[Bug 2038561] Re: Requesting Ubuntu package manager to release openssh updates to focal and jammy

Thu Oct 12 15:10:19 UTC 2023

https://packages.ubuntu.com/jammy/openssh-server clearly states the following under dependency section:

libssl3 (>= 3.0.1) [not amd64, i386]
    Secure Sockets Layer toolkit - shared libraries 
libssl3 (>= 3.0.2) [amd64, i386]

I am trying to use libssl3 version 3.1 which is in fact greater than
3.0.2. This in my opinion should be supported or the documentation
updated to state '>=3.0.2` and '<3.1' explicitly.

I also acknowledge that this is not a bug in ubuntu itself. 
However, this is a bug in OpenSSH. Their code isn't treating 3.1 as being greater than 3.0 which is wrong. And this is a critical bug because the impact of this is that we lose SSH access to our machines when we run into this.

To your comment "Unless you have specific needs, I suggest sticking with
the Ubuntu packaged version of OpenSSL." - I am trying to evaluate and
benchmark OpenSSL 3.1 so that we can consider moving to it soon since we
intend to use the functionality that comes with it. At the moment, the
OpenSSH bug is blocking that work. So I would think that my needs are
"specific" and I unfortunately can't "stick with the Ubuntu packaged
version of OpenSSL".

It's fine if you think it's not a problem that needs fixing at this time within Ubuntu. I reckon that leaves me with two options : 
1) Build OpenSSH myself with the fix in question on Ubuntu
2) Move away from Ubuntu and start using Debian Trixie (because it already comes with the newer version of OpenSSH) for our OpenSSL 3.1 evaluation/benchmarking work

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/2038561

Title:
  Requesting Ubuntu package manager to release openssh updates to focal
  and jammy

Status in openssh package in Ubuntu:
  Incomplete

Bug description:
  We're are unable to test OpenSSL 3.1 versions on Ubuntu 22.04 and
  20.04 machines because the machine gets bricked and loses SSH after
  installation of OpenSSL 3.1.2.

  This is because SSHD gets restarted when OpenSSL 3.1 gets installed.
  But it fails to come up and we lose SSH access to the box.

  Debug logging on SSHD shows the below error when it tries to start : 
  OpenSSL version mismatch. Built against 30000020, you have 30100020

  After researching in online forums, it appears that this is an OpenSSH bug and it's been fixed in version 9.4p1 and 9.5p1 via this fix : 
  https://github.com/openssh/openssh-portable/commit/b7afd8a4ecaca8afd3179b55e9db79c0ff210237

  However, it appears that only 8.9p1 version of openssh-client and
  openssh-server are available in Ubuntu packages.

  Requesting you to please release openssh versions 9.4p1 or 9.5p1 on
  Jammy and Focal which will help us move past this bug and start
  testing OpenSSL 3.1 for our use cases.

  Additional information about our environment:
  $ lsb_release -rd
  Description:	Ubuntu 22.04.3 LTS
  Release:	22.04

  $ apt-cache policy openssh-server
  openssh-server:
    Installed: 1:8.9p1-3ubuntu0.4
    Candidate: 1:8.9p1-3ubuntu0.4
    Version table:
   *** 1:8.9p1-3ubuntu0.4 500
          500 http://us-west-2.ec2.archive.ubuntu.com/ubuntu jammy-updates/main amd64 Packages
          100 /var/lib/dpkg/status
       1:8.9p1-3ubuntu0.3 500
          500 http://security.ubuntu.com/ubuntu jammy-security/main amd64 Packages
       1:8.9p1-3 500
          500 http://us-west-2.ec2.archive.ubuntu.com/ubuntu jammy/main amd64 Packages

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/2038561/+subscriptions