Debian 10 – Why Some SSL Packages Are Downgraded

apt, debian, dist-upgrade

I cannot find any information about it. Maybe someone has some insights to share.

apt suggests to downgrade some SSL packages.

# apt-get update && apt-get dist-upgrade --assume-yes

Reading package lists... Done
Building dependency tree       
Reading state information... Done
Calculating upgrade... Done
The following packages will be DOWNGRADED:
  libssl-dev libssl1.1 openssl
0 upgraded, 0 newly installed, 3 downgraded, 0 to remove and 0 not upgraded.
E: Packages were downgraded and -y was used without --allow-downgrades.

Why would these packages be downgraded? I didn't initiate anything to downgrade them. It's just what happened during my regular daily dist-upgrade.

I assume there's some critical security issue in SSL they cannot fix quickly and easily. So they downgrade to the latest version without that issue. But currently I didn't find any information about such a thing.

Additional info

Linux <hostname> 4.19.0-14-amd64 #1 SMP Debian 4.19.171-2 (2021-01-30) x86_64 GNU/Linux

libssl-dev/now 1.1.1j-1+0~20210301.25+debian10~1.gbp2578a0 amd64 [installed,local]
libssl-dev/stable 1.1.1d-0+deb10u5 amd64
libssl-dev/stable 1.1.1d-0+deb10u4 amd64
libssl-dev/stable 1.1.1d-0+deb10u5 i386
libssl-dev/stable 1.1.1d-0+deb10u4 i386

libssl1.1/now 1.1.1j-1+0~20210301.25+debian10~1.gbp2578a0 amd64 [installed,local]
libssl1.1/stable 1.1.1d-0+deb10u5 amd64
libssl1.1/stable 1.1.1d-0+deb10u4 amd64
libssl1.1/stable 1.1.1d-0+deb10u5 i386
libssl1.1/stable 1.1.1d-0+deb10u4 i386

openssl/now 1.1.1j-1+0~20210301.25+debian10~1.gbp2578a0 amd64 [installed,local]
openssl/stable 1.1.1d-0+deb10u5 amd64
openssl/stable 1.1.1d-0+deb10u4 amd64
openssl/stable 1.1.1d-0+deb10u5 i386
openssl/stable 1.1.1d-0+deb10u4 i386

# apt policy libssl-dev libssl1.1 openssl

libssl-dev:
  Installed: 1.1.1j-1+0~20210301.25+debian10~1.gbp2578a0
  Candidate: 1.1.1d-0+deb10u5
  Version table:
 *** 1.1.1j-1+0~20210301.25+debian10~1.gbp2578a0 100
        100 /var/lib/dpkg/status
     1.1.1d-0+deb10u5 1000
        500 http://security.debian.org/debian-security buster/updates/main amd64 Packages
     1.1.1d-0+deb10u4 1000
        500 http://ftp.hosteurope.de/mirror/ftp.debian.org/debian buster/main amd64 Packages

libssl1.1:
  Installed: 1.1.1j-1+0~20210301.25+debian10~1.gbp2578a0
  Candidate: 1.1.1d-0+deb10u5
  Version table:
 *** 1.1.1j-1+0~20210301.25+debian10~1.gbp2578a0 100
        100 /var/lib/dpkg/status
     1.1.1d-0+deb10u5 1000
        500 http://security.debian.org/debian-security buster/updates/main amd64 Packages
     1.1.1d-0+deb10u4 1000
        500 http://ftp.hosteurope.de/mirror/ftp.debian.org/debian buster/main amd64 Packages

openssl:
  Installed: 1.1.1j-1+0~20210301.25+debian10~1.gbp2578a0
  Candidate: 1.1.1d-0+deb10u5
  Version table:
 *** 1.1.1j-1+0~20210301.25+debian10~1.gbp2578a0 100
        100 /var/lib/dpkg/status
     1.1.1d-0+deb10u5 1000
        500 http://security.debian.org/debian-security buster/updates/main amd64 Packages
     1.1.1d-0+deb10u4 1000
        500 http://ftp.hosteurope.de/mirror/ftp.debian.org/debian buster/main amd64 Packages

# apt policy

Package files:
 100 /var/lib/dpkg/status
     release a=now
 500 https://packages.sury.org/php buster/main i386 Packages
     release o=deb.sury.org,n=buster,c=main,b=i386
     origin packages.sury.org
 500 https://packages.sury.org/php buster/main amd64 Packages
     release o=deb.sury.org,n=buster,c=main,b=amd64
     origin packages.sury.org
 500 http://ftp.hosteurope.de/mirror/ftp.debian.org/debian buster-updates/non-free i386 Packages
     release o=Debian,a=stable-updates,n=buster-updates,l=Debian,c=non-free,b=i386
     origin ftp.hosteurope.de
 500 http://ftp.hosteurope.de/mirror/ftp.debian.org/debian buster-updates/non-free amd64 Packages
     release o=Debian,a=stable-updates,n=buster-updates,l=Debian,c=non-free,b=amd64
     origin ftp.hosteurope.de
 500 http://ftp.hosteurope.de/mirror/ftp.debian.org/debian buster-updates/main i386 Packages
     release o=Debian,a=stable-updates,n=buster-updates,l=Debian,c=main,b=i386
     origin ftp.hosteurope.de
 500 http://ftp.hosteurope.de/mirror/ftp.debian.org/debian buster-updates/main amd64 Packages
     release o=Debian,a=stable-updates,n=buster-updates,l=Debian,c=main,b=amd64
     origin ftp.hosteurope.de
 500 http://security.debian.org/debian-security buster/updates/non-free i386 Packages
     release v=10,o=Debian,a=stable,n=buster,l=Debian-Security,c=non-free,b=i386
     origin security.debian.org
 500 http://security.debian.org/debian-security buster/updates/non-free amd64 Packages
     release v=10,o=Debian,a=stable,n=buster,l=Debian-Security,c=non-free,b=amd64
     origin security.debian.org
 500 http://security.debian.org/debian-security buster/updates/main i386 Packages
     release v=10,o=Debian,a=stable,n=buster,l=Debian-Security,c=main,b=i386
     origin security.debian.org
 500 http://security.debian.org/debian-security buster/updates/main amd64 Packages
     release v=10,o=Debian,a=stable,n=buster,l=Debian-Security,c=main,b=amd64
     origin security.debian.org
 500 http://ftp.hosteurope.de/mirror/ftp.debian.org/debian buster/contrib i386 Packages
     release v=10.8,o=Debian,a=stable,n=buster,l=Debian,c=contrib,b=i386
     origin ftp.hosteurope.de
 500 http://ftp.hosteurope.de/mirror/ftp.debian.org/debian buster/contrib amd64 Packages
     release v=10.8,o=Debian,a=stable,n=buster,l=Debian,c=contrib,b=amd64
     origin ftp.hosteurope.de
 500 http://ftp.hosteurope.de/mirror/ftp.debian.org/debian buster/non-free i386 Packages
     release v=10.8,o=Debian,a=stable,n=buster,l=Debian,c=non-free,b=i386
     origin ftp.hosteurope.de
 500 http://ftp.hosteurope.de/mirror/ftp.debian.org/debian buster/non-free amd64 Packages
     release v=10.8,o=Debian,a=stable,n=buster,l=Debian,c=non-free,b=amd64
     origin ftp.hosteurope.de
 500 http://ftp.hosteurope.de/mirror/ftp.debian.org/debian buster/main i386 Packages
     release v=10.8,o=Debian,a=stable,n=buster,l=Debian,c=main,b=i386
     origin ftp.hosteurope.de
 500 http://ftp.hosteurope.de/mirror/ftp.debian.org/debian buster/main amd64 Packages
     release v=10.8,o=Debian,a=stable,n=buster,l=Debian,c=main,b=amd64
     origin ftp.hosteurope.de
Pinned packages:
     openssl -> 1.1.1d-0+deb10u5 with priority 1000
     openssl -> 1.1.1d-0+deb10u4 with priority 1000
     libssl-dev -> 1.1.1d-0+deb10u5 with priority 1000
     libssl-dev -> 1.1.1d-0+deb10u4 with priority 1000
     libssl-doc -> 1.1.1d-0+deb10u5 with priority 1000
     libssl-doc -> 1.1.1d-0+deb10u4 with priority 1000
     libssl1.1 -> 1.1.1d-0+deb10u5 with priority 1000
     libssl1.1 -> 1.1.1d-0+deb10u4 with priority 1000

Solution

Based on the answer of @Louis Thompson …

The currently installed packages are in fact provided by the unofficial PHP repository maintained by Ondřej Surý.

https://packages.sury.org/php/
https://packages.sury.org/php/dists/buster/main/debian-installer/binary-amd64/Packages

To stay straight with my Debian installation I downgraded these packages. By now everything works fine with my PHP installation and my PHP applications that use SSL functionality.

Update

Thanks to @William Turrell. I installed apt-listchanges to get information about a change in the future. Would've made things a lot easier.

Best Answer

https://www.debian.org/security/2021/dsa-4855

This, and other package information about openssl in Debian Buster, indicates that 1.1.1d is the current stable version. It looks like you've acquired 1.1.1j from elsewhere (gbp2578a0), and it doesn't have this important security patch.
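
An added example, not part of the original question or answer: a small audit that reads `apt policy <pkg>...` output and reports packages whose installed version differs from the candidate, whether the installed version is still offered by any configured repository, and whether the candidate's pin priority is 1000 or higher (the level at which apt_preferences(5) lets apt install a version even when that is a downgrade). The function names `audit_policy` and `sample_policy`, the package `examplepkg` and the host `repo.example.invalid` are assumptions made for illustration; the `libssl1.1` entry is copied from the question's output.

```shell
#!/bin/sh
# Added example: reads `apt policy <pkg>...` output on stdin and prints one
# line per package that apt intends to replace with a different version.
audit_policy() {
  awk '
    function report(   src, mode) {
      if (pkg != "" && inst != cand && inst != "(none)" && cand != "(none)") {
        src  = (inst in repo) ? "repo" : "local-only"   # only in dpkg status?
        mode = (vprio[cand] + 0 >= 1000) ? "downgrade-allowed" : "upgrade-only"
        printf "%s %s -> %s pin=%s %s %s\n", pkg, inst, cand, vprio[cand], src, mode
      }
      pkg = ""; inst = ""; cand = ""; cur = ""
      split("", repo); split("", vprio)                 # reset per package
    }
    /^[^ ].*:$/     { report(); pkg = substr($0, 1, length($0) - 1); next }
    /^  Installed:/ { inst = $2; next }
    /^  Candidate:/ { cand = $2; next }
    $1 == "***"     { cur = $2; vprio[cur] = $3; next } # installed version row
    NF == 2 && $2 ~ /^-?[0-9]+$/ { cur = $1; vprio[cur] = $2; next }
    $1 ~ /^-?[0-9]+$/ && $2 != "/var/lib/dpkg/status" { repo[cur] = 1 }
    END { report() }
  '
}
# Sample input: first entry from the question, second entry constructed.
sample_policy() {
cat <<'EOF'
libssl1.1:
  Installed: 1.1.1j-1+0~20210301.25+debian10~1.gbp2578a0
  Candidate: 1.1.1d-0+deb10u5
  Version table:
 *** 1.1.1j-1+0~20210301.25+debian10~1.gbp2578a0 100
        100 /var/lib/dpkg/status
     1.1.1d-0+deb10u5 1000
        500 http://security.debian.org/debian-security buster/updates/main amd64 Packages
     1.1.1d-0+deb10u4 1000
        500 http://ftp.hosteurope.de/mirror/ftp.debian.org/debian buster/main amd64 Packages

examplepkg:
  Installed: 1.0-1
  Candidate: 1.0-1
  Version table:
 *** 1.0-1 500
        500 http://repo.example.invalid/debian buster/main amd64 Packages
        100 /var/lib/dpkg/status
EOF
}
sample_policy | audit_policy
```

On a live system the same function can be fed with `apt policy libssl-dev libssl1.1 openssl | audit_policy`; a `local-only` result means no configured repository currently offers the installed version.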
