• Bug#1110034: bookworm-pu: package openssh/1:9.2p1-2+deb12u7 (1/2)

    From Colin Watson@21:1/5 to All on Mon Jul 28 14:30:01 2025
    XPost: linux.debian.devel.release

    Package: release.debian.org
    Severity: normal
    Tags: bookworm
    X-Debbugs-Cc: [email protected]
    Control: affects -1 + src:openssh
    User: [email protected]
    Usertags: pu

    I think this change needs to be included in stable-updates, per https://www.debian.org/doc/manuals/developers-reference/pkgs.en.html#special-case-the-stable-updates-suite.
    Details below.

    [ Reason ]
    OpenSSH processes such as sshd check for OpenSSL version compatibility
    when seeding their internal RNG. Versions prior to 9.4 failed to
    tolerate newer minor versions of OpenSSL. This causes SSH connection
    failures during upgrades from bookworm to trixie.

    [ Impact ]
    As described in https://bugs.debian.org/1110030, during most of the
    upgrade process from bookworm to trixie, it's impossible to initiate new
    SSH connections. If the upgrade fails, and the user forgets to maintain
    a separate SSH connection or their network connection is interrupted,
    the result may be a failed remote upgrade with no way to access the
    system.

    [ Tests ]
    The detailed version compatibility rules are covered by unit tests; this
    upload includes changes to those tests.

    I've also tested this manually by creating a bookworm container and
    running the relevant parts of the upgrade step by step, something like
    this (obviously set up for me, but adjust as needed):

    $ incus launch images:debian/bookworm openssh-upgrade
    $ incus exec openssh-upgrade -- apt -y install openssh-server
    $ incus exec openssh-upgrade -- adduser --disabled-password --comment 'Colin Watson' cjwatson
    $ incus file push -p --uid 1000 --gid 1000 --mode=600 .ssh/id_ed25519.pub openssh-upgrade/home/cjwatson/.ssh/authorized_keys
    $ dcmd incus file push openssh_9.2p1-2+deb12u7_amd64.changes openssh-upgrade/root/
    $ incus exec openssh-upgrade -- apt install ./openssh-{client,server,sftp-server}_9.2p1-2+deb12u7_amd64.deb

    Then run "while :; do date -Ins; ssh openssh-upgrade.incus true; sleep
    0.1; done" in a separate terminal to monitor connectivity, and continue
    the upgrade with:

    $ dcmd incus file push openssh_10.0p1-6_amd64.changes openssh-upgrade/root/
    $ incus exec openssh-upgrade -- dpkg --unpack openssh-{client,server,sftp-server}_10.0p1-6_amd64.deb
    $ incus exec openssh-upgrade -- sed -i 's/bookworm/trixie/' /etc/apt/sources.list
    $ incus exec openssh-upgrade -- apt update
    $ incus exec openssh-upgrade -- apt -f install

    (This also includes testing of a fix to trixie's openssh for a separate
    bug with similar symptoms; see https://bugs.debian.org/1109742 and the
    unblock request in https://bugs.debian.org/1110033.)

    [ Risks ]
    The changes are fairly simple (at least once you work your way through
    the patch layers), and I don't believe any realistic alternatives are
    available. If I'd realized earlier that this would be an upgrade
    problem, I'd already have included it in a previous bookworm update.

    [ Checklist ]
    [x] *all* changes are documented in the d/changelog
    [x] I reviewed all changes and I approve them
    [x] attach debdiff against the package in (old)stable
    [x] the issue is verified as fixed in unstable

    [ Changes ]
    This cherry-picks two commits from upstream to apply simpler and more
    accurate version compatibility rules for OpenSSL 3 (also in the process
    dropping support for OpenSSL <1, which doesn't affect any version of
    Debian since 7/wheezy).

    In order to be able to cherry-pick the upstream patches neatly, I
    inserted them some way back in the Debian patch stack and adjusted
    another related patch to match. This produces some git-dpm noise and
    somewhat confusing results if you're just looking at the debdiff. To
    help understand this, I've attached a separate
    "openssh_9.2p1-2+deb12u7.upstreamdiff" file that shows the effective
    patch to the upstream code, generated from git.

    [ Other info ]
    To minimize the chance of users running into this during upgrades
    shortly after the release of trixie, I think we need to get this into
    stable-updates rather than waiting for the next scheduled point release.
    Let me know if there's anything else I need to do for that.

    Thanks,

    --
    Colin Watson (he/him) [[email protected]]

    diff -Nru openssh-9.2p1/debian/.git-dpm openssh-9.2p1/debian/.git-dpm
    --- openssh-9.2p1/debian/.git-dpm 2025-05-08 11:54:24.000000000 +0100
    +++ openssh-9.2p1/debian/.git-dpm 2025-07-28 12:58:38.000000000 +0100
    @@ -1,6 +1,6 @@
    # see git-dpm(1) from git-dpm package -cf9b65754f0e54de11d075fc7317ae90a1ae4389 -cf9b65754f0e54de11d075fc7317ae90a1ae4389 +d69f6291ca7b1d7315a54aa50c1538f97b7b1f8f +d69f6291ca7b1d7315a54aa50c1538f97b7b1f8f
    cf3c3acb2b8f74eeca7fcee269b1d33ac83f1188
    cf3c3acb2b8f74eeca7fcee269b1d33ac83f1188
    openssh_9.2p1.orig.tar.gz
    diff -Nru openssh-9.2p1/debian/changelog openssh-9.2p1/debian/changelog
    --- openssh-9.2p1/debian/changelog 2025-05-08 11:54:24.000000000 +0100
    +++ openssh-9.2p1/debian/changelog 2025-07-28 12:59:40.000000000 +0100
    @@ -1,3 +1,10 @@
    +openssh (1:9.2p1-2+deb12u7) bookworm; urgency=medium
    +
    + * Handle OpenSSL >=3 ABI compatibility; this helps to avoid new ssh
    + connections failing during upgrades to trixie (closes: #1110030).
    +
    + -- Colin Watson <[email protected]> Mon, 28 Jul 2025 12:59:40 +0100
    +
    openssh (1:9.2p1-2+de
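    Review bot: the changelog entry ("+ * Handle OpenSSL >=3 ABI compatibility; ...") does not say which two upstream commits it cherry-picks, although the [ Changes ] section above says those commits are the whole substance of the update; naming them in the entry (upstream commit ids, or at least that they come from OpenSSH 9.4) would let someone auditing the bookworm package confirm the provenance without the separate upstreamdiff attachment.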
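    To make the compatibility rule from the [ Reason ] section concrete, here is an added illustration written for this page; it is not OpenSSH's or Debian's code and not the cherry-picked patch itself. It reconstructs the pre-9.4 rule and the 9.4-style rule from the description above and runs both against the bookworm-to-trixie case. The OPENSSL_VERSION_NUMBER layouts are OpenSSL's own; the concrete version numbers (3.0.15 for bookworm's libcrypto, 3.5.1 for trixie's) are assumptions chosen for the example, and the names compat_pre_94, compat_94, BOOKWORM_OPENSSL and TRIXIE_OPENSSL belong to this example, not to OpenSSH.

```c
/*
 * Added illustration for this page; not OpenSSH's or Debian's code and not
 * the cherry-picked patch itself.  It reconstructs, from the bug text, the
 * two rules OpenSSH has used to decide whether the libcrypto it is running
 * against is compatible with the one it was built against.
 *
 * OPENSSL_VERSION_NUMBER layouts (OpenSSL's own definitions):
 *   1.x:  0xMNNFFPPS   M=major, NN=minor, FF=fix, PP=patch letter, S=status
 *   3.x:  0xMNN00PPS   M=major, NN=minor, PP=patch, S=0xf for a release
 * The minor number occupies the same bits in both layouts, which is why a
 * rule written for 1.x mis-handles 3.0 -> 3.5.
 */
#include <stdio.h>

/* Pre-9.4 rule (what bookworm's 9.2p1 carries).  For >= 1.0.0: major,
 * minor and status must match and the library's fix field must be >= the
 * header's.  Applied to OpenSSL 3 it demands an identical minor release. */
static int compat_pre_94(long headerver, long libver)
{
    long mask, hfix, lfix;

    if (headerver == libver)            /* exact match is always fine */
        return 1;
    if (headerver < 0x1000000fL) {      /* < 1.0.0: major,minor,fix,status */
        mask = 0xfffff00fL;
        return (headerver & mask) == (libver & mask);
    }
    mask = 0xfff0000fL;                 /* major, minor, status */
    hfix = (headerver & 0x000ff000L) >> 12;
    lfix = (libver    & 0x000ff000L) >> 12;
    return (headerver & mask) == (libver & mask) && lfix >= hfix;
}

/* 9.4-style rule.  OpenSSL keeps the ABI stable within the 3.x major
 * series, so for >= 3.0 only major and status are compared; the 1.x rule
 * is kept for 1.x builds and the < 1.0.0 branch is dropped. */
static int compat_94(long headerver, long libver)
{
    long mask, hfix, lfix;

    if (headerver == libver)
        return 1;
    if (headerver >= 0x3000000fL) {
        mask = 0xf000000fL;             /* major, status */
        return (headerver & mask) == (libver & mask);
    }
    mask = 0xfff0000fL;
    hfix = (headerver & 0x000ff000L) >> 12;
    lfix = (libver    & 0x000ff000L) >> 12;
    return (headerver & mask) == (libver & mask) && lfix >= hfix;
}

/* Assumed version numbers for the example: sshd built against 3.0.15
 * (bookworm) and run against 3.5.1 (trixie, mid-upgrade). */
#define BOOKWORM_OPENSSL 0x300000ffL    /* 3.0.15 */
#define TRIXIE_OPENSSL   0x3050001fL    /* 3.5.1  */

static void report(const char *rule, int (*fn)(long, long),
                   long header, long lib)
{
    printf("%-8s built %08lx, running %08lx: %s\n", rule,
           (unsigned long)header, (unsigned long)lib,
           fn(header, lib) ? "ok" : "OpenSSL version mismatch -> fatal()");
}

int main(void)
{
    /* the upgrade case from the bug: new sshd processes die under the old rule */
    report("pre-9.4", compat_pre_94, BOOKWORM_OPENSSL, TRIXIE_OPENSSL);
    report("9.4",     compat_94,     BOOKWORM_OPENSSL, TRIXIE_OPENSSL);
    /* a 1.1 build against a 1.0.2 library is still rejected by both rules */
    report("pre-9.4", compat_pre_94, 0x1010000fL, 0x1000200fL);
    report("9.4",     compat_94,     0x1010000fL, 0x1000200fL);
    return 0;
}
```

    Build with `cc -o compat compat.c && ./compat`. The pre-9.4 rule rejects a 3.0-built sshd running against the 3.5 library, which is the point during the upgrade at which every new sshd child and ssh client on bookworm's 9.2p1 bails out with a version-mismatch fatal and new connections fail; the relaxed rule accepts it, while still rejecting a 1.1 build against a 1.0.2 library, so the relaxation is confined to the 3.x series where OpenSSL guarantees ABI stability.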
  • From Jonathan Wiltshire@21:1/5 to All on Mon Jul 28 23:00:01 2025
    XPost: linux.debian.maint.boot

    Control: tag -1 d-i

    This should have a d-i ack for the udeb really, but I don't imagine any objections so I'm proceeding in the meantime.

    Thanks,

    --
    Jonathan Wiltshire [email protected]
    Debian Developer http://people.debian.org/~jmw

    4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51 ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Jonathan Wiltshire@21:1/5 to Colin Watson on Mon Jul 28 23:00:01 2025
    XPost: linux.debian.devel.release

    Control: tag -1 confirmed

    On Mon, Jul 28, 2025 at 01:18:32PM +0100, Colin Watson wrote:
    > [ Other info ]
    > To minimize the chance of users running into this during upgrades
    > shortly after the release of trixie, I think we need to get this into
    > stable-updates rather than waiting for the next scheduled point release.
    > Let me know if there's anything else I need to do for that.

    Agree. The SUA text will have your name on it; how about the following?

    | OpenSSH in bookworm contains a too-strict check of OpenSSL compatibility
    | when seeding the internal random number generator. As a result, users may
    | be unable to connect to remote systems with a newer OpenSSL, for example
    | when an upgrade in progress.
    |
    | This update relaxes the check, allowing users to re-connect to remote
    | systems in the event of an interrupted upgrade.

    --
    Jonathan Wiltshire [email protected]
    Debian Developer http://people.debian.org/~jmw

    4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51 ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1

  • From Jonathan Wiltshire@21:1/5 to All on Mon Jul 28 23:10:02 2025
    XPost: linux.debian.devel.release

    package release.debian.org
    tags 1110034 = bookworm pending
    thanks

    Hi,

    The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm.

    Thanks for your contribution!

    Upload details
    ==============

    Package: openssh
    Version: 9.2p1-2+deb12u7

    Explanation: handle OpenSSL >=3 ABI compatibility to avoid new SSH connections failing during upgrades to trixie

  • From Colin Watson@21:1/5 to Jonathan Wiltshire on Tue Jul 29 00:40:02 2025
    XPost: linux.debian.devel.release

    On Mon, Jul 28, 2025 at 09:53:25PM +0100, Jonathan Wiltshire wrote:
    > Agree. The SUA text will have your name on it; how about the following?
    >
    > | OpenSSH in bookworm contains a too-strict check of OpenSSL compatibility
    > | when seeding the internal random number generator. As a result, users may
    > | be unable to connect to remote systems with a newer OpenSSL, for example
    > | when an upgrade in progress.
    > |
    > | This update relaxes the check, allowing users to re-connect to remote
    > | systems in the event of an interrupted upgrade.

    s/when an upgrade in progress/when an upgrade is in progress/, but
    otherwise this LGTM. Thanks!

    --
    Colin Watson (he/him) [[email protected]]
