Package: release.debian.org
Severity: normal
User: [email protected]
Usertags: pu

https://bugs.debian.org/749472 reports an upgrade problem from wheezy to
jessie caused by OpenSSH's overly-tight OpenSSL version check. I
incorrectly dropped the patch that removes this check shortly before
wheezy; I've since reintroduced it in jessie, but that isn't enough to
cope with the case where libssl1.0.0 is upgraded before openssh-server,
tries to restart sshd, and fails.

To fix this, I think the best thing to do is:

 * Restore the dropped patch to openssh in wheezy;
 * Make libssl1.0.0 in jessie declare Breaks on previous versions of
   openssh-server in wheezy.

The second part of this is out of my control, but hopefully the openssl
maintainer (CCed) will agree with me.  However, doing the first part
will at least reduce the incidence of these problems and I think clearly
does no harm.  I'd like approval to upload the following change, which
matches what's currently in jessie:

diff -Nru openssh-6.0p1/debian/changelog openssh-6.0p1/debian/changelog
--- openssh-6.0p1/debian/changelog      2014-04-03 00:05:21.000000000 +0100
+++ openssh-6.0p1/debian/changelog      2014-06-28 14:27:50.000000000 +0100
@@ -1,3 +1,9 @@
+openssh (1:6.0p1-4+deb7u2) stable; urgency=medium
+
+  * Restore patch to disable OpenSSL version check (closes: #749472).
+
+ -- Colin Watson <[email protected]>  Sat, 28 Jun 2014 14:27:46 +0100
+
 openssh (1:6.0p1-4+deb7u1) stable-security; urgency=high
 
   * CVE-2014-2532: Disallow invalid characters in environment variable names
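Review bot: the changelog entry closes the bug but does not say why the change is safe for a stable update; since the justification given in the cover text is that this exactly matches the patch already carried in jessie, adding that to the entry (e.g. "Restore patch to disable OpenSSL version check, as already in jessie (closes: #749472)") would make the stable-update rationale visible to anyone reading the changelog later. Versioning looks right: 1:6.0p1-4+deb7u2 sorts above the stable-security upload 1:6.0p1-4+deb7u1 and the distribution is stable, not stable-security.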
diff -Nru openssh-6.0p1/debian/patches/no-openssl-version-check.patch 
openssh-6.0p1/debian/patches/no-openssl-version-check.patch
--- openssh-6.0p1/debian/patches/no-openssl-version-check.patch 1970-01-01 
01:00:00.000000000 +0100
+++ openssh-6.0p1/debian/patches/no-openssl-version-check.patch 2014-06-28 
14:26:36.000000000 +0100
@@ -0,0 +1,34 @@
+Description: Disable OpenSSL version check
+ OpenSSL's SONAME is sufficient nowadays.
+Author: Philip Hands <[email protected]>
+Author: Colin Watson <[email protected]>
+Bug-Debian: http://bugs.debian.org/93581
+Bug-Debian: http://bugs.debian.org/664383
+Bug-Debian: http://bugs.debian.org/732940
+Bug-Debian: http://bugs.debian.org/749472
+Forwarded: not-needed
+Last-Update: 2014-06-28
+
+Index: b/entropy.c
+===================================================================
+--- a/entropy.c
++++ b/entropy.c
+@@ -209,18 +209,6 @@
+ #ifndef OPENSSL_PRNG_ONLY
+       unsigned char buf[RANDOM_SEED_SIZE];
+ #endif
+-      /*
+-       * OpenSSL version numbers: MNNFFPPS: major minor fix patch status
+-       * We match major, minor, fix and status (not patch) for <1.0.0.
+-       * After that, we acceptable compatible fix versions (so we
+-       * allow 1.0.1 to work with 1.0.0). Going backwards is only allowed
+-       * within a patch series.
+-       */
+-      u_long version_mask = SSLeay() >= 0x1000000f ?  ~0xffff0L : ~0xff0L;
+-      if (((SSLeay() ^ OPENSSL_VERSION_NUMBER) & version_mask) ||
+-          (SSLeay() >> 12) < (OPENSSL_VERSION_NUMBER >> 12))
+-              fatal("OpenSSL version mismatch. Built against %lx, you "
+-                  "have %lx", (u_long)OPENSSL_VERSION_NUMBER, SSLeay());
+ 
+ #ifndef OPENSSL_PRNG_ONLY
+       if (RAND_status() == 1) {
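Review bot: the patch deletes the whole runtime check rather than relaxing it to a SONAME-level comparison (major/minor only), so a libssl whose fix level, patch letter or status nibble differs from the build-time OPENSSL_VERSION_NUMBER is now accepted silently; the DEP-3 Description should spell out that this deliberately relies on Debian's libssl1.0.0 SONAME discipline for ABI compatibility, because the one-line "OpenSSL's SONAME is sufficient nowadays" is all that reviewers of later updates will see. The hunk itself is internally consistent: `@@ -209,18 +209,6 @@` removes twelve lines including the `u_long version_mask` declaration, leaving no unused variable, and the `#ifndef OPENSSL_PRNG_ONLY` guards around `buf` and `RAND_status()` are untouched.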
diff -Nru openssh-6.0p1/debian/patches/series 
openssh-6.0p1/debian/patches/series
--- openssh-6.0p1/debian/patches/series 2014-04-03 00:01:58.000000000 +0100
+++ openssh-6.0p1/debian/patches/series 2014-06-28 14:24:07.000000000 +0100
@@ -44,6 +44,7 @@
 sandbox-fallback.patch
 
 # Debian-specific configuration
+no-openssl-version-check.patch
 gnome-ssh-askpass2-icon.patch
 debian-config.patch
 CVE-2014-2532.patch
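Review bot: the new entry is placed under "# Debian-specific configuration" ahead of gnome-ssh-askpass2-icon.patch, which matches the ordering the cover text says is already in jessie; since quilt applies the series in order and the patch carries only three lines of context on each side of entropy.c line 209, a `dpkg-source -b` (or `quilt push -a`) on the wheezy source would confirm it applies at this position without fuzz before upload.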

Thanks,

-- 
Colin Watson                                       [[email protected]]
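To make concrete which library/binary combinations the removed check rejects, here is an added example that re-implements the comparison from the deleted entropy.c lines as a standalone function. This is illustrative code written for this note, not OpenSSH or Debian code; the version numbers in the table are constructed samples following OpenSSL's MNNFFPPS hex layout, not the specific wheezy/jessie builds behind #749472.

```c
#include <stdbool.h>
#include <stdio.h>

/*
 * Hypothetical re-implementation of the check that the patch above removes.
 *   built   = OPENSSL_VERSION_NUMBER the binary was compiled against
 *   runtime = SSLeay() reported by the shared library at run time
 * Layout of both values (hex nibbles): M NN FF PP S
 *   major, minor, fix, patch letter, status (0 = dev, f = release).
 * Returns true where the original code would call fatal().
 */
bool openssl_version_mismatch(unsigned long built, unsigned long runtime)
{
    /* From 1.0.0 on, FF and PP are masked out of the equality test;
     * before 1.0.0 only PP is masked out. M, NN and S must always match. */
    unsigned long version_mask =
        runtime >= 0x1000000fUL ? ~0xffff0UL : ~0xff0UL;

    if ((runtime ^ built) & version_mask)
        return true;            /* major, minor or status differs */

    /* Drop S and PP, then insist the library's fix level is not older. */
    if ((runtime >> 12) < (built >> 12))
        return true;            /* e.g. built 1.0.1, running 1.0.0 */

    return false;
}

/* Constructed sample pairs: what a libssl upgrade before openssh-server
 * restart might present to the old binary. */
struct sample {
    const char   *label;
    unsigned long built;
    unsigned long runtime;
};

static const struct sample samples[] = {
    { "1.0.1e -> 1.0.1e (same)",         0x1000105fUL, 0x1000105fUL },
    { "1.0.1e -> 1.0.1h (patch letter)", 0x1000105fUL, 0x1000108fUL },
    { "1.0.1e -> 1.0.2  (newer fix)",    0x1000105fUL, 0x1000200fUL },
    { "1.0.1e -> 1.0.0  (older fix)",    0x1000105fUL, 0x1000000fUL },
    { "1.0.1e -> 1.0.1g-dev (status)",   0x1000105fUL, 0x10001070UL },
    { "0.9.8r -> 0.9.8u (patch letter)", 0x0090812fUL, 0x0090815fUL },
    { "0.9.8r -> 1.0.1e (minor bump)",   0x0090812fUL, 0x1000105fUL },
};

int main(void)
{
    size_t n = sizeof samples / sizeof samples[0];
    for (size_t i = 0; i < n; i++) {
        bool bad = openssl_version_mismatch(samples[i].built,
                                            samples[i].runtime);
        printf("%-34s built %08lx runtime %08lx -> %s\n",
               samples[i].label, samples[i].built, samples[i].runtime,
               bad ? "FATAL (sshd would refuse to start)" : "ok");
    }
    return 0;
}
```

Run it and the table shows the failure mode the report describes: within the same SONAME, a library that is merely a different patch letter or a newer fix release passes, but an older fix level or a status-nibble difference (a release binary meeting a dev-tagged library, or vice versa) makes the old sshd refuse to start, which is exactly the window between libssl1.0.0 being unpacked and openssh-server being upgraded.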


Archive: https://lists.debian.org/[email protected]
