author: Sam James <sam@gentoo.org> 2024-07-01 10:59:36 +0100
committer: Sam James <sam@gentoo.org> 2024-07-01 11:22:02 +0100
commit: b9aab3ef968b7a6d58fa215223d116b98af7d399 (patch)
tree: bb7314edc600718705130ae6a493d745818caa1c /net-misc
parent: net-misc/openssh: backport CVE-2024-6387 fix to 9.6_p1-r5, 9.7_p1-r6 (diff)
net-misc/openssh: restart sshd on major version upgrades
openssh-9.8_p1 again breaks cross-version compatibility, meaning that a running sshd with 9.7_p1 will no longer be able to accept connections after upgrading to 9.8_p1.

We tried doing a news item on this in the past (bug #709748) and it ended up being insufficient and poorly coordinated (as you really need it again when stabling).

Nobody is going to thank us for leaving their sshd broken, so pick the lesser evil and attempt to restart sshd on major version upgrades.

This is especially important as people may be racing to upgrade to 9.8_p1 for the CVE-2024-6387 fix (although we have backported a fix to older versions).

I also note there's precedent here with e.g. the systemd rebuild where it's done to avoid immediate breakage of user sessions.

Thanks to kerframil who proposed a snippet for this some time ago whose work I've lifted here.

Bug: https://bugs.gentoo.org/709748
Bug: https://bugs.gentoo.org/935271
Signed-off-by: Sam James <sam@gentoo.org>
Diffstat (limited to 'net-misc')
-rw-r--r-- net-misc/openssh/openssh-9.8_p1-r1.ebuild (renamed from net-misc/openssh/openssh-9.8_p1.ebuild) | 33
1 files changed, 33 insertions, 0 deletions
diff --git a/net-misc/openssh/openssh-9.8_p1.ebuild b/net-misc/openssh/openssh-9.8_p1-r1.ebuild
index 4d382b9b6ac6..9a15dd231570 100644
--- a/net-misc/openssh/openssh-9.8_p1.ebuild
+++ b/net-misc/openssh/openssh-9.8_p1-r1.ebuild
@@ -395,4 +395,37 @@ pkg_postinst() {
elog "no longer support dss/rsa/ecdsa keys. You will need to generate ed25519 keys"
elog "and update all clients/servers that utilize them."
fi
+
+ openssh_maybe_restart
+}
+
+openssh_maybe_restart() {
+ local ver
+ declare -a versions
+ read -ra versions <<<"${REPLACING_VERSIONS}"
+ for ver in "${versions[@]}"; do
+ # Exclude 9.8_p1 because it didn't have the safety check
+ [[ ${ver} == 9.8_p1 ]] && break
+
+ if [[ ${ver%_*} == "${PV%_*}" ]]; then
+ # No major version change has occurred
+ return
+ fi
+ done
+
+ if [[ ${ROOT} ]]; then
+ return
+ elif [[ -d /run/systemd/system ]] && sshd -t >/dev/null 2>&1; then
+ ewarn "The ebuild will now attempt to restart OpenSSH to avoid"
+ ewarn "bricking the running instance. See bug #709748."
+ ebegin "Attempting to restart openssh via 'systemctl try-restart sshd'"
+ systemctl try-restart sshd
+ eend $?
+ elif [[ -d /run/openrc ]]; then
+ ewarn "The ebuild will now attempt to restart OpenSSH to avoid"
+ ewarn "bricking the running instance. See bug #709748."
+ ebegin "Attempting to restart openssh via 'rc-service -q --ifstarted --nodeps sshd restart'"
+ rc-service -q --ifstarted --nodeps sshd restart
+ eend $?
+ fi
}
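Review bot: The `sshd -t` configuration check guards only the systemd branch (`elif [[ -d /run/systemd/system ]] && sshd -t >/dev/null 2>&1`); the OpenRC branch runs `rc-service -q --ifstarted --nodeps sshd restart` unconditionally, so a config that the new 9.8_p1 binary rejects would stop the running daemon and fail to start the new one, which is exactly the remote lockout this change is meant to avoid. Hoisting the check above the init-system branches, e.g. `if ! sshd -t >/dev/null 2>&1; then ewarn "..."; return; fi`, applies it to both paths. Relatedly, when `sshd -t` fails the systemd path currently returns silently, so the admin never learns that no restart happened and the old, now-broken daemon is still serving; an `ewarn` telling them to fix the config and restart sshd manually would close that gap.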