
Bug#1061556: marked as done (bullseye-pu: package dropbear/2020.81-3+deb11u1)



Your message dated Sat, 10 Feb 2024 13:02:58 +0000
with message-id <E1rYn0U-002xtG-Su@coccia.debian.org>
and subject line Released with 11.9
has caused the Debian Bug report #1061556,
regarding bullseye-pu: package dropbear/2020.81-3+deb11u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1061556: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1061556
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: dropbear@packages.debian.org
Control: affects -1 + src:dropbear

[ Reason ]

dropbear 2020.81-3 is vulnerable to CVE-2021-36369 and CVE-2023-48795
(terrapin attack).

The security team argued these issues didn't warrant a CVE, and
suggested to go via s-pu instead.

[ Impact ]

Bullseye users will remain vulnerable to CVE-2021-36369 and
CVE-2023-48795.  For the latter, details about what that entails have
been discussed on the upstream bug tracker at
https://github.com/mkj/dropbear/issues/270 , where one of the terrapin
finders wrote that

| While it is true that not sending server-sig-algs does not prevent the
| client from trying SHA2-based RSA signatures, we observed the suggested
| behavior (preferring SHA-1 over SHA-2 when server-sig-algs is missing)
| in a wide variety of SSH clients.  Also, the order of algorithms in
| server-sig-algs is used by some clients in case multiple private keys
| are present, potentially leading to downgrades as well.
|
| However, we do not consider this application of the Terrapin attack to
| have a significant impact.  Instead, our main concern is the combination
| of Terrapin with implementation bugs, as seen in AsyncSSH.  We evaluated
| only a handful of SSH implementations, where one already allowed for
| in-session man-in-the-middle attacks.  Given the wide variety of SSH
| implementations, one can estimate with sufficient probability that other
| implementations face similar issues.

[ Tests ]

I manually checked the updated dropbear SSHd/dbclient against the
Terrapin scanner, and also the new -oDisableTrivialAuth=yes option on
the client.

[ Risks ]

Risk is low: all patches come from upstream and applied cleanly.

[ Checklist ]

  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]

  * Add option -oDisableTrivialAuth=yes to mitigate CVE-2021-36369.
  * Implement Strict KEX mode to fix CVE-2023-48795 (terrapin attack).
  * d/t/on-lvm-and-luks: Target bullseye not sid.
  * d/t/on-lvm-and-luks: Bump disk image size to 4G as the previous size was
    too small for bullseye-security updates (kernel etc.).
  * Salsa CI: Target bullseye and disable lintian job.

-- 
Guilhem.
diffstat for dropbear-2020.81 dropbear-2020.81

 changelog                    |   18 +++
 patches/CVE-2021-36369.patch |  182 +++++++++++++++++++++++++++++++++
 patches/CVE-2023-48795.patch |  232 +++++++++++++++++++++++++++++++++++++++++++
 patches/series               |    2 
 salsa-ci.yml                 |    8 +
 tests/on-lvm-and-luks        |   16 +-
 6 files changed, 448 insertions(+), 10 deletions(-)

diff -Nru dropbear-2020.81/debian/changelog dropbear-2020.81/debian/changelog
--- dropbear-2020.81/debian/changelog	2021-01-14 21:14:26.000000000 +0100
+++ dropbear-2020.81/debian/changelog	2024-01-26 12:00:26.000000000 +0100
@@ -1,3 +1,21 @@
+dropbear (2020.81-3+deb11u1) bullseye; urgency=medium
+
+  * Fix CVE-2021-36369: Due to a non-RFC-compliant check of the available
+    authentication methods in the client-side SSH code, it is possible for an
+    SSH server to change the login process in its favor.
+  * Fix CVE-2023-48795 (terrapin attack): The SSH transport protocol with
+    certain OpenSSH extensions allows remote attackers to bypass integrity
+    checks such that some packets are omitted (from the extension negotiation
+    message), and a client and server may consequently end up with a
+    connection for which some security features have been downgraded or
+    disabled, aka a Terrapin attack. (Closes: #1059001)
+  * d/t/on-lvm-and-luks: Target bullseye not sid.
+  * d/t/on-lvm-and-luks: Bump disk image size to 4G as the previous size was
+    too small for bullseye-security updates (kernel etc.).
+  * Salsa CI: Target bullseye and disable lintian job.
+
+ -- Guilhem Moulin <guilhem@debian.org>  Fri, 26 Jan 2024 12:00:26 +0100
+
 dropbear (2020.81-3) unstable; urgency=medium
 
   * Initramfs: Use 10 placeholders in ~root template.
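
Review bot: The first changelog bullet says "Fix CVE-2021-36369", which overstates what ships: the accompanying patch is titled "Added option to disable trivial auth methods" and initialises cli_opts.disable_trivial_auth to 0, so dbclient behaves as before unless -oDisableTrivialAuth=yes is passed. Wording the entry as "Add option -oDisableTrivialAuth=yes to mitigate CVE-2021-36369", as the request text itself does, would tell bullseye users that they have to opt in.
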
diff -Nru dropbear-2020.81/debian/patches/CVE-2021-36369.patch dropbear-2020.81/debian/patches/CVE-2021-36369.patch
--- dropbear-2020.81/debian/patches/CVE-2021-36369.patch	1970-01-01 01:00:00.000000000 +0100
+++ dropbear-2020.81/debian/patches/CVE-2021-36369.patch	2024-01-26 12:00:26.000000000 +0100
@@ -0,0 +1,182 @@
+From: Manfred Kaiser <37737811+manfred-kaiser@users.noreply.github.com>
+Date: Thu, 19 Aug 2021 17:37:14 +0200
+Subject: Added option to disable trivial auth methods
+
+* added option to disable trivial auth methods
+
+* rename argument to match with other ssh clients
+
+* fixed trivial auth detection for pubkeys
+
+Origin: https://github.com/mkj/dropbear/commit/210a9833496ed2a93b8da93924874938127ce0b5
+Origin: https://github.com/mkj/dropbear/commit/b2b94acc97254c7fffcb375120eea26c42c65292
+Bug: https://github.com/mkj/dropbear/pull/128
+Debian-Bug: https://security-tracker.debian.org/tracker/CVE-2021-36369
+---
+ cli-auth.c         |  3 +++
+ cli-authinteract.c |  1 +
+ cli-authpasswd.c   |  2 +-
+ cli-authpubkey.c   |  1 +
+ cli-runopts.c      |  7 +++++++
+ cli-session.c      |  1 +
+ dbclient.1         | 20 +++++++++++++++++++-
+ runopts.h          |  1 +
+ session.h          |  1 +
+ 9 files changed, 35 insertions(+), 2 deletions(-)
+
+diff --git a/cli-auth.c b/cli-auth.c
+index 2e509e5..6f04495 100644
+--- a/cli-auth.c
++++ b/cli-auth.c
+@@ -267,6 +267,9 @@ void recv_msg_userauth_success() {
+ 	if DROPBEAR_CLI_IMMEDIATE_AUTH is set */
+ 
+ 	TRACE(("received msg_userauth_success"))
++	if (cli_opts.disable_trivial_auth && cli_ses.is_trivial_auth) {
++		dropbear_exit("trivial authentication not allowed");
++	}
+ 	/* Note: in delayed-zlib mode, setting authdone here 
+ 	 * will enable compression in the transport layer */
+ 	ses.authstate.authdone = 1;
+diff --git a/cli-authinteract.c b/cli-authinteract.c
+index e1cc9a1..f7128ee 100644
+--- a/cli-authinteract.c
++++ b/cli-authinteract.c
+@@ -114,6 +114,7 @@ void recv_msg_userauth_info_request() {
+ 	m_free(instruction);
+ 
+ 	for (i = 0; i < num_prompts; i++) {
++		cli_ses.is_trivial_auth = 0;
+ 		unsigned int response_len = 0;
+ 		prompt = buf_getstring(ses.payload, NULL);
+ 		cleantext(prompt);
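
Review bot: In the for loop of recv_msg_userauth_info_request(), the new statement cli_ses.is_trivial_auth = 0; is placed ahead of the declaration unsigned int response_len = 0; in the same block, which warns under -Wdeclaration-after-statement and fails on strict C89 compilers. Move the assignment below the declaration, or set it once before the loop when num_prompts is non-zero; either way, add a comment that a request carrying zero prompts deliberately leaves the flag at 1.
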
+diff --git a/cli-authpasswd.c b/cli-authpasswd.c
+index 00fdd8b..a24d43e 100644
+--- a/cli-authpasswd.c
++++ b/cli-authpasswd.c
+@@ -155,7 +155,7 @@ void cli_auth_password() {
+ 
+ 	encrypt_packet();
+ 	m_burn(password, strlen(password));
+-
++	cli_ses.is_trivial_auth = 0;
+ 	TRACE(("leave cli_auth_password"))
+ }
+ #endif	/* DROPBEAR_CLI_PASSWORD_AUTH */
+diff --git a/cli-authpubkey.c b/cli-authpubkey.c
+index 42c4e3f..fa01807 100644
+--- a/cli-authpubkey.c
++++ b/cli-authpubkey.c
+@@ -176,6 +176,7 @@ static void send_msg_userauth_pubkey(sign_key *key, enum signature_type sigtype,
+ 		buf_putbytes(sigbuf, ses.writepayload->data, ses.writepayload->len);
+ 		cli_buf_put_sign(ses.writepayload, key, sigtype, sigbuf);
+ 		buf_free(sigbuf); /* Nothing confidential in the buffer */
++		cli_ses.is_trivial_auth = 0;
+ 	}
+ 
+ 	encrypt_packet();
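
Review bot: The assignment cli_ses.is_trivial_auth = 0; after buf_free(sigbuf) needs a comment explaining why it lives inside the signing block, since a public-key request sent without a signature leaves the flag at 1. The commit message only says "fixed trivial auth detection for pubkeys"; a one-line note that only a signed request counts as real authentication would keep a later refactor from moving the assignment out of the block.
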
+diff --git a/cli-runopts.c b/cli-runopts.c
+index 3654b9a..255b47e 100644
+--- a/cli-runopts.c
++++ b/cli-runopts.c
+@@ -152,6 +152,7 @@ void cli_getopts(int argc, char ** argv) {
+ #if DROPBEAR_CLI_ANYTCPFWD
+ 	cli_opts.exit_on_fwd_failure = 0;
+ #endif
++	cli_opts.disable_trivial_auth = 0;
+ #if DROPBEAR_CLI_LOCALTCPFWD
+ 	cli_opts.localfwds = list_new();
+ 	opts.listen_fwd_all = 0;
+@@ -889,6 +890,7 @@ static void add_extendedopt(const char* origstr) {
+ #if DROPBEAR_CLI_ANYTCPFWD
+ 			"\tExitOnForwardFailure\n"
+ #endif
++			"\tDisableTrivialAuth\n"
+ #ifndef DISABLE_SYSLOG
+ 			"\tUseSyslog\n"
+ #endif
+@@ -916,5 +918,10 @@ static void add_extendedopt(const char* origstr) {
+ 		return;
+ 	}
+ 
++	if (match_extendedopt(&optstr, "DisableTrivialAuth") == DROPBEAR_SUCCESS) {
++		cli_opts.disable_trivial_auth = parse_flag_value(optstr);
++		return;
++	}
++
+ 	dropbear_log(LOG_WARNING, "Ignoring unknown configuration option '%s'", origstr);
+ }
+diff --git a/cli-session.c b/cli-session.c
+index 5e5af22..afb54a1 100644
+--- a/cli-session.c
++++ b/cli-session.c
+@@ -165,6 +165,7 @@ static void cli_session_init(pid_t proxy_cmd_pid) {
+ 	/* Auth */
+ 	cli_ses.lastprivkey = NULL;
+ 	cli_ses.lastauthtype = 0;
++	cli_ses.is_trivial_auth = 1;
+ 
+ 	/* For printing "remote host closed" for the user */
+ 	ses.remoteclosed = cli_remoteclosed;
+diff --git a/dbclient.1 b/dbclient.1
+index 1516e7c..0f6828a 100644
+--- a/dbclient.1
++++ b/dbclient.1
+@@ -94,7 +94,18 @@ is performed at all, this is usually undesirable.
+ .B \-A
+ Forward agent connections to the remote host. dbclient will use any
+ OpenSSH-style agent program if available ($SSH_AUTH_SOCK will be set) for
+-public key authentication.  Forwarding is only enabled if -A is specified.
++public key authentication.  Forwarding is only enabled if \fI-A\fR is specified.
++
++Beware that a forwarded agent connection will allow the remote server to have
++the same authentication credentials as you have used locally. A compromised
++remote server could use that to log in to other servers. 
++
++In many situations Dropbear's multi-hop mode is a better and more secure alternative
++to agent forwarding, avoiding having to trust the intermediate server.
++
++If the SSH agent program is set to prompt when a key is used, the 
++\fI-o DisableTrivialAuth\fR option can prevent UI confusion.
++
+ .TP
+ .B \-W \fIwindowsize
+ Specify the per-channel receive window buffer size. Increasing this 
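
Review bot: The added agent-forwarding text writes the options as \fI-A\fR and \fI-o DisableTrivialAuth\fR with a bare hyphen, while the surrounding entries use the escaped form (.B \-A, .B \-W); use \- there as well so the rendered page shows a real minus sign. Two of the added lines also end in trailing whitespace (after "other servers." and after "is used, the").
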
+@@ -153,6 +164,13 @@ Specifies whether dbclient should terminate the connection if it cannot set up a
+ .TP
+ .B UseSyslog
+ Send dbclient log messages to syslog in addition to stderr.
++.TP
++.B DisableTrivialAuth
++Disallow a server immediately
++giving successful authentication (without presenting any password/pubkey prompt).
++This avoids a UI confusion issue where it may appear that the user is accepting
++a SSH agent prompt from their local machine, but are actually accepting a prompt
++sent immediately by the remote server. 
+ .RE
+ .TP
+ .B \-s 
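
Review bot: The new DisableTrivialAuth entry does not state its default, yet cli-runopts.c initialises the option to 0, so a reader cannot tell from the man page that the protection is off unless requested; add a sentence saying it is disabled by default. Two wording fixes in the same paragraph: "a SSH agent prompt" should be "an SSH agent prompt", and "the user is accepting ... but are actually accepting" should be "but is actually accepting".
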
+diff --git a/runopts.h b/runopts.h
+index 6a4a94c..01201d2 100644
+--- a/runopts.h
++++ b/runopts.h
+@@ -159,6 +159,7 @@ typedef struct cli_runopts {
+ #if DROPBEAR_CLI_ANYTCPFWD
+ 	int exit_on_fwd_failure;
+ #endif
++	int disable_trivial_auth;
+ #if DROPBEAR_CLI_REMOTETCPFWD
+ 	m_list * remotefwds;
+ #endif
+diff --git a/session.h b/session.h
+index fb5b8cb..6706592 100644
+--- a/session.h
++++ b/session.h
+@@ -316,6 +316,7 @@ struct clientsession {
+ 
+ 	int lastauthtype; /* either AUTH_TYPE_PUBKEY or AUTH_TYPE_PASSWORD,
+ 						 for the last type of auth we tried */
++	int is_trivial_auth;
+ 	int ignore_next_auth_response;
+ #if DROPBEAR_CLI_INTERACT_AUTH
+ 	int auth_interact_failed; /* flag whether interactive auth can still
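
Review bot: The new field int is_trivial_auth; in struct clientsession has no comment, while lastauthtype above it and auth_interact_failed below it both do. Document its meaning and lifecycle, for example that it starts at 1 in cli_session_init() and is cleared once a password, a public-key signature or a keyboard-interactive prompt has been handled.
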
diff -Nru dropbear-2020.81/debian/patches/CVE-2023-48795.patch dropbear-2020.81/debian/patches/CVE-2023-48795.patch
--- dropbear-2020.81/debian/patches/CVE-2023-48795.patch	1970-01-01 01:00:00.000000000 +0100
+++ dropbear-2020.81/debian/patches/CVE-2023-48795.patch	2024-01-26 12:00:26.000000000 +0100
@@ -0,0 +1,232 @@
+From: Matt Johnston <matt@ucc.asn.au>
+Date: Mon, 20 Nov 2023 14:02:47 +0800
+Subject: Implement Strict KEX mode
+
+As specified by OpenSSH with kex-strict-c-v00@openssh.com and
+kex-strict-s-v00@openssh.com.
+
+Origin: https://github.com/mkj/dropbear/commit/6e43be5c7b99dbee49dc72b6f989f29fdd7e9356
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2023-48795
+Bug-Debian: https://bugs.debian.org/1059001
+---
+ cli-session.c    | 11 +++++++++++
+ common-algo.c    |  6 ++++++
+ common-kex.c     | 26 +++++++++++++++++++++++++-
+ kex.h            |  3 +++
+ process-packet.c | 34 +++++++++++++++++++---------------
+ ssh.h            |  4 ++++
+ svr-session.c    |  3 +++
+ 7 files changed, 71 insertions(+), 16 deletions(-)
+
+diff --git a/cli-session.c b/cli-session.c
+index afb54a1..a2e4e3f 100644
+--- a/cli-session.c
++++ b/cli-session.c
+@@ -46,6 +46,7 @@ static void cli_finished(void) ATTRIB_NORETURN;
+ static void recv_msg_service_accept(void);
+ static void cli_session_cleanup(void);
+ static void recv_msg_global_request_cli(void);
++static void cli_algos_initialise(void);
+ 
+ struct clientsession cli_ses; /* GLOBAL */
+ 
+@@ -114,6 +115,7 @@ void cli_session(int sock_in, int sock_out, struct dropbear_progress_connection
+ 	}
+ 
+ 	chaninitialise(cli_chantypes);
++	cli_algos_initialise();
+ 
+ 	/* Set up cli_ses vars */
+ 	cli_session_init(proxy_cmd_pid);
+@@ -473,3 +475,12 @@ void cli_dropbear_log(int priority, const char* format, va_list param) {
+ 	fflush(stderr);
+ }
+ 
++static void cli_algos_initialise(void) {
++	algo_type *algo;
++	for (algo = sshkex; algo->name; algo++) {
++		if (strcmp(algo->name, SSH_STRICT_KEX_S) == 0) {
++			algo->usable = 0;
++		}
++	}
++}
++
+diff --git a/common-algo.c b/common-algo.c
+index f3961c2..c71b52c 100644
+--- a/common-algo.c
++++ b/common-algo.c
+@@ -332,6 +332,12 @@ algo_type sshkex[] = {
+ 	/* Set unusable by svr_algos_initialise() */
+ 	{SSH_EXT_INFO_C, 0, NULL, 1, NULL},
+ #endif
++#endif
++#if DROPBEAR_CLIENT
++	{SSH_STRICT_KEX_C, 0, NULL, 1, NULL},
++#endif
++#if DROPBEAR_SERVER
++	{SSH_STRICT_KEX_S, 0, NULL, 1, NULL},
+ #endif
+ 	{NULL, 0, NULL, 0, NULL}
+ };
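
Review bot: The two new sshkex entries are added without any comment, whereas the SSH_EXT_INFO_C entry directly above carries "Set unusable by svr_algos_initialise()". Add the matching comments here (SSH_STRICT_KEX_C is set unusable by svr_algos_initialise(), SSH_STRICT_KEX_S by cli_algos_initialise()) and say that these names are negotiation markers with no key exchange implementation behind them, so a later change does not drop the usable = 0 step.
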
+diff --git a/common-kex.c b/common-kex.c
+index 39d916b..e041348 100644
+--- a/common-kex.c
++++ b/common-kex.c
+@@ -183,6 +183,10 @@ void send_msg_newkeys() {
+ 	gen_new_keys();
+ 	switch_keys();
+ 
++	if (ses.kexstate.strict_kex) {
++		ses.transseq = 0;
++	}
++
+ 	TRACE(("leave send_msg_newkeys"))
+ }
+ 
+@@ -193,7 +197,11 @@ void recv_msg_newkeys() {
+ 
+ 	ses.kexstate.recvnewkeys = 1;
+ 	switch_keys();
+-	
++
++	if (ses.kexstate.strict_kex) {
++		ses.recvseq = 0;
++	}
++
+ 	TRACE(("leave recv_msg_newkeys"))
+ }
+ 
+@@ -551,6 +559,10 @@ void recv_msg_kexinit() {
+ 
+ 	ses.kexstate.recvkexinit = 1;
+ 
++	if (ses.kexstate.strict_kex && !ses.kexstate.donefirstkex && ses.recvseq != 1) {
++		dropbear_exit("First packet wasn't kexinit");
++	}
++
+ 	TRACE(("leave recv_msg_kexinit"))
+ }
+ 
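
Review bot: The test ses.recvseq != 1 in recv_msg_kexinit() relies on an unexplained constant. Add a comment stating why the peer's first packet is expected to be seen with recvseq equal to 1 rather than 0 at this point, since the correctness of the "First packet wasn't kexinit" check depends on exactly when the counter is incremented relative to this handler.
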
+@@ -861,6 +873,18 @@ static void read_kex_algos() {
+ 	}
+ #endif
+ 
++	if (!ses.kexstate.donefirstkex) {
++		const char* strict_name;
++		if (IS_DROPBEAR_CLIENT) {
++			strict_name = SSH_STRICT_KEX_S;
++		} else {
++			strict_name = SSH_STRICT_KEX_C;
++		}
++		if (buf_has_algo(ses.payload, strict_name) == DROPBEAR_SUCCESS) {
++			ses.kexstate.strict_kex = 1;
++		}
++	}
++
+ 	algo = buf_match_algo(ses.payload, sshkex, kexguess2, &goodguess);
+ 	allgood &= goodguess;
+ 	if (algo == NULL || algo->data == NULL) {
+diff --git a/kex.h b/kex.h
+index 77cf21a..7fcc3c2 100644
+--- a/kex.h
++++ b/kex.h
+@@ -83,6 +83,9 @@ struct KEXState {
+ 
+ 	unsigned our_first_follows_matches : 1;
+ 
++	/* Boolean indicating that strict kex mode is in use */
++	unsigned int strict_kex;
++
+ 	time_t lastkextime; /* time of the last kex */
+ 	unsigned int datatrans; /* data transmitted since last kex */
+ 	unsigned int datarecv; /* data received since last kex */
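
Review bot: strict_kex is declared as a full unsigned int although its comment calls it a boolean and the flag just above it, our_first_follows_matches, is a one-bit field. Declaring it as unsigned int strict_kex : 1; would match the neighbouring flag; if the full-width type is deliberate, say so in the comment.
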
+diff --git a/process-packet.c b/process-packet.c
+index 9454160..133a152 100644
+--- a/process-packet.c
++++ b/process-packet.c
+@@ -44,6 +44,7 @@ void process_packet() {
+ 
+ 	unsigned char type;
+ 	unsigned int i;
++	unsigned int first_strict_kex = ses.kexstate.strict_kex && !ses.kexstate.donefirstkex;
+ 	time_t now;
+ 
+ 	TRACE2(("enter process_packet"))
+@@ -54,22 +55,24 @@ void process_packet() {
+ 	now = monotonic_now();
+ 	ses.last_packet_time_keepalive_recv = now;
+ 
+-	/* These packets we can receive at any time */
+-	switch(type) {
+ 
+-		case SSH_MSG_IGNORE:
+-			goto out;
+-		case SSH_MSG_DEBUG:
+-			goto out;
++	if (type == SSH_MSG_DISCONNECT) {
++		/* Allowed at any time */
++		dropbear_close("Disconnect received");
++	}
+ 
+-		case SSH_MSG_UNIMPLEMENTED:
+-			/* debugging XXX */
+-			TRACE(("SSH_MSG_UNIMPLEMENTED"))
+-			goto out;
+-			
+-		case SSH_MSG_DISCONNECT:
+-			/* TODO cleanup? */
+-			dropbear_close("Disconnect received");
++	/* These packets may be received at any time,
++	   except during first kex with strict kex */
++	if (!first_strict_kex) {
++		switch(type) {
++			case SSH_MSG_IGNORE:
++				goto out;
++			case SSH_MSG_DEBUG:
++				goto out;
++			case SSH_MSG_UNIMPLEMENTED:
++				TRACE(("SSH_MSG_UNIMPLEMENTED"))
++				goto out;
++		}
+ 	}
+ 
+ 	/* Ignore these packet types so that keepalives don't interfere with
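
Review bot: When first_strict_kex is set, SSH_MSG_IGNORE, SSH_MSG_DEBUG and SSH_MSG_UNIMPLEMENTED now skip the switch and fall through to the code below, with nothing here indicating what happens to them. Reject them explicitly at this point, or at least add a comment naming the later check that terminates the session, so that the strict KEX guarantee can be verified without reading the rest of process_packet(). The rewrite also leaves two consecutive blank lines after the last_packet_time_keepalive_recv assignment.
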
+@@ -98,7 +101,8 @@ void process_packet() {
+ 			if (type >= 1 && type <= 49
+ 				&& type != SSH_MSG_SERVICE_REQUEST
+ 				&& type != SSH_MSG_SERVICE_ACCEPT
+-				&& type != SSH_MSG_KEXINIT)
++				&& type != SSH_MSG_KEXINIT
++				&& !first_strict_kex)
+ 			{
+ 				TRACE(("unknown allowed packet during kexinit"))
+ 				recv_unimplemented();
+diff --git a/ssh.h b/ssh.h
+index ee4a960..44acd51 100644
+--- a/ssh.h
++++ b/ssh.h
+@@ -100,6 +100,10 @@
+ #define SSH_EXT_INFO_C "ext-info-c"
+ #define SSH_SERVER_SIG_ALGS "server-sig-algs"
+ 
++/* OpenSSH strict KEX feature */
++#define SSH_STRICT_KEX_S "kex-strict-s-v00@openssh.com"
++#define SSH_STRICT_KEX_C "kex-strict-c-v00@openssh.com"
++
+ /* service types */
+ #define SSH_SERVICE_USERAUTH "ssh-userauth"
+ #define SSH_SERVICE_USERAUTH_LEN 12
+diff --git a/svr-session.c b/svr-session.c
+index 6c3147f..ca2178c 100644
+--- a/svr-session.c
++++ b/svr-session.c
+@@ -342,6 +342,9 @@ static void svr_algos_initialise(void) {
+ 			algo->usable = 0;
+ 		}
+ #endif
++		if (strcmp(algo->name, SSH_STRICT_KEX_C) == 0) {
++			algo->usable = 0;
++		}
+ 	}
+ }
+ 
diff -Nru dropbear-2020.81/debian/patches/series dropbear-2020.81/debian/patches/series
--- dropbear-2020.81/debian/patches/series	2021-01-14 21:14:26.000000000 +0100
+++ dropbear-2020.81/debian/patches/series	2024-01-26 12:00:26.000000000 +0100
@@ -1 +1,3 @@
 local-options.patch
+CVE-2021-36369.patch
+CVE-2023-48795.patch
diff -Nru dropbear-2020.81/debian/salsa-ci.yml dropbear-2020.81/debian/salsa-ci.yml
--- dropbear-2020.81/debian/salsa-ci.yml	2021-01-14 21:14:26.000000000 +0100
+++ dropbear-2020.81/debian/salsa-ci.yml	2024-01-26 12:00:26.000000000 +0100
@@ -1,4 +1,8 @@
 ---
 include:
-  - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml
-  - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml
+  - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/recipes/debian.yml
+
+variables:
+  RELEASE: 'bullseye'
+  SALSA_CI_DISABLE_REPROTEST: 1
+  SALSA_CI_DISABLE_LINTIAN: 1
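
Review bot: SALSA_CI_DISABLE_REPROTEST: 1 is not covered by the changelog, which only says "Salsa CI: Target bullseye and disable lintian job". Either mention the reprotest job in d/changelog or drop the variable, since the request checklist states that all changes are documented there.
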
diff -Nru dropbear-2020.81/debian/tests/on-lvm-and-luks dropbear-2020.81/debian/tests/on-lvm-and-luks
--- dropbear-2020.81/debian/tests/on-lvm-and-luks	2021-01-14 21:14:26.000000000 +0100
+++ dropbear-2020.81/debian/tests/on-lvm-and-luks	2024-01-26 12:00:26.000000000 +0100
@@ -88,12 +88,12 @@
 	--customize-hook='echo host > "$1/etc/hostname"' \
 	--customize-hook='echo "127.0.0.1 localhost host" > "$1/etc/hosts"' \
 	--customize-hook='echo "/dev/vda1 / auto errors=remount-ro 0 1" > "$1/etc/fstab"' \
-	unstable debian-unstable-setup.tar
+	bullseye debian-bullseye-setup.tar
 
 # we prepare a second tarball now instead of later inside qemu because
 # running mmdebstrap without kvm just wastes cpu cycles
 crypt_pkgs="$common_pkgs,mount,console-setup,cryptsetup-initramfs,dropbear-initramfs,grub2"
-mmdebstrap --mode=$MODE --variant=apt --include=$crypt_pkgs unstable debian-unstable-crypt.tar
+mmdebstrap --mode=$MODE --variant=apt --include=$crypt_pkgs bullseye debian-bullseye-crypt.tar
 
 # extlinux config to boot from /dev/vda1 with predictable network interface
 # naming and a serial console for logging
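
Review bot: The suite name is hard-coded as bullseye in the mmdebstrap arguments and in both tarball names in this hunk, and the same file names recur in the later hunks (tar-in, copy-in, tar -xf and the cleanup loop). A single variable near the top of the script, used for both the suite and the file names, would turn the next retargeting into a one-line change and remove the risk of missing one occurrence.
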
@@ -139,13 +139,13 @@
 	part-disk /dev/sda mbr : \
 	mkfs ext2 /dev/sda1 : \
 	mount /dev/sda1 / : \
-	tar-in debian-unstable-setup.tar / : \
+	tar-in debian-bullseye-setup.tar / : \
 	mkdir /root/.ssh : \
 	upload id_rsa.pub /root/.ssh/authorized_keys : \
 	chown 0 0 /root/.ssh/authorized_keys : \
 	copy-in extlinux.conf / : \
 	copy-in interfaces /etc/network : \
-	copy-in debian-unstable-crypt.tar / : \
+	copy-in debian-bullseye-crypt.tar / : \
 	upload /usr/lib/SYSLINUX/mbr.bin /mbr.bin : \
 	copy-file-to-device /mbr.bin /dev/sda size:440 : \
 	rm /mbr.bin : \
@@ -156,7 +156,7 @@
 	shutdown
 
 # an empty disk image for the crypt system
-fallocate -l 2G crypt.img
+fallocate -l 4G crypt.img
 
 # certain qemu options remain the same for when we run the setup system as well
 # as the crypt system
@@ -291,7 +291,7 @@
 mkswap /dev/myvg/swap
 swapon /dev/myvg/swap
 # A volume group for the system
-lvcreate --name root --size 1G myvg
+lvcreate --name root --size 3G myvg
 # Create ext4 filesystem on the root volume group and ext2 for /boot
 mkfs.ext4 /dev/myvg/root
 mkfs.ext2 /dev/vdb2
@@ -305,7 +305,7 @@
 mount /dev/myvg/root /mnt
 
 # ...and unpack the tarball we created initially into it
-tar -C /mnt -xf /debian-unstable-crypt.tar
+tar -C /mnt -xf /debian-bullseye-crypt.tar
 
 # Set grub defaults
 # The ip option takes care of acquiring an ip address from dhcp for the
@@ -471,6 +471,6 @@
 trap - EXIT
 
 # remove all temporary files
-for f in crypt.img setup.img debian-unstable-setup.tar debian-unstable-crypt.tar extlinux.conf id_rsa id_rsa.pub interfaces qemu1.log qemu2.log; do
+for f in crypt.img setup.img debian-bullseye-setup.tar debian-bullseye-crypt.tar extlinux.conf id_rsa id_rsa.pub interfaces qemu1.log qemu2.log; do
 	rm "$f"
 done



--- End Message ---
--- Begin Message ---
Version: 11.9

The upload requested in this bug has been released as part of 11.9.

--- End Message ---
