Kapitel 5. Problemområden att känna till för utgåvan stretch

Innehållsförteckning

5.1. Upgrade specific items for Stretch
5.1.1. Late mounting of /usr is no longer supported
5.1.2. FTP access to Debian hosted mirrors will be removed
5.1.3. Noteworthy obsolete packages
5.1.4. Deprecated components for Stretch
5.1.5. Things to do post upgrade before rebooting
5.1.6. Executables are now compiled as position independent executables (PIE) by default
5.1.7. Most LSB compatibility packages have been removed
5.2. Limitations in security support
5.2.1. Säkerhetsläget för webbläsare
5.2.2. Lack of security support for the ecosystem around libv8 and Node.js
5.3. Package specific issues
5.3.1. Older ciphers and SSH1 protocol disabled in OpenSSH by default
5.3.2. Possible backwards incompatible changes to APT
5.3.3. The Xorg server is no longer setuid root by default
5.3.4. Upstart removed
5.3.5. HP mv2120
5.3.6. The debhelper tool now generates dbgsym packages by default
5.3.7. OpenSSL related changes
5.3.8. Perl changes that may break third-party software
5.3.9. PostgreSQL PL/Perl incompatibility
5.3.10. net-tools will be deprecated in favor of iproute2

Ibland innebär förändringar i en ny utgåva att sidoeffekter vi inte kunnat undvika uppstår, i vissa fall skapas nya fel någon annanstans. Här dokumenterar vi problem som vi känner till. Vänligen läs ävan erratan, dokumentationen för aktuella paket, felrapporter och annan information som nämns i Avsnitt 6.1, ”Ytterligare läsning”.

5.1. Upgrade specific items for Stretch

This section covers items related to the upgrade from Jessie to Stretch

5.1.1. Late mounting of /usr is no longer supported

[Notera]Notera

This section only applies to systems using a custom kernel, where /usr is on a separate mount point from /. If you use the kernel packages provided by Debian, you are unaffected by this issue.

Mounting of /usr using only tools found in / is no longer supported. This has only worked for a few specific configurations in the past, and now they are explicitly unsupported.

This means that for stretch all systems where /usr is a separate partition need to use an initramfs generator that will mount /usr. All initramfs generators in Stretch do so.

5.1.2. FTP access to Debian hosted mirrors will be removed

Debian hosted mirrors will stop providing FTP access. If you have been using the ftp protocol in your sources.list, please migrate to http. Please consider the following example for migrating:

deb http://deb.debian.org/debian          stretch         main
deb http://deb.debian.org/debian-security stretch/updates main

# tor variant (requires apt-transport-tor)
# deb  tor+http://vwakviie2ienjx6t.onion/debian          stretch            main
# deb  tor+http://sgvtcaew4bxjd7ln.onion/debian-security stretch/updates    main

The above examples do not include non-free and contrib. Please remember to include these if you require those components enabled.

For more information, please refer to the announcement: Shutting down public FTP services.

5.1.3. Noteworthy obsolete packages

The following is a list of known and noteworthy obsolete packages (see Avsnitt 4.8, ”Föråldrade paket” for a description).

The list of obsolete packages includes:

5.1.4. Deprecated components for Stretch

With the next release of Debian 10 (codenamed Buster) some features will be deprecated. Users will need to migrate to other alternatives to prevent trouble when updating to 10.

This includes the following features:

  • TODO: Add items if any

5.1.5. Things to do post upgrade before rebooting

When apt-get dist-upgrade has finished, the formal upgrade is complete, but there are some other things that should be taken care of before the next reboot.


      add list of items here
      
    

5.1.6. Executables are now compiled as position independent executables (PIE) by default

By default, the GNU GCC 6 compiler provided by Debian stretch will compile all executables as position independent. This provides a mitigation for an entire class of vulnerabilities.

