Your message dated Fri, 28 Feb 2025 10:41:37 +0000
with message-id <z8gs4bdxx4kfn...@riva.ucam.org>
and subject line Re: Bug#1099091: openssh-server: openssh packages
1:9.2p1-2+deb12u5 in bookworm-security depend on unavailable libssl version
has caused the Debian Bug report #1099091,
regarding openssh-server: openssh packages 1:9.2p1-2+deb12u5 in
bookworm-security depend on unavailable libssl version
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
--
1099091: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1099091
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: openssh-server
Version: 1:9.2p1-2+deb12u5
Severity: important
Dear Maintainer,
The 1:9.2p1-2+deb12u5 version of openssh packages in bookworm-security and
bookworm-proposed-updates are uninstallable on bookworm, since they strictly
depend on a libssl version unavailable on bookworm. This poses a security
problem, since one is either stuck with the older version in bookworm
(containing bugs that were fixed in this release) or has to install/backport
libssl from trixie/sid.
A plain simple recompile, without source changes, on a "clean" bookworm system
that does not contain the trixie/sid version of openssl is sufficient to fix
dependencies (I did this on my systems).
Thanks in advance, best regards
Giacomo Mulas
-- System Information:
Debian Release: 12.9
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable-security'), (105,
'proposed-updates'), (104, 'stable'), (101, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 6.1.0-31-amd64 (SMP w/8 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE,
TAINT_UNSIGNED_MODULE
Locale: LANG=it_IT.UTF-8, LC_CTYPE=it_IT.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages openssh-server depends on:
ii adduser 3.134
ii cdebconf [debconf-2.0] 0.270
ii debconf [debconf-2.0] 1.5.82
ii init-system-helpers 1.65.2
ii libaudit1 1:3.0.9-1
ii libc6 2.36-9+deb12u7
ii libcom-err2 1.47.0-2
ii libcrypt1 1:4.4.33-2
ii libgssapi-krb5-2 1.20.1-2+deb12u2
ii libkrb5-3 1.20.1-2+deb12u2
ii libpam-modules 1.5.2-6+deb12u1
ii libpam-runtime 1.5.2-6+deb12u1
ii libpam0g 1.5.2-6+deb12u1
ii libselinux1 3.4-1+b6
ii libssl3 3.0.14-1~deb12u2
ii libsystemd0 252.33-1~deb12u1
ii libwrap0 7.6.q-32
ii lsb-base 11.6
ii openssh-client 1:9.2p1-2+deb12u5
ii openssh-sftp-server 1:9.2p1-2+deb12u5
ii procps 2:4.0.2-3
ii runit-helper 2.15.2
ii sysvinit-utils [lsb-base] 3.06-4
ii ucf 3.0043+nmu1+deb12u1
ii zlib1g 1:1.2.13.dfsg-1
Versions of packages openssh-server recommends:
ii libpam-systemd [logind] 252.33-1~deb12u1
ii ncurses-term 6.4-4
ii xauth 1:1.1.2-1
Versions of packages openssh-server suggests:
ii ksshaskpass [ssh-askpass] 4:5.27.5-2
ii kwalletcli [ssh-askpass] 3.03-1
ii molly-guard 0.7.2
pn monkeysphere <none>
ii ssh-askpass 1:1.2.4.1-16
ii ssh-askpass-fullscreen [ssh-askpass] 1.3-1
ii ssh-askpass-gnome [ssh-askpass] 1:9.2p1-2+deb12u5
pn ufw <none>
-- debconf information excluded
--- End Message ---
--- Begin Message ---
On Fri, Feb 28, 2025 at 10:33:56AM +0100, Chris Hofstaedtler wrote:
> On Fri, Feb 28, 2025 at 10:09:51AM +0100, Giacomo Mulas wrote:
>> Package: openssh-server
>> Version: 1:9.2p1-2+deb12u5
>> Severity: important
>> The 1:9.2p1-2+deb12u5 version of openssh packages in bookworm-security and
>> bookworm-proposed-updates are uninstallable on bookworm, since they strictly
>> depend on a libssl version unavailable on bookworm. This poses a security
>> problem, since one is either stuck with the older version in bookworm
>> (containing bugs that were fixed in this release) or has to install/backport
>> libssl from trixie/sid.
> This is the Depends from openssh-server in
> bookworm-proposed-updates:
> Package: openssh-server
> Source: openssh
> Version: 1:9.2p1-2+deb12u5
> ...
> Depends: ..., libssl3 (>= 3.0.15), ...
> However this is fine, as bookworm already has libssl3
> 3.0.15-1~deb12u1. Note that it's really in bookworm, not in
> bookworm-security.
>> Versions of packages openssh-server depends on:
>> [..]
>> ii libssl3 3.0.14-1~deb12u2
> Your system seems to be missing out on packages that are _in_
> bookworm ("stable").
Yes. Giacomo, I suspect your system is misconfigured in the sort of way
I described in https://bugs.debian.org/1098272#10 (if not
unattended-upgrades, then something similar).
Note that the openssh packages in question were built on Debian's
autobuilders in their standard configuration. I didn't build them
locally, and they certainly were not built on trixie/sid.
--
Colin Watson (he/him) [cjwat...@debian.org]
--- End Message ---