Bug#843064: [Pkg-openssl-devel] Bug#843064: Bug#843064: openssl: incompatibility for enc command between openssl 1.1.0b-2 and previous 1.0.x versions
On 2016-11-07 13:25:55PM +0100, Sebastian Andrzej Siewior wrote:
> On 2016-11-03 22:15:50 [+0100], Marek Lukaszuk wrote:
> > Thanks, it works, I feel like an idiot for not finding this.
> it wasn't documented. how should you find it? I just figured it out
> myself.

True, but in retrospect it is obvious that checking for changes in the defaults would be the best place to start, I was a bit lazy/busy that day ;).

> > > Let me see what upstream says…
> >
> > It is a bit of a surprise, normally I would argue for a bit more clear error
> > message but in this case I'm not sure if that would be ok.
>
> I will try to add something to the error message (more than just
> "decompression failed") and maybe something to the news file. Will check
> with Kurt. The c release is around the corner…

I'm following the conversation on openssl-dev mailing list. I've checked the package changelog using "aptitude changelog openssl" before opening the ticket, so maybe putting it somewhere there would be a good thing, but probably news file and man page would also help a lot.

Marek
Bug#843064: [Pkg-openssl-devel] Bug#843064: openssl: incompatibility for enc command between openssl 1.1.0b-2 and previous 1.0.x versions
On 2016-11-03 21:12:10PM +0100, Sebastian Andrzej Siewior wrote:
> On 2016-11-03 15:59:25 [+0100], Marek Lukaszuk wrote:
> > passphrase I'm getting below error:
> >
> > > cat file_encrypted.dat | openssl enc -d -aes-256-cbc
> > enter aes-256-cbc decryption password:
> > bad decrypt
> > 139814539760704:error:06065064:digital envelope
> > routines:EVP_DecryptFinal_ex:bad decrypt:crypto/evp/evp_enc.c:529:
>
> bah. They changed the default digest from md5 to sha256 to create the
> key. If you add '-md md5' to your 1.1. openssl then it will work. The
> other way around you need '-md sha256' to keep 1.0 happy.

Thanks, it works, I feel like an idiot for not finding this.

> Let me see what upstream says…

It is a bit of a surprise, normally I would argue for a bit more clear error message but in this case I'm not sure if that would be ok.

Either way, thank you for a very quick answer.

Marek
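
Added example (not part of the original thread, and not OpenSSL's own code): a Python sketch of the passphrase-to-key step that "openssl enc" performs, showing why the same passphrase and salt give a different AES key and IV under "-md md5" than under "-md sha256", so the final padding check fails with "bad decrypt". The sample blob and passphrase are constructed, and the function names are hypothetical.

```python
import hashlib

MAGIC = b"Salted__"  # 8-byte marker `openssl enc` writes before the salt


def parse_salt(blob):
    """Return the 8-byte salt from the start of an `openssl enc` output."""
    if len(blob) < 16 or blob[:8] != MAGIC:
        raise ValueError("no 'Salted__' header: not a salted openssl enc file")
    return blob[8:16]


def evp_bytes_to_key(digest, password, salt, key_len=32, iv_len=16):
    """EVP_BytesToKey with one iteration: D_i = H(D_{i-1} || password || salt).

    Blocks are concatenated until key_len + iv_len bytes are available;
    the defaults are the sizes for aes-256-cbc.
    """
    material, block = b"", b""
    while len(material) < key_len + iv_len:
        block = hashlib.new(digest, block + password + salt).digest()
        material += block
    return material[:key_len], material[key_len:key_len + iv_len]


def derive_for_defaults(blob, password):
    """Key/IV under the 1.0.x default (md5) and the 1.1.0 default (sha256)."""
    salt = parse_salt(blob)
    return {d: evp_bytes_to_key(d, password, salt) for d in ("md5", "sha256")}


# Constructed sample: header + salt + one dummy ciphertext block (not real data).
SAMPLE = MAGIC + bytes.fromhex("0102030405060708") + b"\x00" * 16
SAMPLE_PASSWORD = b"example passphrase"  # constructed

if __name__ == "__main__":
    for name, (key, iv) in derive_for_defaults(SAMPLE, SAMPLE_PASSWORD).items():
        print(f"-md {name:<6} key={key.hex()} iv={iv.hex()}")
```

The file itself does not record which digest was used, so the digest has to be passed explicitly with "-md" whenever the encrypting and decrypting versions have different defaults.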
Bug#843064: openssl: incompatibility for enc command between openssl 1.1.0b-2 and previous 1.0.x versions
Package: openssl
Version: 1.1.0b-2
Severity: important

Dear Maintainer,

   * What led up to the situation?

Upgrading from openssl:amd64 1.0.2j-1 to 1.1.0b-2

   * What exactly did you do (or not do) that was effective (or ineffective)?

I have a few files encrypted using this logic:

cat "somedata" | openssl enc -aes-256-cbc > file_encrypted.dat

I'm accessing them using the command:

cat file_encrypted.dat | openssl enc -d -aes-256-cbc

After upgrading to openssl 1.1.0b-2, when I try to decrypt a file encrypted with a previous version of openssl, even if I provide a correct passphrase I'm getting below error:

> cat file_encrypted.dat | openssl enc -d -aes-256-cbc
enter aes-256-cbc decryption password:
bad decrypt
139814539760704:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:crypto/evp/evp_enc.c:529:

I've verified that the file is not corrupted, the sha256 digest matches with a backup copy that I have. If I downgrade openssl to openssl_1.0.2j-1 I can again decrypt the same file.

The interesting thing is that if I create an encrypted file using the same method and openssl 1.1.0b-2 I can decrypt it using 1.1.0b-2 without any problems, but I can not decrypt it using older openssl version. The older version being:

> openssl version
OpenSSL 1.0.2g  1 Mar 2016

The error on the older version when decrypting file encrypted with 1.1.0b-2:

> cat a.dat | openssl enc -d -aes-256-cbc
enter aes-256-cbc decryption password:
bad decrypt
140055000397464:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:529:

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (600, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.7.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages openssl depends on:
ii  libc6      2.24-5
ii  libssl1.1  1.1.0b-2

openssl recommends no packages.

Versions of packages openssl suggests:
ii  ca-certificates  20160104

-- no debconf information
Bug#764799: update to the bug
After some analysis the issues turned out to be related to missing ed25519 host key. Once it was created the sshd had no issues with running. My custom sshd_config has only specific HostKeys defined and for some reason not having there ed25519 causes this crash.

Running:

ssh-keygen -A

and adding to /etc/ssh/sshd_config line:

HostKey /etc/ssh/ssh_host_ed25519_key

solved this.

--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#764799: openssh-server: sshd segfaults after connecting from remote client
Package: openssh-server
Version: 1:6.7p1-2
Severity: important

Dear Maintainer,

The issue started after upgrading to the 6.7p1-2 openssh-server package. I was connecting from different clients (openssh, putty) from different machines and each connection resulted in this error in the /var/log/syslog :

kernel: [86408.871163] sshd[51390]: segfault at fff8 ip 7f358d713414 sp 7fff82af5f48 error 4 in libc-2.19.so[7f358d697000+19f000]

client session output:

ssh -vv localhost
OpenSSH_6.7p1 Debian-2, OpenSSL 1.0.1i 6 Aug 2014
debug1: Reading configuration data /home/USER1/.ssh/config
debug1: /home/USER1/.ssh/config line 12: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: auto-mux: Trying existing master
debug1: Control socket /home/USER1/.ssh/sockets/USER1@localhost:22 does not exist
debug2: ssh_connect: needpriv 0
debug1: Connecting to localhost [127.0.0.1] port 22.
debug2: fd 3 setting O_NONBLOCK
debug1: fd 3 clearing O_NONBLOCK
debug1: Connection established.
debug1: identity file /home/USER1/.ssh/id_rsa type 1
debug1: key_load_public: No such file or directory
debug1: identity file /home/USER1/.ssh/id_rsa-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.7p1 Debian-2
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.7p1
debug1: match: OpenSSH_6.7p1 pat OpenSSH* compat 0x0400
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: curve25519-sha...@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ecdsa-sha2-nistp256-cert-...@openssh.com,ecdsa-sha2-nistp384-cert-...@openssh.com,ecdsa-sha2-nistp521-cert-...@openssh.com,ssh-ed25519-cert-...@openssh.com,ssh-rsa-cert-...@openssh.com,ssh-dss-cert-...@openssh.com,ssh-rsa-cert-...@openssh.com,ssh-dss-cert-...@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes256-ctr,blowfish-cbc,3des-cbc
debug2: kex_parse_kexinit: aes256-ctr,blowfish-cbc,3des-cbc
debug2: kex_parse_kexinit: hmac-ripemd160,hmac-sha1,hmac-md5
debug2: kex_parse_kexinit: hmac-ripemd160,hmac-sha1,hmac-md5
debug2: kex_parse_kexinit: z...@openssh.com,zlib,none
debug2: kex_parse_kexinit: z...@openssh.com,zlib,none
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: curve25519-sha...@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha256
debug2: kex_parse_kexinit: ecdsa-sha2-nistp521,ssh-rsa
debug2: kex_parse_kexinit: chacha20-poly1...@openssh.com,aes256-...@openssh.com,aes128-...@openssh.com,aes256-ctr,aes128-ctr
debug2: kex_parse_kexinit: chacha20-poly1...@openssh.com,aes256-...@openssh.com,aes128-...@openssh.com,aes256-ctr,aes128-ctr
debug2: kex_parse_kexinit: umac-128-...@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,hmac-sha1
debug2: kex_parse_kexinit: umac-128-...@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,hmac-sha1
debug2: kex_parse_kexinit: none,z...@openssh.com
debug2: kex_parse_kexinit: none,z...@openssh.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: setup hmac-ripemd160
debug1: kex: server-client aes256-ctr hmac-ripemd160 z...@openssh.com
debug2: mac_setup: setup hmac-ripemd160
debug1: kex: client-server aes256-ctr hmac-ripemd160 z...@openssh.com
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting
Bug#626479: Additional information
On Thu, May 12, 2011 at 13:20, Eccles, David david.ecc...@mpi-muenster.mpg.de wrote:

Some more information... running amd64 Debian unstable, linux image: linux-image-2.6.38-2-amd64_2.6.38-5_amd64.deb

I'm using lvm, which has required me to forbid udev version 168-1 (it wasn't able to run udev at computer boot, which made X unusable due to a lack of mouse/keyboard control). I notice that this update changed udev to 168-2.

Details of lvm setup follow :

root@ubuntu:/target# lvm pvscan
  PV /dev/sdb1 VG spin0_thaliana lvm2 [931.51 GiB / 0 free]
  PV /dev/sda1 VG ssd_thaliana lvm2 [167.68 GiB / 0 free]
  Total: 2 [1.07 TiB] / in use: 2 [1.07 TiB] / in no VG: 0 [0 ]
root@ubuntu:/target# lvm lvscan
  ACTIVE '/dev/spin0_thaliana/home' [931.51 GiB] inherit
  ACTIVE '/dev/ssd_thaliana/boot' [188.00 MiB] inherit
  ACTIVE '/dev/ssd_thaliana/swap' [18.62 GiB] inherit
  ACTIVE '/dev/ssd_thaliana/root' [148.87 GiB] inherit

The problem is due to latest libc upgrade 2.13-3 it removed the link /lib64 -> /lib once added my system started working.

Related bugs:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=626447
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=626449
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=626450

Hope this helps,
Marek