Debian

Debian 10: why are some SSL packages being downgraded?

  • May 6, 2021

I can't find any information about this. Perhaps someone has some insight to share.

apt proposes downgrading some SSL packages.

# apt-get update && apt-get dist-upgrade --assume-yes

Reading package lists... Done
Building dependency tree       
Reading state information... Done
Calculating upgrade... Done
The following packages will be DOWNGRADED:
 libssl-dev libssl1.1 openssl
0 upgraded, 0 newly installed, 3 downgraded, 0 to remove and 0 not upgraded.
E: Packages were downgraded and -y was used without --allow-downgrades.

Why are these packages being downgraded? I didn't initiate anything that would downgrade them. This is just what happens during my routine dist-upgrade.

I assume there is some critical security issue in SSL that can't be fixed quickly and easily, so they downgraded to the latest version that doesn't have the problem. But so far I haven't found any information about anything of the sort.

Additional information

Linux <hostname> 4.19.0-14-amd64 #1 SMP Debian 4.19.171-2 (2021-01-30) x86_64 GNU/Linux

libssl-dev/now 1.1.1j-1+0~20210301.25+debian10~1.gbp2578a0 amd64 [installed,local]
libssl-dev/stable 1.1.1d-0+deb10u5 amd64
libssl-dev/stable 1.1.1d-0+deb10u4 amd64
libssl-dev/stable 1.1.1d-0+deb10u5 i386
libssl-dev/stable 1.1.1d-0+deb10u4 i386

libssl1.1/now 1.1.1j-1+0~20210301.25+debian10~1.gbp2578a0 amd64 [installed,local]
libssl1.1/stable 1.1.1d-0+deb10u5 amd64
libssl1.1/stable 1.1.1d-0+deb10u4 amd64
libssl1.1/stable 1.1.1d-0+deb10u5 i386
libssl1.1/stable 1.1.1d-0+deb10u4 i386

openssl/now 1.1.1j-1+0~20210301.25+debian10~1.gbp2578a0 amd64 [installed,local]
openssl/stable 1.1.1d-0+deb10u5 amd64
openssl/stable 1.1.1d-0+deb10u4 amd64
openssl/stable 1.1.1d-0+deb10u5 i386
openssl/stable 1.1.1d-0+deb10u4 i386

# apt policy libssl-dev libssl1.1 openssl

libssl-dev:
 Installed: 1.1.1j-1+0~20210301.25+debian10~1.gbp2578a0
 Candidate: 1.1.1d-0+deb10u5
 Version table:
*** 1.1.1j-1+0~20210301.25+debian10~1.gbp2578a0 100
       100 /var/lib/dpkg/status
    1.1.1d-0+deb10u5 1000
       500 http://security.debian.org/debian-security buster/updates/main amd64 Packages
    1.1.1d-0+deb10u4 1000
       500 http://ftp.hosteurope.de/mirror/ftp.debian.org/debian buster/main amd64 Packages

libssl1.1:
 Installed: 1.1.1j-1+0~20210301.25+debian10~1.gbp2578a0
 Candidate: 1.1.1d-0+deb10u5
 Version table:
*** 1.1.1j-1+0~20210301.25+debian10~1.gbp2578a0 100
       100 /var/lib/dpkg/status
    1.1.1d-0+deb10u5 1000
       500 http://security.debian.org/debian-security buster/updates/main amd64 Packages
    1.1.1d-0+deb10u4 1000
       500 http://ftp.hosteurope.de/mirror/ftp.debian.org/debian buster/main amd64 Packages

openssl:
 Installed: 1.1.1j-1+0~20210301.25+debian10~1.gbp2578a0
 Candidate: 1.1.1d-0+deb10u5
 Version table:
*** 1.1.1j-1+0~20210301.25+debian10~1.gbp2578a0 100
       100 /var/lib/dpkg/status
    1.1.1d-0+deb10u5 1000
       500 http://security.debian.org/debian-security buster/updates/main amd64 Packages
    1.1.1d-0+deb10u4 1000
       500 http://ftp.hosteurope.de/mirror/ftp.debian.org/debian buster/main amd64 Packages

# apt policy

Package files:
100 /var/lib/dpkg/status
    release a=now
500 https://packages.sury.org/php buster/main i386 Packages
    release o=deb.sury.org,n=buster,c=main,b=i386
    origin packages.sury.org
500 https://packages.sury.org/php buster/main amd64 Packages
    release o=deb.sury.org,n=buster,c=main,b=amd64
    origin packages.sury.org
500 http://ftp.hosteurope.de/mirror/ftp.debian.org/debian buster-updates/non-free i386 Packages
    release o=Debian,a=stable-updates,n=buster-updates,l=Debian,c=non-free,b=i386
    origin ftp.hosteurope.de
500 http://ftp.hosteurope.de/mirror/ftp.debian.org/debian buster-updates/non-free amd64 Packages
    release o=Debian,a=stable-updates,n=buster-updates,l=Debian,c=non-free,b=amd64
    origin ftp.hosteurope.de
500 http://ftp.hosteurope.de/mirror/ftp.debian.org/debian buster-updates/main i386 Packages
    release o=Debian,a=stable-updates,n=buster-updates,l=Debian,c=main,b=i386
    origin ftp.hosteurope.de
500 http://ftp.hosteurope.de/mirror/ftp.debian.org/debian buster-updates/main amd64 Packages
    release o=Debian,a=stable-updates,n=buster-updates,l=Debian,c=main,b=amd64
    origin ftp.hosteurope.de
500 http://security.debian.org/debian-security buster/updates/non-free i386 Packages
    release v=10,o=Debian,a=stable,n=buster,l=Debian-Security,c=non-free,b=i386
    origin security.debian.org
500 http://security.debian.org/debian-security buster/updates/non-free amd64 Packages
    release v=10,o=Debian,a=stable,n=buster,l=Debian-Security,c=non-free,b=amd64
    origin security.debian.org
500 http://security.debian.org/debian-security buster/updates/main i386 Packages
    release v=10,o=Debian,a=stable,n=buster,l=Debian-Security,c=main,b=i386
    origin security.debian.org
500 http://security.debian.org/debian-security buster/updates/main amd64 Packages
    release v=10,o=Debian,a=stable,n=buster,l=Debian-Security,c=main,b=amd64
    origin security.debian.org
500 http://ftp.hosteurope.de/mirror/ftp.debian.org/debian buster/contrib i386 Packages
    release v=10.8,o=Debian,a=stable,n=buster,l=Debian,c=contrib,b=i386
    origin ftp.hosteurope.de
500 http://ftp.hosteurope.de/mirror/ftp.debian.org/debian buster/contrib amd64 Packages
    release v=10.8,o=Debian,a=stable,n=buster,l=Debian,c=contrib,b=amd64
    origin ftp.hosteurope.de
500 http://ftp.hosteurope.de/mirror/ftp.debian.org/debian buster/non-free i386 Packages
    release v=10.8,o=Debian,a=stable,n=buster,l=Debian,c=non-free,b=i386
    origin ftp.hosteurope.de
500 http://ftp.hosteurope.de/mirror/ftp.debian.org/debian buster/non-free amd64 Packages
    release v=10.8,o=Debian,a=stable,n=buster,l=Debian,c=non-free,b=amd64
    origin ftp.hosteurope.de
500 http://ftp.hosteurope.de/mirror/ftp.debian.org/debian buster/main i386 Packages
    release v=10.8,o=Debian,a=stable,n=buster,l=Debian,c=main,b=i386
    origin ftp.hosteurope.de
500 http://ftp.hosteurope.de/mirror/ftp.debian.org/debian buster/main amd64 Packages
    release v=10.8,o=Debian,a=stable,n=buster,l=Debian,c=main,b=amd64
    origin ftp.hosteurope.de
Pinned packages:
    openssl -> 1.1.1d-0+deb10u5 with priority 1000
    openssl -> 1.1.1d-0+deb10u4 with priority 1000
    libssl-dev -> 1.1.1d-0+deb10u5 with priority 1000
    libssl-dev -> 1.1.1d-0+deb10u4 with priority 1000
    libssl-doc -> 1.1.1d-0+deb10u5 with priority 1000
    libssl-doc -> 1.1.1d-0+deb10u4 with priority 1000
    libssl1.1 -> 1.1.1d-0+deb10u5 with priority 1000
    libssl1.1 -> 1.1.1d-0+deb10u4 with priority 1000

Solution

Based on @Louis Thompson's answer…

The currently installed packages were in fact provided by the unofficial PHP repository maintained by Ondřej Surý.

https://packages.sury.org/php/ https://packages.sury.org/php/dists/buster/main/debian-installer/binary-amd64/Packages

To stay with my plain Debian installation, I downgraded these packages. So far my PHP installation and the PHP applications that use SSL functionality all work fine.

Update

Thanks to @William Turrell. I installed apt-listchanges to get information about future changes. That will make things a lot easier.

https://www.debian.org/security/2021/dsa-4855

This, together with the other package information about openssl in Debian Buster, indicates that 1.1.1d is the current stable version. It looks like you got 1.1.1j (gbp2578a0) from somewhere else, and it doesn't have this important security patch.

Louis Thompson's answer explains what the 1.1.1d-0+deb10u5 version corresponds to, and why you should accept the downgrade. But it doesn't address your question: "Why are these packages being downgraded? I didn't initiate anything that would downgrade them."

apt knows nothing about the contents of packages; it doesn't know that 1.1.1d-0+deb10u5 fixes a security vulnerability, nor whether the currently installed version is affected by it. apt offers to downgrade the packages because it has been configured to do so. By default, apt never offers to downgrade packages; in fact, Debian doesn't support downgrades. In your case,

libssl-dev:
 Installed: 1.1.1j-1+0~20210301.25+debian10~1.gbp2578a0
 Candidate: 1.1.1d-0+deb10u5
 Version table:
*** 1.1.1j-1+0~20210301.25+debian10~1.gbp2578a0 100
       100 /var/lib/dpkg/status
    1.1.1d-0+deb10u5 1000
       500 http://security.debian.org/debian-security buster/updates/main amd64 Packages
    1.1.1d-0+deb10u4 1000
       500 http://ftp.hosteurope.de/mirror/ftp.debian.org/debian buster/main amd64 Packages

shows that you have a non-default pin priority on the OpenSSL packages, namely 1000 (1.1.1d-0+deb10u5 1000). This is confirmed by apt policy:

Pinned packages:
    openssl -> 1.1.1d-0+deb10u5 with priority 1000
    openssl -> 1.1.1d-0+deb10u4 with priority 1000
    libssl-dev -> 1.1.1d-0+deb10u5 with priority 1000
    libssl-dev -> 1.1.1d-0+deb10u4 with priority 1000
    libssl-doc -> 1.1.1d-0+deb10u5 with priority 1000
    libssl-doc -> 1.1.1d-0+deb10u4 with priority 1000
    libssl1.1 -> 1.1.1d-0+deb10u5 with priority 1000
    libssl1.1 -> 1.1.1d-0+deb10u4 with priority 1000

As described in man apt_preferences, this means that apt will consider downgrading such packages; since your currently installed version has a lower pin priority, apt will downgrade it to the target version.

The fact that the target package (1.1.1d-0+deb10u5) is the latest version in the Debian 10 repositories is irrelevant here. Only the pin priority matters for the downgrade.
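An added example (not code from the question or either answer) that parses the apt policy output quoted above and applies the apt_preferences(5) candidate rule the answer describes. It assumes apt lists versions newest first, as it does, so list position stands in for dpkg version ordering; it also shows that the same table with Debian's default priority of 500 instead of the 1000 pin would keep the installed 1.1.1j package.

```python
import re

# `apt policy libssl-dev` output quoted in the question (constructed sample, one package).
SAMPLE_POLICY = """\
libssl-dev:
 Installed: 1.1.1j-1+0~20210301.25+debian10~1.gbp2578a0
 Candidate: 1.1.1d-0+deb10u5
 Version table:
*** 1.1.1j-1+0~20210301.25+debian10~1.gbp2578a0 100
       100 /var/lib/dpkg/status
    1.1.1d-0+deb10u5 1000
       500 http://security.debian.org/debian-security buster/updates/main amd64 Packages
    1.1.1d-0+deb10u4 1000
       500 http://ftp.hosteurope.de/mirror/ftp.debian.org/debian buster/main amd64 Packages
"""

VERSION_RE = re.compile(r'^(\*\*\*)?\s*(\S+)\s+(-?\d+)$')  # "*** <version> <pin>"
SOURCE_RE = re.compile(r'^\s+(-?\d+)\s+(\S+)')            # "   <prio> <origin>"

def parse_policy(text):
    """Version table as a list of dicts in apt's own order (newest version
    first), so the list index stands in for dpkg version ordering."""
    versions = []
    for line in text.splitlines():
        m = VERSION_RE.match(line)
        if m:
            versions.append({'version': m.group(2), 'pin': int(m.group(3)),
                             'installed': m.group(1) is not None, 'sources': []})
        elif versions and (s := SOURCE_RE.match(line)):
            versions[-1]['sources'].append(s.group(2))
    return versions

def explain(text):
    """Model of the apt_preferences(5) candidate rule: the highest pin wins, ties
    go to the newest version, and a version older than the installed one is only
    eligible with a pin of 1000 or more. Returns 'keep', 'upgrade' or 'downgrade'."""
    versions = parse_policy(text)
    inst = next((i for i, v in enumerate(versions) if v['installed']), None)
    best = None
    for i, v in enumerate(versions):
        if v['pin'] < 0 or (inst is not None and i > inst and v['pin'] < 1000):
            continue  # not installable, or a downgrade without a 1000+ pin
        if best is None or v['pin'] > versions[best]['pin']:
            best = i
    if best is None or best == inst:
        action = 'keep'
    else:
        action = 'upgrade' if inst is None or best < inst else 'downgrade'
    c = versions[best] if best is not None else {'version': None, 'pin': None, 'sources': []}
    return {'action': action, 'candidate': c['version'], 'pin': c['pin'], 'sources': c['sources']}
```

Running explain(SAMPLE_POLICY) reports a downgrade to 1.1.1d-0+deb10u5 from security.debian.org driven by the 1000 pin, while the same table with 500 in place of 1000 keeps the installed version.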

Source: https://unix.stackexchange.com/questions/639180