Package: openssh-server
Version: 1:9.2p1-2+deb12u5
Severity: important
X-Debbugs-Cc: t...@security.debian.org
Dear Maintainer,
Security update for CVE-2025-26466, version 1:9.2p1-2+deb12u5, depends
on libssl3 >= 3.0.15, but that package is not available in Debian
Security. Therefore, the unattended upgrader, which is configured to
only install security updates, cannot install it:
# unattended-upgrade -v
Checking if system is running on battery is skipped. Please install
powermgmt-base package to check power status and skip installing updates when
the system is running on battery.
Starting unattended upgrades script
Allowed origins are: origin=Debian,codename=bookworm,label=Debian-Security,
origin=Debian,codename=bookworm-security,label=Debian-Security
Initial blacklist:
Initial whitelist (not strict):
package openssh-sftp-server upgradable but fails to be marked for upgrade
(E:Unable to correct problems, you have held broken packages.)
package openssh-sftp-server upgradable but fails to be marked for upgrade
(E:Unable to correct problems, you have held broken packages.)
No packages found that can be upgraded unattended and no pending auto-removals
Package openssh-client is kept back because a related package is kept back or
due to local apt_preferences(5).
Package openssh-server is kept back because a related package is kept back or
due to local apt_preferences(5).
Package openssh-sftp-server is kept back because a related package is kept back
or due to local apt_preferences(5).
# apt-cache policy libssl3
libssl3:
Installed: 3.0.14-1~deb12u2
Candidate: 3.0.15-1~deb12u1
Version table:
3.0.15-1~deb12u1 500
500 http://deb.debian.org/debian bookworm/main amd64 Packages
*** 3.0.14-1~deb12u2 500
500 http://security.debian.org/debian-security bookworm-security/main
amd64 Packages
100 /var/lib/dpkg/status
I worked around it by just doing 'apt install openssh-server', but that
doesn't scale.
Regards,
Wiebe Cazemier
-- System Information:
Debian Release: 12.6
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 6.1.0-26-amd64 (SMP w/8 CPU threads; PREEMPT)
Kernel taint flags: TAINT_WARN
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages openssh-server depends on:
ii adduser 3.134
ii debconf [debconf-2.0] 1.5.82
ii init-system-helpers 1.65.2
ii libaudit1 1:3.0.9-1
ii libc6 2.36-9+deb12u8
ii libcom-err2 1.47.0-2
ii libcrypt1 1:4.4.33-2
ii libgssapi-krb5-2 1.20.1-2+deb12u2
ii libkrb5-3 1.20.1-2+deb12u2
ii libpam-modules 1.5.2-6+deb12u1
ii libpam-runtime 1.5.2-6+deb12u1
ii libpam0g 1.5.2-6+deb12u1
ii libselinux1 3.4-1+b6
ii libssl3 3.0.15-1~deb12u1
ii libsystemd0 252.26-1~deb12u2
ii libwrap0 7.6.q-32
ii lsb-base 11.6
ii openssh-client 1:9.2p1-2+deb12u5
ii openssh-sftp-server 1:9.2p1-2+deb12u5
ii procps 2:4.0.2-3
ii runit-helper 2.15.2
ii sysvinit-utils [lsb-base] 3.06-4
ii ucf 3.0043+nmu1
ii zlib1g 1:1.2.13.dfsg-1
Versions of packages openssh-server recommends:
ii libpam-systemd [logind] 252.26-1~deb12u2
ii ncurses-term 6.4-4
ii xauth 1:1.1.2-1
Versions of packages openssh-server suggests:
ii molly-guard 0.7.2
pn monkeysphere <none>
pn ssh-askpass <none>
pn ufw <none>
-- Configuration Files:
/etc/pam.d/sshd changed [not included]
-- debconf information excluded
