我找不到任何有关它的信息。可能有人有一些见解可以分享。
apt 建议降级一些 SSL 软件包。
# apt-get update && apt-get dist-upgrade --assume-yes
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
The following packages will be DOWNGRADED:
libssl-dev libssl1.1 openssl
0 upgraded, 0 newly installed, 3 downgraded, 0 to remove and 0 not upgraded.
E: Packages were downgraded and -y was used without --allow-downgrades.
为什么这个包会被降级?我没有发起任何降级它们的事情。这正是我日常的分布式升级期间发生的事情。
我认为 SSL 中存在一些关键的安全问题,他们无法快速轻松地修复。因此他们降级到最新版本没有这个问题。但目前我没有找到任何有关此类事情的信息。
附加信息
Linux <hostname> 4.19.0-14-amd64 #1 SMP Debian 4.19.171-2 (2021-01-30) x86_64 GNU/Linux
libssl-dev/now 1.1.1j-1+0~20210301.25+debian10~1.gbp2578a0 amd64 [installed,local]
libssl-dev/stable 1.1.1d-0+deb10u5 amd64
libssl-dev/stable 1.1.1d-0+deb10u4 amd64
libssl-dev/stable 1.1.1d-0+deb10u5 i386
libssl-dev/stable 1.1.1d-0+deb10u4 i386
libssl1.1/now 1.1.1j-1+0~20210301.25+debian10~1.gbp2578a0 amd64 [installed,local]
libssl1.1/stable 1.1.1d-0+deb10u5 amd64
libssl1.1/stable 1.1.1d-0+deb10u4 amd64
libssl1.1/stable 1.1.1d-0+deb10u5 i386
libssl1.1/stable 1.1.1d-0+deb10u4 i386
openssl/now 1.1.1j-1+0~20210301.25+debian10~1.gbp2578a0 amd64 [installed,local]
openssl/stable 1.1.1d-0+deb10u5 amd64
openssl/stable 1.1.1d-0+deb10u4 amd64
openssl/stable 1.1.1d-0+deb10u5 i386
openssl/stable 1.1.1d-0+deb10u4 i386
# apt policy libssl-dev libssl1.1 openssl
libssl-dev:
Installed: 1.1.1j-1+0~20210301.25+debian10~1.gbp2578a0
Candidate: 1.1.1d-0+deb10u5
Version table:
*** 1.1.1j-1+0~20210301.25+debian10~1.gbp2578a0 100
100 /var/lib/dpkg/status
1.1.1d-0+deb10u5 1000
500 http://security.debian.org/debian-security buster/updates/main amd64 Packages
1.1.1d-0+deb10u4 1000
500 http://ftp.hosteurope.de/mirror/ftp.debian.org/debian buster/main amd64 Packages
libssl1.1:
Installed: 1.1.1j-1+0~20210301.25+debian10~1.gbp2578a0
Candidate: 1.1.1d-0+deb10u5
Version table:
*** 1.1.1j-1+0~20210301.25+debian10~1.gbp2578a0 100
100 /var/lib/dpkg/status
1.1.1d-0+deb10u5 1000
500 http://security.debian.org/debian-security buster/updates/main amd64 Packages
1.1.1d-0+deb10u4 1000
500 http://ftp.hosteurope.de/mirror/ftp.debian.org/debian buster/main amd64 Packages
openssl:
Installed: 1.1.1j-1+0~20210301.25+debian10~1.gbp2578a0
Candidate: 1.1.1d-0+deb10u5
Version table:
*** 1.1.1j-1+0~20210301.25+debian10~1.gbp2578a0 100
100 /var/lib/dpkg/status
1.1.1d-0+deb10u5 1000
500 http://security.debian.org/debian-security buster/updates/main amd64 Packages
1.1.1d-0+deb10u4 1000
500 http://ftp.hosteurope.de/mirror/ftp.debian.org/debian buster/main amd64 Packages
# apt policy
Package files:
100 /var/lib/dpkg/status
release a=now
500 https://packages.sury.org/php buster/main i386 Packages
release o=deb.sury.org,n=buster,c=main,b=i386
origin packages.sury.org
500 https://packages.sury.org/php buster/main amd64 Packages
release o=deb.sury.org,n=buster,c=main,b=amd64
origin packages.sury.org
500 http://ftp.hosteurope.de/mirror/ftp.debian.org/debian buster-updates/non-free i386 Packages