Unfortunately, the Linux kernel provided in Debian 8 (up to 8.7) has an issue that can cause some programs compiled as position independent executables to crash with a non-descriptive issue like segmentation fault. This issue is solved in the linux version provided in 8.8 (version 3.16.43 or later) and in the kernel provided in Debian 9 (version 4.9 or later).

We recommend that you upgrade your kernel to a fixed version and then reboot before starting the upgrade to stretch. If you are running the kernel Debian 8.8 or newer, you are not affected by this issue.

If you are running an affected version of the kernel during the upgrade, we highly recommend that you perform a reboot into the stretch kernel right after the upgrade to avoid hitting this

5.1.6.1. Behaviour changes of PIE for system administrators and developers

[Notera]Notera

This section is mainly intended for developers or system administrators. Desktop users are unlikely to be affected by this section.

The above also leads to some changes that are worth being aware of.

  • The file tool (among other) will classify such binaries as "shared object" rather than an "executable". If you have filters based on binary files, these may need to be updated (e.g. spamfilters).

  • Static libraries being compiled into an executable now also need to be compiled as position independent code. The following error message from the linker is a symptom of this:

    relocation ... against '[SYMBOL]' can not be used when making a shared object; recompile with -fPIC
    

  • Historically, position independent executables have been associated with performance loss on some hardware. Notably the Debian architecture i386 (32-bit Intel machines). While GCC 5 and GCC 6 have greatly improved performance for position independent executables on 32-bit Intel, this optimisation may not be applicable to all architectures. Please consider evaluating the performance of your code if you are targetting machine architectures with very limited number of registers.

5.1.7. Most LSB compatibility packages have been removed

Due to lack of interest and testability, Debian has removed the vast majority of the Linux Standard Base (LSB) compatibility packages.

Debian will still provide a selected few key LSB utilities used internally and externally, such as lsb-release and the sysvinit init functions in lsb-base. Furthermore, Debian is still firmly standing by the Filesystem Hierarchy Standard (FHS) version 2.3 with the minor alterations described in the Debian Policy Manual.

5.2. Limitations in security support

There are some packages where Debian cannot promise to provide minimal backports for security issues. These are covered in the following subsections.

Note that the package debian-security-support helps to track security support status of installed packages.

5.2.1. Säkerhetsläget för webbläsare

Debian 9 innehåller flera webbläsarmotorer som påverkas av en strid ström av säkerhetshål. Den stora mängden fel och den partiella bristen på stöd uppströms i form av långsiktiga utvecklingsgrenar gör det mycket svårt att ha stöd för dessa webbläsare med bakåtporterade säkerhetslagningar. Dessutom gör biblioteksberoenden det omöjligt att uppdatera dessa till nyare versioner. Webbläsare utvecklade på webkit, qtwebkit- och khtml-motorerna ingår i Stretch men täcks inte av säkerhetsstödet. Dessa webbläsare ska inte användas tillsammans med webbplatser du inte litar på.

För generell webbsurfning rekommenderar vi Firefox eller Chromium.

Chromium - while built upon the Webkit codebase - is a leaf package, which will be kept up-to-date by rebuilding the current Chromium releases for stable. Firefox and Thunderbird will also be kept up-to-date by rebuilding the current ESR releases for stable.

5.2.2. Lack of security support for the ecosystem around libv8 and Node.js

The Node.js platform is built on top of libv8-3.14, which experiences a high volume of security issues, but there are currently no volunteers within the project or the security team sufficiently interested and willing to spend the large amount of time required to stem those incoming issues.

Unfortunately, this means that libv8-3.14, nodejs, and the associated node-* package ecosystem should not currently be used with untrusted content, such as unsanitized data from the Internet.

In addition, these packages will not receive any security updates during the lifetime of the Stretch release.

5.3. Package specific issues

In most cases, packages should upgrade smoothly between Jessie and Stretch. There are a small number of cases where some intervention may be required, either before or during the upgrade; these are detailed below on a per-package basis.

