Closed oerdnj closed 3 years ago
Hello, What is the plan, and how we will understand that it worked (downgraded) after all?
But how to perform downgrade action?
Remove mentions of "PPA:ondrej/php" from: /etc/apt/sources.list /etc/apt/sources.list.d/
Add ppa:ondrej/php-qa
Update all packages:
sudo apt update
// to see what will change
apt list --upgradable
sudo apt upgrade
Check "apt-cache policy openssl"
// or
Am I right?
And this should be done for ubuntu16.04 / ubuntu18.04 / ubuntu20.04 / ubuntu20.10 (for amd64.deb / arm64.deb / i386.deb / armhf.deb / ppc64el.deb ) ?
I moved the instructions to the top
I mean, I already did test it in clean chroot environment, so I am more interested in “real” world scenarios.
I just quickly (and partially) tested your repo w/ debian buster (up-to-date and with php7.3 installed). I added the php-qa repo from here: https://launchpad.net/~ondrej/+archive/ubuntu/php-qa (I've tested with "bionic" and "xenial" releases).
In both cases, after apt updating I have:
# apt policy libssl1.1
libssl1.1:
Installed: 1.1.1d-0+deb10u5
Candidate: 1.1.1d-0+deb10u5
Version table:
*** 1.1.1d-0+deb10u5 500
500 http://deb.debian.org/debian-security buster/updates/main amd64 Packages
100 /var/lib/dpkg/status
1.1.1d-0+deb10u4 500
500 http://deb.debian.org/debian buster/main amd64 Packages
which looks fine. The only package it wants to update is php-common, but that's to be expected. I hope that helps. If I have some more time this week I may be able to test it more thoroughly.
Thank you.
Actually mixing releases is not really supported, but you gave me an idea how to simplify the preferences file to just have a single file for all the Debian and Ubuntu releases.
Also I’ll cook up a php-qa repository for Debian tomorrow.
Ok, so here's the php-qa for Debian with just updated php-common package. If you are testing Debian, use that instead of packages from launchpad.
I'm not sure I understand exactly what you want to test.
If I start with an up-to-date debian buster having the official php7.3 (not from your repo) and add the php-qa repo, then I get the results I posted previously, i.e. php-common wants to be updated, but libssl1.1 is left alone. I tested this again now with the debian php-qa repo instead of like yesterday with the bionic and xenial. Same result.
Now, I also tested adding, to the "clean" debian, your debian (non-qa) repo, and then dist-upgraded, which updated php7.3 (and installed php8.0), and also updated my openssl, i.e.
# apt policy libssl1.1
libssl1.1:
Installed: 1.1.1j-1+0~20210301.25+debian10~1.gbp2578a0
Candidate: 1.1.1j-1+0~20210301.25+debian10~1.gbp2578a0
Version table:
*** 1.1.1j-1+0~20210301.25+debian10~1.gbp2578a0 500
500 https://packages.sury.org/php buster/main amd64 Packages
100 /var/lib/dpkg/status
1.1.1d-0+deb10u5 500
500 http://deb.debian.org/debian-security buster/updates/main amd64 Packages
1.1.1d-0+deb10u4 500
500 http://deb.debian.org/debian buster/main amd64 Packages
Then I replaced the php repo with the php-qa repo, in the assumption that it would (1) leave php alone but (2) offer to downgrade libssl1.1.
However when I do "apt upgrade" I get:
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
The following packages will be upgraded:
php-common (2:81+0~20210223.34+debian10~1.gbpf52eb0 => 2:81+z+0~20210303.2+debian10~1.gbpebe486)
php-gmp (2:8.0+81+0~20210223.34+debian10~1.gbpf52eb0 => 2:8.0+81+z+0~20210303.2+debian10~1.gbpebe486)
2 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 23.7 kB of archives.
After this operation, 6,144 B of additional disk space will be used.
Do you want to continue? [Y/n] n
also
# apt policy libssl1.1
libssl1.1:
Installed: 1.1.1j-1+0~20210301.25+debian10~1.gbp2578a0
Candidate: 1.1.1j-1+0~20210301.25+debian10~1.gbp2578a0
Version table:
*** 1.1.1j-1+0~20210301.25+debian10~1.gbp2578a0 100
100 /var/lib/dpkg/status
1.1.1d-0+deb10u5 500
500 http://deb.debian.org/debian-security buster/updates/main amd64 Packages
1.1.1d-0+deb10u4 500
500 http://deb.debian.org/debian buster/main amd64 Packages
which means I keep "your" openssl, but as an orphaned package.
@reinob You need to finish this update first:
php-common (2:81+0~20210223.34+debian10~1.gbpf52eb0 => 2:81+z+0~20210303.2+debian10~1.gbpebe486)
This will install apt_preferences file to /etc/apt/preferences.d/php-common.pref and then run apt dist-upgrade again and it should offer downgrade of libssl1.1
Yup, that did it! :)
# apt dist-upgrade
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
The following packages will be DOWNGRADED:
libssl1.1 (1.1.1j-1+0~20210301.25+debian10~1.gbp2578a0 => 1.1.1d-0+deb10u5)
openssl (1.1.1j-1+0~20210301.25+debian10~1.gbp2578a0 => 1.1.1d-0+deb10u5)
0 upgraded, 0 newly installed, 2 downgraded, 0 to remove and 0 not upgraded.
Need to get 2,382 kB of archives.
After this operation, 88.1 kB of additional disk space will be used.
Do you want to continue? [Y/n] y
Get:1 http://deb.debian.org/debian-security buster/updates/main amd64 libssl1.1 amd64 1.1.1d-0+deb10u5 [1,539 kB]
Get:2 http://deb.debian.org/debian-security buster/updates/main amd64 openssl amd64 1.1.1d-0+deb10u5 [844 kB]
Fetched 2,382 kB in 0s (11.9 MB/s)
Preconfiguring packages ...
dpkg: warning: downgrading libssl1.1:amd64 from 1.1.1j-1+0~20210301.25+debian10~1.gbp2578a0 to 1.1.1d-0+deb10u5
(Reading database ... 75761 files and directories currently installed.)
Preparing to unpack .../libssl1.1_1.1.1d-0+deb10u5_amd64.deb ...
Unpacking libssl1.1:amd64 (1.1.1d-0+deb10u5) over (1.1.1j-1+0~20210301.25+debian10~1.gbp2578a0) ...
dpkg: warning: downgrading openssl from 1.1.1j-1+0~20210301.25+debian10~1.gbp2578a0 to 1.1.1d-0+deb10u5
Preparing to unpack .../openssl_1.1.1d-0+deb10u5_amd64.deb ...
Unpacking openssl (1.1.1d-0+deb10u5) over (1.1.1j-1+0~20210301.25+debian10~1.gbp2578a0) ...
Setting up libssl1.1:amd64 (1.1.1d-0+deb10u5) ...
Setting up openssl (1.1.1d-0+deb10u5) ...
Installing new version of config file /etc/ssl/openssl.cnf ...
Processing triggers for man-db (2.8.5-2) ...
Processing triggers for libc-bin (2.28-10) ...
Quick test within a docker container:
root@7677b1731ca1:/# apt -y dist-upgrade --allow-downgrades && apt -y dist-upgrade --allow-downgrades
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
The following package was automatically installed and is no longer required:
libicu60
Use 'apt autoremove' to remove it.
The following packages will be DOWNGRADED:
libssl1.1 openssl
0 upgraded, 0 newly installed, 2 downgraded, 0 to remove and 0 not upgraded.
Need to get 1915 kB of archives.
After this operation, 153 kB disk space will be freed.
Get:1 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 libssl1.1 amd64 1.1.1-1ubuntu2.1~18.04.8 [1301 kB]
Get:2 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 openssl amd64 1.1.1-1ubuntu2.1~18.04.8 [614 kB]
Fetched 1915 kB in 0s (4409 kB/s)
debconf: delaying package configuration, since apt-utils is not installed
dpkg: warning: downgrading libssl1.1:amd64 from 1.1.1j-1+ubuntu18.04.1+deb.sury.org+3 to 1.1.1-1ubuntu2.1~18.04.8
(Reading database ... 9432 files and directories currently installed.)
Preparing to unpack .../libssl1.1_1.1.1-1ubuntu2.1~18.04.8_amd64.deb ...
Unpacking libssl1.1:amd64 (1.1.1-1ubuntu2.1~18.04.8) over (1.1.1j-1+ubuntu18.04.1+deb.sury.org+3) ...
dpkg: warning: downgrading openssl from 1.1.1j-1+ubuntu18.04.1+deb.sury.org+3 to 1.1.1-1ubuntu2.1~18.04.8
Preparing to unpack .../openssl_1.1.1-1ubuntu2.1~18.04.8_amd64.deb ...
Unpacking openssl (1.1.1-1ubuntu2.1~18.04.8) over (1.1.1j-1+ubuntu18.04.1+deb.sury.org+3) ...
Setting up libssl1.1:amd64 (1.1.1-1ubuntu2.1~18.04.8) ...
debconf: unable to initialize frontend: Dialog
debconf: (No usable dialog-like program is installed, so the dialog based frontend cannot be used. at /usr/share/perl5/Debconf/FrontEnd/Dialog.pm line 76.)
debconf: falling back to frontend: Readline
debconf: unable to initialize frontend: Readline
debconf: (Can't locate Term/ReadLine.pm in @INC (you may need to install the Term::ReadLine module) (@INC contains: /etc/perl /usr/local/lib/x86_64-linux-gnu/perl/5.26.1 /usr/local/share/perl/5.26.1 /usr/lib/x86_64-linux-gnu/perl5/5.26 /usr/share/perl5 /usr/lib/x86_64-linux-gnu/perl/5.26 /usr/share/perl/5.26 /usr/local/lib/site_perl /usr/lib/x86_64-linux-gnu/perl-base) at /usr/share/perl5/Debconf/FrontEnd/Readline.pm line 7.)
debconf: falling back to frontend: Teletype
Setting up openssl (1.1.1-1ubuntu2.1~18.04.8) ...
Installing new version of config file /etc/ssl/openssl.cnf ...
Processing triggers for libc-bin (2.27-3ubuntu1.4) ...
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
The following package was automatically installed and is no longer required:
libicu60
Use 'apt autoremove' to remove it.
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
root@7677b1731ca1:/#
root@7677b1731ca1:/# apt-cache policy libssl1.1
libssl1.1:
Installed: 1.1.1-1ubuntu2.1~18.04.8
Candidate: 1.1.1-1ubuntu2.1~18.04.8
Version table:
1.1.1j-1+ubuntu18.04.1+deb.sury.org+3 -1
500 http://ppa.launchpad.net/ondrej/php/ubuntu bionic/main amd64 Packages
*** 1.1.1-1ubuntu2.1~18.04.8 1000
500 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages
500 http://security.ubuntu.com/ubuntu bionic-security/main amd64 Packages
100 /var/lib/dpkg/status
1.1.0g-2ubuntu4 1000
500 http://archive.ubuntu.com/ubuntu bionic/main amd64 Packages
root@7677b1731ca1:/# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 18.04.5 LTS
Release: 18.04
Codename: bionic
Looks good so far, just had to add --allow-downgrades. Will do another test with unattended-upgrades, not sure how it copes with downgrades.
apt update; apt-get -y install software-properties-common
LC_ALL=C.UTF-8 add-apt-repository ppa:ondrej/php -y
apt-get -y install php7.4-cli
LC_ALL=C.UTF-8 add-apt-repository ppa:ondrej/php-qa -y
echo 'Unattended-Upgrade::Allowed-Origins {"LP-PPA-ondrej-php-qa:bionic";};' > /etc/apt/apt.conf.d/51_php-qa_unattended-upgrades
unattended-upgrades -d
root@a0844c702c91:/# apt policy libssl1.1
libssl1.1:
Installed: 1.1.1-1ubuntu2.1~18.04.8
Candidate: 1.1.1-1ubuntu2.1~18.04.8
Version table:
1.1.1j-1+ubuntu18.04.1+deb.sury.org+3 -1
500 http://ppa.launchpad.net/ondrej/php/ubuntu bionic/main amd64 Packages
*** 1.1.1-1ubuntu2.1~18.04.8 1000
500 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages
500 http://security.ubuntu.com/ubuntu bionic-security/main amd64 Packages
100 /var/lib/dpkg/status
1.1.0g-2ubuntu4 1000
500 http://archive.ubuntu.com/ubuntu bionic/main amd64 Packages
Thanks, so far this looks positive to me.
Ah, had another look, this does not affect bionic, without the QA repo, it was using the upstream version already.
root@cf066fef80cf:/# apt policy libssl1.1
libssl1.1:
Installed: 1.1.1-1ubuntu2.1~18.04.8
Candidate: 1.1.1j-1+ubuntu18.04.1+deb.sury.org+3
Version table:
1.1.1j-1+ubuntu18.04.1+deb.sury.org+3 500
500 http://ppa.launchpad.net/ondrej/php/ubuntu bionic/main amd64 Packages
*** 1.1.1-1ubuntu2.1~18.04.8 500
500 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages
500 http://security.ubuntu.com/ubuntu bionic-security/main amd64 Packages
100 /var/lib/dpkg/status
1.1.0g-2ubuntu4 500
500 http://archive.ubuntu.com/ubuntu bionic/main amd64 Packages
root@cf066fef80cf:/#
root@cf066fef80cf:/# apt policy php7.4-cli
php7.4-cli:
Installed: 7.4.15-7+ubuntu18.04.1+deb.sury.org+1
Candidate: 7.4.15-7+ubuntu18.04.1+deb.sury.org+1
Version table:
*** 7.4.15-7+ubuntu18.04.1+deb.sury.org+1 500
500 http://ppa.launchpad.net/ondrej/php/ubuntu bionic/main amd64 Packages
100 /var/lib/dpkg/status
Focal:
Before:
root@08954e5aee15:/# apt policy libssl1.1
libssl1.1:
Installed: 1.1.1f-1ubuntu2.2
Candidate: 1.1.1j-1+ubuntu20.04.1+deb.sury.org+3
Version table:
1.1.1j-1+ubuntu20.04.1+deb.sury.org+3 500
500 http://ppa.launchpad.net/ondrej/php/ubuntu focal/main amd64 Packages
*** 1.1.1f-1ubuntu2.2 500
500 http://archive.ubuntu.com/ubuntu focal-updates/main amd64 Packages
500 http://security.ubuntu.com/ubuntu focal-security/main amd64 Packages
100 /var/lib/dpkg/status
1.1.1f-1ubuntu2 500
500 http://archive.ubuntu.com/ubuntu focal/main amd64 Packages
Update:
root@08954e5aee15:/# apt policy libssl1.1
libssl1.1:
Installed: 1.1.1j-1+ubuntu20.04.1+deb.sury.org+3
Candidate: 1.1.1f-1ubuntu2.2
Version table:
*** 1.1.1j-1+ubuntu20.04.1+deb.sury.org+3 -1
500 http://ppa.launchpad.net/ondrej/php/ubuntu focal/main amd64 Packages
100 /var/lib/dpkg/status
1.1.1f-1ubuntu2.2 1000
500 http://archive.ubuntu.com/ubuntu focal-updates/main amd64 Packages
500 http://security.ubuntu.com/ubuntu focal-security/main amd64 Packages
1.1.1f-1ubuntu2 1000
500 http://archive.ubuntu.com/ubuntu focal/main amd64 Packages
Shows the proper candidate but still has current version installed, looks like UU does not downgrade on its own.
> Shows the proper candidate but still has current version installed, looks like UU does not downgrade on its own.
I would definitely not want to mangle the UU configuration from php-common.
When you have UU configured, do you have apt-listchanges mailing the NEWS.Debian to you?
Nope, no mail and nothing in the logs. Is there any flag to enable in UU?
Debian Buster on dev vagrant box, hope it helps.
root@debian-10:~# apt update && apt -y dist-upgrade && apt -y dist-upgrade
Reading package lists... Done
Building dependency tree
Reading state information... Done
2 packages can be upgraded. Run 'apt list --upgradable' to see them.
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
The following packages will be upgraded:
php-common php-xml
2 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 24.4 kB of archives.
After this operation, 7,168 B of additional disk space will be used.
Get:1 https://packages.sury.org/php-qa buster/main amd64 php-common all 2:81+z+0~20210304.3+debian10~1.gbp922229 [17.3 kB]
Get:2 https://packages.sury.org/php-qa buster/main amd64 php-xml all 2:8.0+81+z+0~20210304.3+debian10~1.gbp922229 [7,064 B]
Fetched 24.4 kB in 0s (83.4 kB/s)
apt-listchanges: Reading changelogs...
apt-listchanges: News
---------------------
php-defaults (81+z) unstable; urgency=medium
* The custom src:openssl packages were introduced to upgrade the
cryptographic functions for PHP, Apache2 and NGINX, but the situation
have improved greatly since. Ubuntu 16.04 LTS will read end-of-life
in April 2021 and it was the last distribution using OpenSSL 1.0.2.
Debian 9 Stretch LTS will reach end-of-line in June 2022 and it is
using OpenSSL 1.1.0 (which just means TLS 1.3).
* The php-common package now introduces custom apt_preferences
configuration in /etc/apt/preferences.d/php-common.pref that should
enforce downgrade of the src:openssl packages to the OpenSSL version
provided by the distribution. After this version of php-common is
installed, the next manual apt-get dist-upgrade run will downgrade the
OpenSSL version, but you are advised to check this manually if the
downgrade has happened.
-- Ondrej Surý <ondrej@debian.org> Thu, 04 Mar 2021 11:08:54 +0100
(Reading database ... 58812 files and directories currently installed.)
Preparing to unpack .../php-common_2%3a81+z+0~20210304.3+debian10~1.gbp922229_all.deb ...
Unpacking php-common (2:81+z+0~20210304.3+debian10~1.gbp922229) over (2:81+0~20210223.34+debian10~1.gbpf52eb0) ...
Preparing to unpack .../php-xml_2%3a8.0+81+z+0~20210304.3+debian10~1.gbp922229_all.deb ...
Unpacking php-xml (2:8.0+81+z+0~20210304.3+debian10~1.gbp922229) over (2:8.0+81+0~20210223.34+debian10~1.gbpf52eb0) ...
Setting up php-common (2:81+z+0~20210304.3+debian10~1.gbp922229) ...
Setting up php-xml (2:8.0+81+z+0~20210304.3+debian10~1.gbp922229) ...
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
The following packages will be DOWNGRADED:
libssl-dev libssl1.1 openssl
0 upgraded, 0 newly installed, 3 downgraded, 0 to remove and 0 not upgraded.
E: Packages were downgraded and -y was used without --allow-downgrades.
root@debian-10:~# apt-cache policy libssl1.1
libssl1.1:
Installed: 1.1.1j-1+0~20210301.25+debian10~1.gbp2578a0
Candidate: 1.1.1d-0+deb10u5
Version table:
*** 1.1.1j-1+0~20210301.25+debian10~1.gbp2578a0 -1
500 https://packages.sury.org/php buster/main amd64 Packages
100 /var/lib/dpkg/status
1.1.1d-0+deb10u5 1000
500 http://security.debian.org/debian-security buster/updates/main amd64 Packages
1.1.1d-0+deb10u4 1000
500 http://httpredir.debian.org/debian buster/main amd64 Packages
root@debian-10:~# apt -y dist-upgrade --allow-downgrades
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
The following packages will be DOWNGRADED:
libssl-dev libssl1.1 openssl
0 upgraded, 0 newly installed, 3 downgraded, 0 to remove and 0 not upgraded.
Need to get 4,176 kB of archives.
After this operation, 59.4 kB of additional disk space will be used.
Get:1 http://security.debian.org/debian-security buster/updates/main amd64 libssl-dev amd64 1.1.1d-0+deb10u5 [1,794 kB]
Get:2 http://security.debian.org/debian-security buster/updates/main amd64 libssl1.1 amd64 1.1.1d-0+deb10u5 [1,539 kB]
Get:3 http://security.debian.org/debian-security buster/updates/main amd64 openssl amd64 1.1.1d-0+deb10u5 [844 kB]
Fetched 4,176 kB in 1s (3,318 kB/s)
Preconfiguring packages ...
dpkg: warning: downgrading libssl-dev:amd64 from 1.1.1j-1+0~20210301.25+debian10~1.gbp2578a0 to 1.1.1d-0+deb10u5
(Reading database ... 58814 files and directories currently installed.)
Preparing to unpack .../libssl-dev_1.1.1d-0+deb10u5_amd64.deb ...
Unpacking libssl-dev:amd64 (1.1.1d-0+deb10u5) over (1.1.1j-1+0~20210301.25+debian10~1.gbp2578a0) ...
dpkg: warning: downgrading libssl1.1:amd64 from 1.1.1j-1+0~20210301.25+debian10~1.gbp2578a0 to 1.1.1d-0+deb10u5
Preparing to unpack .../libssl1.1_1.1.1d-0+deb10u5_amd64.deb ...
Unpacking libssl1.1:amd64 (1.1.1d-0+deb10u5) over (1.1.1j-1+0~20210301.25+debian10~1.gbp2578a0) ...
dpkg: warning: downgrading openssl from 1.1.1j-1+0~20210301.25+debian10~1.gbp2578a0 to 1.1.1d-0+deb10u5
Preparing to unpack .../openssl_1.1.1d-0+deb10u5_amd64.deb ...
Unpacking openssl (1.1.1d-0+deb10u5) over (1.1.1j-1+0~20210301.25+debian10~1.gbp2578a0) ...
Setting up libssl1.1:amd64 (1.1.1d-0+deb10u5) ...
Setting up libssl-dev:amd64 (1.1.1d-0+deb10u5) ...
Setting up openssl (1.1.1d-0+deb10u5) ...
Installing new version of config file /etc/ssl/openssl.cnf ...
Processing triggers for man-db (2.8.5-2) ...
Processing triggers for libc-bin (2.28-10) ...
root@debian-10:~# apt-cache policy libssl1.1
libssl1.1:
Installed: 1.1.1d-0+deb10u5
Candidate: 1.1.1d-0+deb10u5
Version table:
1.1.1j-1+0~20210301.25+debian10~1.gbp2578a0 -1
500 https://packages.sury.org/php buster/main amd64 Packages
*** 1.1.1d-0+deb10u5 1000
500 http://security.debian.org/debian-security buster/updates/main amd64 Packages
100 /var/lib/dpkg/status
1.1.1d-0+deb10u4 1000
500 http://httpredir.debian.org/debian buster/main amd64 Packages
Does the text that I added to php-common.NEWS make sense?
> Does the text that I added to php-common.NEWS make sense?
LGTM
Minor corrections to the text:
"Ubuntu 16.04 LTS will read end-of-life" s/read/reach/
"Debian 9 Stretch LTS will reach end-of-line" s/line/life/
Other than that, it's clear and understandable :)
Hello, Tried it on clone of production server:
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 18.04.5 LTS
Release: 18.04
Codename: bionic
Before:
openssl:
Installed: 1.1.1j-1+ubuntu18.04.1+deb.sury.org+3
Candidate: 1.1.1j-1+ubuntu18.04.1+deb.sury.org+3
Version table:
*** 1.1.1j-1+ubuntu18.04.1+deb.sury.org+3 500
500 http://ppa.launchpad.net/ondrej/apache2/ubuntu bionic/main amd64 Packages
100 /var/lib/dpkg/status
1.1.1j-1+ubuntu18.04.1+deb.sury.org+3 500
500 http://ppa.launchpad.net/ondrej/php/ubuntu bionic/main amd64 Packages
1.1.1-1ubuntu2.1~18.04.8 500
500 http://us.archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages
500 http://security.ubuntu.com/ubuntu bionic-security/main amd64 Packages
1.1.0g-2ubuntu4 500
500 http://us.archive.ubuntu.com/ubuntu bionic/main amd64 Packages
After steps (in Placeholder):
openssl:
Installed: 1.1.1j-1+ubuntu18.04.1+deb.sury.org+3
Candidate: 1.1.1j-1+ubuntu18.04.1+deb.sury.org+3
Version table:
*** 1.1.1j-1+ubuntu18.04.1+deb.sury.org+3 1000
500 http://ppa.launchpad.net/ondrej/apache2/ubuntu bionic/main amd64 Packages
100 /var/lib/dpkg/status
1.1.1j-1+ubuntu18.04.1+deb.sury.org+3 -1
500 http://ppa.launchpad.net/ondrej/php/ubuntu bionic/main amd64 Packages
1.1.1-1ubuntu2.1~18.04.8 1000
500 http://us.archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages
500 http://security.ubuntu.com/ubuntu bionic-security/main amd64 Packages
1.1.0g-2ubuntu4 1000
500 http://us.archive.ubuntu.com/ubuntu bionic/main amd64 Packages
I.e. --> Nothing changed for me.
Also I'm not sure that the content of php-common.pref is correct. What do I mean? I'm not sure that you need to provide the section "Pin-Priority: 1000". I guess only "Pin-Priority: -1" will be ok to downgrade. Because with "Pin-Priority: 1000" we are "messing around" with the priorities of target systems.
If PPA ondrej/php is only changing preferences for openssl packages, then "Pin-Priority: -1" will revert it back to the default values of the distro. And maybe there is no need to add the extra "Pin-Priority: 1000".
Got it. Added:
Package: openssl
Pin: release o=LP-PPA-ondrej-apache2
Pin-Priority: -1

Package: libssl1.1
Pin: release o=LP-PPA-ondrej-apache2
Pin-Priority: -1

Package: libssl-dev
Pin: release o=LP-PPA-ondrej-apache2
Pin-Priority: -1

Package: libssl-doc
Pin: release o=LP-PPA-ondrej-apache2
Pin-Priority: -1
And now it's ok:
openssl:
Installed: 1.1.1-1ubuntu2.1~18.04.8
Candidate: 1.1.1-1ubuntu2.1~18.04.8
Version table:
1.1.1j-1+ubuntu18.04.1+deb.sury.org+3 -1
500 http://ppa.launchpad.net/ondrej/apache2/ubuntu bionic/main amd64 Packages
1.1.1j-1+ubuntu18.04.1+deb.sury.org+3 -1
500 http://ppa.launchpad.net/ondrej/php/ubuntu bionic/main amd64 Packages
*** 1.1.1-1ubuntu2.1~18.04.8 1000
500 http://us.archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages
500 http://security.ubuntu.com/ubuntu bionic-security/main amd64 Packages
100 /var/lib/dpkg/status
1.1.0g-2ubuntu4 1000
500 http://us.archive.ubuntu.com/ubuntu bionic/main amd64 Packages
> I guess only "Pin-Priority: -1" will be ok to downgrade.
It won't. It would affect only systems without the package already installed. The priorities < 1000 won't cause the package downgrade. And the default priority is 500.
You can test that by installing the libssl1.1 from php, then php-common from php-qa and then removing everything from /etc/apt/preferences.d/php-common.pref except:
Package: openssl
Pin: release o=LP-PPA-ondrej-php
Pin-Priority: -1

Package: openssl
Pin: origin "packages.sury.org"
Pin-Priority: -1

Package: libssl1.1
Pin: release o=LP-PPA-ondrej-php
Pin-Priority: -1

Package: libssl1.1
Pin: origin "packages.sury.org"
Pin-Priority: -1

Package: libcrypto1.1-udeb
Pin: release o=LP-PPA-ondrej-php
Pin-Priority: -1

Package: libcrypto1.1-udeb
Pin: origin "packages.sury.org"
Pin-Priority: -1

Package: libssl1.1-udeb
Pin: release o=LP-PPA-ondrej-php
Pin-Priority: -1

Package: libssl1.1-udeb
Pin: origin "packages.sury.org"
Pin-Priority: -1

Package: libssl-dev
Pin: release o=LP-PPA-ondrej-php
Pin-Priority: -1

Package: libssl-dev
Pin: origin "packages.sury.org"
Pin-Priority: -1

Package: libssl-doc
Pin: release o=LP-PPA-ondrej-php
Pin-Priority: -1

Package: libssl-doc
Pin: origin "packages.sury.org"
Pin-Priority: -1
libssl1.1:
Installed: 1.1.1j-1
Candidate: 1.1.1j-1
Version table:
1.1.1j-1+0~20210301.25+debian11~1.gbp2578a0 -1
500 https://packages.sury.org/php bullseye/main amd64 Packages
*** 1.1.1j-1 1000
500 http://deb.debian.org/debian bullseye/main amd64 Packages
100 /var/lib/dpkg/status
[...]
Removing libssl-dev:amd64 (1.1.1j-1) ...
(Reading database ... 308291 files and directories currently installed.)
Preparing to unpack .../libssl1.1_1.1.1j-1+0~20210301.25+debian11~1.gbp2578a0_amd64.deb ...
Unpacking libssl1.1:amd64 (1.1.1j-1+0~20210301.25+debian11~1.gbp2578a0) over (1.1.1j-1) ...
Setting up libssl1.1:amd64 (1.1.1j-1+0~20210301.25+debian11~1.gbp2578a0) ...
Processing triggers for libc-bin (2.31-9) ...
libssl1.1:
Installed: 1.1.1j-1+0~20210301.25+debian11~1.gbp2578a0
Candidate: 1.1.1j-1
Version table:
*** 1.1.1j-1+0~20210301.25+debian11~1.gbp2578a0 -1
500 https://packages.sury.org/php bullseye/main amd64 Packages
100 /var/lib/dpkg/status
1.1.1j-1 1000
500 http://deb.debian.org/debian bullseye/main amd64 Packages
Package: openssl
Pin: release o=LP-PPA-ondrej-php
Pin-Priority: -1

Package: openssl
Pin: origin "packages.sury.org"
Pin-Priority: -1

Package: libssl1.1
Pin: release o=LP-PPA-ondrej-php
Pin-Priority: -1

Package: libssl1.1
Pin: origin "packages.sury.org"
Pin-Priority: -1

Package: libcrypto1.1-udeb
Pin: release o=LP-PPA-ondrej-php
Pin-Priority: -1

Package: libcrypto1.1-udeb
Pin: origin "packages.sury.org"
Pin-Priority: -1

Package: libssl1.1-udeb
Pin: release o=LP-PPA-ondrej-php
Pin-Priority: -1

Package: libssl1.1-udeb
Pin: origin "packages.sury.org"
Pin-Priority: -1

Package: libssl-dev
Pin: release o=LP-PPA-ondrej-php
Pin-Priority: -1

Package: libssl-dev
Pin: origin "packages.sury.org"
Pin-Priority: -1

Package: libssl-doc
Pin: release o=LP-PPA-ondrej-php
Pin-Priority: -1

Package: libssl-doc
Pin: origin "packages.sury.org"
Pin-Priority: -1
EOF
libssl1.1:
Installed: 1.1.1j-1+0~20210301.25+debian11~1.gbp2578a0
Candidate: (none)
Version table:
*** 1.1.1j-1+0~20210301.25+debian11~1.gbp2578a0 -1
500 https://packages.sury.org/php bullseye/main amd64 Packages
100 /var/lib/dpkg/status
1.1.1j-1 500
500 http://deb.debian.org/debian bullseye/main amd64 Packages
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Calculating upgrade... Done
0 upgraded, 0 newly installed, 0 to remove and 1 not upgraded.
libssl1.1:
Installed: 1.1.1j-1+0~20210301.25+debian11~1.gbp2578a0
Candidate: 1.1.1j-1
Version table:
*** 1.1.1j-1+0~20210301.25+debian11~1.gbp2578a0 -1
500 https://packages.sury.org/php bullseye/main amd64 Packages
100 /var/lib/dpkg/status
1.1.1j-1 1000
500 http://deb.debian.org/debian bullseye/main amd64 Packages
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Calculating upgrade... Done
The following packages have been kept back:
python3-ubuntutools ubuntu-dev-tools
The following packages will be DOWNGRADED:
libssl1.1
0 upgraded, 0 newly installed, 1 downgraded, 0 to remove and 2 not upgraded.
Need to get 1,554 kB of archives.
After this operation, 2,048 B of additional disk space will be used.
Do you want to continue? [Y/n]
Get:1 http://deb.debian.org/debian bullseye/main amd64 libssl1.1 amd64 1.1.1j-1 [1,554 kB]
Fetched 1,554 kB in 0s (6,974 kB/s)
Preconfiguring packages ...
dpkg: warning: downgrading libssl1.1:amd64 from 1.1.1j-1+0~20210301.25+debian11~1.gbp2578a0 to 1.1.1j-1
(Reading database ... 307894 files and directories currently installed.)
Preparing to unpack .../libssl1.1_1.1.1j-1_amd64.deb ...
Unpacking libssl1.1:amd64 (1.1.1j-1) over (1.1.1j-1+0~20210301.25+debian11~1.gbp2578a0) ...
Setting up libssl1.1:amd64 (1.1.1j-1) ...
Processing triggers for libc-bin (2.31-9) ...
Yep, right :-) Just tested it, and checked "man apt_preferences".
@sahaqaa See the Candidate: (none), that's the problem and that's why I need to mess with preferences globally. I know it's bad, that's why I asked for more thorough testing.
One thing that's missing is perhaps a mention that if you don't want the preferences file to be installed, you should remove it right after the php-common is upgraded, or right before an empty file should be installed.
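The pin-priority behaviour discussed above (a version pinned below 1000 is never chosen as a downgrade, which is where `Candidate: (none)` comes from), as an added example that is not code from this thread or from apt: a small Python model of the apt_preferences(5) selection rules run over `apt-cache policy` output. It assumes the version table is listed newest first, as `apt-cache policy` prints it; the function names are hypothetical.

```python
import re

# `apt-cache policy` text reconstructed from output quoted in the thread
# (indentation restored). Only the "Pin-Priority: -1" stanzas are active.
ONLY_NEGATIVE_PINS = """\
libssl1.1:
  Installed: 1.1.1j-1+0~20210301.25+debian11~1.gbp2578a0
  Candidate: (none)
  Version table:
 *** 1.1.1j-1+0~20210301.25+debian11~1.gbp2578a0 -1
        500 https://packages.sury.org/php bullseye/main amd64 Packages
        100 /var/lib/dpkg/status
     1.1.1j-1 500
        500 http://deb.debian.org/debian bullseye/main amd64 Packages
"""

# The same system once the distribution's version is also pinned at 1000.
WITH_DISTRO_PIN = (ONLY_NEGATIVE_PINS
                   .replace("Candidate: (none)", "Candidate: 1.1.1j-1")
                   .replace("1.1.1j-1 500", "1.1.1j-1 1000"))

# A second PPA (ondrej/apache2) still offers its own openssl build.
TWO_PPAS = """\
openssl:
  Installed: 1.1.1j-1+ubuntu18.04.1+deb.sury.org+3
  Candidate: 1.1.1j-1+ubuntu18.04.1+deb.sury.org+3
  Version table:
 *** 1.1.1j-1+ubuntu18.04.1+deb.sury.org+3 1000
        500 http://ppa.launchpad.net/ondrej/apache2/ubuntu bionic/main amd64 Packages
        100 /var/lib/dpkg/status
     1.1.1j-1+ubuntu18.04.1+deb.sury.org+3 -1
        500 http://ppa.launchpad.net/ondrej/php/ubuntu bionic/main amd64 Packages
     1.1.1-1ubuntu2.1~18.04.8 1000
        500 http://us.archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu bionic-security/main amd64 Packages
     1.1.0g-2ubuntu4 1000
        500 http://us.archive.ubuntu.com/ubuntu bionic/main amd64 Packages
"""

# A version-table entry: optional "***" marker, version string, pin priority.
VERSION_LINE = re.compile(r"^\s*(?:\*\*\*\s+)?(\S+)\s+(-?\d+)\s*$")


def parse_policy(text):
    """Return (installed, reported_candidate, [(version, priority), ...])."""
    fields, table, in_table = {}, [], False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith(("Installed:", "Candidate:")):
            key, value = stripped.split(":", 1)
            value = value.strip()
            fields[key] = None if value == "(none)" else value
        elif stripped.startswith("Version table:"):
            in_table = True
        elif in_table:
            match = VERSION_LINE.match(line)
            if match:  # source lines ("500 http://...") do not match
                table.append((match.group(1), int(match.group(2))))
    return fields.get("Installed"), fields.get("Candidate"), table


def select_candidate(installed, table):
    """Pick a candidate following the rules in apt_preferences(5)."""
    best, best_prio, passed_installed = None, 0, False
    for version, prio in table:  # newest first
        if version == installed:
            passed_installed = True
        is_downgrade = passed_installed and version != installed
        if prio <= 0 or prio <= best_prio:
            continue  # never installable, or no better than the current best
        if is_downgrade and prio < 1000:
            continue  # a downgrade needs a priority of at least 1000
        best, best_prio = version, prio
    return best


def assess(text):
    """Summarise one package: computed candidate and what apt would do."""
    installed, reported, table = parse_policy(text)
    candidate = select_candidate(installed, table)
    versions = [v for v, _ in table]
    if candidate is None:
        state = "no-candidate"
    elif candidate == installed:
        state = "no-change"
    elif installed in versions and versions.index(candidate) > versions.index(installed):
        state = "downgrade-pending"
    else:
        state = "upgrade-pending"
    return {"installed": installed, "candidate": candidate,
            "reported": reported, "state": state}


if __name__ == "__main__":
    for name, sample in [("only -1 pins", ONLY_NEGATIVE_PINS),
                         ("with 1000 pin", WITH_DISTRO_PIN),
                         ("two PPAs", TWO_PPAS)]:
        print(name, assess(sample))
```

A `no-change` result for a package still installed from a PPA, as in the two-PPA sample, means the pins do not yet cover every origin that ships the package.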
At least we know now about PPA ondrej-apache2 --> it also has openssl packages, and the next lines should be added into "php-common.pref":
Package: openssl
Pin: release o=LP-PPA-ondrej-apache2
Pin-Priority: -1

Package: libssl1.1
Pin: release o=LP-PPA-ondrej-apache2
Pin-Priority: -1

Package: libssl-dev
Pin: release o=LP-PPA-ondrej-apache2
Pin-Priority: -1

Package: libssl-doc
Pin: release o=LP-PPA-ondrej-apache2
Pin-Priority: -1
And text message when installing "ondrej/php-qa" should be edited, with mention of "ppa:ondrej/apache2"
This is area for experimenting with future releases of PHP and future release of packaging.
You need both ppa:ondrej/php and ppa:ondrej/php-qa, e.g.:
Also, when an end user has ppa:ondrej/php and ppa:ondrej/apache2 at the same time --> adding ppa:ondrej/php-qa (php-common.pref) does nothing, as the version from ppa:ondrej/apache2 still has more priority
libssl1.1:
Installed: 1.1.1j-1+ubuntu18.04.1+deb.sury.org+3
Candidate: 1.1.1j-1+ubuntu18.04.1+deb.sury.org+3
Version table:
*** 1.1.1j-1+ubuntu18.04.1+deb.sury.org+3 1000
500 http://ppa.launchpad.net/ondrej/apache2/ubuntu bionic/main amd64 Packages
100 /var/lib/dpkg/status
1.1.1j-1+ubuntu18.04.1+deb.sury.org+3 -1
500 http://ppa.launchpad.net/ondrej/php/ubuntu bionic/main amd64 Packages
1.1.1-1ubuntu2.1~18.04.8 1000
500 http://us.archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages
500 http://security.ubuntu.com/ubuntu bionic-security/main amd64 Packages
1.1.0g-2ubuntu4 1000
500 http://us.archive.ubuntu.com/ubuntu bionic/main amd64 Packages
> Also, when an end user has ppa:ondrej/php and ppa:ondrej/apache2 at the same time --> adding ppa:ondrej/php-qa (php-common.pref) does nothing, as the version from ppa:ondrej/apache2 still has more priority
Good catch!
This in fact needed more tweaking and pin the original priorities to origin Ubuntu (or Debian) (e.g. release o=Ubuntu or release o=Debian) and the n=<codename> needed glob (e.g. n=bionic*).
The updated +8 package should have better preferences rules now.
Could I ask for a retest with today's version?
81+z+0~20210305.6+debian9~1.gbp7518f4
81+z+0~20210305.6+debian10~1.gbp7518f4
81+z+0~20210305.6+debian11~1.gbp7518f4
81+z+ubuntu16.04.1+deb.sury.org+9 (this should not install the preferences file)
81+z+ubuntu18.04.1+deb.sury.org+9
81+z+ubuntu20.04.1+deb.sury.org+9
81+z+ubuntu20.10.1+deb.sury.org+9
Hello,
Tested with Ubuntu 18.04 and 20.04. I had two added (ppa:ondrej/php; ppa:ondrej/apache2).
After I added ppa:ondrej/php-qa I was proposed to downgrade packages, and after "apt upgrade -y":
apt-cache policy libssl1.1
libssl1.1:
Installed: 1.1.1-1ubuntu2.1~18.04.8
Candidate: 1.1.1-1ubuntu2.1~18.04.8
Version table:
1.1.1j-1+ubuntu18.04.1+deb.sury.org+3 -1
500 http://ppa.launchpad.net/ondrej/apache2/ubuntu bionic/main amd64 Packages
1.1.1j-1+ubuntu18.04.1+deb.sury.org+3 -1
500 http://ppa.launchpad.net/ondrej/php/ubuntu bionic/main amd64 Packages
*** 1.1.1-1ubuntu2.1~18.04.8 1000
500 http://us.archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages
500 http://security.ubuntu.com/ubuntu bionic-security/main amd64 Packages
100 /var/lib/dpkg/status
1.1.0g-2ubuntu4 1000
500 http://us.archive.ubuntu.com/ubuntu bionic/main amd64 Packages
apt-cache policy libssl1.1
libssl1.1:
Installed: 1.1.1f-1ubuntu2.2
Candidate: 1.1.1f-1ubuntu2.2
Version table:
1.1.1j-1+ubuntu20.04.1+deb.sury.org+3 -1
500 http://ppa.launchpad.net/ondrej/apache2/ubuntu focal/main amd64 Packages
1.1.1j-1+ubuntu20.04.1+deb.sury.org+3 -1
500 http://ppa.launchpad.net/ondrej/php/ubuntu focal/main amd64 Packages
*** 1.1.1f-1ubuntu2.2 1000
500 http://europe-west4-a.gce.clouds.archive.ubuntu.com/ubuntu focal-updates/main amd64 Packages
500 http://security.ubuntu.com/ubuntu focal-security/main amd64 Packages
100 /var/lib/dpkg/status
1.1.1f-1ubuntu2 1000
500 http://europe-west4-a.gce.clouds.archive.ubuntu.com/ubuntu focal/main amd64 Packages
Output from Ubuntu 18.04 apt policy:
Pinned packages:
openssl -> 1.1.1j-1+ubuntu18.04.1+deb.sury.org+3 with priority -1
openssl -> 1.1.1j-1+ubuntu18.04.1+deb.sury.org+3 with priority -1
openssl -> 1.1.1-1ubuntu2.1~18.04.8 with priority 1000
openssl -> 1.1.0g-2ubuntu4 with priority 1000
libssl-dev -> 1.1.1j-1+ubuntu18.04.1+deb.sury.org+3 with priority -1
libssl-dev -> 1.1.1j-1+ubuntu18.04.1+deb.sury.org+3 with priority -1
libssl-dev -> 1.1.1-1ubuntu2.1~18.04.8 with priority 1000
libssl-dev -> 1.1.0g-2ubuntu4 with priority 1000
libssl-doc -> 1.1.1j-1+ubuntu18.04.1+deb.sury.org+3 with priority -1
libssl-doc -> 1.1.1j-1+ubuntu18.04.1+deb.sury.org+3 with priority -1
libssl-doc -> 1.1.1-1ubuntu2.1~18.04.8 with priority 1000
libssl-doc -> 1.1.0g-2ubuntu4 with priority 1000
libssl1.1 -> 1.1.1j-1+ubuntu18.04.1+deb.sury.org+3 with priority -1
libssl1.1 -> 1.1.1j-1+ubuntu18.04.1+deb.sury.org+3 with priority -1
libssl1.1 -> 1.1.1-1ubuntu2.1~18.04.8 with priority 1000
libssl1.1 -> 1.1.0g-2ubuntu4 with priority 1000
Ubuntu 20.04 apt policy:
Pinned packages:
openssl -> 1.1.1j-1+ubuntu20.04.1+deb.sury.org+3 with priority -1
openssl -> 1.1.1j-1+ubuntu20.04.1+deb.sury.org+3 with priority -1
openssl -> 1.1.1f-1ubuntu2.2 with priority 1000
openssl -> 1.1.1f-1ubuntu2 with priority 1000
libssl-dev -> 1.1.1j-1+ubuntu20.04.1+deb.sury.org+3 with priority -1
libssl-dev -> 1.1.1j-1+ubuntu20.04.1+deb.sury.org+3 with priority -1
libssl-dev -> 1.1.1f-1ubuntu2.2 with priority 1000
libssl-dev -> 1.1.1f-1ubuntu2 with priority 1000
libssl-doc -> 1.1.1j-1+ubuntu20.04.1+deb.sury.org+3 with priority -1
libssl-doc -> 1.1.1j-1+ubuntu20.04.1+deb.sury.org+3 with priority -1
libssl-doc -> 1.1.1f-1ubuntu2.2 with priority 1000
libssl-doc -> 1.1.1f-1ubuntu2 with priority 1000
libssl1.1 -> 1.1.1j-1+ubuntu20.04.1+deb.sury.org+3 with priority -1
libssl1.1 -> 1.1.1j-1+ubuntu20.04.1+deb.sury.org+3 with priority -1
libssl1.1 -> 1.1.1f-1ubuntu2.2 with priority 1000
libssl1.1 -> 1.1.1f-1ubuntu2 with priority 1000
Thanks, that looks correct. I think that the most sane thing to do now is to copy the preferences file to the apache2-data and nginx-common packages, as those repositories have a smaller audience and thus the impact will be more limited.
Probably yes, but there are at least 2 moments to consider:
1) There should be a way to inform end-users about changes beforehand, just in case
2) (I might be wrong here) If end-users have running applications using OpenSSL, after it will be "Downgraded" to distro version -> system reboot might be required, or restarting each application that relies on OpenSSL, so applications / system will use latest OpenSSL binary
> There should be a way to inform end-users about changes beforehand, just in case

If you have apt-listchanges configured correctly, you will be informed via NEWS.Debian file and you would be able to abort the update.
> (I might be wrong here) If end-users have running applications using OpenSSL, after it will be "Downgraded" to distro version -> system reboot might be required, or restarting each application that rely on OpenSSL, so applications / system will use latest OpenSSL binary

It's the same as when upgrading the library. It's ok, the system will keep the old library in memory as long as the process has the library loaded. I don't think this will cause any problems.
Installed the key & repo in Debian 10 Buster.
First apt dist-upgrade upgraded php-common from 2:81+0~20210223.34+debian10~1.gbpf52eb0 to 2:81+z+0~20210305.6+debian10~1.gbp7518f4.
Second apt dist-upgrade downgraded these packages:
libssl1.1 (1.1.1j-1+0~20210301.25+debian10~1.gbp2578a0 => 1.1.1d-0+deb10u5)
openssl (1.1.1j-1+0~20210301.25+debian10~1.gbp2578a0 => 1.1.1d-0+deb10u5)
needrestart reported a lot of services in need of a restart. Did that and a reboot to be on the safe side.
Testing our websites with Apache, PHP-FPM and external connections (via guzzle/curl/wget) works flawlessly.
So thumbs-up and a massive thanks from me!
Can't test salt-ssh though because we switched to the master+minion version of saltstack because of the ssl-problems a long time ago.
FTR the custom apt preferences file has been used in the nginx 1.19.8 update just now. I'll wait a couple of days and continue with apache2 and nginx-stable.
[Go easy on me, I'm a n00b.]
We've been running your PHP 7.4 on Debian 10 buster for the last year and taking your updates to PHP and ssl. My clone has /etc/apt/sources.list.d/php.list pointing to deb https://packages.sury.org/php/ buster main and your "README.txt" adds /etc/apt/sources.list.d/php-qa.list pointing to deb https://packages.sury.org/php-qa/ buster main
I run the commands above, adding --allow-downgrades on the second dist-upgrade
Good news:
# apt policy libssl1.1
libssl1.1:
Installed: 1.1.1d-0+deb10u5
Candidate: 1.1.1d-0+deb10u5
Version table:
1.1.1j-1+0~20210301.25+debian10~1.gbp2578a0 -1
500 https://packages.sury.org/php buster/main amd64 Packages
*** 1.1.1d-0+deb10u5 1000
500 http://security.debian.org buster/updates/main amd64 Packages
100 /var/lib/dpkg/status
1.1.1d-0+deb10u4 1000
500 http://deb.debian.org/debian buster/main amd64 Packages
# dpkg -l '*php8*' | grep ^.i
ii php8.0-common 8.0.3-1+0~20210305.17+debian10~1.gbp899a74 amd64 documentation, examples and common module for PHP
ii php8.0-xml 8.0.3-1+0~20210305.17+debian10~1.gbp899a74 amd64 DOM, SimpleXML, XML, and XSL module for PHP
After I then
# apt install php8.0-cli
# php -v
PHP 8.0.3 (cli) (built: Mar 5 2021 08:38:30) ( NTS )
Looks good to me, thanks guys. As always, your work is greatly appreciated.
FTR A version with the preferences file has been uploaded to apache2 and nginx-stable repositories.
And the last piece of puzzle (php-defaults_82) has been uploaded to both Debian and Ubuntu PHP repositories.
Hm... on frontend proxies things went well (Buster). On stretch app servers not so well...
The following packages were automatically installed and are no longer required:
  libnginx-mod-http-echo nginx-common
Use 'sudo apt autoremove' to remove them.
The following packages will be **REMOVED**:
  nginx nginx-light
The following packages will be DOWNGRADED:
  libssl1.1
0 upgraded, 0 newly installed, 1 downgraded, 2 to remove and 0 not upgraded.
And the other:
The following packages were automatically installed and are no longer required:
  apache2-data libaprutil1-dbd-sqlite3 libaprutil1-ldap libbrotli1 libjansson4 liblua5.2-0 libnginx-mod-http-echo nginx-common ssl-cert
Use 'sudo apt autoremove' to remove them.
The following packages will be **REMOVED**:
  apache2 apache2-bin libapache2-mod-wsgi libapache2-svn nginx-light
The following packages will be DOWNGRADED:
  libssl1.1
0 upgraded, 0 newly installed, 1 downgraded, 5 to remove and 0 not upgraded.

Distributor ID: Debian
Description: Debian GNU/Linux 9.13 (stretch)
Release: 9.13
Codename: stretch
I don't think it makes sense to remove nginx and apache just to downgrade libssl. Both are from deb.sury.org.
@bytesplit It seems like a rebuild was needed. nginx is already rebuilt, but there was some hiccup in re-building apache2 on stretch, but I've cherry-picked the patch, so it should be rebuilt soon.
@bytesplit Should be resolved for amd64, and it will be quickly resolved for the rest of the architectures. Thanks for the quick feedback.
@oerdnj I confirm after another update the dist-upgrade now went smooth. OpenSSL has been downgraded. All services working fine. Thank you!
Debian Stretch here: Downgrade of openssl works, but the php*-mongodb packages got uninstalled.
And installing them doesn't work, they depend on the newer (now uninstalled) version of libssl1.1 ...
php7.4-mongodb : depends on: libssl1.1 (>= 1.1.1) but 1.1.0l-1~deb9u3 should be installed
Suggestions?
I issued rebuild
It works again, Thank you very much.
I'm not sure about that downgrade. When I make a dependency check, I get this:
:~# apt-rdepends libapache2-mod-php7.4
Reading package lists... Done
Building dependency tree
Reading state information... Done
libapache2-mod-php7.4
  Depends: apache2-api-20120211
  Depends: apache2-bin (>= 2.4.16)
  Depends: libargon2-1 (>= 0~20171227)
  Depends: libc6 (>= 2.27)
  Depends: libmagic1
  Depends: libpcre2-8-0 (>= 10.32)
  Depends: libsodium23 (>= 1.0.14)
  Depends: libssl1.1 (>= 1.1.0)
That's not the only dependency. There are more. I'm afraid that I'll break my system with the downgrade. So why mention it to the users that use this repository? For me it sounds dangerous and unnecessary. But maybe I'm wrong, or am I?
This is a placeholder bug to discuss the testing of enforced OpenSSL downgrade to the distribution version.
Here are the more specific instructions:
Ubuntu
add-apt-repository ppa:ondrej/php-qa
apt update && apt -y dist-upgrade && apt -y dist-upgrade
# the last command should downgrade openssl packages
apt-cache policy libssl1.1
Debian
curl -sSL https://packages.sury.org/php-qa/README.txt | bash -x
apt update && apt -y dist-upgrade && apt -y dist-upgrade
# the last command should downgrade openssl packages
apt-cache policy libssl1.1
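
One way to check the result of the final `apt-cache policy libssl1.1` step mechanically, as an added example that is not part of the original issue or the project's tooling: it parses the policy output and reports any third-party build that is still installable or still installed. The sample text is constructed from the Debian 10 output quoted in the thread; the `THIRD_PARTY` list and the negative / 1000 pin thresholds are assumptions taken from the outputs shown above.

```python
import re

# Constructed sample in the real `apt-cache policy` layout; values follow the
# Debian 10 output quoted in the thread.
SAMPLE = """\
libssl1.1:
  Installed: 1.1.1d-0+deb10u5
  Candidate: 1.1.1d-0+deb10u5
  Version table:
     1.1.1j-1+0~20210301.25+debian10~1.gbp2578a0 -1
        500 https://packages.sury.org/php buster/main amd64 Packages
 *** 1.1.1d-0+deb10u5 1000
        500 http://security.debian.org buster/updates/main amd64 Packages
        100 /var/lib/dpkg/status
"""

# Assumption: origins to treat as "not the distribution" (taken from the thread).
THIRD_PARTY = ("packages.sury.org", "ppa.launchpad.net/ondrej")

def parse_policy(text):
    """Return (installed, candidate, {version: (pin, [origins])})."""
    head, table, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"(Installed|Candidate):\s*(\S+)", line)
        if m:
            head[m.group(1)] = m.group(2)
        elif current and re.match(r"^\d+\s+(\S+://|/)", line):
            # Origin line: "<priority> <url-or-path> ..." under a version
            table[current][1].append(line.split()[1])
        else:
            m = re.match(r"^(?:\*\*\*\s+)?(\S+)\s+(-?\d+)$", line)
            if m:  # version line: "[***] <version> <pin priority>"
                current = m.group(1)
                table.setdefault(current, (int(m.group(2)), []))
    return head.get("Installed"), head.get("Candidate"), table

def downgrade_problems(text):
    """List reasons the package is NOT pinned back to the distribution build."""
    installed, candidate, table = parse_policy(text)
    problems = []
    if installed != candidate:
        problems.append(f"installed {installed} != candidate {candidate}")
    for version, (pin, origins) in table.items():
        foreign = [o for o in origins if any(t in o for t in THIRD_PARTY)]
        if foreign and pin >= 0:
            problems.append(f"{version} from {foreign[0]} has pin {pin}, expected negative")
        if version == installed and (foreign or pin < 1000):
            problems.append(f"installed {version} is not a distribution build pinned >= 1000")
    return problems
```

On a live system, pass the text captured from `apt-cache policy libssl1.1 openssl` to `downgrade_problems`; an empty list means the preferences file took effect.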