When sshing to a machine with glibc 2.31 you'll receive the following message:

Connection closed by ...

This is because openssh requires clock_nanosleep & clock_gettime64 added to the sandbox.

https://anongit.mindrot.org/openssh.git/log/?h=V_8_1 has the patches.
https://launchpad.net/ubuntu/+source/openssh/1:8.1p1-5 is what Ubuntu have done.

I can confirm applying the patches allows me to ssh back into my machines.

Reproducible: Always
Sounds pretty serious.
The bug has been closed via the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1aac6323197fdf15ee5d8ace28d31883a2099c9b

commit 1aac6323197fdf15ee5d8ace28d31883a2099c9b
Author:     Patrick McLean <patrick.mclean@sony.com>
AuthorDate: 2020-02-05 01:44:55 +0000
Commit:     Patrick McLean <chutzpah@gentoo.org>
CommitDate: 2020-02-05 01:53:58 +0000

    net-misc/openssh-8.1_p1-r2: revbump, patch for glibc-2.31, HPN 14.20

    Bug: https://bugs.gentoo.org/703016
    Closes: https://bugs.gentoo.org/708224
    Copyright: Sony Interactive Entertainment Inc.
    Package-Manager: Portage-2.3.87, Repoman-2.3.20
    Signed-off-by: Patrick McLean <chutzpah@gentoo.org>

 net-misc/openssh/Manifest                          |   4 +
 .../files/openssh-8.0_p1-hpn-14.20-X509-glue.patch | 111 +++++
 .../files/openssh-8.1_p1-hpn-14.20-glue.patch      | 105 +++++
 .../files/openssh-8.1_p1-hpn-14.20-sctp-glue.patch |  19 +
 .../openssh/files/openssh-8.1_p1-tests-2020.patch  |  26 ++
 net-misc/openssh/openssh-8.1_p1-r2.ebuild          | 467 +++++++++++++++++++++
 6 files changed, 732 insertions(+)
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=71cfbaaa8feb9925ae64b9a689a1859d9bf14862

commit 71cfbaaa8feb9925ae64b9a689a1859d9bf14862
Author:     Andreas K. Hüttel <dilfridge@gentoo.org>
AuthorDate: 2020-04-23 19:27:53 +0000
Commit:     Andreas K. Hüttel <dilfridge@gentoo.org>
CommitDate: 2020-04-23 19:30:54 +0000

    sys-libs/glibc: Block too-old openssh in 2.31 and later, bug 708224

    Bug: https://bugs.gentoo.org/708224
    Package-Manager: Portage-2.3.89, Repoman-2.3.20
    Signed-off-by: Andreas K. Hüttel <dilfridge@gentoo.org>

 sys-libs/glibc/glibc-2.31-r2.ebuild | 3 +++
 sys-libs/glibc/glibc-9999.ebuild    | 3 +++
 2 files changed, 6 insertions(+)
(In reply to Larry the Git Cow from comment #3) ... > sys-libs/glibc: Block too-old openssh in 2.31 and later, bug 708224 The problem is that you need to rebuild openssh (even if it's new enough) after glibc update. So the blocker will not help.
(In reply to Alexander Tsoy from comment #4) > The problem is that you need to rebuild openssh (even if it's new enough) > after glibc update. So the blocker will not help. Right. I was blocked out of my server just now because of that. Oh well... The glibc update to 2.31 should force a rebuild of openssh.
I did a @world upgrade on several machines where it included the glibc upgrade, but the openssh rebuild wasn't necessary; it just worked. Openssh-8.1_p1-r3 was installed in 03/2020.
(In reply to Tomáš Mózes from comment #6) This affects 32-bit arm with relatively new kernel.
(In reply to Alexander Tsoy from comment #7) > (In reply to Tomáš Mózes from comment #6) > This affects 32-bit arm with relatively new kernel. Ok, I tested on amd64.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a3ddee3a0c95e932481d494930a05f6f34938c1e

commit a3ddee3a0c95e932481d494930a05f6f34938c1e
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2020-08-17 14:29:28 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-08-17 14:32:33 +0000

    net-misc/openssh: depend on >=sys-kernel/linux-headers-5.1

    In >=sys-libs/glibc-2.31 we are already forcing an upgrade of
    net-misc/openssh. However, sandbox code in OpenSSH [Link 1] is guarded
    by "#ifdef" so an upgrade of OpenSSH before glibc upgrade won't fix the
    problem if system is using old linux-headers without
    __NR_clock_nanosleep{,_time64}.

    Forcing >=linux-headers-5.1 will ensure that OpenSSH's sandbox supports
    __NR_clock_nanosleep{,_time64} and will therefore work with
    >=glibc-2.31.

    Link 1: https://github.com/openssh/openssh-portable/blob/V_8_3/sandbox-seccomp-filter.c#L252-L257

    Bug: https://bugs.gentoo.org/708224
    Closes: https://bugs.gentoo.org/737604
    Package-Manager: Portage-3.0.2, Repoman-2.3.23
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 .../openssh/{openssh-8.1_p1-r3.ebuild => openssh-8.1_p1-r4.ebuild} | 3 ++-
 .../openssh/{openssh-8.2_p1-r6.ebuild => openssh-8.2_p1-r7.ebuild} | 3 ++-
 .../openssh/{openssh-8.3_p1-r4.ebuild => openssh-8.3_p1-r5.ebuild} | 3 ++-
 3 files changed, 6 insertions(+), 3 deletions(-)
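The "#ifdef" guard that the commit above refers to, and the failure mode described in the original report, can be reproduced outside sshd. The following is an added example written for this page, not OpenSSH's sandbox-seccomp-filter.c and not part of any Gentoo commit: a seccomp-bpf allow-list in the same style, where each syscall is only listed if the build-time linux-headers define its __NR_ macro. It assumes a Linux host where fork() and seccomp are permitted; the syscall set, the 1 ms sleep and the choice to return EPERM instead of killing the process (as OpenSSH does) are this example's own, picked so the result is visible as an exit code. Run with the "old" list, a glibc 2.31 or newer nanosleep() fails with EPERM because it is now issued as clock_nanosleep (or clock_nanosleep_time64 on 32-bit); with the two extra syscalls allowed it succeeds.

```c
/* Added example, not OpenSSH code: a minimal seccomp-bpf allow-list that
 * mirrors the #ifdef __NR_* guards in sandbox-seccomp-filter.c and shows
 * why a filter built without clock_nanosleep{,_time64} breaks once glibc
 * 2.31 routes nanosleep() through those syscalls. Assumes Linux with
 * seccomp available to unprivileged processes. */
#define _GNU_SOURCE
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

enum sleep_result { SLEEP_OK = 0, SLEEP_EPERM = 1, SLEEP_OTHER = 2, SANDBOX_UNAVAILABLE = 3 };

/* Architecture check, as OpenSSH does, so a foreign-ABI syscall is never
 * matched against the wrong syscall numbers. */
#if defined(__x86_64__)
# define SECCOMP_AUDIT_ARCH AUDIT_ARCH_X86_64
#elif defined(__i386__)
# define SECCOMP_AUDIT_ARCH AUDIT_ARCH_I386
#elif defined(__aarch64__)
# define SECCOMP_AUDIT_ARCH AUDIT_ARCH_AARCH64
#elif defined(__arm__)
# define SECCOMP_AUDIT_ARCH AUDIT_ARCH_ARM
#endif

static void emit(struct sock_filter *f, size_t *n, struct sock_filter ins)
{
    f[(*n)++] = ins;
}

/* If the loaded syscall number equals nr, return ALLOW; otherwise fall through. */
static void allow(struct sock_filter *f, size_t *n, unsigned int nr)
{
    emit(f, n, (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, nr, 0, 1));
    emit(f, n, (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW));
}

/* Build and install the filter in the calling process. With
 * allow_clock_nanosleep == 0 the list is what a pre-fix sshd, or one built
 * against headers lacking __NR_clock_nanosleep_time64, ends up with. */
static int install_filter(int allow_clock_nanosleep)
{
    struct sock_filter f[32];
    size_t n = 0;

#ifdef SECCOMP_AUDIT_ARCH
    emit(f, &n, (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)));
    emit(f, &n, (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SECCOMP_AUDIT_ARCH, 1, 0));
    emit(f, &n, (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL));
#endif
    emit(f, &n, (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)));

    allow(f, &n, __NR_exit_group);
    allow(f, &n, __NR_exit);
#ifdef __NR_rt_sigreturn
    allow(f, &n, __NR_rt_sigreturn);
#endif
#ifdef __NR_nanosleep               /* legacy syscall; absent on e.g. aarch64 */
    allow(f, &n, __NR_nanosleep);
#endif
    if (allow_clock_nanosleep) {
#ifdef __NR_clock_nanosleep
        allow(f, &n, __NR_clock_nanosleep);
#endif
#ifdef __NR_clock_nanosleep_time64  /* only defined by linux-headers >= 5.1 */
        allow(f, &n, __NR_clock_nanosleep_time64);
#endif
    }
    /* Default: fail the call with EPERM (OpenSSH kills the process instead). */
    emit(f, &n, (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM));

    struct sock_fprog prog = { .len = (unsigned short)n, .filter = f };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* Fork, sandbox the child, sleep 1 ms inside it, and report the outcome. */
int run_sandboxed_sleep(int allow_clock_nanosleep)
{
    pid_t pid = fork();
    if (pid == -1)
        return SLEEP_OTHER;
    if (pid == 0) {
        if (install_filter(allow_clock_nanosleep) == -1)
            _exit(SANDBOX_UNAVAILABLE);
        struct timespec ts = { 0, 1000000 };
        if (nanosleep(&ts, NULL) == 0)
            _exit(SLEEP_OK);
        _exit(errno == EPERM ? SLEEP_EPERM : SLEEP_OTHER);
    }
    int status;
    if (waitpid(pid, &status, 0) == -1 || !WIFEXITED(status))
        return SLEEP_OTHER;
    return WEXITSTATUS(status);
}

int main(void)
{
    static const char *name[] = { "ok", "EPERM (the bug)", "other failure", "seccomp unavailable" };
    printf("old filter (nanosleep only):               %s\n", name[run_sandboxed_sleep(0)]);
    printf("fixed filter (+clock_nanosleep{,_time64}): %s\n", name[run_sandboxed_sleep(1)]);
    return 0;
}
```

On a glibc 2.31 or newer system the first line prints "EPERM (the bug)" and the second "ok"; on older glibc both print "ok", which is exactly why the breakage only appeared after the glibc upgrade and why the allowed set has to be decided by the headers present when sshd is compiled, not by the running kernel.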
(In reply to Alexander Tsoy from comment #4) > The problem is that you need to rebuild openssh (even if it's new enough) > after glibc update. So the blocker will not help. It turned out that openssh was built against linux-headers-4.19 on my arm system and that was the problem. =/
Does it mean that we want openssh to force linux-headers >= 5.1 on all architectures, which essentially means 5.4, 5.5, 5.6, 5.7 and 5.8 due to the active builds? Asking as sys-kernel/linux-headers still offers 3.18, 4.4, 4.9, 4.14 and 4.19 and it seems this only impacts arm?
Yes, we are forcing recent linux-headers on all openssh users. No, this doesn't just affect arm. And no, this isn't a problem: Even if you stick to LTS kernels older than 5.1 you should use recent linux-headers. Linux-headers and the kernel sources in use don't have to stay in sync. See bug 551248 where this was explained before.