I cannot find any information about it. Maybe someone has some insights to share.
apt suggests to downgrade some SSL packages.
# apt-get update && apt-get dist-upgrade --assume-yes
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
The following packages will be DOWNGRADED:
libssl-dev libssl1.1 openssl
0 upgraded, 0 newly installed, 3 downgraded, 0 to remove and 0 not upgraded.
E: Packages were downgraded and -y was used without --allow-downgrades.
Why would these packages be downgraded? I didn't initiate anything to downgrade them. It's just what happened during my regular daily dist-upgrade.
I assume there's some critical security issue in SSL they cannot fix quickly and easily. So they downgrade to the latest version without that issue. But currently I didn't find any information about such a thing.
Additional info
Linux <hostname> 4.19.0-14-amd64 #1 SMP Debian 4.19.171-2 (2021-01-30) x86_64 GNU/Linux
libssl-dev/now 1.1.1j-1+0~20210301.25+debian10~1.gbp2578a0 amd64 [installed,local]
libssl-dev/stable 1.1.1d-0+deb10u5 amd64
libssl-dev/stable 1.1.1d-0+deb10u4 amd64
libssl-dev/stable 1.1.1d-0+deb10u5 i386
libssl-dev/stable 1.1.1d-0+deb10u4 i386
libssl1.1/now 1.1.1j-1+0~20210301.25+debian10~1.gbp2578a0 amd64 [installed,local]
libssl1.1/stable 1.1.1d-0+deb10u5 amd64
libssl1.1/stable 1.1.1d-0+deb10u4 amd64
libssl1.1/stable 1.1.1d-0+deb10u5 i386
libssl1.1/stable 1.1.1d-0+deb10u4 i386
openssl/now 1.1.1j-1+0~20210301.25+debian10~1.gbp2578a0 amd64 [installed,local]
openssl/stable 1.1.1d-0+deb10u5 amd64
openssl/stable 1.1.1d-0+deb10u4 amd64
openssl/stable 1.1.1d-0+deb10u5 i386
openssl/stable 1.1.1d-0+deb10u4 i386
# apt policy libssl-dev libssl1.1 openssl
libssl-dev:
Installed: 1.1.1j-1+0~20210301.25+debian10~1.gbp2578a0
Candidate: 1.1.1d-0+deb10u5
Version table:
*** 1.1.1j-1+0~20210301.25+debian10~1.gbp2578a0 100
100 /var/lib/dpkg/status
1.1.1d-0+deb10u5 1000
500 http://security.debian.org/debian-security buster/updates/main amd64 Packages
1.1.1d-0+deb10u4 1000
500 http://ftp.hosteurope.de/mirror/ftp.debian.org/debian buster/main amd64 Packages
libssl1.1:
Installed: 1.1.1j-1+0~20210301.25+debian10~1.gbp2578a0
Candidate: 1.1.1d-0+deb10u5
Version table:
*** 1.1.1j-1+0~20210301.25+debian10~1.gbp2578a0 100
100 /var/lib/dpkg/status
1.1.1d-0+deb10u5 1000
500 http://security.debian.org/debian-security buster/updates/main amd64 Packages
1.1.1d-0+deb10u4 1000
500 http://ftp.hosteurope.de/mirror/ftp.debian.org/debian buster/main amd64 Packages
openssl:
Installed: 1.1.1j-1+0~20210301.25+debian10~1.gbp2578a0
Candidate: 1.1.1d-0+deb10u5
Version table:
*** 1.1.1j-1+0~20210301.25+debian10~1.gbp2578a0 100
100 /var/lib/dpkg/status
1.1.1d-0+deb10u5 1000
500 http://security.debian.org/debian-security buster/updates/main amd64 Packages
1.1.1d-0+deb10u4 1000
500 http://ftp.hosteurope.de/mirror/ftp.debian.org/debian buster/main amd64 Packages
# apt policy
Package files:
100 /var/lib/dpkg/status
release a=now
500 https://packages.sury.org/php buster/main i386 Packages
release o=deb.sury.org,n=buster,c=main,b=i386
origin packages.sury.org
500 https://packages.sury.org/php buster/main amd64 Packages
release o=deb.sury.org,n=buster,c=main,b=amd64
origin packages.sury.org
500 http://ftp.hosteurope.de/mirror/ftp.debian.org/debian buster-updates/non-free i386 Packages
release o=Debian,a=stable-updates,n=buster-updates,l=Debian,c=non-free,b=i386
origin ftp.hosteurope.de
500 http://ftp.hosteurope.de/mirror/ftp.debian.org/debian buster-updates/non-free amd64 Packages
release o=Debian,a=stable-updates,n=buster-updates,l=Debian,c=non-free,b=amd64
origin ftp.hosteurope.de
500 http://ftp.hosteurope.de/mirror/ftp.debian.org/debian buster-updates/main i386 Packages
release o=Debian,a=stable-updates,n=buster-updates,l=Debian,c=main,b=i386
origin ftp.hosteurope.de
500 http://ftp.hosteurope.de/mirror/ftp.debian.org/debian buster-updates/main amd64 Packages
release o=Debian,a=stable-updates,n=buster-updates,l=Debian,c=main,b=amd64
origin ftp.hosteurope.de
500 http://security.debian.org/debian-security buster/updates/non-free i386 Packages
release v=10,o=Debian,a=stable,n=buster,l=Debian-Security,c=non-free,b=i386
origin security.debian.org
500 http://security.debian.org/debian-security buster/updates/non-free amd64 Packages
release v=10,o=Debian,a=stable,n=buster,l=Debian-Security,c=non-free,b=amd64
origin security.debian.org
500 http://security.debian.org/debian-security buster/updates/main i386 Packages
release v=10,o=Debian,a=stable,n=buster,l=Debian-Security,c=main,b=i386
origin security.debian.org
500 http://security.debian.org/debian-security buster/updates/main amd64 Packages
release v=10,o=Debian,a=stable,n=buster,l=Debian-Security,c=main,b=amd64
origin security.debian.org
500 http://ftp.hosteurope.de/mirror/ftp.debian.org/debian buster/contrib i386 Packages
release v=10.8,o=Debian,a=stable,n=buster,l=Debian,c=contrib,b=i386
origin ftp.hosteurope.de
500 http://ftp.hosteurope.de/mirror/ftp.debian.org/debian buster/contrib amd64 Packages
release v=10.8,o=Debian,a=stable,n=buster,l=Debian,c=contrib,b=amd64
origin ftp.hosteurope.de
500 http://ftp.hosteurope.de/mirror/ftp.debian.org/debian buster/non-free i386 Packages
release v=10.8,o=Debian,a=stable,n=buster,l=Debian,c=non-free,b=i386
origin ftp.hosteurope.de
500 http://ftp.hosteurope.de/mirror/ftp.debian.org/debian buster/non-free amd64 Packages
release v=10.8,o=Debian,a=stable,n=buster,l=Debian,c=non-free,b=amd64
origin ftp.hosteurope.de
500 http://ftp.hosteurope.de/mirror/ftp.debian.org/debian buster/main i386 Packages
release v=10.8,o=Debian,a=stable,n=buster,l=Debian,c=main,b=i386
origin ftp.hosteurope.de
500 http://ftp.hosteurope.de/mirror/ftp.debian.org/debian buster/main amd64 Packages
release v=10.8,o=Debian,a=stable,n=buster,l=Debian,c=main,b=amd64
origin ftp.hosteurope.de
Pinned packages:
openssl -> 1.1.1d-0+deb10u5 with priority 1000
openssl -> 1.1.1d-0+deb10u4 with priority 1000
libssl-dev -> 1.1.1d-0+deb10u5 with priority 1000
libssl-dev -> 1.1.1d-0+deb10u4 with priority 1000
libssl-doc -> 1.1.1d-0+deb10u5 with priority 1000
libssl-doc -> 1.1.1d-0+deb10u4 with priority 1000
libssl1.1 -> 1.1.1d-0+deb10u5 with priority 1000
libssl1.1 -> 1.1.1d-0+deb10u4 with priority 1000
Solution
Based on the answer of @Louis Thompson …
The currently installed packages are in fact provided by the unofficial PHP repository maintained by Ondřej Surý.
https://packages.sury.org/php/
https://packages.sury.org/php/dists/buster/main/debian-installer/binary-amd64/Packages
To stay straight with my Debian installation I downgraded these packages. By now everything works fine with my PHP installation and my PHP applications which are using SSL functionality.
Update
Thanks to @William Turrell. I installed apt-listchanges to get information about a change in the future. Would've made things a lot easier.
Best Answer
https://www.debian.org/security/2021/dsa-4855
This, and other package information about openssl in Debian Buster, indicates that 1.1.1d is the current stable version. It looks like you've acquired 1.1.1j from elsewhere (gbp2578a0), and it doesn't have this important security patch.
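The `apt policy` output in the question shows the two conditions behind the proposed downgrade: the installed version is known only from `/var/lib/dpkg/status`, and the candidate carries priority 1000, which apt treats as high enough to install even when that is a downgrade. The following is an added example, not part of the original posts, that parses such output and flags packages in that state; the function names are hypothetical and the ordering check assumes apt lists the version table newest first.

```python
import re
# openssl stanza from the question's `apt policy` output, indentation restored.
SAMPLE = """\
openssl:
  Installed: 1.1.1j-1+0~20210301.25+debian10~1.gbp2578a0
  Candidate: 1.1.1d-0+deb10u5
  Version table:
 *** 1.1.1j-1+0~20210301.25+debian10~1.gbp2578a0 100
        100 /var/lib/dpkg/status
     1.1.1d-0+deb10u5 1000
        500 http://security.debian.org/debian-security buster/updates/main amd64 Packages
     1.1.1d-0+deb10u4 1000
        500 http://ftp.hosteurope.de/mirror/ftp.debian.org/debian buster/main amd64 Packages
"""

def parse_policy(text):
    """Parse `apt policy PKG...` output into {pkg: {installed, candidate, versions}}."""
    pkgs, cur, ver = {}, None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := re.fullmatch(r"(\S+):", line):                       # "openssl:"
            cur = pkgs[m[1]] = {"installed": None, "candidate": None, "versions": {}}
            ver = None
        elif cur is None:
            continue
        elif m := re.fullmatch(r"(Installed|Candidate): (\S+)", line):
            cur[m[1].lower()] = m[2]
        elif m := re.fullmatch(r"(?:\*\*\* )?(\S+) (-?\d+)", line):  # "<version> <priority>"
            ver = cur["versions"][m[1]] = {"priority": int(m[2]), "sources": []}
        elif ver is not None and (m := re.fullmatch(r"-?\d+ (.+)", line)):
            ver["sources"].append(m[1])                              # "<priority> <origin>"
    return pkgs

def forced_downgrades(pkgs):
    """Flag packages whose installed version exists only in the dpkg status file while
    a candidate with priority >= 1000 sits below it (assumption: table is newest first)."""
    hits = []
    for name, p in pkgs.items():
        order, inst, cand = list(p["versions"]), p["installed"], p["candidate"]
        if inst not in order or cand not in order or inst == cand:
            continue
        local_only = p["versions"][inst]["sources"] == ["/var/lib/dpkg/status"]
        older = order.index(cand) > order.index(inst)
        if local_only and older and p["versions"][cand]["priority"] >= 1000:
            hits.append((name, inst, cand, p["versions"][cand]["sources"]))
    return hits

if __name__ == "__main__":
    print(forced_downgrades(parse_policy(SAMPLE)))
```

On a Debian host, `dpkg --compare-versions` gives the authoritative version ordering if you prefer not to rely on the table order.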