release o=Debian,a=stable-updates,n=buster-updates,l=Debian,c=non-free,b=i386
origin ftp.hosteurope.de
500 http://ftp.hosteurope.de/mirror/ftp.debian.org/debian buster-updates/non-free amd64 Packages
release o=Debian,a=stable-updates,n=buster-updates,l=Debian,c=non-free,b=amd64
origin ftp.hosteurope.de
500 http://ftp.hosteurope.de/mirror/ftp.debian.org/debian buster-updates/main i386 Packages
release o=Debian,a=stable-updates,n=buster-updates,l=Debian,c=main,b=i386
origin ftp.hosteurope.de
500 http://ftp.hosteurope.de/mirror/ftp.debian.org/debian buster-updates/main amd64 Packages
release o=Debian,a=stable-updates,n=buster-updates,l=Debian,c=main,b=amd64
origin ftp.hosteurope.de
500 http://security.debian.org/debian-security buster/updates/non-free i386 Packages
release v=10,o=Debian,a=stable,n=buster,l=Debian-Security,c=non-free,b=i386
origin security.debian.org
500 http://security.debian.org/debian-security buster/updates/non-free amd64 Packages
release v=10,o=Debian,a=stable,n=buster,l=Debian-Security,c=non-free,b=amd64
origin security.debian.org
500 http://security.debian.org/debian-security buster/updates/main i386 Packages
release v=10,o=Debian,a=stable,n=buster,l=Debian-Security,c=main,b=i386
origin security.debian.org
500 http://security.debian.org/debian-security buster/updates/main amd64 Packages
release v=10,o=Debian,a=stable,n=buster,l=Debian-Security,c=main,b=amd64
origin security.debian.org
500 http://ftp.hosteurope.de/mirror/ftp.debian.org/debian buster/contrib i386 Packages
release v=10.8,o=Debian,a=stable,n=buster,l=Debian,c=contrib,b=i386
origin ftp.hosteurope.de
500 http://ftp.hosteurope.de/mirror/ftp.debian.org/debian buster/contrib amd64 Packages
release v=10.8,o=Debian,a=stable,n=buster,l=Debian,c=contrib,b=amd64
origin ftp.hosteurope.de
500 http://ftp.hosteurope.de/mirror/ftp.debian.org/debian buster/non-free i386 Packages
release v=10.8,o=Debian,a=stable,n=buster,l=Debian,c=non-free,b=i386
origin ftp.hosteurope.de
500 http://ftp.hosteurope.de/mirror/ftp.debian.org/debian buster/non-free amd64 Packages
release v=10.8,o=Debian,a=stable,n=buster,l=Debian,c=non-free,b=amd64
origin ftp.hosteurope.de
500 http://ftp.hosteurope.de/mirror/ftp.debian.org/debian buster/main i386 Packages
release v=10.8,o=Debian,a=stable,n=buster,l=Debian,c=main,b=i386
origin ftp.hosteurope.de
500 http://ftp.hosteurope.de/mirror/ftp.debian.org/debian buster/main amd64 Packages
release v=10.8,o=Debian,a=stable,n=buster,l=Debian,c=main,b=amd64
origin ftp.hosteurope.de
Pinned packages:
openssl -> 1.1.1d-0+deb10u5 with priority 1000
openssl -> 1.1.1d-0+deb10u4 with priority 1000
libssl-dev -> 1.1.1d-0+deb10u5 with priority 1000
libssl-dev -> 1.1.1d-0+deb10u4 with priority 1000
libssl-doc -> 1.1.1d-0+deb10u5 with priority 1000
libssl-doc -> 1.1.1d-0+deb10u4 with priority 1000
libssl1.1 -> 1.1.1d-0+deb10u5 with priority 1000
libssl1.1 -> 1.1.1d-0+deb10u4 with priority 1000
解决方案
基于@Louis Thompson 的回答......
