Hi Martin,

On Tue, Apr 16, 2024 at 09:26:02AM +0200, Martin Pitt wrote:
> Control: tag -1 upstream fixed-upstream patch
> Control: forwarded -1 https://github.com/cockpit-project/cockpit/pull/19790
> 
> Hello Salvatore and Santiago,
> 
> Salvatore Bonaccorso [2024-04-15 19:28 +0200]:
> > The update for cockpit in DSA 5655-1 had problems with the
> > test-sshbridge test, causing FTBFS:
> >
> > From the tail of the test failure:
> >
> > # cockpit-protocol-DEBUG: test-ssh: output queue empty
> >
> > (cockpit-ssh:3731): cockpit-ssh-WARNING **: 20:51:17.702: 
> > (src/ssh/cockpitsshrelay.c:1423):cockpit_ssh_connect: runtime check failed: 
> > (ssh_options_set (data->session, SSH_OPTIONS_HOST, host) == 0)
> >
> > (cockpit-ssh:3731): cockpit-ssh-WARNING **: 20:51:17.702: 
> > (src/ssh/cockpitsshrelay.c:1424):cockpit_ssh_connect: runtime check failed: 
> > (ssh_options_parse_config (data->session, NULL) == 0)
> > # cockpit-protocol-DEBUG: test-ssh: reading input 1
> > # cockpit-protocol-DEBUG: test-ssh: received a 82 byte payload
> > # cockpit-protocol-DEBUG: test-ssh: want more data
> > **
> > cockpit-ssh:ERROR:src/ssh/test-sshbridge.c:560:wait_until_transport_init: 
> > assertion failed (json_object_get_string_member (init, "command") == 
> > "init"): ("authorize" == "init")
> > Bail out! 
> > cockpit-ssh:ERROR:src/ssh/test-sshbridge.c:560:wait_until_transport_init: 
> > assertion failed (json_object_get_string_member (init, "command") == 
> > "init"): ("authorize" == "init")
> > cockpit-ssh-Message: 20:51:17.704: cockpit-ssh some_host: -1 couldn't 
> > connect: Hostname required 'some_host' '22'
> > cockpit-ssh-Message: 20:51:17.704: couldn't write control message: Broken 
> > pipe
> > cockpit-ssh-Message: 20:51:17.704: couldn't write authorize message: 
> > Inappropriate ioctl for device
> > FAIL test-sshbridge (exit status: 134)
> 
> Argh, I can reproduce. The test passes with the previous
> http://snapshot.debian.org/package/libssh/0.10.5-3/ but fails with current 
> 0.10.6-0+deb12u1.
> 
> The reason is annoyingly mundane, and already got fixed upstream half a year ago:
> https://github.com/cockpit-project/cockpit/commit/518d36c3492020525
> 
> I prepared a package update with that fix cherry-picked. See attached debdiff.
> It builds fine in a clean bookworm container now.
> But I don't know how exactly to target and upload this: to bookworm-security or
> -updates? It's a follow-up for a previous security update to make that actually
> work, but not a security update in itself.

Technically speaking, as the issue is present already before the DSA
release, you are right and the proposed update way would have been the
way to go. *But* we have a released security-update which de-facto does
not reach the users right now, so I propose to release the regression
fix through a security and make it a DSA regression announce.

Can you please upload to security-master?

Regards,
Salvatore
