Bug#1007714: bullseye-pu: package openssh/1:8.4p1-5+deb11u1

2022-07-01 Thread Colin Watson
On Wed, Jun 29, 2022 at 10:27:01PM +0100, Adam D. Barratt wrote:
> On Fri, 2022-03-18 at 08:43 +0100, Cyril Brulebois wrote:
> > Adam D. Barratt  (2022-03-17):
> > > As openssh builds a udeb, I'm CCing KiBi and tagging the bug
> > > accordingly.
> > 
> > Making sure upgrades have a chance to work properly seems more
> > important
> > than any possible regressions at install time, for those deploying
> > over
> > SSH, so no objections at all.
> 
> Just a quick reminder on this, as the window for getting changes into
> 11.4 closes over the coming weekend.

Oops, sorry!  I've just uploaded this.

-- 
Colin Watson (he/him)  [cjwat...@debian.org]



Bug#1007714: bullseye-pu: package openssh/1:8.4p1-5+deb11u1

2022-06-29 Thread Adam D. Barratt
Hi Colin,

On Fri, 2022-03-18 at 08:43 +0100, Cyril Brulebois wrote:
> Adam D. Barratt  (2022-03-17):
> > As openssh builds a udeb, I'm CCing KiBi and tagging the bug
> > accordingly.
> 
> Making sure upgrades have a chance to work properly seems more
> important
> than any possible regressions at install time, for those deploying
> over
> SSH, so no objections at all.

Just a quick reminder on this, as the window for getting changes into
11.4 closes over the coming weekend.

Regards,

Adam



Bug#1007714: bullseye-pu: package openssh/1:8.4p1-5+deb11u1

2022-03-18 Thread Cyril Brulebois
Adam D. Barratt  (2022-03-17):
> As openssh builds a udeb, I'm CCing KiBi and tagging the bug
> accordingly.

Making sure upgrades have a chance to work properly seems more important
than any possible regressions at install time, for those deploying over
SSH, so no objections at all.


Cheers,
-- 
Cyril Brulebois (k...@debian.org)
D-I release manager -- Release team member -- Freelance Consultant




Bug#1007714: bullseye-pu: package openssh/1:8.4p1-5+deb11u1

2022-03-17 Thread Adam D. Barratt
Control: tags -1 + confirmed d-i

On Tue, 2022-03-15 at 15:20 +0000, Colin Watson wrote:
> OpenSSH in stable breaks on 32-bit architectures (at least armhf,
> reportedly also i386) after upgrading libc6 to the version in
> bookworm,
> due to changes in its system call interface that affect OpenSSH's
> seccomp sandbox.  See https://bugs.debian.org/1004427.
> 
> [ Impact ]
> Without this change, I'm concerned that sshd may be unavailable
> during
> part of an upgrade from bullseye to bookworm (or even make the
> machine
> inaccessible, if it's headless and the upgrade fails).  Getting the
> sandbox tweak into bullseye at this stage would reduce that risk.
> 

Please go ahead.

As openssh builds a udeb, I'm CCing KiBi and tagging the bug
accordingly.

Regards,

Adam



Bug#1007714: bullseye-pu: package openssh/1:8.4p1-5+deb11u1

2022-03-15 Thread Colin Watson
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu

(Please provide enough information to help the release team
to judge the request efficiently. E.g. by filling in the
sections below.)

[ Reason ]
OpenSSH in stable breaks on 32-bit architectures (at least armhf,
reportedly also i386) after upgrading libc6 to the version in bookworm,
due to changes in its system call interface that affect OpenSSH's
seccomp sandbox.  See https://bugs.debian.org/1004427.

[ Impact ]
Without this change, I'm concerned that sshd may be unavailable during
part of an upgrade from bullseye to bookworm (or even make the machine
inaccessible, if it's headless and the upgrade fails).  Getting the
sandbox tweak into bullseye at this stage would reduce that risk.

[ Tests ]
Existing autopkgtests are quite comprehensive and ensure that normal
connections to sshd continue to work.  They don't cover the case of
upgrading to bookworm's libc6 and restarting sshd; that would need to be
done manually.

[ Risks ]
I think the only real risk here is the usual residual misbuild risk from
any update, which autopkgtests would catch.  The actual code change just
adds another allow rule to a seccomp filter.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable (modulo
  finalizing the changelog)
  [x] the issue is verified as fixed in unstable (fixed upstream as of
  OpenSSH 8.5p1, which has been in unstable since November)

[ Changes ]
An extra SC_ALLOW(__NR_pselect6_time64) if that syscall is defined.

-- 
Colin Watson (he/him)  [cjwat...@debian.org]
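The [ Reason ] and [ Changes ] sections above describe the mechanism: sshd's pre-auth seccomp filter is an allow-list of syscall numbers ending in a kill rule, and a 32-bit glibc that switched to pselect6_time64 hits that kill rule. The C below is an added example, not OpenSSH's or Debian's code: it mirrors the SC_ALLOW allow-list shape from sandbox-seccomp-filter.c and evaluates it with a small user-space interpreter so the before/after difference is visible on any host. It assumes Linux UAPI headers; the number 413 for pselect6_time64 is a constructed stand-in used only where the host headers (64-bit) do not define __NR_pselect6_time64.

```c
/* Added example (not OpenSSH's or Debian's code): the pre-auth allow-list shape from
 * sandbox-seccomp-filter.c, evaluated in user space so the effect of the missing
 * pselect6_time64 rule shows on any host. Assumes Linux UAPI headers are present. */
#include <stddef.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/syscall.h>

/* Same form as OpenSSH's SC_ALLOW: on a match fall into RET ALLOW, else skip over it. */
#define SC_ALLOW(_nr) \
    BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, (_nr), 0, 1), \
    BPF_STMT(BPF_RET + BPF_K, SECCOMP_RET_ALLOW)
#define LOAD_NR BPF_STMT(BPF_LD + BPF_W + BPF_ABS, offsetof(struct seccomp_data, nr))
#define KILL    BPF_STMT(BPF_RET + BPF_K, SECCOMP_RET_KILL)
#ifdef __NR_pselect6_time64
#define NR_PSELECT6_TIME64 __NR_pselect6_time64 /* real value, 32-bit headers only */
#else
#define NR_PSELECT6_TIME64 413 /* constructed stand-in: the number every 32-bit Linux ABI uses */
#endif

/* 8.4p1 as shipped: pselect6 is allowed, its time64 twin falls through to KILL. */
static const struct sock_filter insns_before[] = {
    LOAD_NR, SC_ALLOW(__NR_read), SC_ALLOW(__NR_pselect6), KILL,
};
/* With the backport: exactly one more allow rule, nothing else changes. */
static const struct sock_filter insns_after[] = {
    LOAD_NR, SC_ALLOW(__NR_read), SC_ALLOW(__NR_pselect6), SC_ALLOW(NR_PSELECT6_TIME64), KILL,
};

/* Interpreter for the three opcodes these filters use (the real filter also checks
 * seccomp_data.arch first; that step is omitted here). Returns the seccomp verdict. */
static unsigned int filter_verdict(const struct sock_filter *prog, size_t len, int nr)
{
    unsigned int acc = 0;
    for (size_t pc = 0; pc < len; pc++) {
        const struct sock_filter *ins = &prog[pc];
        if (ins->code == (BPF_LD + BPF_W + BPF_ABS))
            acc = (unsigned int)nr;                    /* only the nr field is ever loaded */
        else if (ins->code == (BPF_JMP + BPF_JEQ + BPF_K))
            pc += (acc == ins->k) ? ins->jt : ins->jf; /* jt/jf are relative to the next insn */
        else if (ins->code == (BPF_RET + BPF_K))
            return ins->k;
        else
            return SECCOMP_RET_KILL;                   /* unknown opcode: fail closed */
    }
    return SECCOMP_RET_KILL;                           /* ran off the end: fail closed */
}
unsigned int verdict_before_fix(int nr) { return filter_verdict(insns_before, sizeof insns_before / sizeof *insns_before, nr); }
unsigned int verdict_after_fix(int nr)  { return filter_verdict(insns_after, sizeof insns_after / sizeof *insns_after, nr); }
```

On a real 32-bit bullseye host the same program is installed with prctl(PR_SET_SECCOMP) and the kernel, not this interpreter, delivers the KILL verdict that took sshd down in #1004427.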
diff -Nru openssh-8.4p1/debian/.git-dpm openssh-8.4p1/debian/.git-dpm
--- openssh-8.4p1/debian/.git-dpm   2021-03-13 09:59:40.0 +
+++ openssh-8.4p1/debian/.git-dpm   2022-02-25 16:09:00.0 +
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-421db3656dcafbe810226463bf27a18a0b1c3186
-421db3656dcafbe810226463bf27a18a0b1c3186
+ed99ef256258d8556dbe39d976c2528ede050f14
+ed99ef256258d8556dbe39d976c2528ede050f14
 2b2c99658e3e8ed452e28f88f9cdbcdfb2a461cb
 2b2c99658e3e8ed452e28f88f9cdbcdfb2a461cb
 openssh_8.4p1.orig.tar.gz
diff -Nru openssh-8.4p1/debian/changelog openssh-8.4p1/debian/changelog
--- openssh-8.4p1/debian/changelog  2021-03-13 09:59:40.0 +
+++ openssh-8.4p1/debian/changelog  2022-02-25 16:09:00.0 +
@@ -1,3 +1,11 @@
+openssh (1:8.4p1-5+deb11u1) UNRELEASED; urgency=medium
+
+  * Backport from upstream:
+- Add new pselect6_time64 syscall on 32-bit architectures (closes:
+  #1004427).
+
+ -- Colin Watson   Fri, 25 Feb 2022 16:09:00 +
+
 openssh (1:8.4p1-5) unstable; urgency=high
 
   * CVE-2021-28041: Fix double free in ssh-agent(1) (closes: #984940).
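Review bot: the distribution field in the new entry is still `UNRELEASED` (`+openssh (1:8.4p1-5+deb11u1) UNRELEASED; urgency=medium`); the stable upload needs `bullseye` there, which the checklist's "modulo finalizing the changelog" already flags as pending, so it is the one edit left before upload. The `closes: #1004427` reference matches the `Bug-Debian:` header in the new patch file, so the upload will close the right bug.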
diff -Nru openssh-8.4p1/debian/patches/sandbox-pselect6_time64.patch 
openssh-8.4p1/debian/patches/sandbox-pselect6_time64.patch
--- openssh-8.4p1/debian/patches/sandbox-pselect6_time64.patch  1970-01-01 
01:00:00.0 +0100
+++ openssh-8.4p1/debian/patches/sandbox-pselect6_time64.patch  2022-02-25 
16:09:00.0 +
@@ -0,0 +1,32 @@
+From ed99ef256258d8556dbe39d976c2528ede050f14 Mon Sep 17 00:00:00 2001
+From: Darren Tucker 
+Date: Fri, 20 Nov 2020 13:37:54 +1100
+Subject: Add new pselect6_time64 syscall on ARM.
+
+This is apparently needed on armhfp/armv7hl.  bz#3232, patch from
+jjelen at redhat.com.
+
+Origin: upstream, 
https://anongit.mindrot.org/openssh.git/commit/?id=0f90440ca70abab947acbd77795e9f130967956c
+Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=3232
+Bug-Debian: https://bugs.debian.org/1004427
+Last-Update: 2022-02-25
+
+Patch-Name: sandbox-pselect6_time64.patch
+---
+ sandbox-seccomp-filter.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
+index e0768c063..5065ae7ef 100644
+--- a/sandbox-seccomp-filter.c
 b/sandbox-seccomp-filter.c
+@@ -267,6 +267,9 @@ static const struct sock_filter preauth_insns[] = {
+ #ifdef __NR_pselect6
+   SC_ALLOW(__NR_pselect6),
+ #endif
++#ifdef __NR_pselect6_time64
++  SC_ALLOW(__NR_pselect6_time64),
++#endif
+ #ifdef __NR_read
+   SC_ALLOW(__NR_read),
+ #endif
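Review bot: in the hunk against sandbox-seccomp-filter.c the new rule copies the form of the `__NR_pselect6` entry directly above it (`SC_ALLOW(__NR_pselect6_time64)` inside `#ifdef __NR_pselect6_time64`), so it compiles to nothing on builds whose headers lack the time64 number and widens the pre-auth filter by exactly one syscall elsewhere, which keeps the change as narrow as the [ Changes ] section claims. One thing to confirm before upload: as rendered here the embedded `+++ b/sandbox-seccomp-filter.c` header appears as ` b/sandbox-seccomp-filter.c`, which looks like the archive dropping leading `+` characters rather than a defect in the file, but a `dpkg-source -x` of the built source package would show whether the patch applies cleanly.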
diff -Nru openssh-8.4p1/debian/patches/series 
openssh-8.4p1/debian/patches/series
--- openssh-8.4p1/debian/patches/series 2021-03-13 09:59:40.0 +
+++ openssh-8.4p1/debian/patches/series 2022-02-25 16:09:00.0 +
@@ -26,3 +26,4 @@
 revert-x32-sandbox-breakage.patch
 ssh-copy-id-heredoc-syntax.patch
 ssh-agent-double-free.patch
+sandbox-pselect6_time64.patch
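Review bot: the new patch is appended at the end of `debian/patches/series`, after `ssh-agent-double-free.patch`, which is consistent with the updated head commit in `debian/.git-dpm` (`ed99ef256258d8556dbe39d976c2528ede050f14`, the same id as the `From` line of the new patch file), so the git-dpm and quilt views of the tree agree.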