Dev1 Galaxy Forum / Openssh update in Stable-Security Not installable?

Re: Openssh update in Stable-Security Not installable?

dummy@example.com (EnglishMohican) — Tue, 06 Aug 2024 21:48:53 +0000

Thank you for the replies.
I am not going to be able to pursue this sensibly for the moment because I now have a linux-image that will not install properly because of an nvidia-current module. I need to fix that before I know where I am.
However, just a few notes.
I have about a dozen libssl3.so on my system as I have both thunderbird and firefox plus steam - which installs about 10 copies!.
I updated again this evening and had 6 packages listed as upgradable (this is in synaptic) including the 3 openssh packages.
I then disabled daedalus-security repository (src and deb) and updated again - that gave me about 10 upgradable packages, all different to the 6 I had before.
I re-enabled daedalus-security and went back to just the 6 packages again. Disabled daedalus-security again and tried to update the 10 packages. At that point I found I had the nvidia-current problem.
I then used apt to force update of libssl3 (it did not feature in the 10 or the 6). That seemed to work - but apt tried to mend the broken packages and could not do it.
I have now re-activated daedalus-security and have 8 new packages and 177 updates.
I updated those, still appear to have a problem with nvidia but now have no further updates to do with daedalus-security active or not. So a small victory. Now to reboot and see what I get!

Re: Openssh update in Stable-Security Not installable?

dummy@example.com (fsmithred) — Tue, 06 Aug 2024 15:10:46 +0000

Maybe the newer version of libssl3 got a bug fix instead of a security fix, so it didn't go into daedalus-security.

I just do apt-update and apt-upgrade and I have the latest versions. No idea why it's not working for you.

ii  libssl3:amd64                            3.0.13-1~deb12u1                        amd64        Secure Sockets Layer toolkit - shared libraries
ii  openssh-client                           1:9.2p1-2+deb12u3                       amd64        secure shell (SSH) client, for secure access to remote machines
ii  openssh-server                           1:9.2p1-2+deb12u3                       amd64        secure shell (SSH) server, for secure access from remote machines

Looks like mozilla provides their own version of libssl3.so. I only have two copies because I don't have thunderbird installed.

$ apt-file find libssl3.so
firefox-esr: /usr/lib/firefox-esr/libssl3.so
libnss3: /usr/lib/x86_64-linux-gnu/libssl3.so
thunderbird: /usr/lib/thunderbird/libssl3.so

/usr/lib/firefox-esr/libssl3.so
/usr/lib/x86_64-linux-gnu/libssl3.so

Re: Openssh update in Stable-Security Not installable?

dummy@example.com (EnglishMohican) — Tue, 06 Aug 2024 10:49:33 +0000

I also get the -a version (now you have pointed it out!) but only one version in /usr/lib/.... It is the Feb 15 2023 version for what that is worth.

More puzzling to me is that the older version of libssl3 (3.0.11-1) lists its source as daedalus-security/main while the newer version (3.0.13-1) lists its source as daedalus/main. That seems the wrong way round - or maybe just wrong.

Re: Openssh update in Stable-Security Not installable?

dummy@example.com (alexkemp) — Tue, 06 Aug 2024 10:32:03 +0000

This seems peculiar.

I ran the following twice. The first time it told me to use the -a switch if I wanted to see the extra record, so I did:

N: There is 1 additional record. Please use the '-a' switch to see it
alexk@ng3:~$ apt info libssl3 -a
Package: libssl3
Version: 3.0.13-1~deb12u1
Priority: optional
Section: libs
Source: openssl
Maintainer: Debian OpenSSL Team 
Installed-Size: 6,152 kB
Depends: libc6 (>= 2.34)
Homepage: https://www.openssl.org/
Tag: role::shared-lib
Download-Size: 2,022 kB
APT-Manual-Installed: no
APT-Sources: http://deb.devuan.org/merged daedalus/main amd64 Packages
Description: Secure Sockets Layer toolkit - shared libraries
 This package is part of the OpenSSL project's implementation of the SSL
 and TLS cryptographic protocols for secure communication over the
 Internet.
 .
 It provides the libssl and libcrypto shared libraries.

Package: libssl3
Version: 3.0.11-1~deb12u2
Priority: optional
Section: libs
Source: openssl
Maintainer: Debian OpenSSL Team 
Installed-Size: 6,154 kB
Depends: libc6 (>= 2.34)
Homepage: https://www.openssl.org/
Download-Size: 2,019 kB
APT-Sources: http://deb.devuan.org/merged daedalus-security/main amd64 Packages
Description: Secure Sockets Layer toolkit - shared libraries
 This package is part of the OpenSSL project's implementation of the SSL
 and TLS cryptographic protocols for secure communication over the
 Internet.
 .
 It provides the libssl and libcrypto shared libraries.

Worse, it appears 3 times on disk (all different):

$ la /usr/lib/x86_64-linux-gnu/libssl3.so
-rw-r--r-- 1 root root 417144 Feb 15  2023 /usr/lib/x86_64-linux-gnu/libssl3.so
$ la /usr/lib/firefox-esr/libssl3.so
-rw-r--r-- 1 root root 394920 Jul  9 21:11 /usr/lib/firefox-esr/libssl3.so
$ la /usr/lib/thunderbird/libssl3.so
-rw-r--r-- 1 root root 390688 Jul 17 19:11 /usr/lib/thunderbird/libssl3.so

Openssh update in Stable-Security Not installable?

dummy@example.com (EnglishMohican) — Tue, 06 Aug 2024 10:19:55 +0000

There has been an update to Openssh-Client, Openssh-Server and Openssh-sftp in Stable Security for several weeks. They are not installable because libssl3 in stable is too old for these updates.

If this update is important enough to worry about then surely libssl3 should also be in Stable Security so it is easy/possible to implement.

This sounds a bit like I am complaining - but mostly I am wondering what I do not understand or have missed. Is it my system that is broken? Is the update worth worrying about? Can anybody offer some logical explanation of why a security update is offered that I cannot implement.