Chapitre 5. Problèmes à connaître pour Jessie

Table des matières

5.1. État de sécurité des navigateurs web
5.2. Puppet 2.7 / 3.7 compatibility
5.3. PHP 5.6 upgrade has behavioural changes
5.4. Stricter handling of failing mounts during boot
5.5. Manual migration of disks encrypted with LUKS whirlpool (non-standard setup)

Parfois, des changements ont des effets de bord que nous ne pouvons pas raisonnablement éviter sans nous exposer à des bogues à un autre endroit. Cette section documente les problèmes que nous connaissons. Veuillez également lire l'errata, la documentation des paquets concernés, les rapports de bogues et les autres sources d'informations mentionnées en Section 6.1, « Lectures pour aller plus loin ».

5.1. État de sécurité des navigateurs web

Debian 8 inclut plusieurs moteurs de navigateur web qui sont affectés par un flot continu de vulnérabilités de sécurité. Ce taux élevé de vulnérabilités ainsi que le manque partiel de prise en charge amont sous la forme de branches maintenues à long terme rendent difficiles les corrections de sécurité rétroportées. De plus, les interdépendances des bibliothèques rendent impossible la mise à niveau vers une nouvelle version. Par conséquent les navigateurs basés sur les moteurs webkit, qtwebkit et khtml sont inclus dans Jessie mais ne sont pas couverts par une prise en charge complète de la sécurité. Ces navigateurs ne devraient pas être utilisés sur des sites web non fiables.

Pour un usage général de navigation web, nous recommandons les navigateurs basés sur le moteur xulrunner de Mozilla (Iceweasel et Iceape) et Chromium.

Chromium - while built upon the Webkit codebase - is a leaf package, which will be kept up-to-date by rebuilding the current Chromium releases for stable. Iceweasel, Iceape and Icedove will also be kept up-to-date by rebuilding the current ESR releases for stable.

5.2. Puppet 2.7 / 3.7 compatibility

If you are using Puppet, please be aware that Puppet 3.7 is not backwards compatible with Puppet 2.7. Among other things, the scoping rules have changed and many deprecated constructs have been removed.

It is recommended that you check the log files of the puppetmaster for deprecation warnings and resolve all of these before proceeding with the upgrade. Alternatively, testing the manifests with a tool like Puppet catelog test may also find potential issues prior to the upgrade.

When upgrading a Puppet managed system from wheezy to jessie, you must ensure that the corresponding puppetmaster runs at least Puppet version 3.7. If the master is running wheezy's puppetmaster, the managed jessie system will not be able to connect to it.

For more information on incompatability changes, please have a look at Telly upgrade issues and "The Angry Guide to Puppet 3"

5.3. PHP 5.6 upgrade has behavioural changes

The upgrade to Jessie includes an upgrade of PHP from 5.4 to 5.6. This may affect any local PHP scripts and you are advised to check those scripts before upgrading. Below are a selected subset of these issues:

  • To prevent man-in-the-middle attacks against encrypted transfers client streams now verify peer certificates by default.

    As a result of this change, existing code using ssl:// or tls:// stream wrappers (e.g. file_get_contents(), fsockopen(), stream_socket_client()) may no longer connect successfully without manually disabling peer verification via the stream context's "verify_peer" setting.

    For more information about this particular issue, please read this document

  • PHP changes the handling of caseinsenstive in many cases:

    • All internal case insensitivity handling for class, function and constant names is done according to ASCII rules. Current locale settings are ignored.

    • The keywords "self", "parent" and "static" are now always case insensitive.

    • The json_decode() function no longer accepts non-lowercase variants of "boolean" values.

  • The logo GUID functions (e.g. php_logo_guid()) have been removed.

  • It is no longer possible to overwrite keys in static scalar arrays. Please see PHP bug 66015 for an example and more information about this particular issue.

  • The mcrypt_encrypt(), mcrypt_decrypt() and mcrypt_{MODE}() functions no longer accept keys or IVs with incorrect sizes. Furthermore an IV is now required if the used block cipher mode requires it.

For more information or the full list of potential issues, please have a look at upstream's list of backwards incompatible changes for PHP 5.5 and 5.6.

5.4. Stricter handling of failing mounts during boot

The systemd init system has a stricter handling of failing "auto" mounts during boot compared to sysvinit. If it fails to mount an "auto" mount (without the "nofail" option), SystemD will drop to an emergency shell rather than continuing the boot.

We recommend that all removable or "optional" mount points (e.g. non-critical network drives) listed in /etc/fstab either have the "noauto" or the "nofail" option.

5.5. Manual migration of disks encrypted with LUKS whirlpool (non-standard setup)


This section is only for people have set up such disks themselves. The debian-installer never supported creating such disks.

If you have manually setup an encrypted disk with LUKS whirlpool, you will need to migrate it manually to a stronger hash. You can check if your disk is using whirlpool by using the following command:

    # /sbin/cryptsetup luksDump <disk-device> | grep -i whirlpool

For more information on migrating, please see item "8.3 Gcrypt 1.6.x and later break Whirlpool" of the cryptsetup FAQ.


If you have such a disk, cryptsetup will refuse to decrypt it by default. If your rootdisk or other system disks (e.g. /usr) are encrypted with whirlpool, you should migrate them prior to the first reboot after upgrading cryptsetup.