Bug#926853: unblock: openssh/1:7.9p1-10

Colin Watson
Package: release.debian.org
Severity: normal
User: [hidden email]
Usertags: unblock

Please unblock openssh 1:7.9p1-10; as discussed recently on
debian-devel, this reverts an upstream change in 7.8 that causes
problems for certain iptables configurations as well as for VMware.

unblock openssh/1:7.9p1-10

diff -Nru openssh-7.9p1/debian/.git-dpm openssh-7.9p1/debian/.git-dpm
--- openssh-7.9p1/debian/.git-dpm 2019-03-01 10:57:53.000000000 +0100
+++ openssh-7.9p1/debian/.git-dpm 2019-04-08 11:51:26.000000000 +0200
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-7a3fa37583d4abf128f7f4c6eb1e7ffc90115eab
-7a3fa37583d4abf128f7f4c6eb1e7ffc90115eab
+6b56cd57db9061296231f14d537f1ebaf25e8877
+6b56cd57db9061296231f14d537f1ebaf25e8877
 3d246f10429fc9a37b98eabef94fe8dc7c61002b
 3d246f10429fc9a37b98eabef94fe8dc7c61002b
 openssh_7.9p1.orig.tar.gz
diff -Nru openssh-7.9p1/debian/README.Debian openssh-7.9p1/debian/README.Debian
--- openssh-7.9p1/debian/README.Debian 2019-03-01 10:57:52.000000000 +0100
+++ openssh-7.9p1/debian/README.Debian 2019-04-08 11:56:59.000000000 +0200
@@ -270,6 +270,26 @@
 
   https://bugs.launchpad.net/bugs/1674330
 
+IPQoS defaults reverted to pre-7.8 values
+-----------------------------------------
+
+OpenSSH 7.8 changed the default IPQoS settings to use DSCP AF21 for
+interactive traffic and CS1 for bulk.  This caused some problems with other
+software ("iptables -m tos" and VMware), so Debian's OpenSSH reverts this
+change for the time being.
+
+This is *temporary*, and we expect to come back into sync with upstream
+OpenSSH once those other issues have been fixed.  If you want to restore the
+upstream default, add this to ssh_config and sshd_config:
+
+  IPQoS af21 cs1
+
+For further discussion, see:
+
+  https://bugs.debian.org/923879
+  https://bugs.debian.org/926229
+  https://bugs.launchpad.net/1822370
+
 --
 Matthew Vernon <[hidden email]>
 Colin Watson <[hidden email]>
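Review bot: the new README.Debian section says the defaults are reverted to "pre-7.8 values" but never names them. The man page changes in this same upload give them as lowdelay for interactive sessions and throughput for non-interactive sessions; stating that here, next to the "IPQoS af21 cs1" line, would let an administrator see both settings side by side and know which values a firewall rule matching on TOS will observe by default.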
diff -Nru openssh-7.9p1/debian/changelog openssh-7.9p1/debian/changelog
--- openssh-7.9p1/debian/changelog 2019-03-01 13:23:36.000000000 +0100
+++ openssh-7.9p1/debian/changelog 2019-04-08 12:13:04.000000000 +0200
@@ -1,3 +1,11 @@
+openssh (1:7.9p1-10) unstable; urgency=medium
+
+  * Temporarily revert IPQoS defaults to pre-7.8 values until issues with
+    "iptables -m tos" and VMware have been fixed (closes: #923879, #926229;
+    LP: #1822370).
+
+ -- Colin Watson <[hidden email]>  Mon, 08 Apr 2019 11:13:04 +0100
+
 openssh (1:7.9p1-9) unstable; urgency=medium
 
   * Apply upstream patch to make scp handle shell-style brace expansions
diff -Nru openssh-7.9p1/debian/patches/revert-ipqos-defaults.patch openssh-7.9p1/debian/patches/revert-ipqos-defaults.patch
--- openssh-7.9p1/debian/patches/revert-ipqos-defaults.patch 1970-01-01 01:00:00.000000000 +0100
+++ openssh-7.9p1/debian/patches/revert-ipqos-defaults.patch 2019-04-08 11:51:26.000000000 +0200
@@ -0,0 +1,93 @@
+From 6b56cd57db9061296231f14d537f1ebaf25e8877 Mon Sep 17 00:00:00 2001
+From: Colin Watson <[hidden email]>
+Date: Mon, 8 Apr 2019 10:46:29 +0100
+Subject: Revert "upstream: Update default IPQoS in ssh(1), sshd(8) to DSCP
+ AF21 for"
+
+This reverts commit 5ee8448ad7c306f05a9f56769f95336a8269f379.
+
+The IPQoS default changes have some unfortunate interactions with
+iptables (see https://bugs.debian.org/923880) and VMware, so I'm
+temporarily reverting them until those have been fixed.
+
+Bug-Debian: https://bugs.debian.org/923879
+Bug-Debian: https://bugs.debian.org/926229
+Bug-Ubuntu: https://bugs.launchpad.net/1822370
+Last-Update: 2019-04-08
+
+Patch-Name: revert-ipqos-defaults.patch
+---
+ readconf.c    | 4 ++--
+ servconf.c    | 4 ++--
+ ssh_config.5  | 6 ++----
+ sshd_config.5 | 6 ++----
+ 4 files changed, 8 insertions(+), 12 deletions(-)
+
+diff --git a/readconf.c b/readconf.c
+index 661b8bf40..6d046f063 100644
+--- a/readconf.c
++++ b/readconf.c
+@@ -2133,9 +2133,9 @@ fill_default_options(Options * options)
+ if (options->visual_host_key == -1)
+ options->visual_host_key = 0;
+ if (options->ip_qos_interactive == -1)
+- options->ip_qos_interactive = IPTOS_DSCP_AF21;
++ options->ip_qos_interactive = IPTOS_LOWDELAY;
+ if (options->ip_qos_bulk == -1)
+- options->ip_qos_bulk = IPTOS_DSCP_CS1;
++ options->ip_qos_bulk = IPTOS_THROUGHPUT;
+ if (options->request_tty == -1)
+ options->request_tty = REQUEST_TTY_AUTO;
+ if (options->proxy_use_fdpass == -1)
+diff --git a/servconf.c b/servconf.c
+index c5dd617ef..bf2669147 100644
+--- a/servconf.c
++++ b/servconf.c
+@@ -403,9 +403,9 @@ fill_default_server_options(ServerOptions *options)
+ if (options->permit_tun == -1)
+ options->permit_tun = SSH_TUNMODE_NO;
+ if (options->ip_qos_interactive == -1)
+- options->ip_qos_interactive = IPTOS_DSCP_AF21;
++ options->ip_qos_interactive = IPTOS_LOWDELAY;
+ if (options->ip_qos_bulk == -1)
+- options->ip_qos_bulk = IPTOS_DSCP_CS1;
++ options->ip_qos_bulk = IPTOS_THROUGHPUT;
+ if (options->version_addendum == NULL)
+ options->version_addendum = xstrdup("");
+ if (options->fwd_opts.streamlocal_bind_mask == (mode_t)-1)
+diff --git a/ssh_config.5 b/ssh_config.5
+index 1a8e24bd1..f6c1b3b33 100644
+--- a/ssh_config.5
++++ b/ssh_config.5
+@@ -1055,11 +1055,9 @@ If one argument is specified, it is used as the packet class unconditionally.
+ If two values are specified, the first is automatically selected for
+ interactive sessions and the second for non-interactive sessions.
+ The default is
+-.Cm af21
+-(Low-Latency Data)
++.Cm lowdelay
+ for interactive sessions and
+-.Cm cs1
+-(Lower Effort)
++.Cm throughput
+ for non-interactive sessions.
+ .It Cm KbdInteractiveAuthentication
+ Specifies whether to use keyboard-interactive authentication.
+diff --git a/sshd_config.5 b/sshd_config.5
+index ba50a30f1..03f813e72 100644
+--- a/sshd_config.5
++++ b/sshd_config.5
+@@ -866,11 +866,9 @@ If one argument is specified, it is used as the packet class unconditionally.
+ If two values are specified, the first is automatically selected for
+ interactive sessions and the second for non-interactive sessions.
+ The default is
+-.Cm af21
+-(Low-Latency Data)
++.Cm lowdelay
+ for interactive sessions and
+-.Cm cs1
+-(Lower Effort)
++.Cm throughput
+ for non-interactive sessions.
+ .It Cm KbdInteractiveAuthentication
+ Specifies whether to allow keyboard-interactive authentication.
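Review bot: the patch description points to https://bugs.debian.org/923880 for the iptables interaction, but the Bug-Debian fields directly below list 923879 and 926229, and README.Debian and the changelog cite only those two. Please confirm which bug is meant and either add a Bug-Debian field for 923880 or correct the reference. Separately, the revert is described as temporary, yet the assignments in fill_default_options() and fill_default_server_options() carry no comment saying so; a one-line comment pointing at the bug would help ensure the IPTOS_LOWDELAY and IPTOS_THROUGHPUT defaults are revisited when resyncing with upstream.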
diff -Nru openssh-7.9p1/debian/patches/series openssh-7.9p1/debian/patches/series
--- openssh-7.9p1/debian/patches/series 2019-03-01 10:57:53.000000000 +0100
+++ openssh-7.9p1/debian/patches/series 2019-04-08 11:51:26.000000000 +0200
@@ -31,3 +31,4 @@
 fix-key-type-check.patch
 request-rsa-sha2-cert-signatures.patch
 scp-handle-braces.patch
+revert-ipqos-defaults.patch

Thanks,

--
Colin Watson                                       [[hidden email]]

Bug#926853: unblock: openssh/1:7.9p1-10

Niels Thykier
Control: tags -1 confirmed d-i

Colin Watson:

> Package: release.debian.org
> Severity: normal
> User: [hidden email]
> Usertags: unblock
>
> Please unblock openssh 1:7.9p1-10; as discussed recently on
> debian-devel, this reverts an upstream change in 7.8 that causes
> problems for certain iptables configurations as well as for VMware.
>
> unblock openssh/1:7.9p1-10
>


Hi,

Ok and unblocked from a release team PoV, but it needs a d-i ack due to
its udeb.  CC'ing kibi for that part (and quoting the diff in full for him).

Thanks,
~Niels


> diff -Nru openssh-7.9p1/debian/.git-dpm openssh-7.9p1/debian/.git-dpm
> --- openssh-7.9p1/debian/.git-dpm 2019-03-01 10:57:53.000000000 +0100
> +++ openssh-7.9p1/debian/.git-dpm 2019-04-08 11:51:26.000000000 +0200
> @@ -1,6 +1,6 @@
>  # see git-dpm(1) from git-dpm package
> -7a3fa37583d4abf128f7f4c6eb1e7ffc90115eab
> -7a3fa37583d4abf128f7f4c6eb1e7ffc90115eab
> +6b56cd57db9061296231f14d537f1ebaf25e8877
> +6b56cd57db9061296231f14d537f1ebaf25e8877
>  3d246f10429fc9a37b98eabef94fe8dc7c61002b
>  3d246f10429fc9a37b98eabef94fe8dc7c61002b
>  openssh_7.9p1.orig.tar.gz
> diff -Nru openssh-7.9p1/debian/README.Debian openssh-7.9p1/debian/README.Debian
> --- openssh-7.9p1/debian/README.Debian 2019-03-01 10:57:52.000000000 +0100
> +++ openssh-7.9p1/debian/README.Debian 2019-04-08 11:56:59.000000000 +0200
> @@ -270,6 +270,26 @@
>  
>    https://bugs.launchpad.net/bugs/1674330
>  
> +IPQoS defaults reverted to pre-7.8 values
> +-----------------------------------------
> +
> +OpenSSH 7.8 changed the default IPQoS settings to use DSCP AF21 for
> +interactive traffic and CS1 for bulk.  This caused some problems with other
> +software ("iptables -m tos" and VMware), so Debian's OpenSSH reverts this
> +change for the time being.
> +
> +This is *temporary*, and we expect to come back into sync with upstream
> +OpenSSH once those other issues have been fixed.  If you want to restore the
> +upstream default, add this to ssh_config and sshd_config:
> +
> +  IPQoS af21 cs1
> +
> +For further discussion, see:
> +
> +  https://bugs.debian.org/923879
> +  https://bugs.debian.org/926229
> +  https://bugs.launchpad.net/1822370
> +
>  --
>  Matthew Vernon <[hidden email]>
>  Colin Watson <[hidden email]>
> diff -Nru openssh-7.9p1/debian/changelog openssh-7.9p1/debian/changelog
> --- openssh-7.9p1/debian/changelog 2019-03-01 13:23:36.000000000 +0100
> +++ openssh-7.9p1/debian/changelog 2019-04-08 12:13:04.000000000 +0200
> @@ -1,3 +1,11 @@
> +openssh (1:7.9p1-10) unstable; urgency=medium
> +
> +  * Temporarily revert IPQoS defaults to pre-7.8 values until issues with
> +    "iptables -m tos" and VMware have been fixed (closes: #923879, #926229;
> +    LP: #1822370).
> +
> + -- Colin Watson <[hidden email]>  Mon, 08 Apr 2019 11:13:04 +0100
> +
>  openssh (1:7.9p1-9) unstable; urgency=medium
>  
>    * Apply upstream patch to make scp handle shell-style brace expansions
> diff -Nru openssh-7.9p1/debian/patches/revert-ipqos-defaults.patch openssh-7.9p1/debian/patches/revert-ipqos-defaults.patch
> --- openssh-7.9p1/debian/patches/revert-ipqos-defaults.patch 1970-01-01 01:00:00.000000000 +0100
> +++ openssh-7.9p1/debian/patches/revert-ipqos-defaults.patch 2019-04-08 11:51:26.000000000 +0200
> @@ -0,0 +1,93 @@
> +From 6b56cd57db9061296231f14d537f1ebaf25e8877 Mon Sep 17 00:00:00 2001
> +From: Colin Watson <[hidden email]>
> +Date: Mon, 8 Apr 2019 10:46:29 +0100
> +Subject: Revert "upstream: Update default IPQoS in ssh(1), sshd(8) to DSCP
> + AF21 for"
> +
> +This reverts commit 5ee8448ad7c306f05a9f56769f95336a8269f379.
> +
> +The IPQoS default changes have some unfortunate interactions with
> +iptables (see https://bugs.debian.org/923880) and VMware, so I'm
> +temporarily reverting them until those have been fixed.
> +
> +Bug-Debian: https://bugs.debian.org/923879
> +Bug-Debian: https://bugs.debian.org/926229
> +Bug-Ubuntu: https://bugs.launchpad.net/1822370
> +Last-Update: 2019-04-08
> +
> +Patch-Name: revert-ipqos-defaults.patch
> +---
> + readconf.c    | 4 ++--
> + servconf.c    | 4 ++--
> + ssh_config.5  | 6 ++----
> + sshd_config.5 | 6 ++----
> + 4 files changed, 8 insertions(+), 12 deletions(-)
> +
> +diff --git a/readconf.c b/readconf.c
> +index 661b8bf40..6d046f063 100644
> +--- a/readconf.c
> ++++ b/readconf.c
> +@@ -2133,9 +2133,9 @@ fill_default_options(Options * options)
> + if (options->visual_host_key == -1)
> + options->visual_host_key = 0;
> + if (options->ip_qos_interactive == -1)
> +- options->ip_qos_interactive = IPTOS_DSCP_AF21;
> ++ options->ip_qos_interactive = IPTOS_LOWDELAY;
> + if (options->ip_qos_bulk == -1)
> +- options->ip_qos_bulk = IPTOS_DSCP_CS1;
> ++ options->ip_qos_bulk = IPTOS_THROUGHPUT;
> + if (options->request_tty == -1)
> + options->request_tty = REQUEST_TTY_AUTO;
> + if (options->proxy_use_fdpass == -1)
> +diff --git a/servconf.c b/servconf.c
> +index c5dd617ef..bf2669147 100644
> +--- a/servconf.c
> ++++ b/servconf.c
> +@@ -403,9 +403,9 @@ fill_default_server_options(ServerOptions *options)
> + if (options->permit_tun == -1)
> + options->permit_tun = SSH_TUNMODE_NO;
> + if (options->ip_qos_interactive == -1)
> +- options->ip_qos_interactive = IPTOS_DSCP_AF21;
> ++ options->ip_qos_interactive = IPTOS_LOWDELAY;
> + if (options->ip_qos_bulk == -1)
> +- options->ip_qos_bulk = IPTOS_DSCP_CS1;
> ++ options->ip_qos_bulk = IPTOS_THROUGHPUT;
> + if (options->version_addendum == NULL)
> + options->version_addendum = xstrdup("");
> + if (options->fwd_opts.streamlocal_bind_mask == (mode_t)-1)
> +diff --git a/ssh_config.5 b/ssh_config.5
> +index 1a8e24bd1..f6c1b3b33 100644
> +--- a/ssh_config.5
> ++++ b/ssh_config.5
> +@@ -1055,11 +1055,9 @@ If one argument is specified, it is used as the packet class unconditionally.
> + If two values are specified, the first is automatically selected for
> + interactive sessions and the second for non-interactive sessions.
> + The default is
> +-.Cm af21
> +-(Low-Latency Data)
> ++.Cm lowdelay
> + for interactive sessions and
> +-.Cm cs1
> +-(Lower Effort)
> ++.Cm throughput
> + for non-interactive sessions.
> + .It Cm KbdInteractiveAuthentication
> + Specifies whether to use keyboard-interactive authentication.
> +diff --git a/sshd_config.5 b/sshd_config.5
> +index ba50a30f1..03f813e72 100644
> +--- a/sshd_config.5
> ++++ b/sshd_config.5
> +@@ -866,11 +866,9 @@ If one argument is specified, it is used as the packet class unconditionally.
> + If two values are specified, the first is automatically selected for
> + interactive sessions and the second for non-interactive sessions.
> + The default is
> +-.Cm af21
> +-(Low-Latency Data)
> ++.Cm lowdelay
> + for interactive sessions and
> +-.Cm cs1
> +-(Lower Effort)
> ++.Cm throughput
> + for non-interactive sessions.
> + .It Cm KbdInteractiveAuthentication
> + Specifies whether to allow keyboard-interactive authentication.
> diff -Nru openssh-7.9p1/debian/patches/series openssh-7.9p1/debian/patches/series
> --- openssh-7.9p1/debian/patches/series 2019-03-01 10:57:53.000000000 +0100
> +++ openssh-7.9p1/debian/patches/series 2019-04-08 11:51:26.000000000 +0200
> @@ -31,3 +31,4 @@
>  fix-key-type-check.patch
>  request-rsa-sha2-cert-signatures.patch
>  scp-handle-braces.patch
> +revert-ipqos-defaults.patch
>
> Thanks,
>

Bug#926853: unblock: openssh/1:7.9p1-10

Cyril Brulebois-4
Hi,

Niels Thykier <[hidden email]> (2019-04-18):
> Ok and unblocked from a release team PoV, but it needs a d-i ack due to
> its udeb.  CC'ing kibi for that part (and quoting the diff in full for him).

(Thanks; FWIW I tend to bts -m show $bug or to just look at my
debian-release/ folder, so the full quote is not entirely needed. ;))

No objections, thanks.


Cheers,
--
Cyril Brulebois ([hidden email])            <https://debamax.com/>
D-I release manager -- Release team member -- Freelance Consultant
