd (241-7~deb10u1) ...

The important line is the forth from the bottom.
Since I have changed the port of SSHD this makes it impossible to
open new connections afterwards. I can't believe that making computers
secure by essentially disconnecting their admins is the desired behavior
of this package (update). Arguably, changing the port back to its default
(as in my case) might even increase security risks. ;)
AFAIK there is no way to override the settings from the standard
config file (by files in a *.d directory as requested in other bug
reports). If there is no other (well-documented) workaround I strongly
consider this behavior a bug.

-- System Information:
Debian Release: 10.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable'), (91, 'testing'), (10, 
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-6-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages openssh-server depends on:
ii  adduser                3.118
ii  debconf [debconf-2.0]  1.5.71
ii  dpkg                   1.19.7
ii  libaudit1              1:2.8.4-3
ii  libc6                  2.28-10
ii  libcom-err2            1.44.5-1+deb10u2
ii  libgssapi-krb5-2       1.17-3
ii  libkrb5-3              1.17-3
ii  libpam-modules         1.3.1-5
ii  libpam-runtime         1.3.1-5
ii  libpam0g               1.3.1-5
ii  libselinux1            2.8-1+b1
ii  libssl1.1              1.1.1d-0+deb10u1
ii  libsystemd0            241-7~deb10u1
ii  libwrap0               7.6.q-28
ii  lsb-base               10.2019051400
ii  openssh-client         1:7.9p1-10+deb10u1
ii  openssh-sftp-server    1:7.9p1-10+deb10u1
ii  procps                 2:3.3.15-2
ii  ucf                    3.0038+nmu1
ii  zlib1g                 1:1.2.11.dfsg-1

Versions of packages openssh-server recommends:
ii  libpam-systemd [logind]  241-7~deb10u1
ii  ncurses-term             6.1+20181013-2+deb10u1
ii  xauth                    1:1.0.10-1

Versions of packages openssh-server suggests:
pn  molly-guard   <none>
pn  monkeysphere  <none>
pn  rssh          <none>
pn  ssh-askpass   <none>
pn  ufw           <none>

-- debconf information excluded

Reply via email to