[Pkg-openssl-devel] Bug#941688: Bug#941688: openssl 1.1.1d security update breaks openssh login on old kernels

Kurt Roeckx kurt at roeckx.be
Thu Oct 3 21:47:09 BST 2019


On Thu, Oct 03, 2019 at 07:56:54PM +0000, Sylvain Rochet wrote:
> 
> Dear Maintainer,
> 
> Upgrading from openssl 1.1.1c-1 to openssl 1.1.1d-0+deb10u1 on Debian 
> Buster breaks openssh login on systems running old kernels (3.16.x at 
> least).
> 
> This is due to the missing getrandom syscall on those kernels and the
> seccomp filter triggering on the fallback implementation of the missing
> syscall; reverting to 1.1.1c-1 fixes the issue.
> 
> This is currently being discussed upstream at:
>   https://github.com/openssl/openssl/issues/9984
> 
> It only affects old kernels so it's no big deal anyway.

The getrandom() system call is available from version 3.19. You
will only run into this if you're running an older kernel that
doesn't provide getrandom().

I think this is really an openssh problem, not an openssl problem.
It's one of the downsides of using seccomp that one of the
libraries you're using might start to do new calls.


Kurt
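
Added example, not part of the original message and not code from openssl or openssh: a host-side probe that invokes getrandom directly to tell whether the running kernel provides it, which is the condition the thread ties the fallback path and the seccomp trigger to. The names getrandom_status, classify_getrandom and probe_getrandom are hypothetical.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE            /* for syscall() */
#endif
#include <errno.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <unistd.h>

#ifndef GRND_NONBLOCK
#define GRND_NONBLOCK 0x0001   /* value from the Linux UAPI header */
#endif

/* Hypothetical names, introduced for this example only. */
enum getrandom_status {
    GETRANDOM_AVAILABLE,   /* kernel implements the syscall */
    GETRANDOM_MISSING,     /* ENOSYS: callers must use some fallback */
    GETRANDOM_BLOCKED      /* refused by policy or failed unexpectedly */
};

/* Map a raw syscall result (return value, errno) to a status. */
enum getrandom_status classify_getrandom(long ret, int err)
{
    if (ret >= 0)
        return GETRANDOM_AVAILABLE;
    if (err == ENOSYS)
        return GETRANDOM_MISSING;
    /* EAGAIN: syscall exists, pool not ready yet; EINTR: interrupted. */
    if (err == EAGAIN || err == EINTR)
        return GETRANDOM_AVAILABLE;
    return GETRANDOM_BLOCKED;
}

/* Ask the running kernel directly, bypassing any libc wrapper. */
enum getrandom_status probe_getrandom(void)
{
#ifdef SYS_getrandom
    unsigned char buf[16];
    long ret = syscall(SYS_getrandom, buf, sizeof buf, GRND_NONBLOCK);
    return classify_getrandom(ret, errno);
#else
    return GETRANDOM_MISSING;  /* headers predate the syscall; cannot call it */
#endif
}

int main(void)
{
    static const char *const text[] = { "available", "missing (ENOSYS)", "blocked or failed" };
    enum getrandom_status s = probe_getrandom();
    printf("getrandom: %s\n", text[s]);
    return s == GETRANDOM_AVAILABLE ? 0 : 1;
}
```

Run it outside any sandbox so the answer reflects the host kernel. A "missing" result means libraries that prefer getrandom will use a fallback there, and a seccomp allowlist has to account for whatever that fallback calls.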