5.3.1. Older ciphers and SSH1 protocol disabled in OpenSSH by default

The OpenSSH 7 release has disabled some older ciphers and the SSH1 protocol by default. Please be careful when upgrading machines, where you only have SSH access.

Please refer to the OpenSSH documentation for more information.

5.3.2. Possible backwards incompatible changes to APT

This section covers some of the incompatible changes to APT that may affect your system.

5.3.2.1. APT now fetches files with an unprivileged user ("_apt")

APT will now attempt to discard all root privileges before fetching files from mirrors. APT can detect some common cases where this will fail and fallback to fetching things as root with a warning. However, it may fail to detect some exotic setups (e.g. uid-specific firewall rules).

If you experience issues with this feature, please change to the "_apt" user and check that it:

  • has read access to files in /var/lib/apt/lists and /var/cache/apt/archives.

  • has read access to the APT trust store (/etc/apt/trusted.gpg and /etc/apt/trusted.gpg.d/)

  • can resolve DNS names and download files. Example methods for testing:

    # From the dnsutils package (if using tor, please check with tor-resolve instead).
    $ nslookup debian.org >/dev/null || echo "Cannot resolve debian.org"
    $ wget -q https://debian.org/ -O- > /dev/null || echo "Cannot download index page of debian.org"
    

    For DNS issues, please check that /etc/resolv.conf is readable.

5.3.2.2. New APT pinning engine

APT 1.1 introduced a new pinning engine that now matches the description in the manual page.

The old engine assigned one pin priority per package, the new one assigns pin priorities per version. It then picks the version with the highest pin that is not a downgrade or that has a pin > 1000.

This changes the effect of some pins, especially negative ones. Previously, pinning a version to -1 effectively prevented the package from being installed (the package pin was -1), it now only prevents the version of this package from being installed.

5.3.2.3. New requirements for APT repository

[Notera]Notera

This section only applies if you have (or intend to use) third-party repositories enabled or if you maintain an APT repository.

To improve the download stability and ensure security of the downloaded content, APT now requires the following from an APT repository:

  • The InRelease file must be available

  • All metadata must include at least SHA256 checksums of all items. This includes the gpg signature of the InRelease file.

  • Signatures on the InRelease file should be done with a key at the size of 2048 bit or larger.

If you rely on a third-party repository that cannot comply with the above, please urge them to upgrade their repository. More information about the InRelease file can be found on the Debian Wiki.

5.3.3. The Xorg server is no longer setuid root by default

[Notera]Notera

This change only applies if your X Display Manager supports running X as rootless (or if you start X manually via startx). Currently the only known display manager supporting this is gdm. Other display managers simply start X as root regardless of this change.

This reduces the risk of privilege escalation via bugs in the X server. However, it has some requirements for working:

  • It needs logind and libpam-systemd.

  • It needs a kernel video driver (as Xorg cannot talk directly to the hardware anymore).

  • It needs to run on the virtual console it was started from.

When run as a regular user, the Xorg log will be available from ~/.local/share/xorg/.

If these requirements are not possible, please install the xserver-xorg-legacy package to reinstate the setuid Xorg.

5.3.4. Upstart removed

Due to the lack of upstream maintainers, the Upstart init system has been removed from Stretch. If your system relies on this package, you should note that it will not be updated during the lifetime of Debian 9, and starting from Debian 10 (Buster), upstart jobs could be removed from packages.

Please consider switching to a supported init system, like systemd or openrc.

5.3.5. HP mv2120

The default u-boot settings from HP no longer work with Debian Stretch. Before you can upgrade to Debian 9, you have to change some settings in the u-boot configuration. The new settings are compatible with Debian 8 and Debian 9, so it's recommended to make the changes before the upgrade. If you have serial console access to the mv2120, you can run some commands in u-boot. Simply interrupt the boot process by pressing a key and type the following:

      setenv loadAddr 0x0600000
      setenv bootcmd 'bootext2 0,1:1,2 0x0600000 /boot/uImage /dev/sda /dev/sdb'
      saveenv
    

If you don't have a serial console, you can make the changes from within Debian. Run the following commands:

      cat > /etc/fw_env.config <<EOF
      /dev/mtd0           0x00000         0x1000     0x20000
     EOF
  
     fw_setenv loadAddr 0x0600000
     fw_setenv bootcmd "bootext2 0,1:1,2 0x0600000 /boot/uImage /dev/sda /dev/sdb"
    

This creates a config file so the u-boot environment can be modified and uses fw_setenv to update two boot variables.

