Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
Bug#1062930: openssh-client: ssh fails with "Connection corrupted" error when connecting to Oracle Linux systems
332 views
Skip to first unread message
Mike Quin
Feb 3, 2024, 8:30:06 PM2/3/24
to
Package: openssh-client
Version: 1:9.2p1-2+deb12u2
Severity: normal
X-Debbugs-Cc: te...@security.debian.org
Dear Maintainer,
Following the upgrade of the openssh-client and related packages to
1:9.2p1-2+deb12u2, ssh connections to Oracle Linux 8.9 systems running
their openssh server package 8.0p1-19.el8_9.2 have started to fail with:
Bad packet length 2605177462.
ssh_dispatch_run_fatal: Connection to REDACTED port 22: Connection corrupted
The number after "Bad packet length" changes with each connection attempt.
With the u1 version of openssh-client it was possible to connect to these systems.
Specifying that the aes25...@openssh.com cipher be used rather than the
chacha20...@openssh.com works around the problem.
On the Oracle side, the openssh server package has recent changes related to
a couple of CVEs that may be relevant:
- Forbid shell metasymbols in username/hostname
Resolves: CVE-2023-51385
- Fix Terrapin attack
Resolves: CVE-2023-48795
-- System Information:
Debian Release: 12.4
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 6.1.0-13-amd64 (SMP w/2 CPU threads; PREEMPT)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages openssh-client depends on:
ii adduser 3.134
ii libc6 2.36-9+deb12u4
ii libedit2 3.1-20221030-2
ii libfido2-1 1.12.0-2+b1
ii libgssapi-krb5-2 1.20.1-2+deb12u1
ii libselinux1 3.4-1+b6
ii libssl3 3.0.11-1~deb12u2
ii passwd 1:4.13+dfsg1-1+b1
ii zlib1g 1:1.2.13.dfsg-1
Versions of packages openssh-client recommends:
ii xauth 1:1.1.2-1
Versions of packages openssh-client suggests:
pn keychain <none>
pn libpam-ssh <none>
pn monkeysphere <none>
pn ssh-askpass <none>
-- no debconf information
Version: 1:9.2p1-2+deb12u2
Severity: normal
X-Debbugs-Cc: te...@security.debian.org
Dear Maintainer,
Following the upgrade of the openssh-client and related packages to
1:9.2p1-2+deb12u2, ssh connections to Oracle Linux 8.9 systems running
their openssh server package 8.0p1-19.el8_9.2 have started to fail with:
Bad packet length 2605177462.
ssh_dispatch_run_fatal: Connection to REDACTED port 22: Connection corrupted
The number after "Bad packet length" changes with each connection attempt.
With the u1 version of openssh-client it was possible to connect to these systems.
Specifying that the aes25...@openssh.com cipher be used rather than the
chacha20...@openssh.com works around the problem.
On the Oracle side, the openssh server package has recent changes related to
a couple of CVEs that may be relevant:
- Forbid shell metasymbols in username/hostname
Resolves: CVE-2023-51385
- Fix Terrapin attack
Resolves: CVE-2023-48795
-- System Information:
Debian Release: 12.4
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 6.1.0-13-amd64 (SMP w/2 CPU threads; PREEMPT)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages openssh-client depends on:
ii adduser 3.134
ii libc6 2.36-9+deb12u4
ii libedit2 3.1-20221030-2
ii libfido2-1 1.12.0-2+b1
ii libgssapi-krb5-2 1.20.1-2+deb12u1
ii libselinux1 3.4-1+b6
ii libssl3 3.0.11-1~deb12u2
ii passwd 1:4.13+dfsg1-1+b1
ii zlib1g 1:1.2.13.dfsg-1
Versions of packages openssh-client recommends:
ii xauth 1:1.1.2-1
Versions of packages openssh-client suggests:
pn keychain <none>
pn libpam-ssh <none>
pn monkeysphere <none>
pn ssh-askpass <none>
-- no debconf information
Mike Quin
Feb 6, 2024, 7:30:06 AM2/6/24
to
Some discussion of this on Oracle’s GitHub:
They’ve acknowledged a problem on their customer support forums and the faulty openssl-server package has been withdrawn from their repositories.
There may be nothing for Debian to do on this one.
Mike Quin
0 new messages