Bug#732940: Breaks ssh: OpenSSL version mismatch. Built against 1000105f, you have 10001060

2013-12-23 Thread Colin Watson
On Mon, Dec 23, 2013 at 01:16:17AM +0200, Uoti Urpala wrote:
> The OpenSSH Debian package has this changelog entry:
> openssh (1:5.9p1-4) unstable; urgency=low
>
>   * Disable OpenSSL version check again, as its SONAME is sufficient
>     nowadays (closes: #664383).
>
> but apparently it was either not really disabled or was enabled again
> for some reason; I see no changelog entry for that.

That was actually a typo for "Enable".  Sorry for the confusion.  I'll
put that patch back.

-- 
Colin Watson   [cjwat...@debian.org]


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Bug#732940: Breaks ssh: OpenSSL version mismatch. Built against 1000105f, you have 10001060

2013-12-22 Thread Josh Triplett
Package: libssl1.0.0
Version: 1.0.1e-5
Severity: critical

Upgrading OpenSSL caused SSH to break.

Here's the upgrade from aptitude's log:
[UPGRADE] libssl-dev:amd64 1.0.1e-4 -> 1.0.1e-5
[UPGRADE] libssl1.0.0:amd64 1.0.1e-4 -> 1.0.1e-5
[UPGRADE] openssl:amd64 1.0.1e-4 -> 1.0.1e-5

And here's SSH failing:
$ ssh joshtriplett.org
OpenSSL version mismatch. Built against 1000105f, you have 10001060

- Josh Triplett

-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.11-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libssl1.0.0 depends on:
ii  debconf [debconf-2.0]  1.5.52
ii  libc6  2.17-97
ii  multiarch-support  2.17-97

libssl1.0.0 recommends no packages.

libssl1.0.0 suggests no packages.

-- debconf information excluded





Bug#732940: Breaks ssh: OpenSSL version mismatch. Built against 1000105f, you have 10001060

2013-12-22 Thread Julien Cristau
On Sun, Dec 22, 2013 at 14:02:37 -0800, Josh Triplett wrote:

> Package: libssl1.0.0
> Version: 1.0.1e-5
> Severity: critical
>
> Upgrading OpenSSL caused SSH to break.
>
> Here's the upgrade from aptitude's log:
> [UPGRADE] libssl-dev:amd64 1.0.1e-4 -> 1.0.1e-5
> [UPGRADE] libssl1.0.0:amd64 1.0.1e-4 -> 1.0.1e-5
> [UPGRADE] openssl:amd64 1.0.1e-4 -> 1.0.1e-5
>
> And here's SSH failing:
> $ ssh joshtriplett.org
> OpenSSL version mismatch. Built against 1000105f, you have 10001060
>
sounds like an openssh bug to me...

Cheers,
Julien




Bug#732940: Breaks ssh: OpenSSL version mismatch. Built against 1000105f, you have 10001060

2013-12-22 Thread Josh Triplett
Package: libssl1.0.0
Version: 1.0.1e-5
Followup-For: Bug #732940

Julien Cristau wrote:
> On Sun, Dec 22, 2013 at 14:02:37 -0800, Josh Triplett wrote:
> > Package: libssl1.0.0
> > Version: 1.0.1e-5
> > Severity: critical
> >
> > Upgrading OpenSSL caused SSH to break.
> >
> > Here's the upgrade from aptitude's log:
> > [UPGRADE] libssl-dev:amd64 1.0.1e-4 -> 1.0.1e-5
> > [UPGRADE] libssl1.0.0:amd64 1.0.1e-4 -> 1.0.1e-5
> > [UPGRADE] openssl:amd64 1.0.1e-4 -> 1.0.1e-5
> >
> > And here's SSH failing:
> > $ ssh joshtriplett.org
> > OpenSSL version mismatch. Built against 1000105f, you have 10001060
> >
> sounds like an openssh bug to me...

I upgraded OpenSSL and OpenSSH stopped working.  Since the SONAME didn't
change, kinda by definition this seems like a bug in OpenSSL, not
OpenSSH.

- Josh Triplett




Bug#732940: [Pkg-openssl-devel] Bug#732940: Breaks ssh: OpenSSL version mismatch. Built against 1000105f, you have 10001060

2013-12-22 Thread Kurt Roeckx
On Sun, Dec 22, 2013 at 02:16:43PM -0800, Josh Triplett wrote:
> Package: libssl1.0.0
> Version: 1.0.1e-5
> Followup-For: Bug #732940
>
> Julien Cristau wrote:
> > On Sun, Dec 22, 2013 at 14:02:37 -0800, Josh Triplett wrote:
> > > Package: libssl1.0.0
> > > Version: 1.0.1e-5
> > > Severity: critical
> > >
> > > Upgrading OpenSSL caused SSH to break.
> > >
> > > Here's the upgrade from aptitude's log:
> > > [UPGRADE] libssl-dev:amd64 1.0.1e-4 -> 1.0.1e-5
> > > [UPGRADE] libssl1.0.0:amd64 1.0.1e-4 -> 1.0.1e-5
> > > [UPGRADE] openssl:amd64 1.0.1e-4 -> 1.0.1e-5
> > >
> > > And here's SSH failing:
> > > $ ssh joshtriplett.org
> > > OpenSSL version mismatch. Built against 1000105f, you have 10001060
> > >
> > sounds like an openssh bug to me...
>
> I upgraded OpenSSL and OpenSSH stopped working.  Since the SONAME didn't
> change, kinda by definition this seems like a bug in OpenSSL, not
> OpenSSH.

So openssl is never supposed to change its version number?


Kurt





Bug#732940: Breaks ssh: OpenSSL version mismatch. Built against 1000105f, you have 10001060

2013-12-22 Thread Josh Triplett
Package: libssl1.0.0
Version: 1.0.1e-5
Followup-For: Bug #732940

Kurt Roeckx wrote:
> On Sun, Dec 22, 2013 at 02:16:43PM -0800, Josh Triplett wrote:
> > Package: libssl1.0.0
> > Version: 1.0.1e-5
> > Followup-For: Bug #732940
> >
> > Julien Cristau wrote:
> > > On Sun, Dec 22, 2013 at 14:02:37 -0800, Josh Triplett wrote:
> > > > Package: libssl1.0.0
> > > > Version: 1.0.1e-5
> > > > Severity: critical
> > > >
> > > > Upgrading OpenSSL caused SSH to break.
> > > >
> > > > Here's the upgrade from aptitude's log:
> > > > [UPGRADE] libssl-dev:amd64 1.0.1e-4 -> 1.0.1e-5
> > > > [UPGRADE] libssl1.0.0:amd64 1.0.1e-4 -> 1.0.1e-5
> > > > [UPGRADE] openssl:amd64 1.0.1e-4 -> 1.0.1e-5
> > > >
> > > > And here's SSH failing:
> > > > $ ssh joshtriplett.org
> > > > OpenSSL version mismatch. Built against 1000105f, you have 10001060
> > > >
> > > sounds like an openssh bug to me...
> >
> > I upgraded OpenSSL and OpenSSH stopped working.  Since the SONAME didn't
> > change, kinda by definition this seems like a bug in OpenSSL, not
> > OpenSSH.
>
> So openssl is never supposed to change its version number?

It's not OK to break forward compatibility without changing SONAME.
Software built against an older version of a library must always work
with a newer version that has the same SONAME; that's what the SONAME
exists for.  It'd be perfectly OK for software built against a newer
OpenSSL to refuse to work with an older version (ideally by requiring a
symbol the older library doesn't have), but the reverse is a bug,
regardless of the mechanism.

- Josh Triplett




Bug#732940: [Pkg-openssl-devel] Bug#732940: Breaks ssh: OpenSSL version mismatch. Built against 1000105f, you have 10001060

2013-12-22 Thread Kurt Roeckx
On Sun, Dec 22, 2013 at 02:45:32PM -0800, Josh Triplett wrote:
 
> It's not OK to break forward compatibility without changing SONAME.
> Software built against an older version of a library must always work
> with a newer version that has the same SONAME; that's what the SONAME
> exists for.  It'd be perfectly OK for software built against a newer
> OpenSSL to refuse to work with an older version (ideally by requiring a
> symbol the older library doesn't have), but the reverse is a bug,
> regardless of the mechanism.

Openssl does not do this version check, nor does it suggest to do
any such check.  I think I've already filed this bug against
openssh twice and it seems to be coming back.

I don't see how openssl is breaking either forward or backward
compatibility.  It just changed the version it returned.  Openssl
can't be responsible for whatever people do with that version.

Openssl in Debian also properly maintains the soname, it has
versioned symbols depending on the version that introduced
the symbol.

If openssh wants to refuse to run with a newer version of openssl
and you say that that is perfectly OK, I guess there is no bug at
all here and I can just close this bug.


Kurt





Bug#732940: Breaks ssh: OpenSSL version mismatch. Built against 1000105f, you have 10001060

2013-12-22 Thread Sven Joachim
On 2013-12-22 23:08 +0100, Julien Cristau wrote:

> On Sun, Dec 22, 2013 at 14:02:37 -0800, Josh Triplett wrote:
>
> > Package: libssl1.0.0
> > Version: 1.0.1e-5
> > Severity: critical
> >
> > Upgrading OpenSSL caused SSH to break.
> >
> > Here's the upgrade from aptitude's log:
> > [UPGRADE] libssl-dev:amd64 1.0.1e-4 -> 1.0.1e-5
> > [UPGRADE] libssl1.0.0:amd64 1.0.1e-4 -> 1.0.1e-5
> > [UPGRADE] openssl:amd64 1.0.1e-4 -> 1.0.1e-5
> >
> > And here's SSH failing:
> > $ ssh joshtriplett.org
> > OpenSSL version mismatch. Built against 1000105f, you have 10001060
> >
> sounds like an openssh bug to me...

This had happened in the past, see #678661. Looks like that problem is
biting us again. :-/

Cheers,
   Sven





Bug#732940: Breaks ssh: OpenSSL version mismatch. Built against 1000105f, you have 10001060

2013-12-22 Thread Uoti Urpala
Josh Triplett wrote:
> I upgraded OpenSSL and OpenSSH stopped working.  Since the SONAME didn't
> change, kinda by definition this seems like a bug in OpenSSL, not
> OpenSSH.

That by definition only holds if you assume all applications are
perfect software with no bugs whatsoever, and use libraries strictly
according to their formal API only (however badly that API is often
defined in practice). In reality it's quite common for perfectly
ABI-compatible updates to break other software (or perhaps that should
be phrased "make the brokenness of other software have visible
effects").

In this case the breakage seems to be caused by an explicit version
check in OpenSSH. There's this code in entropy.c:

    /*
     * OpenSSL version numbers: MNNFFPPS: major minor fix patch status
     * We match major, minor, fix and status (not patch) for <1.0.0.
     * After that, we acceptable compatible fix versions (so we
     * allow 1.0.1 to work with 1.0.0). Going backwards is only allowed
     * within a patch series.
     */
    u_long version_mask = SSLeay() >= 0x1000000f ?  ~0xffff0L : ~0xff0L;
    if (((SSLeay() ^ OPENSSL_VERSION_NUMBER) & version_mask) ||
        (SSLeay() >> 12) < (OPENSSL_VERSION_NUMBER >> 12))
            fatal("OpenSSL version mismatch. Built against %lx, you "
                "have %lx", (u_long)OPENSSL_VERSION_NUMBER, SSLeay());

For some weird reason the last byte "status" is not masked out of the
comparison. This libssl update changed the version from 1.0.1e release
to 1.0.1f beta0, and the release->beta0 (f to 0) change in last byte
triggers the check.

The OpenSSH Debian package has this changelog entry:
openssh (1:5.9p1-4) unstable; urgency=low

  * Disable OpenSSL version check again, as its SONAME is sufficient
    nowadays (closes: #664383).

but apparently it was either not really disabled or was enabled again
for some reason; I see no changelog entry for that.
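
Added example (not part of this thread, and not OpenSSH or Debian code): the check quoted above, rewritten as a function and run on the two version numbers from the bug title, next to a hypothetical variant that also masks the status nibble for 1.0.0 and later. The function names, the decode helper and the variant are assumptions made for illustration.

```c
#include <stdio.h>

/* MNNFFPPS layout from the comment quoted above:
 * major (4 bits), minor (8), fix (8), patch (8), status (4). */
struct ossl_version { unsigned major, minor, fix, patch, status; };

static struct ossl_version decode(unsigned long v)
{
    struct ossl_version d;
    d.major  = (unsigned)((v >> 28) & 0xf);
    d.minor  = (unsigned)((v >> 20) & 0xff);
    d.fix    = (unsigned)((v >> 12) & 0xff);
    d.patch  = (unsigned)((v >> 4) & 0xff);
    d.status = (unsigned)(v & 0xf);
    return d;
}

/* The quoted check, parameterised: `built` stands in for
 * OPENSSL_VERSION_NUMBER and `runtime` for SSLeay(). Returns 1 on mismatch. */
static int quoted_check_rejects(unsigned long built, unsigned long runtime)
{
    unsigned long mask = runtime >= 0x1000000fUL ? ~0xffff0UL : ~0xff0UL;
    return ((runtime ^ built) & mask) != 0 || (runtime >> 12) < (built >> 12);
}

/* Hypothetical variant (an assumption, not OpenSSH or Debian code): for
 * 1.0.0 and later the mask also drops the status nibble. */
static int status_blind_check_rejects(unsigned long built, unsigned long runtime)
{
    unsigned long mask = runtime >= 0x1000000fUL ? ~0xfffffUL : ~0xff0UL;
    return ((runtime ^ built) & mask) != 0 || (runtime >> 12) < (built >> 12);
}

int main(void)
{
    /* The two values reported in the bug title. */
    unsigned long built = 0x1000105fUL, runtime = 0x10001060UL;
    struct ossl_version b = decode(built), r = decode(runtime);

    printf("built   %u.%u.%u patch %u status 0x%x\n",
           b.major, b.minor, b.fix, b.patch, b.status);
    printf("runtime %u.%u.%u patch %u status 0x%x\n",
           r.major, r.minor, r.fix, r.patch, r.status);
    printf("quoted check rejects:       %d\n", quoted_check_rejects(built, runtime));
    printf("status-blind check rejects: %d\n", status_blind_check_rejects(built, runtime));
    return 0;
}
```

Both functions still reject a runtime library whose major/minor/fix is older than the one built against, because the shift-by-12 comparison is unchanged.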





Bug#732940: Breaks ssh: OpenSSL version mismatch. Built against 1000105f, you have 10001060

2013-12-22 Thread Josh Triplett
Package: libssl1.0.0
Version: 1.0.1e-5
Followup-For: Bug #732940

Kurt Roeckx wrote:
> On Sun, Dec 22, 2013 at 02:45:32PM -0800, Josh Triplett wrote:
> >
> > It's not OK to break forward compatibility without changing SONAME.
> > Software built against an older version of a library must always work
> > with a newer version that has the same SONAME; that's what the SONAME
> > exists for.  It'd be perfectly OK for software built against a newer
> > OpenSSL to refuse to work with an older version (ideally by requiring a
> > symbol the older library doesn't have), but the reverse is a bug,
> > regardless of the mechanism.
>
> Openssl does not do this version check, nor does it suggest to do
> any such check.  I think I've already filed this bug against
> openssh twice and it seems to be coming back.
>
> I don't see how openssl is breaking either forward or backward
> compatibility.  It just changed the version it returned.  Openssl
> can't be responsible for whatever people do with that version.

I stand corrected; my apologies.  I've seen so many libraries that put
in version checks like this that I assumed the version check lived in
OpenSSL, not OpenSSH.  You're right, this is *not* an OpenSSL bug, it's
an OpenSSH bug.  I'll reassign accordingly.

- Josh Triplett