Please note that Debian 9 will be the last release to support the HP mv2120.

5.3.6. The debhelper tool now generates dbgsym packages by default

[Notera]Notera

This section is mainly intended for developers or organizations that build their own debian packages.

The debhelper tool suite will now generate "dbgsym" packages by default for ELF binaries. If you develop and package binaries, please check that your tooling supports these extra auto-generated packages.

If you use reprepro, you want to upgrade it to at least version 4.17.0. For aptly, you will need at least version 1.0.0, which is unfortunately not available in Debian stretch.

Should your tooling be unable to cope with these gracefully, you can ask debhelper to disable this feature by adding "noautodbgsym" in the DEB_BUILD_OPTIONS variable of your build service. Please see the dh_strip manpage for more information

5.3.7. OpenSSL related changes

The openssl application expects option arguments before non-option arguments. For example, this does not work anymore:

openssl dsaparam 2048 -out file

while this still does:

openssl dsaparam -out file 2048

The openssl enc command changed the default digest (used to create the key from passphrase) from MD5 to SHA256. The digest can be specified with the -md option in case old files need to be decrypted with newer openssl (or the other way around).

The 3DES and RC4 ciphers are no longer available for TLS/SSL communication. Servers linked against openssl can't offer them and clients can't connect to servers which offer only those. This means that openssl and Windows XP share no common cipher.

The package libssl-dev provides header files to compile against openssl 1.1.0. The API changed a lot and it is possible that the software won't compile anymore. There is an overview of the changes. If you can't update your software, there is also libssl1.0-dev which provides headers against openssl 1.0.2.

5.3.8. Perl changes that may break third-party software

[Notera]Notera

This section applies to code maintained outside Debian 9 - local, third-party or legacy Perl scripts and modules.

  • Some modules have been removed from Perl core and are now shipped in separate packages. Notable examples are CGI, available in the libcgi-pm-perl package, and Module::Build, available in the libmodule-build-perl package.

  • The current working directory (.) has been removed from the default list of include directories, @INC. This may affect usage of require(), do() etc., where the arguments are files in the current directory.

  • The full list of changes in Perl since the version in Debian 8 is available in perl522delta and perl524delta.

5.3.9. PostgreSQL PL/Perl incompatibility

The PostgreSQL PL/Perl procedural language package in jessie is incompatible with the Perl version in stretch. The postgresql-plperl-9.4 package will be removed during the update, rendering server-side Perl procedures dysfunctional. Upgrading to PostgreSQL 9.6 should be unaffected, the procedures will work in the new PostgreSQL cluster if the postgresql-plperl-9.6 package is installed. If unsure, take a backup of your PostgreSQL 9.4 clusters before upgrading to stretch.

5.3.10. net-tools will be deprecated in favor of iproute2

The net-tools package is no longer part of new installations by default, since it's priority has been lowered from important to optional. Users are instead advised to use the modern iproute2 toolset (which has been part of new installs for several releases already). If you still prefer to continue using the net-tools programs you can simply install it via

apt install net-tools

Here is a summary of the net-tools commands, together with their iproute2 equivalent:

legacy net-tools commandsiproute2 replacement commands
arpip n (ip neighbor)
ifconfigip a (ip addr), ip link, ip -s (ip -stats)
iptunnelip tunnel
nameifip link
netstatss, ip route (for netstat -r), ip -s link (for netstat -i), ip maddr (for netstat -g)
routeip r (ip route)