oerdnj / deb.sury.org

Public bugreports for anything ppa:ondrej/*

OpenSSL downgrade testing #1563

Closed oerdnj closed 3 years ago

oerdnj commented 3 years ago

This is a placeholder bug to discuss the testing of enforced OpenSSL downgrade to the distribution version.

Here are the more specific instructions:

Ubuntu

  1. install your PHP environment as close as to the production as possible
  2. add-apt-repository ppa:ondrej/php-qa
  3. apt update && apt -y dist-upgrade && apt -y dist-upgrade # the last command should downgrade openssl packages
  4. apt-cache policy libssl1.1

Debian

  1. install your PHP environment as close as to the production as possible
  2. curl -sSL https://packages.sury.org/php-qa/README.txt | bash -x
  3. apt update && apt -y dist-upgrade && apt -y dist-upgrade # the last command should downgrade openssl packages
  4. apt-cache policy libssl1.1
sahaqaa commented 3 years ago

Hello, what is the plan, and how will we understand that it worked (downgraded) after all?

I understand the first part:

  1. Create a new fresh virtual machine from the ISO image from the Ubuntu website
  2. Update all packages (sudo apt update && sudo apt upgrade)
  3. Check "apt-cache policy openssl"
  4. Reboot
  5. Add PPA:ondrej/php
  6. Update all packages: sudo apt update // to see what will change: apt list --upgradable; then sudo apt upgrade
  7. Reboot
  8. Check "apt-cache policy openssl"

But how to perform the downgrade action, and how to verify it?

openssl version

// or

openssl version -a

Am I right?

And this should be done for ubuntu16.04 / ubuntu18.04 / ubuntu20.04 / ubuntu20.10 (for amd64.deb / arm64.deb / i386.deb / armhf.deb / ppc64el.deb ) ?

oerdnj commented 3 years ago

I moved the instructions to the top

oerdnj commented 3 years ago

I mean, I already did test it in clean chroot environment, so I am more interested in “real” world scenarios.

reinob commented 3 years ago

I just quickly (and partially) tested your repo w/ debian buster (up-to-date and with php7.3 installed). I added the php-qa repo from here: https://launchpad.net/~ondrej/+archive/ubuntu/php-qa (I've tested with "bionic" and "xenial" releases).

In both cases, after apt updating I have:

# apt policy libssl1.1
libssl1.1:
  Installed: 1.1.1d-0+deb10u5
  Candidate: 1.1.1d-0+deb10u5
  Version table:
 *** 1.1.1d-0+deb10u5 500
        500 http://deb.debian.org/debian-security buster/updates/main amd64 Packages
        100 /var/lib/dpkg/status
     1.1.1d-0+deb10u4 500
        500 http://deb.debian.org/debian buster/main amd64 Packages

which looks fine. The only package it wants to update is php-common, but that's to be expected. I hope that helps. If I have some more time this week I may be able to test it more thoroughly.

Thank you.

oerdnj commented 3 years ago

Actually mixing releases is not really supported, but you gave me an idea how to simplify the preferences file to just have a single file for all the Debian and Ubuntu releases.

Also I’ll cook up a php-qa repository for Debian tomorrow.

oerdnj commented 3 years ago

Ok, so here's the php-qa for Debian with just updated php-common package. If you are testing Debian, use that instead of packages from launchpad.

reinob commented 3 years ago

I'm not sure I understand exactly what you want to test.

If I start with an up-to-date debian buster having the official php7.3 (not from your repo) and add the php-qa repo, then I get the results I posted previously, i.e. php-common wants to be updated, but libssl1.1 is left alone. I tested this again now with the debian php-qa repo instead of like yesterday with the bionic and xenial. Same result.

Now, I also tested adding, to the "clean" debian, your debian (non-qa) repo, and then dist-upgraded, which updated php7.3 (and installed php8.0), and also updated my openssl, i.e.

# apt policy libssl1.1
libssl1.1:
  Installed: 1.1.1j-1+0~20210301.25+debian10~1.gbp2578a0
  Candidate: 1.1.1j-1+0~20210301.25+debian10~1.gbp2578a0
  Version table:
 *** 1.1.1j-1+0~20210301.25+debian10~1.gbp2578a0 500
        500 https://packages.sury.org/php buster/main amd64 Packages
        100 /var/lib/dpkg/status
     1.1.1d-0+deb10u5 500
        500 http://deb.debian.org/debian-security buster/updates/main amd64 Packages
     1.1.1d-0+deb10u4 500
        500 http://deb.debian.org/debian buster/main amd64 Packages

Then I replaced the php repo with the php-qa repo, in the assumption that it would (1) leave php alone but (2) offer to downgrade libssl1.1.

However when I do "apt upgrade" I get:

Reading package lists... Done
Building dependency tree       
Reading state information... Done
Calculating upgrade... Done
The following packages will be upgraded:
   php-common (2:81+0~20210223.34+debian10~1.gbpf52eb0 => 2:81+z+0~20210303.2+debian10~1.gbpebe486)
   php-gmp (2:8.0+81+0~20210223.34+debian10~1.gbpf52eb0 => 2:8.0+81+z+0~20210303.2+debian10~1.gbpebe486)
2 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 23.7 kB of archives.
After this operation, 6,144 B of additional disk space will be used.
Do you want to continue? [Y/n] n

also

# apt policy libssl1.1
libssl1.1:
  Installed: 1.1.1j-1+0~20210301.25+debian10~1.gbp2578a0
  Candidate: 1.1.1j-1+0~20210301.25+debian10~1.gbp2578a0
  Version table:
 *** 1.1.1j-1+0~20210301.25+debian10~1.gbp2578a0 100
        100 /var/lib/dpkg/status
     1.1.1d-0+deb10u5 500
        500 http://deb.debian.org/debian-security buster/updates/main amd64 Packages
     1.1.1d-0+deb10u4 500
        500 http://deb.debian.org/debian buster/main amd64 Packages

which means I keep "your" openssl, but as an orphaned package.

oerdnj commented 3 years ago

@reinob You need to finish this update first:

php-common (2:81+0~20210223.34+debian10~1.gbpf52eb0 => 2:81+z+0~20210303.2+debian10~1.gbpebe486)

This will install the apt_preferences file to /etc/apt/preferences.d/php-common.pref. Then run apt dist-upgrade again and it should offer a downgrade of libssl1.1.

reinob commented 3 years ago

Yup, that did it! :)

#  apt dist-upgrade
Reading package lists... Done
Building dependency tree       
Reading state information... Done
Calculating upgrade... Done
The following packages will be DOWNGRADED:
   libssl1.1 (1.1.1j-1+0~20210301.25+debian10~1.gbp2578a0 => 1.1.1d-0+deb10u5)
   openssl (1.1.1j-1+0~20210301.25+debian10~1.gbp2578a0 => 1.1.1d-0+deb10u5)
0 upgraded, 0 newly installed, 2 downgraded, 0 to remove and 0 not upgraded.
Need to get 2,382 kB of archives.
After this operation, 88.1 kB of additional disk space will be used.
Do you want to continue? [Y/n] y
Get:1 http://deb.debian.org/debian-security buster/updates/main amd64 libssl1.1 amd64 1.1.1d-0+deb10u5 [1,539 kB]
Get:2 http://deb.debian.org/debian-security buster/updates/main amd64 openssl amd64 1.1.1d-0+deb10u5 [844 kB]
Fetched 2,382 kB in 0s (11.9 MB/s)
Preconfiguring packages ...
dpkg: warning: downgrading libssl1.1:amd64 from 1.1.1j-1+0~20210301.25+debian10~1.gbp2578a0 to 1.1.1d-0+deb10u5
(Reading database ... 75761 files and directories currently installed.)
Preparing to unpack .../libssl1.1_1.1.1d-0+deb10u5_amd64.deb ...
Unpacking libssl1.1:amd64 (1.1.1d-0+deb10u5) over (1.1.1j-1+0~20210301.25+debian10~1.gbp2578a0) ...
dpkg: warning: downgrading openssl from 1.1.1j-1+0~20210301.25+debian10~1.gbp2578a0 to 1.1.1d-0+deb10u5
Preparing to unpack .../openssl_1.1.1d-0+deb10u5_amd64.deb ...
Unpacking openssl (1.1.1d-0+deb10u5) over (1.1.1j-1+0~20210301.25+debian10~1.gbp2578a0) ...
Setting up libssl1.1:amd64 (1.1.1d-0+deb10u5) ...
Setting up openssl (1.1.1d-0+deb10u5) ...
Installing new version of config file /etc/ssl/openssl.cnf ...
Processing triggers for man-db (2.8.5-2) ...
Processing triggers for libc-bin (2.28-10) ...
root360-StefanHeitmueller commented 3 years ago

Quick test within a docker container:

root@7677b1731ca1:/# apt -y dist-upgrade --allow-downgrades && apt -y dist-upgrade --allow-downgrades 
Reading package lists... Done
Building dependency tree       
Reading state information... Done
Calculating upgrade... Done
The following package was automatically installed and is no longer required:
  libicu60
Use 'apt autoremove' to remove it.
The following packages will be DOWNGRADED:
  libssl1.1 openssl
0 upgraded, 0 newly installed, 2 downgraded, 0 to remove and 0 not upgraded.
Need to get 1915 kB of archives.
After this operation, 153 kB disk space will be freed.
Get:1 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 libssl1.1 amd64 1.1.1-1ubuntu2.1~18.04.8 [1301 kB]
Get:2 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 openssl amd64 1.1.1-1ubuntu2.1~18.04.8 [614 kB]
Fetched 1915 kB in 0s (4409 kB/s)
debconf: delaying package configuration, since apt-utils is not installed
dpkg: warning: downgrading libssl1.1:amd64 from 1.1.1j-1+ubuntu18.04.1+deb.sury.org+3 to 1.1.1-1ubuntu2.1~18.04.8
(Reading database ... 9432 files and directories currently installed.)
Preparing to unpack .../libssl1.1_1.1.1-1ubuntu2.1~18.04.8_amd64.deb ...
Unpacking libssl1.1:amd64 (1.1.1-1ubuntu2.1~18.04.8) over (1.1.1j-1+ubuntu18.04.1+deb.sury.org+3) ...
dpkg: warning: downgrading openssl from 1.1.1j-1+ubuntu18.04.1+deb.sury.org+3 to 1.1.1-1ubuntu2.1~18.04.8
Preparing to unpack .../openssl_1.1.1-1ubuntu2.1~18.04.8_amd64.deb ...
Unpacking openssl (1.1.1-1ubuntu2.1~18.04.8) over (1.1.1j-1+ubuntu18.04.1+deb.sury.org+3) ...
Setting up libssl1.1:amd64 (1.1.1-1ubuntu2.1~18.04.8) ...
debconf: unable to initialize frontend: Dialog
debconf: (No usable dialog-like program is installed, so the dialog based frontend cannot be used. at /usr/share/perl5/Debconf/FrontEnd/Dialog.pm line 76.)
debconf: falling back to frontend: Readline
debconf: unable to initialize frontend: Readline
debconf: (Can't locate Term/ReadLine.pm in @INC (you may need to install the Term::ReadLine module) (@INC contains: /etc/perl /usr/local/lib/x86_64-linux-gnu/perl/5.26.1 /usr/local/share/perl/5.26.1 /usr/lib/x86_64-linux-gnu/perl5/5.26 /usr/share/perl5 /usr/lib/x86_64-linux-gnu/perl/5.26 /usr/share/perl/5.26 /usr/local/lib/site_perl /usr/lib/x86_64-linux-gnu/perl-base) at /usr/share/perl5/Debconf/FrontEnd/Readline.pm line 7.)
debconf: falling back to frontend: Teletype
Setting up openssl (1.1.1-1ubuntu2.1~18.04.8) ...
Installing new version of config file /etc/ssl/openssl.cnf ...
Processing triggers for libc-bin (2.27-3ubuntu1.4) ...
Reading package lists... Done
Building dependency tree       
Reading state information... Done
Calculating upgrade... Done
The following package was automatically installed and is no longer required:
  libicu60
Use 'apt autoremove' to remove it.
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
root@7677b1731ca1:/# 
root@7677b1731ca1:/# apt-cache policy libssl1.1
libssl1.1:
  Installed: 1.1.1-1ubuntu2.1~18.04.8
  Candidate: 1.1.1-1ubuntu2.1~18.04.8
  Version table:
     1.1.1j-1+ubuntu18.04.1+deb.sury.org+3 -1
        500 http://ppa.launchpad.net/ondrej/php/ubuntu bionic/main amd64 Packages
 *** 1.1.1-1ubuntu2.1~18.04.8 1000
        500 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu bionic-security/main amd64 Packages
        100 /var/lib/dpkg/status
     1.1.0g-2ubuntu4 1000
        500 http://archive.ubuntu.com/ubuntu bionic/main amd64 Packages
root@7677b1731ca1:/# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 18.04.5 LTS
Release:    18.04
Codename:   bionic

Looks good so far, just had to add --allow-downgrades. Will do another test with unattended-upgrades, not sure how it copes with downgrades.

root360-StefanHeitmueller commented 3 years ago

apt update; apt-get -y install software-properties-common
LC_ALL=C.UTF-8 add-apt-repository ppa:ondrej/php -y
apt-get -y install php7.4-cli
LC_ALL=C.UTF-8 add-apt-repository ppa:ondrej/php-qa -y
echo 'Unattended-Upgrade::Allowed-Origins {"LP-PPA-ondrej-php-qa:bionic";};' > /etc/apt/apt.conf.d/51_php-qa_unattended-upgrades
unattended-upgrades -d

root@a0844c702c91:/# unattended-upgrades -d
Initial blacklisted packages:
Initial whitelisted packages:
Starting unattended upgrades script
Allowed origins are: o=Ubuntu,a=bionic, o=Ubuntu,a=bionic-security, o=UbuntuESMApps,a=bionic-apps-security, o=UbuntuESM,a=bionic-infra-security, o=LP-PPA-ondrej-php-qa,a=bionic
Using (^linux-image-[0-9]+\.[0-9\.]+-.*|^linux-headers-[0-9]+\.[0-9\.]+-.*|^linux-image-extra-[0-9]+\.[0-9\.]+-.*|^linux-modules-[0-9]+\.[0-9\.]+-.*|^linux-modules-extra-[0-9]+\.[0-9\.]+-.*|^linux-signed-image-[0-9]+\.[0-9\.]+-.*|^linux-image-unsigned-[0-9]+\.[0-9\.]+-.*|^kfreebsd-image-[0-9]+\.[0-9\.]+-.*|^kfreebsd-headers-[0-9]+\.[0-9\.]+-.*|^gnumach-image-[0-9]+\.[0-9\.]+-.*|^.*-modules-[0-9]+\.[0-9\.]+-.*|^.*-kernel-[0-9]+\.[0-9\.]+-.*|^linux-backports-modules-.*-[0-9]+\.[0-9\.]+-.*|^linux-modules-.*-[0-9]+\.[0-9\.]+-.*|^linux-tools-[0-9]+\.[0-9\.]+-.*|^linux-cloud-tools-[0-9]+\.[0-9\.]+-.*|^linux-buildinfo-[0-9]+\.[0-9\.]+-.*|^linux-source-[0-9]+\.[0-9\.]+-.*|^linux-image-[0-9]+\.[0-9\.]+-.*|^linux-headers-[0-9]+\.[0-9\.]+-.*|^linux-image-extra-[0-9]+\.[0-9\.]+-.*|^linux-modules-[0-9]+\.[0-9\.]+-.*|^linux-modules-extra-[0-9]+\.[0-9\.]+-.*|^linux-signed-image-[0-9]+\.[0-9\.]+-.*|^linux-image-unsigned-[0-9]+\.[0-9\.]+-.*|^kfreebsd-image-[0-9]+\.[0-9\.]+-.*|^kfreebsd-headers-[0-9]+\.[0-9\.]+-.*|^gnumach-image-[0-9]+\.[0-9\.]+-.*|^.*-modules-[0-9]+\.[0-9\.]+-.*|^.*-kernel-[0-9]+\.[0-9\.]+-.*|^linux-backports-modules-.*-[0-9]+\.[0-9\.]+-.*|^linux-modules-.*-[0-9]+\.[0-9\.]+-.*|^linux-tools-[0-9]+\.[0-9\.]+-.*|^linux-cloud-tools-[0-9]+\.[0-9\.]+-.*|^linux-buildinfo-[0-9]+\.[0-9\.]+-.*|^linux-source-[0-9]+\.[0-9\.]+-.*) regexp to find kernel packages
Using (^linux-image-5\.11\.0\-051100\-generic$|^linux-headers-5\.11\.0\-051100\-generic$|^linux-image-extra-5\.11\.0\-051100\-generic$|^linux-modules-5\.11\.0\-051100\-generic$|^linux-modules-extra-5\.11\.0\-051100\-generic$|^linux-signed-image-5\.11\.0\-051100\-generic$|^linux-image-unsigned-5\.11\.0\-051100\-generic$|^kfreebsd-image-5\.11\.0\-051100\-generic$|^kfreebsd-headers-5\.11\.0\-051100\-generic$|^gnumach-image-5\.11\.0\-051100\-generic$|^.*-modules-5\.11\.0\-051100\-generic$|^.*-kernel-5\.11\.0\-051100\-generic$|^linux-backports-modules-.*-5\.11\.0\-051100\-generic$|^linux-modules-.*-5\.11\.0\-051100\-generic$|^linux-tools-5\.11\.0\-051100\-generic$|^linux-cloud-tools-5\.11\.0\-051100\-generic$|^linux-buildinfo-5\.11\.0\-051100\-generic$|^linux-source-5\.11\.0\-051100\-generic$|^linux-image-5\.11\.0\-051100\-generic$|^linux-headers-5\.11\.0\-051100\-generic$|^linux-image-extra-5\.11\.0\-051100\-generic$|^linux-modules-5\.11\.0\-051100\-generic$|^linux-modules-extra-5\.11\.0\-051100\-generic$|^linux-signed-image-5\.11\.0\-051100\-generic$|^linux-image-unsigned-5\.11\.0\-051100\-generic$|^kfreebsd-image-5\.11\.0\-051100\-generic$|^kfreebsd-headers-5\.11\.0\-051100\-generic$|^gnumach-image-5\.11\.0\-051100\-generic$|^.*-modules-5\.11\.0\-051100\-generic$|^.*-kernel-5\.11\.0\-051100\-generic$|^linux-backports-modules-.*-5\.11\.0\-051100\-generic$|^linux-modules-.*-5\.11\.0\-051100\-generic$|^linux-tools-5\.11\.0\-051100\-generic$|^linux-cloud-tools-5\.11\.0\-051100\-generic$|^linux-buildinfo-5\.11\.0\-051100\-generic$|^linux-source-5\.11\.0\-051100\-generic$) regexp to find running kernel packages
Checking: libaudit-common ([])
adjusting candidate version: libaudit-common=1:2.8.2-1ubuntu1
Checking: libaudit1 ([])
adjusting candidate version: libaudit1=1:2.8.2-1ubuntu1
Checking: libc-bin ([])
adjusting candidate version: libc-bin=2.27-3ubuntu1.2
Checking: libc6 ([])
adjusting candidate version: libc6=2.27-3ubuntu1.2
Checking: libidn2-0 ([])
adjusting candidate version: libidn2-0=2.0.4-1.1ubuntu0.2
Checking: libpcre3 ([])
adjusting candidate version: libpcre3=2:8.39-9
Checking: libsystemd0 ([])
adjusting candidate version: libsystemd0=237-3ubuntu10.38
Checking: libudev1 ([])
adjusting candidate version: libudev1=237-3ubuntu10.38
Checking: libxml2 ([])
adjusting candidate version: libxml2=2.9.4+dfsg1-6.1ubuntu1.3
Checking: libzstd1 ([])
adjusting candidate version: libzstd1=1.3.3+dfsg-2ubuntu1.1
pkgs that look like they should be upgraded:
Fetched 0 B in 0s (0 B/s)
fetch.run() result: 0
blacklist: []
whitelist: []
No packages found that can be upgraded unattended and no pending auto-removals
root@a0844c702c91:/# apt policy libssl1.1
libssl1.1:
  Installed: 1.1.1-1ubuntu2.1~18.04.8
  Candidate: 1.1.1-1ubuntu2.1~18.04.8
  Version table:
     1.1.1j-1+ubuntu18.04.1+deb.sury.org+3 -1
        500 http://ppa.launchpad.net/ondrej/php/ubuntu bionic/main amd64 Packages
 *** 1.1.1-1ubuntu2.1~18.04.8 1000
        500 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu bionic-security/main amd64 Packages
        100 /var/lib/dpkg/status
     1.1.0g-2ubuntu4 1000
        500 http://archive.ubuntu.com/ubuntu bionic/main amd64 Packages
oerdnj commented 3 years ago

Thanks, so far this looks positive to me.

root360-StefanHeitmueller commented 3 years ago

Ah, had another look: this does not affect bionic. Without the QA repo, it was using the upstream version already.

root@cf066fef80cf:/# apt policy libssl1.1
libssl1.1:
  Installed: 1.1.1-1ubuntu2.1~18.04.8
  Candidate: 1.1.1j-1+ubuntu18.04.1+deb.sury.org+3
  Version table:
     1.1.1j-1+ubuntu18.04.1+deb.sury.org+3 500
        500 http://ppa.launchpad.net/ondrej/php/ubuntu bionic/main amd64 Packages
 *** 1.1.1-1ubuntu2.1~18.04.8 500
        500 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu bionic-security/main amd64 Packages
        100 /var/lib/dpkg/status
     1.1.0g-2ubuntu4 500
        500 http://archive.ubuntu.com/ubuntu bionic/main amd64 Packages
root@cf066fef80cf:/# 
root@cf066fef80cf:/# apt policy php7.4-cli
php7.4-cli:
  Installed: 7.4.15-7+ubuntu18.04.1+deb.sury.org+1
  Candidate: 7.4.15-7+ubuntu18.04.1+deb.sury.org+1
  Version table:
 *** 7.4.15-7+ubuntu18.04.1+deb.sury.org+1 500
        500 http://ppa.launchpad.net/ondrej/php/ubuntu bionic/main amd64 Packages
        100 /var/lib/dpkg/status
root360-StefanHeitmueller commented 3 years ago

Focal:

Before:

root@08954e5aee15:/# apt policy libssl1.1
libssl1.1:
  Installed: 1.1.1f-1ubuntu2.2
  Candidate: 1.1.1j-1+ubuntu20.04.1+deb.sury.org+3
  Version table:
     1.1.1j-1+ubuntu20.04.1+deb.sury.org+3 500
        500 http://ppa.launchpad.net/ondrej/php/ubuntu focal/main amd64 Packages
 *** 1.1.1f-1ubuntu2.2 500
        500 http://archive.ubuntu.com/ubuntu focal-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu focal-security/main amd64 Packages
        100 /var/lib/dpkg/status
     1.1.1f-1ubuntu2 500
        500 http://archive.ubuntu.com/ubuntu focal/main amd64 Packages

Update:

root@08954e5aee15:/# echo 'Unattended-Upgrade::Allowed-Origins {"LP-PPA-ondrej-php-qa:focal";};' > /etc/apt/apt.conf.d/51_php-qa_unattended-upgrades
root@08954e5aee15:/# unattended-upgrades -d
Checking if system is running on battery is skipped. Please install powermgmt-base package to check power status and skip installing updates when the system is running on battery.
Running on the development release
Starting unattended upgrades script
Allowed origins are: o=Ubuntu,a=focal, o=Ubuntu,a=focal-security, o=UbuntuESMApps,a=focal-apps-security, o=UbuntuESM,a=focal-infra-security, o=LP-PPA-ondrej-php-qa,a=focal
Initial blacklist:
Initial whitelist (not strict):
Marking not allowed with -32768 pin
Marking not allowed with -32768 pin
Marking not allowed with -32768 pin
Marking not allowed with -32768 pin
Marking not allowed with -32768 pin
Marking not allowed with -32768 pin
Applying pinning: PkgFilePin(id=13, priority=-32768)
Applying pin -32768 to package_file:
Applying pinning: PkgFilePin(id=8, priority=-32768)
Applying pin -32768 to package_file:
Applying pinning: PkgFilePin(id=7, priority=-32768)
Applying pin -32768 to package_file:
Applying pinning: PkgFilePin(id=6, priority=-32768)
Applying pin -32768 to package_file:
Applying pinning: PkgFilePin(id=5, priority=-32768)
Applying pin -32768 to package_file:
Applying pinning: PkgFilePin(id=4, priority=-32768)
Applying pin -32768 to package_file:
Using (^linux-.*-[1-9][0-9]*\.[0-9]+\.[0-9]+-[0-9]+(-.+)?$|^kfreebsd-.*-[1-9][0-9]*\.[0-9]+\.[0-9]+-[0-9]+(-.+)?$|^gnumach-.*-[1-9][0-9]*\.[0-9]+\.[0-9]+-[0-9]+(-.+)?$|^.*-modules-[1-9][0-9]*\.[0-9]+\.[0-9]+-[0-9]+(-.+)?$|^.*-kernel-[1-9][0-9]*\.[0-9]+\.[0-9]+-[0-9]+(-.+)?$|^linux-.*-[1-9][0-9]*\.[0-9]+\.[0-9]+-[0-9]+(-.+)?$|^kfreebsd-.*-[1-9][0-9]*\.[0-9]+\.[0-9]+-[0-9]+(-.+)?$|^gnumach-.*-[1-9][0-9]*\.[0-9]+\.[0-9]+-[0-9]+(-.+)?$|^.*-modules-[1-9][0-9]*\.[0-9]+\.[0-9]+-[0-9]+(-.+)?$|^.*-kernel-[1-9][0-9]*\.[0-9]+\.[0-9]+-[0-9]+(-.+)?$) regexp to find kernel packages
Using (^linux-.*-5\.11\.0\-051100\-generic$|^linux-.*-5\.11\.0\-051100$|^kfreebsd-.*-5\.11\.0\-051100\-generic$|^kfreebsd-.*-5\.11\.0\-051100$|^gnumach-.*-5\.11\.0\-051100\-generic$|^gnumach-.*-5\.11\.0\-051100$|^.*-modules-5\.11\.0\-051100\-generic$|^.*-modules-5\.11\.0\-051100$|^.*-kernel-5\.11\.0\-051100\-generic$|^.*-kernel-5\.11\.0\-051100$|^linux-.*-5\.11\.0\-051100\-generic$|^linux-.*-5\.11\.0\-051100$|^kfreebsd-.*-5\.11\.0\-051100\-generic$|^kfreebsd-.*-5\.11\.0\-051100$|^gnumach-.*-5\.11\.0\-051100\-generic$|^gnumach-.*-5\.11\.0\-051100$|^.*-modules-5\.11\.0\-051100\-generic$|^.*-modules-5\.11\.0\-051100$|^.*-kernel-5\.11\.0\-051100\-generic$|^.*-kernel-5\.11\.0\-051100$) regexp to find running kernel packages
Checking: php-common ([])
pkgs that look like they should be upgraded: php-common
Get:1 http://ppa.launchpad.net/ondrej/php-qa/ubuntu focal/main amd64 php-common all 2:81+z+ubuntu20.04.1+deb.sury.org+5 [16.6 kB]
Fetched 16.6 kB in 0s (0 B/s)
fetch.run() result: 0
check_conffile_prompt(/var/cache/apt/archives/php-common_2%3a81+z+ubuntu20.04.1+deb.sury.org+5_all.deb)
found pkg: php-common
conffile line: /etc/cron.d/php e6fa2d74078ac0ac6fd730decf3b3736
current md5: e6fa2d74078ac0ac6fd730decf3b3736
conffile /etc/apt/preferences.d/php-common.pref in missing on the system
Packages blacklist due to conffile prompts: []
Packages that will be upgraded: php-common
Writing dpkg log to /var/log/unattended-upgrades/unattended-upgrades-dpkg.log
applying set ['php-common']
debconf: delaying package configuration, since apt-utils is not installed
(Reading database ... 10963 files and directories currently installed.)
Preparing to unpack .../php-common_2%3a81+z+ubuntu20.04.1+deb.sury.org+5_all.deb ...
Unpacking php-common (2:81+z+ubuntu20.04.1+deb.sury.org+5) over (2:81+ubuntu20.04.1+deb.sury.org+1) ...
Setting up php-common (2:81+z+ubuntu20.04.1+deb.sury.org+5) ...
Marking not allowed with -32768 pin
Marking not allowed with -32768 pin
Marking not allowed with -32768 pin
Marking not allowed with -32768 pin
Marking not allowed with -32768 pin
Marking not allowed with -32768 pin
Applying pinning: PkgFilePin(id=13, priority=-32768)
Applying pin -32768 to package_file:
Applying pinning: PkgFilePin(id=8, priority=-32768)
Applying pin -32768 to package_file:
Applying pinning: PkgFilePin(id=7, priority=-32768)
Applying pin -32768 to package_file:
Applying pinning: PkgFilePin(id=6, priority=-32768)
Applying pin -32768 to package_file:
Applying pinning: PkgFilePin(id=5, priority=-32768)
Applying pin -32768 to package_file:
Applying pinning: PkgFilePin(id=4, priority=-32768)
Applying pin -32768 to package_file:
left to upgrade set()
All upgrades installed
InstCount=0 DelCount=0 BrokenCount=0
Extracting content from /var/log/unattended-upgrades/unattended-upgrades-dpkg.log since 2021-03-04 10:26:01
root@08954e5aee15:/# apt policy libssl1.1
libssl1.1:
  Installed: 1.1.1j-1+ubuntu20.04.1+deb.sury.org+3
  Candidate: 1.1.1f-1ubuntu2.2
  Version table:
 *** 1.1.1j-1+ubuntu20.04.1+deb.sury.org+3 -1
        500 http://ppa.launchpad.net/ondrej/php/ubuntu focal/main amd64 Packages
        100 /var/lib/dpkg/status
     1.1.1f-1ubuntu2.2 1000
        500 http://archive.ubuntu.com/ubuntu focal-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu focal-security/main amd64 Packages
     1.1.1f-1ubuntu2 1000
        500 http://archive.ubuntu.com/ubuntu focal/main amd64 Packages

Shows the proper candidate but still has the current version installed; looks like UU does not downgrade on its own.

oerdnj commented 3 years ago

Shows the proper candidate but still has the current version installed; looks like UU does not downgrade on its own.

I would definitely not want to mangle the UU configuration from php-common.

When you have UU configured, do you have apt-listchanges mailing the NEWS.Debian to you?

root360-StefanHeitmueller commented 3 years ago

Nope, no mail and nothing in the logs. Is there any flag to enable in UU?

heuri commented 3 years ago

Debian Buster on dev vagrant box, hope it helps.

root@debian-10:~# apt update && apt -y dist-upgrade && apt -y dist-upgrade
Reading package lists... Done
Building dependency tree
Reading state information... Done
2 packages can be upgraded. Run 'apt list --upgradable' to see them.
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
The following packages will be upgraded:
  php-common php-xml
2 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 24.4 kB of archives.
After this operation, 7,168 B of additional disk space will be used.
Get:1 https://packages.sury.org/php-qa buster/main amd64 php-common all 2:81+z+0~20210304.3+debian10~1.gbp922229 [17.3 kB]
Get:2 https://packages.sury.org/php-qa buster/main amd64 php-xml all 2:8.0+81+z+0~20210304.3+debian10~1.gbp922229 [7,064 B]
Fetched 24.4 kB in 0s (83.4 kB/s)
apt-listchanges: Reading changelogs...
apt-listchanges: News
---------------------

php-defaults (81+z) unstable; urgency=medium

  * The custom src:openssl packages were introduced to upgrade the
    cryptographic functions for PHP, Apache2 and NGINX, but the situation
    have improved greatly since.  Ubuntu 16.04 LTS will read end-of-life
    in April 2021 and it was the last distribution using OpenSSL 1.0.2.
    Debian 9 Stretch LTS will reach end-of-line in June 2022 and it is
    using OpenSSL 1.1.0 (which just means TLS 1.3).

  * The php-common package now introduces custom apt_preferences
    configuration in /etc/apt/preferences.d/php-common.pref that should
    enforce downgrade of the src:openssl packages to the OpenSSL version
    provided by the distribution.  After this version of php-common is
    installed, the next manual apt-get dist-upgrade run will downgrade the
    OpenSSL version, but you are advised to check this manually if the
    downgrade has happened.

 -- Ondrej Surý <ondrej@debian.org>  Thu, 04 Mar 2021 11:08:54 +0100

(Reading database ... 58812 files and directories currently installed.)
Preparing to unpack .../php-common_2%3a81+z+0~20210304.3+debian10~1.gbp922229_all.deb ...
Unpacking php-common (2:81+z+0~20210304.3+debian10~1.gbp922229) over (2:81+0~20210223.34+debian10~1.gbpf52eb0) ...
Preparing to unpack .../php-xml_2%3a8.0+81+z+0~20210304.3+debian10~1.gbp922229_all.deb ...
Unpacking php-xml (2:8.0+81+z+0~20210304.3+debian10~1.gbp922229) over (2:8.0+81+0~20210223.34+debian10~1.gbpf52eb0) ...
Setting up php-common (2:81+z+0~20210304.3+debian10~1.gbp922229) ...
Setting up php-xml (2:8.0+81+z+0~20210304.3+debian10~1.gbp922229) ...
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
The following packages will be DOWNGRADED:
  libssl-dev libssl1.1 openssl
0 upgraded, 0 newly installed, 3 downgraded, 0 to remove and 0 not upgraded.
E: Packages were downgraded and -y was used without --allow-downgrades.
root@debian-10:~# apt-cache policy libssl1.1
libssl1.1:
  Installed: 1.1.1j-1+0~20210301.25+debian10~1.gbp2578a0
  Candidate: 1.1.1d-0+deb10u5
  Version table:
 *** 1.1.1j-1+0~20210301.25+debian10~1.gbp2578a0 -1
        500 https://packages.sury.org/php buster/main amd64 Packages
        100 /var/lib/dpkg/status
     1.1.1d-0+deb10u5 1000
        500 http://security.debian.org/debian-security buster/updates/main amd64 Packages
     1.1.1d-0+deb10u4 1000
        500 http://httpredir.debian.org/debian buster/main amd64 Packages
root@debian-10:~# apt -y dist-upgrade --allow-downgrades
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
The following packages will be DOWNGRADED:
  libssl-dev libssl1.1 openssl
0 upgraded, 0 newly installed, 3 downgraded, 0 to remove and 0 not upgraded.
Need to get 4,176 kB of archives.
After this operation, 59.4 kB of additional disk space will be used.
Get:1 http://security.debian.org/debian-security buster/updates/main amd64 libssl-dev amd64 1.1.1d-0+deb10u5 [1,794 kB]
Get:2 http://security.debian.org/debian-security buster/updates/main amd64 libssl1.1 amd64 1.1.1d-0+deb10u5 [1,539 kB]
Get:3 http://security.debian.org/debian-security buster/updates/main amd64 openssl amd64 1.1.1d-0+deb10u5 [844 kB]
Fetched 4,176 kB in 1s (3,318 kB/s)
Preconfiguring packages ...
dpkg: warning: downgrading libssl-dev:amd64 from 1.1.1j-1+0~20210301.25+debian10~1.gbp2578a0 to 1.1.1d-0+deb10u5
(Reading database ... 58814 files and directories currently installed.)
Preparing to unpack .../libssl-dev_1.1.1d-0+deb10u5_amd64.deb ...
Unpacking libssl-dev:amd64 (1.1.1d-0+deb10u5) over (1.1.1j-1+0~20210301.25+debian10~1.gbp2578a0) ...
dpkg: warning: downgrading libssl1.1:amd64 from 1.1.1j-1+0~20210301.25+debian10~1.gbp2578a0 to 1.1.1d-0+deb10u5
Preparing to unpack .../libssl1.1_1.1.1d-0+deb10u5_amd64.deb ...
Unpacking libssl1.1:amd64 (1.1.1d-0+deb10u5) over (1.1.1j-1+0~20210301.25+debian10~1.gbp2578a0) ...
dpkg: warning: downgrading openssl from 1.1.1j-1+0~20210301.25+debian10~1.gbp2578a0 to 1.1.1d-0+deb10u5
Preparing to unpack .../openssl_1.1.1d-0+deb10u5_amd64.deb ...
Unpacking openssl (1.1.1d-0+deb10u5) over (1.1.1j-1+0~20210301.25+debian10~1.gbp2578a0) ...
Setting up libssl1.1:amd64 (1.1.1d-0+deb10u5) ...
Setting up libssl-dev:amd64 (1.1.1d-0+deb10u5) ...
Setting up openssl (1.1.1d-0+deb10u5) ...
Installing new version of config file /etc/ssl/openssl.cnf ...
Processing triggers for man-db (2.8.5-2) ...
Processing triggers for libc-bin (2.28-10) ...
root@debian-10:~# apt-cache policy libssl1.1
libssl1.1:
  Installed: 1.1.1d-0+deb10u5
  Candidate: 1.1.1d-0+deb10u5
  Version table:
     1.1.1j-1+0~20210301.25+debian10~1.gbp2578a0 -1
        500 https://packages.sury.org/php buster/main amd64 Packages
 *** 1.1.1d-0+deb10u5 1000
        500 http://security.debian.org/debian-security buster/updates/main amd64 Packages
        100 /var/lib/dpkg/status
     1.1.1d-0+deb10u4 1000
        500 http://httpredir.debian.org/debian buster/main amd64 Packages
oerdnj commented 3 years ago

Does the text that I added to php-common.NEWS make sense?

root360-StefanHeitmueller commented 3 years ago

Does the text that I added to php-common.NEWS make sense?

LGTM

reinob commented 3 years ago

Minor corrections to the text: "Ubuntu 16.04 LTS will read end-of-life" s/read/reach/ "Debian 9 Stretch LTS will reach end-of-line" s/line/life/

Other than that, it's clear and understandable :)

sahaqaa commented 3 years ago

Hello, tried it on a clone of the production server:

lsb_release -a

No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 18.04.5 LTS
Release:        18.04
Codename:       bionic

Before:

apt-cache policy openssl

openssl:
  Installed: 1.1.1j-1+ubuntu18.04.1+deb.sury.org+3
  Candidate: 1.1.1j-1+ubuntu18.04.1+deb.sury.org+3
  Version table:
 *** 1.1.1j-1+ubuntu18.04.1+deb.sury.org+3 500
        500 http://ppa.launchpad.net/ondrej/apache2/ubuntu bionic/main amd64 Packages
        100 /var/lib/dpkg/status
     1.1.1j-1+ubuntu18.04.1+deb.sury.org+3 500
        500 http://ppa.launchpad.net/ondrej/php/ubuntu bionic/main amd64 Packages
     1.1.1-1ubuntu2.1~18.04.8 500
        500 http://us.archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu bionic-security/main amd64 Packages
     1.1.0g-2ubuntu4 500
        500 http://us.archive.ubuntu.com/ubuntu bionic/main amd64 Packages

After steps (in Placeholder):

apt-cache policy openssl

openssl:
  Installed: 1.1.1j-1+ubuntu18.04.1+deb.sury.org+3
  Candidate: 1.1.1j-1+ubuntu18.04.1+deb.sury.org+3
  Version table:
 *** 1.1.1j-1+ubuntu18.04.1+deb.sury.org+3 1000
        500 http://ppa.launchpad.net/ondrej/apache2/ubuntu bionic/main amd64 Packages
        100 /var/lib/dpkg/status
     1.1.1j-1+ubuntu18.04.1+deb.sury.org+3 -1
        500 http://ppa.launchpad.net/ondrej/php/ubuntu bionic/main amd64 Packages
     1.1.1-1ubuntu2.1~18.04.8 1000
        500 http://us.archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu bionic-security/main amd64 Packages
     1.1.0g-2ubuntu4 1000
        500 http://us.archive.ubuntu.com/ubuntu bionic/main amd64 Packages

I.e. --> Nothing changed for me.

Also I'm not sure that the content of php-common.pref is correct. What I mean: I'm not sure that you need to provide the section "Pin-Priority: 1000". I guess only "Pin-Priority: -1" will be ok to downgrade, because with "Pin-Priority: 1000" we are "messing around" with the priorities of the target systems.

If PPA ondrej/php is only changing preferences for the openssl packages, then "Pin-Priority: -1" will revert it back to the default values of the distro, and maybe there is no need to add an extra "Pin-Priority: 1000".

sahaqaa commented 3 years ago

Got it. Added:

Package: openssl
Pin: release o=LP-PPA-ondrej-apache2
Pin-Priority: -1

Package: libssl1.1
Pin: release o=LP-PPA-ondrej-apache2
Pin-Priority: -1

Package: libssl-dev
Pin: release o=LP-PPA-ondrej-apache2
Pin-Priority: -1

Package: libssl-doc
Pin: release o=LP-PPA-ondrej-apache2
Pin-Priority: -1

And now it's ok:

apt-cache policy openssl

openssl:
  Installed: 1.1.1-1ubuntu2.1~18.04.8
  Candidate: 1.1.1-1ubuntu2.1~18.04.8
  Version table:
     1.1.1j-1+ubuntu18.04.1+deb.sury.org+3 -1
        500 http://ppa.launchpad.net/ondrej/apache2/ubuntu bionic/main amd64 Packages
     1.1.1j-1+ubuntu18.04.1+deb.sury.org+3 -1
        500 http://ppa.launchpad.net/ondrej/php/ubuntu bionic/main amd64 Packages
 *** 1.1.1-1ubuntu2.1~18.04.8 1000
        500 http://us.archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu bionic-security/main amd64 Packages
        100 /var/lib/dpkg/status
     1.1.0g-2ubuntu4 1000
        500 http://us.archive.ubuntu.com/ubuntu bionic/main amd64 Packages

oerdnj commented 3 years ago

I guess only "Pin-Priority: -1" will be ok to downgrade.

It won't. It would affect only systems without the package already installed. The priorities < 1000 won't cause the package downgrade. And the default priority is 500.

oerdnj commented 3 years ago

You can test that by installing the libssl1.1 from php, then php-common from php-qa and then removing everything from /etc/apt/preferences.d/php-common.pref except:

Package: openssl
Pin: release o=LP-PPA-ondrej-php
Pin-Priority: -1

Package: openssl
Pin: origin "packages.sury.org"
Pin-Priority: -1

Package: libssl1.1
Pin: release o=LP-PPA-ondrej-php
Pin-Priority: -1

Package: libssl1.1
Pin: origin "packages.sury.org"
Pin-Priority: -1

Package: libcrypto1.1-udeb
Pin: release o=LP-PPA-ondrej-php
Pin-Priority: -1

Package: libcrypto1.1-udeb
Pin: origin "packages.sury.org"
Pin-Priority: -1

Package: libssl1.1-udeb
Pin: release o=LP-PPA-ondrej-php
Pin-Priority: -1

Package: libssl1.1-udeb
Pin: origin "packages.sury.org"
Pin-Priority: -1

Package: libssl-dev
Pin: release o=LP-PPA-ondrej-php
Pin-Priority: -1

Package: libssl-dev
Pin: origin "packages.sury.org"
Pin-Priority: -1

Package: libssl-doc
Pin: release o=LP-PPA-ondrej-php
Pin-Priority: -1

Package: libssl-doc
Pin: origin "packages.sury.org"
Pin-Priority: -1
oerdnj commented 3 years ago

apt-cache policy libssl1.1

libssl1.1:
  Installed: 1.1.1j-1
  Candidate: 1.1.1j-1
  Version table:
     1.1.1j-1+0~20210301.25+debian11~1.gbp2578a0 -1
        500 https://packages.sury.org/php bullseye/main amd64 Packages
 *** 1.1.1j-1 1000
        500 http://deb.debian.org/debian bullseye/main amd64 Packages
        100 /var/lib/dpkg/status

apt-get install libssl1.1=1.1.1j-1+0~20210301.25+debian11~1.gbp2578a0

[...]
Removing libssl-dev:amd64 (1.1.1j-1) ...
(Reading database ... 308291 files and directories currently installed.)
Preparing to unpack .../libssl1.1_1.1.1j-1+0~20210301.25+debian11~1.gbp2578a0_amd64.deb ...
Unpacking libssl1.1:amd64 (1.1.1j-1+0~20210301.25+debian11~1.gbp2578a0) over (1.1.1j-1) ...
Setting up libssl1.1:amd64 (1.1.1j-1+0~20210301.25+debian11~1.gbp2578a0) ...
Processing triggers for libc-bin (2.31-9) ...

apt-cache policy libssl1.1

libssl1.1:
  Installed: 1.1.1j-1+0~20210301.25+debian11~1.gbp2578a0
  Candidate: 1.1.1j-1
  Version table:
 *** 1.1.1j-1+0~20210301.25+debian11~1.gbp2578a0 -1
        500 https://packages.sury.org/php bullseye/main amd64 Packages
        100 /var/lib/dpkg/status
     1.1.1j-1 1000
        500 http://deb.debian.org/debian bullseye/main amd64 Packages

cp /etc/apt/preferences.d/php-common.pref /tmp

cat > /etc/apt/preferences.d/php-common.pref << EOF

Package: openssl
Pin: release o=LP-PPA-ondrej-php
Pin-Priority: -1

Package: openssl
Pin: origin "packages.sury.org"
Pin-Priority: -1

Package: libssl1.1
Pin: release o=LP-PPA-ondrej-php
Pin-Priority: -1

Package: libssl1.1
Pin: origin "packages.sury.org"
Pin-Priority: -1

Package: libcrypto1.1-udeb
Pin: release o=LP-PPA-ondrej-php
Pin-Priority: -1

Package: libcrypto1.1-udeb
Pin: origin "packages.sury.org"
Pin-Priority: -1

Package: libssl1.1-udeb
Pin: release o=LP-PPA-ondrej-php
Pin-Priority: -1

Package: libssl1.1-udeb
Pin: origin "packages.sury.org"
Pin-Priority: -1

Package: libssl-dev
Pin: release o=LP-PPA-ondrej-php
Pin-Priority: -1

Package: libssl-dev
Pin: origin "packages.sury.org"
Pin-Priority: -1

Package: libssl-doc
Pin: release o=LP-PPA-ondrej-php
Pin-Priority: -1

Package: libssl-doc
Pin: origin "packages.sury.org"
Pin-Priority: -1
EOF

apt-cache policy libssl1.1

libssl1.1:
  Installed: 1.1.1j-1+0~20210301.25+debian11~1.gbp2578a0
  Candidate: (none)
  Version table:
 *** 1.1.1j-1+0~20210301.25+debian11~1.gbp2578a0 -1
        500 https://packages.sury.org/php bullseye/main amd64 Packages
        100 /var/lib/dpkg/status
     1.1.1j-1 500
        500 http://deb.debian.org/debian bullseye/main amd64 Packages

apt-get dist-upgrade

Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Calculating upgrade... Done
0 upgraded, 0 newly installed, 0 to remove and 1 not upgraded.

cp /tmp/php-common.pref /etc/apt/preferences.d/

apt-cache policy libssl1.1

libssl1.1:
  Installed: 1.1.1j-1+0~20210301.25+debian11~1.gbp2578a0
  Candidate: 1.1.1j-1
  Version table:
 *** 1.1.1j-1+0~20210301.25+debian11~1.gbp2578a0 -1
        500 https://packages.sury.org/php bullseye/main amd64 Packages
        100 /var/lib/dpkg/status
     1.1.1j-1 1000
        500 http://deb.debian.org/debian bullseye/main amd64 Packages

apt-get dist-upgrade

Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Calculating upgrade... Done
The following packages have been kept back:
  python3-ubuntutools ubuntu-dev-tools
The following packages will be DOWNGRADED:
  libssl1.1
0 upgraded, 0 newly installed, 1 downgraded, 0 to remove and 2 not upgraded.
Need to get 1,554 kB of archives.
After this operation, 2,048 B of additional disk space will be used.
Do you want to continue? [Y/n]
Get:1 http://deb.debian.org/debian bullseye/main amd64 libssl1.1 amd64 1.1.1j-1 [1,554 kB]
Fetched 1,554 kB in 0s (6,974 kB/s)
Preconfiguring packages ...
dpkg: warning: downgrading libssl1.1:amd64 from 1.1.1j-1+0~20210301.25+debian11~1.gbp2578a0 to 1.1.1j-1
(Reading database ... 307894 files and directories currently installed.)
Preparing to unpack .../libssl1.1_1.1.1j-1_amd64.deb ...
Unpacking libssl1.1:amd64 (1.1.1j-1) over (1.1.1j-1+0~20210301.25+debian11~1.gbp2578a0) ...
Setting up libssl1.1:amd64 (1.1.1j-1) ...
Processing triggers for libc-bin (2.31-9) ...
sahaqaa commented 3 years ago

Yep, right :-) Just tested it, and checked "man apt_preferences".

oerdnj commented 3 years ago

@sahaqaa See the Candidate: (none), that's the problem and that's why I need to mess with preferences globally. I know it's bad, that's why I asked for more thorough testing.
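
To make the apt_preferences(5) behaviour behind that "Candidate: (none)" result concrete, together with the earlier point that a priority below 1000 never causes a downgrade, here is an added example (not part of the thread or of the repository) that models apt's candidate selection over the version tables quoted above. It assumes the simplified rules from apt_preferences(5): versions pinned below 0 are excluded, the highest priority wins with the newest version breaking ties, and a downgrade is accepted only at priority 1000 or higher; the target-release rule and per-source metadata are ignored, and the tables are constructed from the outputs in this thread.

```python
"""Model of apt candidate selection (apt_preferences(5)) for the libssl1.1 tables
quoted in this thread.  Added example, not the repository's code.  Each table
entry is (version, pin priority) as printed by `apt-cache policy`."""
from __future__ import annotations
from functools import cmp_to_key

def _order(c: str) -> int:
    """dpkg character weight: '~' sorts before everything, letters before punctuation."""
    if c == "" or c.isdigit():
        return 0
    return ord(c) if c.isalpha() else (-1 if c == "~" else ord(c) + 256)

def _verrevcmp(a: str, b: str) -> int:
    """Compare one component (upstream or revision) the way dpkg does."""
    while a or b:
        while (a and not a[0].isdigit()) or (b and not b[0].isdigit()):
            diff = _order(a[:1]) - _order(b[:1])
            if diff:
                return diff
            a, b = a[1:], b[1:]
        a, b = a.lstrip("0"), b.lstrip("0")            # leading zeros are insignificant
        na = len(a) - len(a.lstrip("0123456789"))      # length of the digit run
        nb = len(b) - len(b.lstrip("0123456789"))
        if na != nb:                                   # longer digit run is the bigger number
            return na - nb
        if a[:na] != b[:nb]:
            return 1 if a[:na] > b[:nb] else -1
        a, b = a[na:], b[nb:]
    return 0

def debcmp(a: str, b: str) -> int:
    """Full Debian version comparison: epoch, then upstream, then revision."""
    def split(v: str) -> tuple[int, str, str]:
        epoch, sep, rest = v.partition(":")
        if not sep:
            epoch, rest = "0", v
        upstream, sep, revision = rest.rpartition("-")
        if not sep:
            upstream, revision = rest, ""
        return int(epoch), upstream, revision
    (ea, ua, ra), (eb, ub, rb) = split(a), split(b)
    return (ea - eb) or _verrevcmp(ua, ub) or _verrevcmp(ra, rb)

def candidate(table: list[tuple[str, int]], installed: str | None) -> str | None:
    """Versions pinned below 0 are never installed; the highest priority wins (newest
    on ties); a downgrade needs priority >= 1000.  None models "Candidate: (none)"."""
    eligible = [(p, v) for v, p in table if p >= 0]
    if not eligible:
        return None
    best_prio = max(p for p, _ in eligible)
    best = max((v for p, v in eligible if p == best_prio), key=cmp_to_key(debcmp))
    if installed and best_prio < 1000 and debcmp(installed, best) > 0:
        # A downgrade is refused, so apt falls back to the installed version,
        # which is itself unusable when its own pin is negative.
        inst_prio = max((p for v, p in table if v == installed), default=-1)
        return installed if inst_prio >= 0 else None
    return best

# Version strings from the thread's bullseye and bionic outputs (constructed tables).
SURY, DEBIAN = "1.1.1j-1+0~20210301.25+debian11~1.gbp2578a0", "1.1.1j-1"
PPA, UBUNTU = "1.1.1j-1+ubuntu18.04.1+deb.sury.org+3", "1.1.1-1ubuntu2.1~18.04.8"

def bullseye_with_1000_pin():      # sury copy pinned -1, Debian pinned 1000 -> downgrade
    return candidate([(SURY, -1), (DEBIAN, 1000)], installed=SURY)
def bullseye_negative_pins_only(): # Debian left at default 500 -> "Candidate: (none)"
    return candidate([(SURY, -1), (DEBIAN, 500)], installed=SURY)
def bionic_apache2_ppa_at_1000():  # apache2 PPA copy also at 1000 -> nothing changes
    return candidate([(PPA, 1000), (PPA, -1), (UBUNTU, 1000)], installed=PPA)
def bionic_origin_pinned():        # both PPA copies at -1, o=Ubuntu at 1000 -> downgrade
    return candidate([(PPA, -1), (PPA, -1), (UBUNTU, 1000)], installed=PPA)
```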

oerdnj commented 3 years ago

One thing that's missing is perhaps a mention that if you don't want the preferences file to be installed, you should remove it right after the php-common is upgraded, or right before an empty file should be installed.

sahaqaa commented 3 years ago

At least we know now about PPA ondrej-apache2: it also has openssl packages, and the following lines should be added into "php-common.pref":

Package: openssl
Pin: release o=LP-PPA-ondrej-apache2
Pin-Priority: -1

Package: libssl1.1
Pin: release o=LP-PPA-ondrej-apache2
Pin-Priority: -1

Package: libssl-dev
Pin: release o=LP-PPA-ondrej-apache2
Pin-Priority: -1

Package: libssl-doc
Pin: release o=LP-PPA-ondrej-apache2
Pin-Priority: -1

sahaqaa commented 3 years ago

And the text message shown when installing "ondrej/php-qa" should be edited, with a mention of "ppa:ondrej/apache2":

sudo add-apt-repository --remove ppa:ondrej/php-qa

This is area for experimenting with future releases of PHP and future release of packaging.

You need both ppa:ondrej/php and ppa:ondrej/php-qa, e.g.:

apt-get install -y language-pack-en-base

LC_ALL=en_US.UTF-8 add-apt-repository ppa:ondrej/php

LC_ALL=en_US.UTF-8 add-apt-repository ppa:ondrej/php-qa


Also, when the end user has ppa:ondrej/php and ppa:ondrej/apache2 at the same time, adding ppa:ondrej/php-qa (php-common.pref) does nothing, as the version from ppa:ondrej/apache2 still has a higher priority:

apt-cache policy libssl1.1

libssl1.1:
  Installed: 1.1.1j-1+ubuntu18.04.1+deb.sury.org+3
  Candidate: 1.1.1j-1+ubuntu18.04.1+deb.sury.org+3
  Version table:
 *** 1.1.1j-1+ubuntu18.04.1+deb.sury.org+3 1000
        500 http://ppa.launchpad.net/ondrej/apache2/ubuntu bionic/main amd64 Packages
        100 /var/lib/dpkg/status
     1.1.1j-1+ubuntu18.04.1+deb.sury.org+3 -1
        500 http://ppa.launchpad.net/ondrej/php/ubuntu bionic/main amd64 Packages
     1.1.1-1ubuntu2.1~18.04.8 1000
        500 http://us.archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu bionic-security/main amd64 Packages
     1.1.0g-2ubuntu4 1000
        500 http://us.archive.ubuntu.com/ubuntu bionic/main amd64 Packages

oerdnj commented 3 years ago

Also, when the end user has ppa:ondrej/php and ppa:ondrej/apache2 at the same time, adding ppa:ondrej/php-qa (php-common.pref) does nothing, as the version from ppa:ondrej/apache2 still has a higher priority

Good catch!

This in fact needed more tweaking: pinning the original priorities to the origin Ubuntu (or Debian) (e.g. release o=Ubuntu or release o=Debian), and the n=<codename> needed a glob (e.g. n=bionic*).

The updated +8 package should have better preferences rules now.

oerdnj commented 3 years ago

Could I ask for a retest with today's version?

sahaqaa commented 3 years ago

Hello, tested with Ubuntu 18.04 and 20.04. I had two PPAs added (ppa:ondrej/php; ppa:ondrej/apache2).

After I added ppa:ondrej/php-qa I was offered the package downgrades, and after "apt upgrade -y":

Ubuntu 18.04

apt-cache policy libssl1.1
libssl1.1:
  Installed: 1.1.1-1ubuntu2.1~18.04.8
  Candidate: 1.1.1-1ubuntu2.1~18.04.8
  Version table:
     1.1.1j-1+ubuntu18.04.1+deb.sury.org+3 -1
        500 http://ppa.launchpad.net/ondrej/apache2/ubuntu bionic/main amd64 Packages
     1.1.1j-1+ubuntu18.04.1+deb.sury.org+3 -1
        500 http://ppa.launchpad.net/ondrej/php/ubuntu bionic/main amd64 Packages
 *** 1.1.1-1ubuntu2.1~18.04.8 1000
        500 http://us.archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu bionic-security/main amd64 Packages
        100 /var/lib/dpkg/status
     1.1.0g-2ubuntu4 1000
        500 http://us.archive.ubuntu.com/ubuntu bionic/main amd64 Packages

Ubuntu 20.04

apt-cache policy libssl1.1
libssl1.1:
  Installed: 1.1.1f-1ubuntu2.2
  Candidate: 1.1.1f-1ubuntu2.2
  Version table:
     1.1.1j-1+ubuntu20.04.1+deb.sury.org+3 -1
        500 http://ppa.launchpad.net/ondrej/apache2/ubuntu focal/main amd64 Packages
     1.1.1j-1+ubuntu20.04.1+deb.sury.org+3 -1
        500 http://ppa.launchpad.net/ondrej/php/ubuntu focal/main amd64 Packages
 *** 1.1.1f-1ubuntu2.2 1000
        500 http://europe-west4-a.gce.clouds.archive.ubuntu.com/ubuntu focal-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu focal-security/main amd64 Packages
        100 /var/lib/dpkg/status
     1.1.1f-1ubuntu2 1000
        500 http://europe-west4-a.gce.clouds.archive.ubuntu.com/ubuntu focal/main amd64 Packages
sahaqaa commented 3 years ago

Output from Ubuntu 18.04 apt policy:

Pinned packages:
     openssl -> 1.1.1j-1+ubuntu18.04.1+deb.sury.org+3 with priority -1
     openssl -> 1.1.1j-1+ubuntu18.04.1+deb.sury.org+3 with priority -1
     openssl -> 1.1.1-1ubuntu2.1~18.04.8 with priority 1000
     openssl -> 1.1.0g-2ubuntu4 with priority 1000
     libssl-dev -> 1.1.1j-1+ubuntu18.04.1+deb.sury.org+3 with priority -1
     libssl-dev -> 1.1.1j-1+ubuntu18.04.1+deb.sury.org+3 with priority -1
     libssl-dev -> 1.1.1-1ubuntu2.1~18.04.8 with priority 1000
     libssl-dev -> 1.1.0g-2ubuntu4 with priority 1000
     libssl-doc -> 1.1.1j-1+ubuntu18.04.1+deb.sury.org+3 with priority -1
     libssl-doc -> 1.1.1j-1+ubuntu18.04.1+deb.sury.org+3 with priority -1
     libssl-doc -> 1.1.1-1ubuntu2.1~18.04.8 with priority 1000
     libssl-doc -> 1.1.0g-2ubuntu4 with priority 1000
     libssl1.1 -> 1.1.1j-1+ubuntu18.04.1+deb.sury.org+3 with priority -1
     libssl1.1 -> 1.1.1j-1+ubuntu18.04.1+deb.sury.org+3 with priority -1
     libssl1.1 -> 1.1.1-1ubuntu2.1~18.04.8 with priority 1000
     libssl1.1 -> 1.1.0g-2ubuntu4 with priority 1000

Ubuntu 20.04 apt policy:

Pinned packages:
     openssl -> 1.1.1j-1+ubuntu20.04.1+deb.sury.org+3 with priority -1
     openssl -> 1.1.1j-1+ubuntu20.04.1+deb.sury.org+3 with priority -1
     openssl -> 1.1.1f-1ubuntu2.2 with priority 1000
     openssl -> 1.1.1f-1ubuntu2 with priority 1000
     libssl-dev -> 1.1.1j-1+ubuntu20.04.1+deb.sury.org+3 with priority -1
     libssl-dev -> 1.1.1j-1+ubuntu20.04.1+deb.sury.org+3 with priority -1
     libssl-dev -> 1.1.1f-1ubuntu2.2 with priority 1000
     libssl-dev -> 1.1.1f-1ubuntu2 with priority 1000
     libssl-doc -> 1.1.1j-1+ubuntu20.04.1+deb.sury.org+3 with priority -1
     libssl-doc -> 1.1.1j-1+ubuntu20.04.1+deb.sury.org+3 with priority -1
     libssl-doc -> 1.1.1f-1ubuntu2.2 with priority 1000
     libssl-doc -> 1.1.1f-1ubuntu2 with priority 1000
     libssl1.1 -> 1.1.1j-1+ubuntu20.04.1+deb.sury.org+3 with priority -1
     libssl1.1 -> 1.1.1j-1+ubuntu20.04.1+deb.sury.org+3 with priority -1
     libssl1.1 -> 1.1.1f-1ubuntu2.2 with priority 1000
     libssl1.1 -> 1.1.1f-1ubuntu2 with priority 1000
oerdnj commented 3 years ago

Thanks, that looks correct. I think the most sane thing to do now is to copy the preferences file to the apache2-data and nginx-common packages, as those repositories have a smaller audience and thus the impact will be more limited.

sahaqaa commented 3 years ago

Probably yes, but there are at least 2 points to consider:

1) There should be a way to inform end-users about changes beforehand, just in case.
2) (I might be wrong here) If end-users have running applications using OpenSSL, after it is "downgraded" to the distro version a system reboot might be required, or a restart of each application that relies on OpenSSL, so that the applications / system use the latest OpenSSL binary.

oerdnj commented 3 years ago

There should be a way to inform end-users about changes beforehand, just in case.

If you have apt-listchanges configured correctly, you will be informed via NEWS.Debian file and you would be able to abort the update.

(I might be wrong here) If end-users have running applications using OpenSSL, after it is "downgraded" to the distro version a system reboot might be required, or a restart of each application that relies on OpenSSL, so that the applications / system use the latest OpenSSL binary.

It's the same as when upgrading the library. It's ok, the system will keep the old library in memory as long as the process has the library loaded. I don't think this will cause any problems.

MatthiasKuehneEllerhold commented 3 years ago

Installed the key & repo in Debian 10 Buster.

First apt dist-upgrade upgraded php-common from 2:81+0~20210223.34+debian10~1.gbpf52eb0 to 2:81+z+0~20210305.6+debian10~1.gbp7518f4.

Second apt dist-upgrade downgraded these packages:

libssl1.1 (1.1.1j-1+0~20210301.25+debian10~1.gbp2578a0 => 1.1.1d-0+deb10u5)
openssl (1.1.1j-1+0~20210301.25+debian10~1.gbp2578a0 => 1.1.1d-0+deb10u5)

needrestart reported a lot of services in need of a restart. Did that and a reboot to be on the safe side.

Testing our websites with Apache, PHP-FPM and external connections (via guzzle/curl/wget) works flawlessly.

So thumbs-up and a massive thanks from me!

Can't test salt-ssh though, because we switched to the master+minion version of saltstack because of the ssl problems a long time ago.

oerdnj commented 3 years ago

FTR the custom apt preferences file has been used in the nginx 1.19.8 update just now. I'll wait a couple of days and continue with apache2 and nginx-stable.

satphil commented 3 years ago

[Go easy on me, I'm a n00b.]

We've been running your PHP 7.4 on Debian 10 buster for the last year and taking your updates to PHP and ssl. My clone has /etc/apt/sources.list.d/php.list pointing to "deb https://packages.sury.org/php/ buster main", and your "README.txt" adds /etc/apt/sources.list.d/php-qa.list pointing to "deb https://packages.sury.org/php-qa/ buster main".

I ran the commands above, adding --allow-downgrades on the second dist-upgrade.

Good news:

# apt policy libssl1.1
libssl1.1:
  Installed: 1.1.1d-0+deb10u5
  Candidate: 1.1.1d-0+deb10u5
  Version table:
     1.1.1j-1+0~20210301.25+debian10~1.gbp2578a0 -1
        500 https://packages.sury.org/php buster/main amd64 Packages
 *** 1.1.1d-0+deb10u5 1000
        500 http://security.debian.org buster/updates/main amd64 Packages
        100 /var/lib/dpkg/status
     1.1.1d-0+deb10u4 1000
        500 http://deb.debian.org/debian buster/main amd64 Packages

# dpkg -l '*php8*' | grep ^.i
ii  php8.0-common         8.0.3-1+0~20210305.17+debian10~1.gbp899a74   amd64        documentation, examples and common module for PHP
ii  php8.0-xml            8.0.3-1+0~20210305.17+debian10~1.gbp899a74   amd64        DOM, SimpleXML, XML, and XSL module for PHP

After I then

# apt install php8.0-cli
# php -v
PHP 8.0.3 (cli) (built: Mar  5 2021 08:38:30) ( NTS )

Looks good to me, thanks guys. As always, your work is greatly appreciated.

oerdnj commented 3 years ago

FTR A version with the preferences file has been uploaded to apache2 and nginx-stable repositories.

oerdnj commented 3 years ago

And the last piece of puzzle (php-defaults_82) has been uploaded to both Debian and Ubuntu PHP repositories.

bytesplit commented 3 years ago

Hm... on frontend proxies things went well (Buster). On stretch app servers not so well...

The following packages were automatically installed and are no longer required:
  libnginx-mod-http-echo nginx-common
Use 'sudo apt autoremove' to remove them.
The following packages will be **REMOVED**:
  nginx nginx-light
The following packages will be DOWNGRADED:
  libssl1.1
0 upgraded, 0 newly installed, 1 downgraded, 2 to remove and 0 not upgraded.

And the other:

The following packages were automatically installed and are no longer required:
  apache2-data libaprutil1-dbd-sqlite3 libaprutil1-ldap libbrotli1 libjansson4 liblua5.2-0 libnginx-mod-http-echo nginx-common ssl-cert
Use 'sudo apt autoremove' to remove them.
The following packages will be **REMOVED**:
  apache2 apache2-bin libapache2-mod-wsgi libapache2-svn nginx-light
The following packages will be DOWNGRADED:
  libssl1.1
0 upgraded, 0 newly installed, 1 downgraded, 5 to remove and 0 not upgraded.

Distributor ID: Debian
Description:    Debian GNU/Linux 9.13 (stretch)
Release:        9.13
Codename:       stretch

I don't think it makes sense to remove nginx and apache just to downgrade libssl. Both are from deb.sury.org.

oerdnj commented 3 years ago

@bytesplit It seems like a rebuild was needed. nginx is already rebuilt, but there was some hiccup in re-building apache2 on stretch, but I've cherry-picked the patch, so it should be rebuilt soon.

oerdnj commented 3 years ago

@bytesplit Should be resolved for amd64, and it will be quickly resolved for the rest of the architectures. Thanks for the quick feedback.

bytesplit commented 3 years ago

@oerdnj I confirm after another update the dist-upgrade now went smooth. OpenSSL has been downgraded. All services working fine. Thank you!

linuxuser424 commented 3 years ago

Debian Stretch here: the downgrade of openssl works, but the php*-mongodb packages got uninstalled. And installing them doesn't work; they depend on the newer (now uninstalled) version of libssl1.1 ...

php7.4-mongodb : depends on: libssl1.1 (>= 1.1.1) but 1.1.0l-1~deb9u3 should be installed

Suggestions?

oerdnj commented 3 years ago

I issued a rebuild.

linuxuser424 commented 3 years ago

It works again, thank you very much.

FuelKubitox commented 3 years ago

I'm not sure about that downgrade. When I do a dependency check I get this:

:~# apt-rdepends libapache2-mod-php7.4
Reading package lists... Done
Building dependency tree
Reading state information... Done
libapache2-mod-php7.4
  Depends: apache2-api-20120211
  Depends: apache2-bin (>= 2.4.16)
  Depends: libargon2-1 (>= 0~20171227)
  Depends: libc6 (>= 2.27)
  Depends: libmagic1
  Depends: libpcre2-8-0 (>= 10.32)
  Depends: libsodium23 (>= 1.0.14)
  Depends: libssl1.1 (>= 1.1.0)

That's not the only such dependency. There are more. I'm afraid that I break my system with the downgrade. So why mention it to the users that use this repository? For me it sounds dangerous and unnecessary. But maybe I'm wrong, or am I?