diff -Nru openssh-9.0p1/debian/changelog openssh-9.0p1/debian/changelog
--- openssh-9.0p1/debian/changelog 2022-09-26 17:55:14.000000000 -0400
+++ openssh-9.0p1/debian/changelog 2022-10-25 11:57:43.000000000 -0400
@@ -1,3 +1,15 @@
+openssh (1:9.0p1-1ubuntu8) kinetic; urgency=medium
+
+ * debian/openssh-server.postinst: Fix handling of ListenAddress when a port
+ is specified (LP: #1993478):
+ - Strip port before converting hostnames to numerical addresses.
+ - Only append ports when the ListenAddress does not already specify a
+ port.
+ - Revert socket migration on upgrade if a previous version did the
+ migration when it should not have.
+
+ -- Nick Rosbrook Tue, 25 Oct 2022 11:57:43 -0400
+
 openssh (1:9.0p1-1ubuntu7) kinetic; urgency=medium
 
 * Update list of stock sshd_config checksums to include those from
diff -Nru openssh-9.0p1/debian/openssh-server.postinst openssh-9.0p1/debian/openssh-server.postinst
--- openssh-9.0p1/debian/openssh-server.postinst 2022-09-26 17:55:14.000000000 -0400
+++ openssh-9.0p1/debian/openssh-server.postinst 2022-10-25 11:57:43.000000000 -0400
@@ -50,23 +50,58 @@
 hostnames_to_addresses() {
 addresses="$1"
 for address in $addresses; do
- if echo $address | grep -q '^[0-9.]\+$'; then
+ address_no_port="$(address_strip_port $address)"
+ if echo "$address_no_port" | grep -q '^[0-9a-f:]\+$\|^[0-9.]\+$'; then
 numeric_addresses="$numeric_addresses $address"
- elif echo $address | grep -q '^[0-9a-f:]\+$'; then
- numeric_addresses="$numeric_addresses [$address]"
 else
- new_addresses=$( (getent ahostsv4 $address;
- getent ahostsv6 $address) \
+ new_addresses=$( (getent ahostsv4 $address_no_port;
+ getent ahostsv6 $address_no_port) \
 | awk '$1 ~ /^::ffff:/ || $2 != "STREAM" { next; }
 $1 ~ /:/ { print "[" $1 "]"; next; }
 { print $1 }' \
 | sort -u)
+ port="$(port_from_address $address)"
+ if [ -n "$port" ]; then
+ new_addresses="$(for addr in $new_addresses; do echo $addr:$port; done)"
+ fi
 numeric_addresses="$numeric_addresses $new_addresses"
 fi
 done
 echo "$numeric_addresses"
 }
 
+port_from_address() {
+ address="$1"
+ if echo $address | grep -q '^\[[0-9a-f:]*\]:'; then
+ # This is an IPv6 address with a port.
+ port="$(echo $address | awk -F':' '{print $NF}')"
+ elif echo $addrss | grep -q '^\[[0-9a-f:]*\]\+$\|^[0-9a-f:]\+$'; then
+ # This is an IPv6 address without a port.
+ port=""
+ else
+ # This is an IPv4 address or hostname, where the port
+ # may or may not be specified.
+ port="$(echo $address | awk -F':' '{print $2}')"
+ fi
+ echo "$port"
+}
+
+address_strip_port() {
+ address="$1"
+ if echo $address | grep -q '^\[[0-9a-f:]*\]\+$\|^\[[0-9a-f:]*\]:'; then
+ # This is an IPv6 address in brackets, with or without a port.
+ address_no_port="$(echo $address | awk -F '[][]' '{print $2}')"
+ elif echo $address | grep -q '^[0-9a-f:]\+$'; then
+ # This is an IPv6 address with no brackets and no port.
+ address_no_port="$address"
+ else
+ # This is an IPv4 address or hostname, where the port
+ # may or may not be specified.
+ address_no_port="$(echo $address | awk -F':' '{print $1}')"
+ fi
+ echo "$address_no_port"
+}
+
 host_keys_required() {
 hostkeys="$(get_config_option HostKey)"
 if [ "$hostkeys" ]; then
@@ -193,7 +228,7 @@
 # which we now move back into place.
 mv /etc/ssh/moduli.dpkg-bak /etc/ssh/moduli
 fi
- if dpkg --compare-versions "$2" lt-nl 1:9.0p1-1ubuntu7~
+ if dpkg --compare-versions "$2" lt-nl 1:9.0p1-1ubuntu8~
 then
 # migrate to systemd socket activation.
 addresses=$(get_config_option_all ListenAddress)
@@ -211,16 +246,22 @@
 count=0
 for address in $addresses; do
 count=$((count+1))
- for port in $ports; do
- echo "ListenStream=$address:$port" \
- >> "$override_dir"/addresses.conf.new
- done
+ port_from_address="$(port_from_address $address)"
+ if [ -z "$port_from_address" ]; then
+ for port in $ports; do
+ echo "ListenStream=$address:$port" \
+ >> "$override_dir"/addresses.conf.new
+ done
+ else
+ echo "ListenStream=$address" \
+ >> "$override_dir"/addresses.conf.new
+ fi
 done
 if [ $count -gt 1 ]; then
 db_input critical openssh-server/listenstream-may-fail || true
 db_go || true
 rm -f "$override_dir"/addresses.conf.new
- rmdir "$override_dir"
+ rmdir --ignore-fail-on-non-empty "$override_dir"
 NO_SOCKET_MIGRATION=1
 fi
 elif [ -n "$ports" ]; then
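Review bot: `port_from_address` tests `$addrss` (a typo for `$address`) in its elif, so the "IPv6 address without a port" branch can never match and a bare IPv6 literal such as `2001:db8::1` falls through to the IPv4 branch, where `awk -F':' '{print $2}'` returns `db8` as the port; the line should read `elif echo $address | grep -q '^\[[0-9a-f:]*\]\+$\|^[0-9a-f:]\+$'; then`. Related, the numeric branch of hostnames_to_addresses now appends `$address` unchanged where the removed branch wrapped unbracketed IPv6 literals as `[$address]`, so a config line `ListenAddress ::` yields a bare `::` that any later `$address:$port` concatenation (the migration loop in the `@@ -211,16 +246,22 @@` hunk does this) turns into `:::22`, which systemd's ListenStream= does not accept where it expects `[::]:22`. Re-adding the bracketing for literals that match `^[0-9a-f:]\+$` and carry no port, or bracketing in the migration loop, would restore the old behaviour for that common case. Neither `port_from_address` nor `address_strip_port` carries a header comment; a one-line note on each, such as `# Print the port part of a ListenAddress value, or nothing if none is given.`, would help the next maintainer since the two regexes are easy to confuse.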
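Review bot: The variable `port_from_address` is assigned from a call to the function of the same name (`port_from_address="$(port_from_address $address)"`); sh keeps function and variable namespaces apart so it works, but a reader cannot tell the call from the value at a glance, and a name such as `configured_port` in the assignment and in `if [ -z "$port_from_address" ]` would remove the ambiguity. A short comment above the loop, e.g. `# A ListenAddress that already carries a port is emitted as-is; otherwise one line per Port.`, would also document why there are two emit paths. The enclosing `if dpkg --compare-versions` block starts before this hunk and ends after it.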
@@ -255,6 +296,28 @@
 fi
 fi
 fi
+ if dpkg --compare-versions "$2" lt-nl 1:9.0p1-1ubuntu8~ && [ -n "$NO_SOCKET_MIGRATION" ]; then
+ # Revert socket migration if a previous version did the
+ # migration erroneously.
+ if [ -f /etc/systemd/system/ssh.socket.d/addresses.conf ]; then
+ rm /etc/systemd/system/ssh.socket.d/addresses.conf
+ rmdir --ignore-fail-on-non-empty /etc/systemd/system/ssh.socket.d
+ DO_RELOAD=1
+ fi
+ if [ -f /etc/systemd/system/ssh.service.d/00-socket.conf ]; then
+ rm /etc/systemd/system/ssh.service.d/00-socket.conf
+ rmdir --ignore-fail-on-non-empty /etc/systemd/system/ssh.service.d
+ DO_RELOAD=1
+ fi
+ if [ -n "$DO_RELOAD" ]; then
+ if [ -d /run/systemd/system ]; then
+ systemctl daemon-reload
+ systemctl disable ssh.socket
+ systemctl stop ssh.socket
+ systemctl enable ssh.service
+ fi
+ fi
+ fi
 fi
 
 #DEBHELPER#
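Review bot: `DO_RELOAD` is read at `if [ -n "$DO_RELOAD" ]` without being cleared at the start of the block, so if the script assigns it earlier for another purpose (not visible in this hunk) the disable/stop sequence would run even when neither drop-in was present; opening the block with `DO_RELOAD=` ties the condition to the two removals above it. The block stops ssh.socket and enables ssh.service but never starts the service, so on a remote upgrade there is no SSH listener between `systemctl stop ssh.socket` and whatever restart the `#DEBHELPER#` snippet performs; if that snippet does not restart ssh.service on this path, `systemctl start ssh.service` after the `enable` is needed, and either way a comment naming who starts the service would document the intent. The four systemctl calls have no error handling, so if the script runs under `set -e`, as Debian maintainer scripts usually do, a failing `systemctl disable ssh.socket` aborts the postinst mid-revert with the drop-ins already deleted; `|| true` on the non-essential calls, as the surrounding code already does for db_input, is the usual pattern. The enclosing conditional starts before this hunk.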