当前安装的软件包实际上是由 Ondřej Surý 维护的非官方 PHP 存储库提供的。
https://packages.sury.org/php/ https://packages.sury.org/php/dists/buster/main/debian-installer/binary-amd64/Packages
为了保持我的 Debian 安装顺利,我降级了这些软件包。到目前为止,我的 PHP 安装和使用 SSL 功能的 PHP 应用程序一切正常。
更新
感谢@William Turrell。我安装它apt-listchanges是为了获取有关未来更改的信息。会让事情变得容易很多。
答案1
https://www.debian.org/security/2021/dsa-4855
此信息以及 Debian Buster 中有关 openssl 的其他软件包信息表明 1.1.1d 是当前的稳定版本。看起来您已经从其他地方获取了 1.1.1j (gbp2578a0),并且它没有这个重要的安全补丁
答案2
路易斯·汤普森的回答解释了 1.1.1d-0+deb10u5 版本对应的内容以及为什么应该接受降级。但它没有解决您的问题:“为什么这个软件包会被降级?我没有发起任何事情来降低它们的评级。”
apt对...一无所知内容它不知道 1.1.1d-0+deb10u5 修复了安全漏洞,也不知道当前安装的版本是否存在该漏洞。apt正在提议降级软件包,因为它已被配置为这样做。默认情况下,apt将绝不提供降级软件包,事实上,Debian 不支持降级。就你而言,
libssl-dev:
Installed: 1.1.1j-1+0~20210301.25+debian10~1.gbp2578a0
Candidate: 1.1.1d-0+deb10u5
Version table:
*** 1.1.1j-1+0~20210301.25+debian10~1.gbp2578a0 100
100 /var/lib/dpkg/status
1.1.1d-0+deb10u5 1000
500 http://security.debian.org/debian-security buster/updates/main amd64 Packages
1.1.1d-0+deb10u4 1000
500 http://ftp.hosteurope.de/mirror/ftp.debian.org/debian buster/main amd64 Packages
显示您对 OpenSSL 包有非默认 pin 优先级,特别是 1000 ( 1.1.1d-0+deb10u5 1000)。这得到了证实apt policy:
Pinned packages:
openssl -> 1.1.1d-0+deb10u5 with priority 1000
openssl -> 1.1.1d-0+deb10u4 with priority 1000
libssl-dev -> 1.1.1d-0+deb10u5 with priority 1000
libssl-dev -> 1.1.1d-0+deb10u4 with priority 1000
libssl-doc -> 1.1.1d-0+deb10u5 with priority 1000
libssl-doc -> 1.1.1d-0+deb10u4 with priority 1000
libssl1.1 -> 1.1.1d-0+deb10u5 with priority 1000
libssl1.1 -> 1.1.1d-0+deb10u4 with priority 1000
正如中所解释的man apt_preferences,这意味着apt将考虑降级此类软件包;由于您当前安装的版本具有较低的 pin 优先级,apt因此会将其降级到目标版本。
目标包 (1.1.1d-0+deb10u5) 是 Debian 10 存储库中的最新版本这一事实与此无关。只有 pin 优先级对于降级很重要。
答案3
这里(除了其他答案之外,不幸的是无法将其放入评论中)是 Ondřej Surý 的解释,他运行https://deb.sury.org:
php-defaults (82) unstable; urgency=medium
* The custom src:openssl packages were introduced to upgrade the
cryptographic functions for PHP, Apache2 and NGINX, but the situation
have improved greatly since. Ubuntu 16.04 LTS will reach end-of-life
in April 2021 and it was the last distribution using OpenSSL 1.0.2.
Debian 9 Stretch LTS will reach end-of-life in June 2022 and it is
using OpenSSL 1.1.0 (which just means TLS 1.3).
* The php-common package now introduces custom apt_preferences
configuration in /etc/apt/preferences.d/php-common.pref that should
enforce downgrade of the src:openssl packages to the OpenSSL version
provided by the distribution. After this version of php-common is
installed, the next manual apt-get dist-upgrade run will downgrade the
OpenSSL version, but you are advised to check this manually if the
downgrade has happened.
-- Ondřej Surý <[email protected]> Thu, 04 Mar 2021 11:08:54 +0100
(如果您已安装,您将在屏幕上或通过电子邮件收到此信息apt 列表更改)