[Pkg-openssl-devel] Bug#732940: Breaks ssh: OpenSSL version mismatch. Built against 1000105f, you have 10001060

Josh Triplett josh at joshtriplett.org
Sun Dec 22 22:45:32 UTC 2013 

Package: libssl1.0.0
Version: 1.0.1e-5
Followup-For: Bug #732940

Kurt Roeckx wrote:
>On Sun, Dec 22, 2013 at 02:16:43PM -0800, Josh Triplett wrote:
>> Package: libssl1.0.0
>> Version: 1.0.1e-5
>> Followup-For: Bug #732940
>> 
>> Julien Cristau wrote:
>> > On Sun, Dec 22, 2013 at 14:02:37 -0800, Josh Triplett wrote:
>> >> Package: libssl1.0.0
>> >> Version: 1.0.1e-5
>> >> Severity: critical
>> >> 
>> >> Upgrading OpenSSL caused SSH to break.
>> >> 
>> >> Here's the upgrade from aptitude's log:
>> >> [UPGRADE] libssl-dev:amd64 1.0.1e-4 -> 1.0.1e-5
>> >> [UPGRADE] libssl1.0.0:amd64 1.0.1e-4 -> 1.0.1e-5
>> >> [UPGRADE] openssl:amd64 1.0.1e-4 -> 1.0.1e-5
>> >> 
>> >> And here's SSH failing:
>> >> $ ssh joshtriplett.org
>> >> OpenSSL version mismatch. Built against 1000105f, you have 10001060
>> >> 
>> > sounds like an openssh bug to me...
>> 
>> I upgraded OpenSSL and OpenSSH stopped working.  Since the SONAME didn't
>> change, kinda by definition this seems like a bug in OpenSSL, not
>> OpenSSH.
>
> So openssl is never supposed to change it's version number?

It's not OK to break forward compatibility without changing SONAME.
Software built against an older version of a library must always work
with a newer version that has the same SONAME; that's what the SONAME
exists for.  It'd be perfectly OK for software built against a newer
OpenSSL to refuse to work with an older version (ideally by requiring a
symbol the older library doesn't have), but the reverse is a bug,
regardless of the mechanism.

- Josh Triplett

-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.11-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libssl1.0.0 depends on:
ii  debconf [debconf-2.0]  1.5.52
ii  libc6                  2.17-97
ii  multiarch-support      2.17-97

libssl1.0.0 recommends no packages.

libssl1.0.0 suggests no packages.

-- debconf information excluded

More information about the Pkg-openssl-devel mailing list