Your message dated Thu, 18 Apr 2019 18:29:00 +0000
with message-id <8a093755-c9a3-5695-9e18-66614c7f2...@thykier.net>
and subject line Re: Bug#926853: unblock: openssh/1:7.9p1-10
has caused the Debian Bug report #926853,
regarding unblock: openssh/1:7.9p1-10
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
926853: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=926853
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
Please unblock openssh 1:7.9p1-10; as discussed recently on
debian-devel, this reverts an upstream change in 7.8 that causes
problems for certain iptables configurations as well as for VMware.
unblock openssh/1:7.9p1-10
diff -Nru openssh-7.9p1/debian/.git-dpm openssh-7.9p1/debian/.git-dpm
--- openssh-7.9p1/debian/.git-dpm 2019-03-01 10:57:53.000000000 +0100
+++ openssh-7.9p1/debian/.git-dpm 2019-04-08 11:51:26.000000000 +0200
@@ -1,6 +1,6 @@
# see git-dpm(1) from git-dpm package
-7a3fa37583d4abf128f7f4c6eb1e7ffc90115eab
-7a3fa37583d4abf128f7f4c6eb1e7ffc90115eab
+6b56cd57db9061296231f14d537f1ebaf25e8877
+6b56cd57db9061296231f14d537f1ebaf25e8877
3d246f10429fc9a37b98eabef94fe8dc7c61002b
3d246f10429fc9a37b98eabef94fe8dc7c61002b
openssh_7.9p1.orig.tar.gz
diff -Nru openssh-7.9p1/debian/README.Debian openssh-7.9p1/debian/README.Debian
--- openssh-7.9p1/debian/README.Debian 2019-03-01 10:57:52.000000000 +0100
+++ openssh-7.9p1/debian/README.Debian 2019-04-08 11:56:59.000000000 +0200
@@ -270,6 +270,26 @@
https://bugs.launchpad.net/bugs/1674330
+IPQoS defaults reverted to pre-7.8 values
+-----------------------------------------
+
+OpenSSH 7.8 changed the default IPQoS settings to use DSCP AF21 for
+interactive traffic and CS1 for bulk. This caused some problems with other
+software ("iptables -m tos" and VMware), so Debian's OpenSSH reverts this
+change for the time being.
+
+This is *temporary*, and we expect to come back into sync with upstream
+OpenSSH once those other issues have been fixed. If you want to restore the
+upstream default, add this to ssh_config and sshd_config:
+
+ IPQoS af21 cs1
+
+For further discussion, see:
+
+ https://bugs.debian.org/923879
+ https://bugs.debian.org/926229
+ https://bugs.launchpad.net/1822370
+
--
Matthew Vernon <matt...@debian.org>
Colin Watson <cjwat...@debian.org>
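Review bot: the new README section says the defaults are reverted to "pre-7.8 values" but never names them. State that Debian's default is now "IPQoS lowdelay throughput", as the ssh_config.5 and sshd_config.5 hunks do, so that an administrator writing firewall or QoS rules knows which markings to expect from a Debian host without reading the patch.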
diff -Nru openssh-7.9p1/debian/changelog openssh-7.9p1/debian/changelog
--- openssh-7.9p1/debian/changelog 2019-03-01 13:23:36.000000000 +0100
+++ openssh-7.9p1/debian/changelog 2019-04-08 12:13:04.000000000 +0200
@@ -1,3 +1,11 @@
+openssh (1:7.9p1-10) unstable; urgency=medium
+
+ * Temporarily revert IPQoS defaults to pre-7.8 values until issues with
+ "iptables -m tos" and VMware have been fixed (closes: #923879, #926229;
+ LP: #1822370).
+
+ -- Colin Watson <cjwat...@debian.org> Mon, 08 Apr 2019 11:13:04 +0100
+
openssh (1:7.9p1-9) unstable; urgency=medium
* Apply upstream patch to make scp handle shell-style brace expansions
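Review bot: the 1:7.9p1-10 entry closes #923879 and #926229 while describing the revert as temporary, so nothing visible in this diff remains open to track dropping revert-ipqos-defaults.patch once the "iptables -m tos" and VMware issues are fixed. Consider keeping or filing a tracking bug for the re-sync with upstream and referencing it here and in README.Debian.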
diff -Nru openssh-7.9p1/debian/patches/revert-ipqos-defaults.patch
openssh-7.9p1/debian/patches/revert-ipqos-defaults.patch
--- openssh-7.9p1/debian/patches/revert-ipqos-defaults.patch 1970-01-01
01:00:00.000000000 +0100
+++ openssh-7.9p1/debian/patches/revert-ipqos-defaults.patch 2019-04-08
11:51:26.000000000 +0200
@@ -0,0 +1,93 @@
+From 6b56cd57db9061296231f14d537f1ebaf25e8877 Mon Sep 17 00:00:00 2001
+From: Colin Watson <cjwat...@debian.org>
+Date: Mon, 8 Apr 2019 10:46:29 +0100
+Subject: Revert "upstream: Update default IPQoS in ssh(1), sshd(8) to DSCP
+ AF21 for"
+
+This reverts commit 5ee8448ad7c306f05a9f56769f95336a8269f379.
+
+The IPQoS default changes have some unfortunate interactions with
+iptables (see https://bugs.debian.org/923880) and VMware, so I'm
+temporarily reverting them until those have been fixed.
+
+Bug-Debian: https://bugs.debian.org/923879
+Bug-Debian: https://bugs.debian.org/926229
+Bug-Ubuntu: https://bugs.launchpad.net/1822370
+Last-Update: 2019-04-08
+
+Patch-Name: revert-ipqos-defaults.patch
+---
+ readconf.c | 4 ++--
+ servconf.c | 4 ++--
+ ssh_config.5 | 6 ++----
+ sshd_config.5 | 6 ++----
+ 4 files changed, 8 insertions(+), 12 deletions(-)
+
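Review bot: the patch description points to https://bugs.debian.org/923880 for the iptables interaction, but the Bug-Debian fields, the changelog entry and the README.Debian "For further discussion" list only mention 923879 and 926229. If 923880 is the intended reference, add it to the README list so readers can find it; if it is a typo, correct it in the description.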
+diff --git a/readconf.c b/readconf.c
+index 661b8bf40..6d046f063 100644
+--- a/readconf.c
++++ b/readconf.c
+@@ -2133,9 +2133,9 @@ fill_default_options(Options * options)
+ if (options->visual_host_key == -1)
+ options->visual_host_key = 0;
+ if (options->ip_qos_interactive == -1)
+- options->ip_qos_interactive = IPTOS_DSCP_AF21;
++ options->ip_qos_interactive = IPTOS_LOWDELAY;
+ if (options->ip_qos_bulk == -1)
+- options->ip_qos_bulk = IPTOS_DSCP_CS1;
++ options->ip_qos_bulk = IPTOS_THROUGHPUT;
+ if (options->request_tty == -1)
+ options->request_tty = REQUEST_TTY_AUTO;
+ if (options->proxy_use_fdpass == -1)
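Review bot: nothing in the upload checks that the reverted client defaults take effect in the built binary. The assignments in fill_default_options() apply only while ip_qos_interactive and ip_qos_bulk are still -1, so a quick check on a host with no IPQoS line in ssh_config is "ssh -G localhost | grep -i ipqos", which should report lowdelay and throughput.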
+diff --git a/servconf.c b/servconf.c
+index c5dd617ef..bf2669147 100644
+--- a/servconf.c
++++ b/servconf.c
+@@ -403,9 +403,9 @@ fill_default_server_options(ServerOptions *options)
+ if (options->permit_tun == -1)
+ options->permit_tun = SSH_TUNMODE_NO;
+ if (options->ip_qos_interactive == -1)
+- options->ip_qos_interactive = IPTOS_DSCP_AF21;
++ options->ip_qos_interactive = IPTOS_LOWDELAY;
+ if (options->ip_qos_bulk == -1)
+- options->ip_qos_bulk = IPTOS_DSCP_CS1;
++ options->ip_qos_bulk = IPTOS_THROUGHPUT;
+ if (options->version_addendum == NULL)
+ options->version_addendum = xstrdup("");
+ if (options->fwd_opts.streamlocal_bind_mask == (mode_t)-1)
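Review bot: in fill_default_server_options() this changes the packet marking of every sshd without an explicit IPQoS line as soon as the package is upgraded, including hosts whose administrators already adapted firewall or QoS rules to the af21/cs1 defaults introduced in 7.8. The diff documents the change only in README.Debian and the changelog; a debian/NEWS entry would surface it at upgrade time, and "sshd -T | grep -i ipqos" confirms the effective values afterwards.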
+diff --git a/ssh_config.5 b/ssh_config.5
+index 1a8e24bd1..f6c1b3b33 100644
+--- a/ssh_config.5
++++ b/ssh_config.5
+@@ -1055,11 +1055,9 @@ If one argument is specified, it is used as the packet
class unconditionally.
+ If two values are specified, the first is automatically selected for
+ interactive sessions and the second for non-interactive sessions.
+ The default is
+-.Cm af21
+-(Low-Latency Data)
++.Cm lowdelay
+ for interactive sessions and
+-.Cm cs1
+-(Lower Effort)
++.Cm throughput
+ for non-interactive sessions.
+ .It Cm KbdInteractiveAuthentication
+ Specifies whether to use keyboard-interactive authentication.
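Review bot: the documented default becomes lowdelay/throughput with nothing marking it as a Debian deviation, so a reader comparing this page against upstream documentation gets no hint why the two differ. Consider adding a sentence after "for non-interactive sessions." that says the default differs from upstream and points to README.Debian; the same applies to the identical text in the sshd_config.5 hunk.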
+diff --git a/sshd_config.5 b/sshd_config.5
+index ba50a30f1..03f813e72 100644
+--- a/sshd_config.5
++++ b/sshd_config.5
+@@ -866,11 +866,9 @@ If one argument is specified, it is used as the packet
class unconditionally.
+ If two values are specified, the first is automatically selected for
+ interactive sessions and the second for non-interactive sessions.
+ The default is
+-.Cm af21
+-(Low-Latency Data)
++.Cm lowdelay
+ for interactive sessions and
+-.Cm cs1
+-(Lower Effort)
++.Cm throughput
+ for non-interactive sessions.
+ .It Cm KbdInteractiveAuthentication
+ Specifies whether to allow keyboard-interactive authentication.
diff -Nru openssh-7.9p1/debian/patches/series
openssh-7.9p1/debian/patches/series
--- openssh-7.9p1/debian/patches/series 2019-03-01 10:57:53.000000000 +0100
+++ openssh-7.9p1/debian/patches/series 2019-04-08 11:51:26.000000000 +0200
@@ -31,3 +31,4 @@
fix-key-type-check.patch
request-rsa-sha2-cert-signatures.patch
scp-handle-braces.patch
+revert-ipqos-defaults.patch
Thanks,
--
Colin Watson [cjwat...@debian.org]
--- End Message ---
--- Begin Message ---
Cyril Brulebois:
> Hi,
>
> Niels Thykier <ni...@thykier.net> (2019-04-18):
>> Ok and unblocked from a release team PoV, but it needs a d-i ack due to
>> its udeb. CC'ing kibi for that part (and quoting the diff in full for him).
>
> (Thanks; FWIW I tend to bts -m show $bug or to just look at my
> debian-release/ folder, so the full quote is not entirely needed. ;))
>
Noted. :)
> No objections, thanks.
>
>
> Cheers,
>
Unblocked, thanks.
~Niels
--- End Message ---