[202012][openssh] openssh: Upgrade from 7.9 to 8.4, to match version in buster-backports #10910

Merged: 18 commits merged on Jun 2, 2022

@Blueve Blueve commented May 24, 2022

Signed-off-by: Jing Kan [email protected]

Why I did it

Upgrade 202012 sshd to 1:8.4p1-2 for security concerns.

How I did it

Bullseye has already upgraded to 1:8.4p1-5, and it is well tested.

This PR is for the buster base image; we want to upgrade our openssh to the buster-backports stable version 1:8.4p1-2.

How to verify it

Build the openssh-server deb package and manually install it to a DUT

  • Test ssh
  • Test console reverse ssh

Which release branch to backport (provide reason below if selected)

  • 201811
  • 201911
  • 202006
  • 202012
  • 202106
  • 202111

@Blueve Blueve requested a review from saiarcot895 May 24, 2022 05:25
@Blueve Blueve changed the title from "[cherry-pick 202012][openssh] openssh: Upgrade from 7.9 to 8.4, to match version in Bullseye" to "[cherry-pick 202012][openssh] openssh: Upgrade from 7.9 to 8.4, to match version in buster-backports" May 24, 2022

Blueve commented May 24, 2022

Hello @saiarcot895 Do you think we can upgrade the openssh server version in 202012?


Blueve commented May 24, 2022

The build failed due to incorrect dependencies version

@saiarcot895

It might be fine to upgrade to 8.4 on buster, but one thing that'll need to be verified is that anything using SSH is still able to connect to this new version. OpenSSH may disable/remove support for less secure ciphers/encryption/signature methods, and while most clients will be fine, anything that is using very old versions of OpenSSH or using other implementations may have issues, because they may be trying to use those less secure ciphers/encryption/signature methods.
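
One way to check the compatibility concern raised above, as an added example (not code from this PR or from sonic-buildimage): diff the algorithm lists in `sshd -T` output captured before and after the upgrade, then test a client's proposal against the new list. The two dumps and the legacy client proposal are constructed sample data, not real 7.9 or 8.4 defaults, and the function names are hypothetical.

```python
# Sample data is constructed for illustration; it is not real sshd 7.9/8.4 output.
ALGO_KEYS = ("kexalgorithms", "ciphers", "macs", "hostkeyalgorithms")

OLD_SSHD_T = """\
port 22
kexalgorithms curve25519-sha256,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
ciphers aes128-ctr,aes256-ctr,aes128-cbc
macs hmac-sha2-256,hmac-sha1
hostkeyalgorithms ssh-ed25519,rsa-sha2-256,ssh-rsa
"""

NEW_SSHD_T = """\
port 22
kexalgorithms curve25519-sha256,diffie-hellman-group14-sha256
ciphers aes128-ctr,aes256-ctr
macs hmac-sha2-256,hmac-sha1
hostkeyalgorithms ssh-ed25519,rsa-sha2-256,ssh-rsa
"""

# Constructed proposal of a hypothetical legacy client (for example an old management tool).
LEGACY_CLIENT = {
    "kexalgorithms": ["diffie-hellman-group14-sha1"],
    "ciphers": ["aes128-cbc", "aes128-ctr"],
    "macs": ["hmac-sha1"],
    "hostkeyalgorithms": ["ssh-rsa"],
}

def parse_sshd_t(text):
    """Return {keyword: [algorithms]} for the algorithm keywords in `sshd -T` output."""
    conf = {}
    for line in text.splitlines():
        key, _, value = line.strip().partition(" ")
        if key.lower() in ALGO_KEYS:
            conf[key.lower()] = [a for a in value.split(",") if a]
    return conf

def dropped(old, new):
    """Algorithms the old server offered that the new one does not, per keyword."""
    return {k: [a for a in old.get(k, []) if a not in new.get(k, [])] for k in ALGO_KEYS}

def negotiation_gaps(client, server):
    """Keywords where client and server share no algorithm, so the handshake would fail."""
    return [k for k in ALGO_KEYS if not set(client.get(k, [])) & set(server.get(k, []))]

if __name__ == "__main__":
    old, new = parse_sshd_t(OLD_SSHD_T), parse_sshd_t(NEW_SSHD_T)
    print("dropped by upgrade:", dropped(old, new))
    print("legacy client fails on:", negotiation_gaps(LEGACY_CLIENT, new))
```

On a real device, the two dumps would come from running `sshd -T` on the old and the upgraded image, and the client proposal from the client's own configuration or debug output.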

@Blueve Blueve changed the title from "[cherry-pick 202012][openssh] openssh: Upgrade from 7.9 to 8.4, to match version in buster-backports" to "[202012][openssh] openssh: Upgrade from 7.9 to 8.4, to match version in buster-backports" May 24, 2022

Blueve commented May 24, 2022

> It might be fine to upgrade to 8.4 on buster, but one thing that'll need to be verified is that anything using SSH is still able to connect to this new version. OpenSSH may disable/remove support for less secure ciphers/encryption/signature methods, and while most clients will be fine, anything that is using very old versions of OpenSSH or using other implementations may have issues, because they may be trying to use those less secure ciphers/encryption/signature methods.

Yes, that is a valid concern...

On the other hand, it seems like some dependencies do not exist in buster-backports.
I downgraded to https://sources.debian.org/patches/openssh/1:8.4p1-2~bpo10+1/


Blueve commented May 26, 2022

/azp run Azure.sonic-buildimage

@azure-pipelines

Azure Pipelines successfully started running 1 pipeline(s).

@Blueve Blueve force-pushed the dev/jika/upgrade_openssh branch from 9e5a024 to a5cc43d Compare May 26, 2022 08:06

Blueve commented May 30, 2022

/azp run Azure.sonic-buildimage

@azure-pipelines

Azure Pipelines successfully started running 1 pipeline(s).


Blueve commented May 31, 2022

/azp run Azure.sonic-buildimage

@azure-pipelines

Azure Pipelines successfully started running 1 pipeline(s).


Blueve commented May 31, 2022

/azp run Azure.sonic-buildimage

@azure-pipelines

Azure Pipelines successfully started running 1 pipeline(s).

@sonic-net sonic-net deleted a comment from azure-pipelines bot May 31, 2022

Blueve commented Jun 1, 2022

/azp run Azure.sonic-buildimage

@azure-pipelines

Azure Pipelines successfully started running 1 pipeline(s).

@Blueve Blueve requested a review from xumia June 1, 2022 12:15
@Blueve Blueve merged commit 14fdcc8 into sonic-net:202012 Jun 2, 2022
@Blueve Blueve deleted the dev/jika/upgrade_openssh branch June 2, 2022 08:06
Blueve added a commit that referenced this pull request Jun 14, 2022
…version in buster-backports (#10910)"

This reverts commit 14fdcc8.
Blueve added a commit that referenced this pull request Jun 17, 2022
…version in buster-backports (#10910)" (#11136)

This reverts commit 14fdcc8.