Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
Please unblock openssh 1:7.9p1-10; as discussed recently on debian-devel, this reverts an upstream change in 7.8 that causes problems for certain iptables configurations as well as for VMware. unblock openssh/1:7.9p1-10 diff -Nru openssh-7.9p1/debian/.git-dpm openssh-7.9p1/debian/.git-dpm --- openssh-7.9p1/debian/.git-dpm 2019-03-01 10:57:53.000000000 +0100 +++ openssh-7.9p1/debian/.git-dpm 2019-04-08 11:51:26.000000000 +0200 @@ -1,6 +1,6 @@ # see git-dpm(1) from git-dpm package -7a3fa37583d4abf128f7f4c6eb1e7ffc90115eab -7a3fa37583d4abf128f7f4c6eb1e7ffc90115eab +6b56cd57db9061296231f14d537f1ebaf25e8877 +6b56cd57db9061296231f14d537f1ebaf25e8877 3d246f10429fc9a37b98eabef94fe8dc7c61002b 3d246f10429fc9a37b98eabef94fe8dc7c61002b openssh_7.9p1.orig.tar.gz diff -Nru openssh-7.9p1/debian/README.Debian openssh-7.9p1/debian/README.Debian --- openssh-7.9p1/debian/README.Debian 2019-03-01 10:57:52.000000000 +0100 +++ openssh-7.9p1/debian/README.Debian 2019-04-08 11:56:59.000000000 +0200 
@@ -270,6 +270,26 @@ https://bugs.launchpad.net/bugs/1674330 +IPQoS defaults reverted to pre-7.8 values +----------------------------------------- + +OpenSSH 7.8 changed the default IPQoS settings to use DSCP AF21 for +interactive traffic and CS1 for bulk. This caused some problems with other +software ("iptables -m tos" and VMware), so Debian's OpenSSH reverts this +change for the time being. + +This is *temporary*, and we expect to come back into sync with upstream +OpenSSH once those other issues have been fixed. If you want to restore the +upstream default, add this to ssh_config and sshd_config: + + IPQoS af21 cs1 + +For further discussion, see: + + https://bugs.debian.org/923879 + https://bugs.debian.org/926229 + https://bugs.launchpad.net/1822370 + -- Matthew Vernon <matt...@debian.org> Colin Watson <cjwat...@debian.org> diff -Nru openssh-7.9p1/debian/changelog openssh-7.9p1/debian/changelog --- openssh-7.9p1/debian/changelog 2019-03-01 13:23:36.000000000 +0100 +++ openssh-7.9p1/debian/changelog 2019-04-08 12:13:04.000000000 +0200 @@ -1,3 +1,11 @@ +openssh (1:7.9p1-10) unstable; urgency=medium + + * Temporarily revert IPQoS defaults to pre-7.8 values until issues with + "iptables -m tos" and VMware have been fixed (closes: #923879, #926229; + LP: #1822370). + + -- Colin Watson <cjwat...@debian.org> Mon, 08 Apr 2019 11:13:04 +0100 + openssh (1:7.9p1-9) unstable; urgency=medium * Apply upstream patch to make scp handle shell-style brace expansions diff -Nru openssh-7.9p1/debian/patches/revert-ipqos-defaults.patch openssh-7.9p1/debian/patches/revert-ipqos-defaults.patch --- openssh-7.9p1/debian/patches/revert-ipqos-defaults.patch 1970-01-01 01:00:00.000000000 +0100 +++ openssh-7.9p1/debian/patches/revert-ipqos-defaults.patch 2019-04-08 11:51:26.000000000 +0200 
@@ -0,0 +1,93 @@ +From 6b56cd57db9061296231f14d537f1ebaf25e8877 Mon Sep 17 00:00:00 2001 +From: Colin Watson <cjwat...@debian.org> +Date: Mon, 8 Apr 2019 10:46:29 +0100 +Subject: Revert "upstream: Update default IPQoS in ssh(1), sshd(8) to DSCP + AF21 for" + +This reverts commit 5ee8448ad7c306f05a9f56769f95336a8269f379. + +The IPQoS default changes have some unfortunate interactions with +iptables (see https://bugs.debian.org/923880) and VMware, so I'm +temporarily reverting them until those have been fixed. + +Bug-Debian: https://bugs.debian.org/923879 +Bug-Debian: https://bugs.debian.org/926229 +Bug-Ubuntu: https://bugs.launchpad.net/1822370 +Last-Update: 2019-04-08 + +Patch-Name: revert-ipqos-defaults.patch +--- + readconf.c | 4 ++-- + servconf.c | 4 ++-- + ssh_config.5 | 6 ++---- + sshd_config.5 | 6 ++---- + 4 files changed, 8 insertions(+), 12 deletions(-) + +diff --git a/readconf.c b/readconf.c +index 661b8bf40..6d046f063 100644 +--- a/readconf.c ++++ b/readconf.c +@@ -2133,9 +2133,9 @@ fill_default_options(Options * options) + if (options->visual_host_key == -1) + options->visual_host_key = 0; + if (options->ip_qos_interactive == -1) +- options->ip_qos_interactive = IPTOS_DSCP_AF21; ++ options->ip_qos_interactive = IPTOS_LOWDELAY; + if (options->ip_qos_bulk == -1) +- options->ip_qos_bulk = IPTOS_DSCP_CS1; ++ options->ip_qos_bulk = IPTOS_THROUGHPUT; + if (options->request_tty == -1) + options->request_tty = REQUEST_TTY_AUTO; + if (options->proxy_use_fdpass == -1) +diff --git a/servconf.c b/servconf.c +index c5dd617ef..bf2669147 100644 +--- a/servconf.c ++++ b/servconf.c +@@ -403,9 +403,9 @@ fill_default_server_options(ServerOptions *options) + if (options->permit_tun == -1) + options->permit_tun = SSH_TUNMODE_NO; + if (options->ip_qos_interactive == -1) +- options->ip_qos_interactive = IPTOS_DSCP_AF21; ++ options->ip_qos_interactive = IPTOS_LOWDELAY; + if (options->ip_qos_bulk == -1) +- options->ip_qos_bulk = IPTOS_DSCP_CS1; ++ options->ip_qos_bulk = 
IPTOS_THROUGHPUT; + if (options->version_addendum == NULL) + options->version_addendum = xstrdup(""); + if (options->fwd_opts.streamlocal_bind_mask == (mode_t)-1) +diff --git a/ssh_config.5 b/ssh_config.5 +index 1a8e24bd1..f6c1b3b33 100644 +--- a/ssh_config.5 ++++ b/ssh_config.5 +@@ -1055,11 +1055,9 @@ If one argument is specified, it is used as the packet class unconditionally. + If two values are specified, the first is automatically selected for + interactive sessions and the second for non-interactive sessions. + The default is +-.Cm af21 +-(Low-Latency Data) ++.Cm lowdelay + for interactive sessions and +-.Cm cs1 +-(Lower Effort) ++.Cm throughput + for non-interactive sessions. + .It Cm KbdInteractiveAuthentication + Specifies whether to use keyboard-interactive authentication. +diff --git a/sshd_config.5 b/sshd_config.5 +index ba50a30f1..03f813e72 100644 +--- a/sshd_config.5 ++++ b/sshd_config.5 +@@ -866,11 +866,9 @@ If one argument is specified, it is used as the packet class unconditionally. + If two values are specified, the first is automatically selected for + interactive sessions and the second for non-interactive sessions. + The default is +-.Cm af21 +-(Low-Latency Data) ++.Cm lowdelay + for interactive sessions and +-.Cm cs1 +-(Lower Effort) ++.Cm throughput + for non-interactive sessions. + .It Cm KbdInteractiveAuthentication + Specifies whether to allow keyboard-interactive authentication. diff -Nru openssh-7.9p1/debian/patches/series openssh-7.9p1/debian/patches/series --- openssh-7.9p1/debian/patches/series 2019-03-01 10:57:53.000000000 +0100 +++ openssh-7.9p1/debian/patches/series 2019-04-08 11:51:26.000000000 +0200 @@ -31,3 +31,4 @@ fix-key-type-check.patch request-rsa-sha2-cert-signatures.patch scp-handle-braces.patch +revert-ipqos-defaults.patch Thanks, -- Colin Watson [cjwat...@debian.org]
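Review bot: In the debian/README.Debian hunk, the new section says the defaults are reverted to "pre-7.8 values" but never names them, so an administrator writing firewall or QoS rules cannot tell from this text which ToS values Debian's ssh and sshd now emit by default. The man page hunks in the same patch give them as `lowdelay` for interactive and `throughput` for non-interactive sessions; stating those here, next to the existing `IPQoS af21 cs1` line for restoring the upstream default, would make the section self-contained.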
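Review bot: The header of debian/patches/revert-ipqos-defaults.patch has Bug-Debian, Bug-Ubuntu and Last-Update fields but no Forwarded field, and its description cites https://bugs.debian.org/923880 for the iptables interaction while the Bug-Debian fields, the changelog entry and the README.Debian list mention only 923879 and 926229. Since this is a deliberate, temporary divergence from upstream, consider adding `Forwarded: not-needed` and listing 923880 alongside the other references, so that whoever revisits the revert can find the issue whose fix is the condition for dropping it.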
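Review bot: In the readconf.c and servconf.c hunks, the reverted values apply whenever `ip_qos_interactive` or `ip_qos_bulk` is still -1, that is, on every host that does not set IPQoS explicitly, so the packet marking changes on upgrade without any configuration change. The diff documents this only in README.Debian and the changelog; a debian/NEWS entry would put it in front of administrators at upgrade time, which matters for anyone who adjusted packet-matching rules to the 7.8 defaults.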
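Review bot: In the ssh_config.5 and sshd_config.5 hunks, the IPQoS default is rewritten to `lowdelay` and `throughput` with nothing to show that this differs from upstream OpenSSH 7.9, so a reader comparing the installed man page with upstream documentation sees an unexplained mismatch. A short sentence after "for non-interactive sessions." noting that this is a Debian-specific default and pointing to README.Debian would cover it.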