
I cannot find any information about it. Maybe someone has some insights to share.

apt suggests downgrading some SSL packages.

# apt-get update && apt-get dist-upgrade --assume-yes

Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
The following packages will be DOWNGRADED:
  libssl-dev libssl1.1 openssl
0 upgraded, 0 newly installed, 3 downgraded, 0 to remove and 0 not upgraded.
E: Packages were downgraded and -y was used without --allow-downgrades.

Why would these packages be downgraded? I didn't initiate anything to downgrade them. It's just what happened during my regular daily dist-upgrade.

I assume there's some critical security issue in SSL they cannot fix fast and easily. So they downgrade to the latest version without that issue. But currently I didn't find any information about such a thing.

Additional info

Linux <hostname> 4.19.0-14-amd64 #1 SMP Debian 4.19.171-2 (2021-01-30) x86_64 GNU/Linux

libssl-dev/now 1.1.1j-1+0~20210301.25+debian10~1.gbp2578a0 amd64 [installed,local]
libssl-dev/stable 1.1.1d-0+deb10u5 amd64
libssl-dev/stable 1.1.1d-0+deb10u4 amd64
libssl-dev/stable 1.1.1d-0+deb10u5 i386
libssl-dev/stable 1.1.1d-0+deb10u4 i386

libssl1.1/now 1.1.1j-1+0~20210301.25+debian10~1.gbp2578a0 amd64 [installed,local]
libssl1.1/stable 1.1.1d-0+deb10u5 amd64
libssl1.1/stable 1.1.1d-0+deb10u4 amd64
libssl1.1/stable 1.1.1d-0+deb10u5 i386
libssl1.1/stable 1.1.1d-0+deb10u4 i386

openssl/now 1.1.1j-1+0~20210301.25+debian10~1.gbp2578a0 amd64 [installed,local]
openssl/stable 1.1.1d-0+deb10u5 amd64
openssl/stable 1.1.1d-0+deb10u4 amd64
openssl/stable 1.1.1d-0+deb10u5 i386
openssl/stable 1.1.1d-0+deb10u4 i386

# apt policy libssl-dev libssl1.1 openssl

libssl-dev:
  Installed: 1.1.1j-1+0~20210301.25+debian10~1.gbp2578a0
  Candidate: 1.1.1d-0+deb10u5
  Version table:
 *** 1.1.1j-1+0~20210301.25+debian10~1.gbp2578a0 100
        100 /var/lib/dpkg/status
     1.1.1d-0+deb10u5 1000
        500 http://security.debian.org/debian-security buster/updates/main amd64 Packages
     1.1.1d-0+deb10u4 1000
        500 http://ftp.hosteurope.de/mirror/ftp.debian.org/debian buster/main amd64 Packages

libssl1.1:
  Installed: 1.1.1j-1+0~20210301.25+debian10~1.gbp2578a0
  Candidate: 1.1.1d-0+deb10u5
  Version table:
 *** 1.1.1j-1+0~20210301.25+debian10~1.gbp2578a0 100
        100 /var/lib/dpkg/status
     1.1.1d-0+deb10u5 1000
        500 http://security.debian.org/debian-security buster/updates/main amd64 Packages
     1.1.1d-0+deb10u4 1000
        500 http://ftp.hosteurope.de/mirror/ftp.debian.org/debian buster/main amd64 Packages

openssl:
  Installed: 1.1.1j-1+0~20210301.25+debian10~1.gbp2578a0
  Candidate: 1.1.1d-0+deb10u5
  Version table:
 *** 1.1.1j-1+0~20210301.25+debian10~1.gbp2578a0 100
        100 /var/lib/dpkg/status
     1.1.1d-0+deb10u5 1000
        500 http://security.debian.org/debian-security buster/updates/main amd64 Packages
     1.1.1d-0+deb10u4 1000
        500 http://ftp.hosteurope.de/mirror/ftp.debian.org/debian buster/main amd64 Packages

# apt policy

Package files:
 100 /var/lib/dpkg/status
     release a=now
 500 https://packages.sury.org/php buster/main i386 Packages
     release o=deb.sury.org,n=buster,c=main,b=i386
     origin packages.sury.org
 500 https://packages.sury.org/php buster/main amd64 Packages
     release o=deb.sury.org,n=buster,c=main,b=amd64
     origin packages.sury.org
 500 http://ftp.hosteurope.de/mirror/ftp.debian.org/debian buster-updates/non-free i386 Packages
     release o=Debian,a=stable-updates,n=buster-updates,l=Debian,c=non-free,b=i386
     origin ftp.hosteurope.de
 500 http://ftp.hosteurope.de/mirror/ftp.debian.org/debian buster-updates/non-free amd64 Packages
     release o=Debian,a=stable-updates,n=buster-updates,l=Debian,c=non-free,b=amd64
     origin ftp.hosteurope.de
 500 http://ftp.hosteurope.de/mirror/ftp.debian.org/debian buster-updates/main i386 Packages
     release o=Debian,a=stable-updates,n=buster-updates,l=Debian,c=main,b=i386
     origin ftp.hosteurope.de
 500 http://ftp.hosteurope.de/mirror/ftp.debian.org/debian buster-updates/main amd64 Packages
     release o=Debian,a=stable-updates,n=buster-updates,l=Debian,c=main,b=amd64
     origin ftp.hosteurope.de
 500 http://security.debian.org/debian-security buster/updates/non-free i386 Packages
     release v=10,o=Debian,a=stable,n=buster,l=Debian-Security,c=non-free,b=i386
     origin security.debian.org
 500 http://security.debian.org/debian-security buster/updates/non-free amd64 Packages
     release v=10,o=Debian,a=stable,n=buster,l=Debian-Security,c=non-free,b=amd64
     origin security.debian.org
 500 http://security.debian.org/debian-security buster/updates/main i386 Packages
     release v=10,o=Debian,a=stable,n=buster,l=Debian-Security,c=main,b=i386
     origin security.debian.org
 500 http://security.debian.org/debian-security buster/updates/main amd64 Packages
     release v=10,o=Debian,a=stable,n=buster,l=Debian-Security,c=main,b=amd64
     origin security.debian.org
 500 http://ftp.hosteurope.de/mirror/ftp.debian.org/debian buster/contrib i386 Packages
     release v=10.8,o=Debian,a=stable,n=buster,l=Debian,c=contrib,b=i386
     origin ftp.hosteurope.de
 500 http://ftp.hosteurope.de/mirror/ftp.debian.org/debian buster/contrib amd64 Packages
     release v=10.8,o=Debian,a=stable,n=buster,l=Debian,c=contrib,b=amd64
     origin ftp.hosteurope.de
 500 http://ftp.hosteurope.de/mirror/ftp.debian.org/debian buster/non-free i386 Packages
     release v=10.8,o=Debian,a=stable,n=buster,l=Debian,c=non-free,b=i386
     origin ftp.hosteurope.de
 500 http://ftp.hosteurope.de/mirror/ftp.debian.org/debian buster/non-free amd64 Packages
     release v=10.8,o=Debian,a=stable,n=buster,l=Debian,c=non-free,b=amd64
     origin ftp.hosteurope.de
 500 http://ftp.hosteurope.de/mirror/ftp.debian.org/debian buster/main i386 Packages
     release v=10.8,o=Debian,a=stable,n=buster,l=Debian,c=main,b=i386
     origin ftp.hosteurope.de
 500 http://ftp.hosteurope.de/mirror/ftp.debian.org/debian buster/main amd64 Packages
     release v=10.8,o=Debian,a=stable,n=buster,l=Debian,c=main,b=amd64
     origin ftp.hosteurope.de
Pinned packages:
     openssl -> 1.1.1d-0+deb10u5 with priority 1000
     openssl -> 1.1.1d-0+deb10u4 with priority 1000
     libssl-dev -> 1.1.1d-0+deb10u5 with priority 1000
     libssl-dev -> 1.1.1d-0+deb10u4 with priority 1000
     libssl-doc -> 1.1.1d-0+deb10u5 with priority 1000
     libssl-doc -> 1.1.1d-0+deb10u4 with priority 1000
     libssl1.1 -> 1.1.1d-0+deb10u5 with priority 1000
     libssl1.1 -> 1.1.1d-0+deb10u4 with priority 1000

Solution

Based on the answer of @Louis Thompson ...

The currently installed packages are in fact provided by the unofficial PHP repository maintained by Ondřej Surý.

https://packages.sury.org/php/ https://packages.sury.org/php/dists/buster/main/debian-installer/binary-amd64/Packages

To stay in line with my Debian installation I downgraded these packages. By now everything works fine with my PHP installation and my PHP applications which are using SSL functionality.

Update

Thanks to @William Turrell. I installed apt-listchanges to get information about such changes in the future. It would've made things a lot easier.

  • @codekandis the various apt upgrade variants are described here. – Stephen Kitt Mar 14 '21 at 18:10
    @Philip more restrictive dependencies would only be applied when upgrading the package that introduces them; here only the three downgraded packages appear in the apt output, nothing else is changing. In any case the default repositories would never force a downgrade, and apt would never consider one by default; it would refuse the corresponding upgrade (downgrades aren’t supported). – Stephen Kitt Mar 14 '21 at 18:26

3 Answers


https://www.debian.org/security/2021/dsa-4855

This, and other package information about openssl in Debian Buster, indicates that 1.1.1d is the current stable version. It looks like you've acquired 1.1.1j from elsewhere (gbp2578a0), and it doesn't have this important security patch.

  • Glad you mentioned that. I searched for gbp2578a0. And in fact the first search results point to Ondřej Surý, who maintains the unofficial PHP PPA at launchpad. And I'm using that one. I made the downgrade. – codekandis Mar 14 '21 at 17:22
  • This however doesn’t explain why the downgrade was offered. You’re now using the latest version from the Debian 10 repositories, yes, but the fact that apt wanted to downgrade is still somewhat surprising. – Stephen Kitt Mar 14 '21 at 18:04
  • apt is saying that the Debian repository has no 1.1.1j, therefore has no Feb 2021 security patch for 1.1.1j, therefore the user should downgrade to 1.1.1d which has a brand new security patch for the problem discussed in the recent CVE alert – Louis Thompson Mar 14 '21 at 18:10
  • @Louis no, apt doesn’t know that 1.1.1d is a security release, or that 1.1.1j is missing a security patch. – Stephen Kitt Mar 14 '21 at 18:11
  • @Stephen 1.1.1d-0+deb10u5 is in http://security.debian.org/debian-security and it knows nothing about the 1.1.1j from an external repository – Louis Thompson Mar 14 '21 at 18:13
  • @Louis yes, and that’s significant for humans, but not for apt. Downgrades aren’t supported, so apt will never try them unless configured to do so, which it isn’t by default, even if the currently-installed version comes from somewhere apt no longer knows about. – Stephen Kitt Mar 14 '21 at 18:15

Louis Thompson’s answer explains what the 1.1.1d-0+deb10u5 version corresponds to, and why you should accept the downgrade. But it doesn’t address your question: “Why this packages would be downgraded? I didn't initiated anything to downgrade them.”

apt doesn’t know anything about the contents of the packages, and it doesn’t know that 1.1.1d-0+deb10u5 fixes a security vulnerability, nor does it know whether or not the currently-installed version suffers from that vulnerability. apt is offering to downgrade the packages because it’s been configured to do so. By default, apt will never offer to downgrade packages, and in fact, downgrades aren’t supported in Debian. In your case,

libssl-dev:
  Installed: 1.1.1j-1+0~20210301.25+debian10~1.gbp2578a0
  Candidate: 1.1.1d-0+deb10u5
  Version table:
 *** 1.1.1j-1+0~20210301.25+debian10~1.gbp2578a0 100
        100 /var/lib/dpkg/status
     1.1.1d-0+deb10u5 1000
        500 http://security.debian.org/debian-security buster/updates/main amd64 Packages
     1.1.1d-0+deb10u4 1000
        500 http://ftp.hosteurope.de/mirror/ftp.debian.org/debian buster/main amd64 Packages

shows that you have non-default pin-priorities for the OpenSSL packages, specifically 1000 (1.1.1d-0+deb10u5 1000). This is confirmed by apt policy:

Pinned packages:
     openssl -> 1.1.1d-0+deb10u5 with priority 1000
     openssl -> 1.1.1d-0+deb10u4 with priority 1000
     libssl-dev -> 1.1.1d-0+deb10u5 with priority 1000
     libssl-dev -> 1.1.1d-0+deb10u4 with priority 1000
     libssl-doc -> 1.1.1d-0+deb10u5 with priority 1000
     libssl-doc -> 1.1.1d-0+deb10u4 with priority 1000
     libssl1.1 -> 1.1.1d-0+deb10u5 with priority 1000
     libssl1.1 -> 1.1.1d-0+deb10u4 with priority 1000

As explained in man apt_preferences, this means that apt will consider downgrading such packages; since your currently-installed version has a lower pin-priority, apt will downgrade it to the target version.

The fact that the target package (1.1.1d-0+deb10u5) is the latest version in the Debian 10 repositories doesn’t have anything to do with this. Only the pin-priorities matter for a downgrade.

  • Ahh ... Thank you for explaining the priorities and their shown values. – codekandis Mar 14 '21 at 18:13
  • The apt output is ambiguous. It says 3 packages downgraded and lists them, then it says "E: Packages were downgraded and -y was used without --allow-downgrades." contradicting the previous lines. I assumed this means the downgrades didn't happen - but ambiguous. The policy output also indicates that 1.1.1j is still installed, not downgraded – Louis Thompson Mar 17 '21 at 22:09
  • @Louis no, the apt output isn’t ambiguous, it’s poorly-phrased. apt always lists everything it’s going to do; here it intended to downgrade three packages, and only that. But downgrading requires extra confirmation, -y on its own isn’t enough, so it aborted the downgrade. The apt policy output does indeed show that 1.1.1j is installed (at the time apt policy was run), but the candidate versions are 1.1.1d which reflects what apt wants to do. – Stephen Kitt Mar 18 '21 at 06:26
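To see how the pin priorities above turn into a downgrade decision, here is an added example (not code from this thread or from apt itself) that models the candidate-selection rules of apt_preferences(5) together with dpkg's version ordering from deb-version(7), fed with the versions from the apt policy output. It assumes the installed version carries priority 100 from /var/lib/dpkg/status, as shown above, and that the version lists given to it contain only the non-installed versions.

```python
# Added example (not code from the thread): the candidate rules of apt_preferences(5)
# modelled in Python, with dpkg's version ordering from deb-version(7).
def _order(c: str) -> int:
    # weight of a character in a non-digit run: '~' < end of string < letters < others
    if c.isdigit(): return 0
    if c.isalpha(): return ord(c)
    return -1 if c == "~" else (ord(c) + 256 if c else 0)

def _fragcmp(a: str, b: str) -> int:
    # dpkg's verrevcmp(): alternate non-digit runs and numeric runs, left to right
    while a or b:
        while (a and not a[0].isdigit()) or (b and not b[0].isdigit()):
            ac, bc = _order(a[:1]), _order(b[:1])
            if ac != bc: return ac - bc
            a, b = a[1:], b[1:]
        a, b = a.lstrip("0"), b.lstrip("0")
        first_diff = 0
        while a[:1].isdigit() and b[:1].isdigit():
            first_diff = first_diff or ord(a[0]) - ord(b[0])
            a, b = a[1:], b[1:]
        if a[:1].isdigit() or b[:1].isdigit():  # the longer digit run is the bigger number
            return 1 if a[:1].isdigit() else -1
        if first_diff: return first_diff
    return 0

def dpkg_cmp(v1: str, v2: str) -> int:
    # compare '[epoch:]upstream[-revision]'; negative means v1 is the older version
    def split(v):
        epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
        upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
        return int(epoch), upstream, revision
    e1, u1, r1 = split(v1)
    e2, u2, r2 = split(v2)
    return (e1 - e2) or _fragcmp(u1, u2) or _fragcmp(r1, r2)

def candidate(installed: str, available: list, installed_prio: int = 100) -> str:
    # highest pin priority wins, ties go to the newer version, and a version older than the
    # installed one is only eligible at priority >= 1000; installed is assumed at 100 (status file)
    best, best_prio = installed, installed_prio
    for ver, prio in available:
        if prio < 0 or (dpkg_cmp(ver, installed) < 0 and prio < 1000):
            continue
        if prio > best_prio or (prio == best_prio and dpkg_cmp(ver, best) > 0):
            best, best_prio = ver, prio
    return best

# constructed from the question's apt policy output for libssl1.1
INSTALLED = "1.1.1j-1+0~20210301.25+debian10~1.gbp2578a0"
PINNED_1000 = [("1.1.1d-0+deb10u5", 1000), ("1.1.1d-0+deb10u4", 1000)]  # with the pin file
DEFAULT_500 = [(v, 500) for v, _ in PINNED_1000]                        # archive default, no pin
```

With the pin at 1000 the candidate becomes 1.1.1d-0+deb10u5 (the downgrade apt announced); at the archive default of 500, or even at 990, the installed 1.1.1j stays the candidate.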

Here (further to the other answers, can't fit this in a comment unfortunately) is the explanation from Ondřej Surý, who runs https://deb.sury.org:

php-defaults (82) unstable; urgency=medium
  • The custom src:openssl packages were introduced to upgrade the cryptographic functions for PHP, Apache2 and NGINX, but the situation has improved greatly since. Ubuntu 16.04 LTS will reach end-of-life in April 2021 and it was the last distribution using OpenSSL 1.0.2. Debian 9 Stretch LTS will reach end-of-life in June 2022 and it is using OpenSSL 1.1.0 (which just means TLS 1.3).

  • The php-common package now introduces custom apt_preferences configuration in /etc/apt/preferences.d/php-common.pref that should enforce downgrade of the src:openssl packages to the OpenSSL version provided by the distribution. After this version of php-common is installed, the next manual apt-get dist-upgrade run will downgrade the OpenSSL version, but you are advised to check this manually if the downgrade has happened.

-- Ondřej Surý <ondrej@debian.org> Thu, 04 Mar 2021 11:08:54 +0100

(You'll get this on screen or by email if you've installed apt-listchanges)

  • I upvoted too fast for my old SQL Server. In fact it works, but it must not be done blindly with an old SQL Server. It throws: "Microsoft ODBC Driver 17 for SQL Server : SSL Provider ssl_choose_client_version:unsupported protocol". I don't know yet if only the modification of openssl.cnf (MinProtocol = TLSv1.0 and CipherString=DEFAULT@SECLEVEL=1) is enough to fix it or if the version of the lib has to be modified too. – phili_b Jun 04 '21 at 15:59
  • I've changed the lib too and it works now: wget http://archive.ubuntu.com/ubuntu/pool/main/o/openssl/libssl1.1_1.1.1-1ubuntu2.1~18.04.9_amd64.deb and sudo dpkg -i libssl1.1_1.1.1-1ubuntu2.1~18.04.9_amd64.deb . – phili_b Jun 04 '21 at 18:07