[Pkg-openssl-devel] Bug#753007: pu: package openssh/6.0p1-4+deb7u2
Colin Watson
cjwatson at debian.org
Sat Jun 28 13:37:09 UTC 2014
Package: release.debian.org
Severity: normal
User: release.debian.org at packages.debian.org
Usertags: pu
https://bugs.debian.org/749472 reports an upgrade problem from wheezy to
jessie caused by OpenSSH's overly-tight OpenSSL version check; I
incorrectly dropped the patch that removes this check shortly before
wheezy, I've since reintroduced it in jessie, but that isn't enough to
cope with the case where libssl1.0.0 is upgraded before openssh-server,
tries to restart sshd, and fails.
To fix this, I think the best thing to do is:
* Restore the dropped patch to openssh in wheezy;
* Make libssl1.0.0 in jessie declare Breaks on previous versions of
openssh-server in wheezy.
The second part of this is out of my control, but hopefully the openssl
maintainer (CCed) will agree with me. However, doing the first part
will at least reduce the incidence of these problems and I think clearly
does no harm. I'd like approval to upload the following change, which
matches what's currently in jessie:
diff -Nru openssh-6.0p1/debian/changelog openssh-6.0p1/debian/changelog
--- openssh-6.0p1/debian/changelog 2014-04-03 00:05:21.000000000 +0100
+++ openssh-6.0p1/debian/changelog 2014-06-28 14:27:50.000000000 +0100
@@ -1,3 +1,9 @@
+openssh (1:6.0p1-4+deb7u2) stable; urgency=medium
+
+ * Restore patch to disable OpenSSL version check (closes: #749472).
+
+ -- Colin Watson <cjwatson at debian.org> Sat, 28 Jun 2014 14:27:46 +0100
+
openssh (1:6.0p1-4+deb7u1) stable-security; urgency=high
* CVE-2014-2532: Disallow invalid characters in environment variable names
diff -Nru openssh-6.0p1/debian/patches/no-openssl-version-check.patch openssh-6.0p1/debian/patches/no-openssl-version-check.patch
--- openssh-6.0p1/debian/patches/no-openssl-version-check.patch 1970-01-01 01:00:00.000000000 +0100
+++ openssh-6.0p1/debian/patches/no-openssl-version-check.patch 2014-06-28 14:26:36.000000000 +0100
@@ -0,0 +1,34 @@
+Description: Disable OpenSSL version check
+ OpenSSL's SONAME is sufficient nowadays.
+Author: Philip Hands <phil at hands.com>
+Author: Colin Watson <cjwatson at debian.org>
+Bug-Debian: http://bugs.debian.org/93581
+Bug-Debian: http://bugs.debian.org/664383
+Bug-Debian: http://bugs.debian.org/732940
+Bug-Debian: http://bugs.debian.org/749472
+Forwarded: not-needed
+Last-Update: 2014-06-28
+
+Index: b/entropy.c
+===================================================================
+--- a/entropy.c
++++ b/entropy.c
+@@ -209,18 +209,6 @@
+ #ifndef OPENSSL_PRNG_ONLY
+ unsigned char buf[RANDOM_SEED_SIZE];
+ #endif
+- /*
+- * OpenSSL version numbers: MNNFFPPS: major minor fix patch status
+- * We match major, minor, fix and status (not patch) for <1.0.0.
+- * After that, we acceptable compatible fix versions (so we
+- * allow 1.0.1 to work with 1.0.0). Going backwards is only allowed
+- * within a patch series.
+- */
+- u_long version_mask = SSLeay() >= 0x1000000f ? ~0xffff0L : ~0xff0L;
+- if (((SSLeay() ^ OPENSSL_VERSION_NUMBER) & version_mask) ||
+- (SSLeay() >> 12) < (OPENSSL_VERSION_NUMBER >> 12))
+- fatal("OpenSSL version mismatch. Built against %lx, you "
+- "have %lx", (u_long)OPENSSL_VERSION_NUMBER, SSLeay());
+
+ #ifndef OPENSSL_PRNG_ONLY
+ if (RAND_status() == 1) {
diff -Nru openssh-6.0p1/debian/patches/series openssh-6.0p1/debian/patches/series
--- openssh-6.0p1/debian/patches/series 2014-04-03 00:01:58.000000000 +0100
+++ openssh-6.0p1/debian/patches/series 2014-06-28 14:24:07.000000000 +0100
@@ -44,6 +44,7 @@
sandbox-fallback.patch
# Debian-specific configuration
+no-openssl-version-check.patch
gnome-ssh-askpass2-icon.patch
debian-config.patch
CVE-2014-2532.patch
Thanks,
--
Colin Watson [cjwatson at debian.org]
More information about the Pkg-openssl-devel
mailing list