The following packages will be DOWNGRADED
On Ubuntu 18.04.5 LTS (server) with LAMP stack I got a prompt to confirm package degradation:
The following packages will be DOWNGRADED:
libssl1.1 openssl
This two packages are:
dpkg --list "libssl*"
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
+++-==============================-====================-====================-==================================================================
ii libssl1.0.0:amd64 1.0.2n-1ubuntu5.6 amd64 Secure Sockets Layer toolkit - shared libraries
ii libssl1.1:amd64 1.1.1j-1+ubuntu18.04 amd64 Secure Sockets Layer toolkit - shared libraries
dpkg --list "openssl*"
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
+++-==============================-====================-====================-==================================================================
ii openssl 1.1.1j-1+ubuntu18.04 amd64 Secure Sockets Layer toolkit - cryptographic utility
un openssl-blacklist <none> <none> (no description available)
It seems like I cannot proceed with regular apt-get upgrade
and not to choose to downgrade this pkgs.
My question is: is there a way to configure apt not to enforce this degradation / how?
Special thanks to answer that will clarify if this degradation is perhaps a sane decision (I doubt that, but still) and how to find which component might be responsible for this.
EDIT: apt policy per pkgs output:
apt policy libssl1.1 openssl
libssl1.1:
Installed: 1.1.1j-1+ubuntu18.04.1+deb.sury.org+3
Candidate: 1.1.1-1ubuntu2.1~18.04.8
Version table:
*** 1.1.1j-1+ubuntu18.04.1+deb.sury.org+3 100
100 /var/lib/dpkg/status
1.1.1-1ubuntu2.1~18.04.8 1000
500 http://rs.archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages
500 http://rs.archive.ubuntu.com/ubuntu bionic-security/main amd64 Packages
1.1.0g-2ubuntu4 1000
500 http://rs.archive.ubuntu.com/ubuntu bionic/main amd64 Packages
openssl:
Installed: 1.1.1j-1+ubuntu18.04.1+deb.sury.org+3
Candidate: 1.1.1-1ubuntu2.1~18.04.8
Version table:
*** 1.1.1j-1+ubuntu18.04.1+deb.sury.org+3 100
100 /var/lib/dpkg/status
1.1.1-1ubuntu2.1~18.04.8 1000
500 http://rs.archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages
500 http://rs.archive.ubuntu.com/ubuntu bionic-security/main amd64 Packages
1.1.0g-2ubuntu4 1000
500 http://rs.archive.ubuntu.com/ubuntu bionic/main amd64 Packages
You installed openssl from another source than the Ubuntu 18.04 repositories(?) or have held back openssl and your installed version does not include an important security patch. The 18.04 version then gets priority over your version regardless of the version number.
Please add to the question results of
apt policy libssl1.1 openssl
That will show more information about the packages. Including where it came from :)
Accept the package downgrade. It will install improved version over the one you use now.
From https://www.patreon.com/posts/enforced-openssl-48703169:
custom src:openssl packages were introduced to upgrade the cryptographic functions for PHP, Apache2 and NGINX, but the situation have improved greatly since.
With Ubuntu 16.04 LTS reaching end-of-life in about 2 weeks (April 2021), the openssl packages can now be "downgraded" to the version provided by the distribution. Run apt upgrade --allow-downgrades
to proceed.
I thought I'd expand on @M1ke's comment on Roger Dueck's response: This message is typical if you've got your system configured to use additional repositories which may include OpenSSL + related packages; these may not be as up-to-date as they should be despite superficially higher version numbers in their package identifiers.
The link Roger posted gives a bit more detail; from there: "The custom src:openssl packages were introduced to upgrade the cryptographic functions for PHP, Apache2 and NGINX". Note that that article is written by Ondřej Surý, the very person who provides the additional repositories used by many Ubuntu users for PHP / Apache / nginx. Ondřej points to a page where he provides more detail (esp. if that's the repository you're using).
Personally I tend to use apt-get upgrade --dry-run
before any upgrade; this is helpful to show you what's going on (apt policy
as suggested by @Rinzwind does the same in more detail): Here's the output from one system prior to the requested 'downgrade',
# apt-get upgrade --dry-run
[...snip...]
The following packages will be DOWNGRADED:
libssl-dev libssl1.1 openssl
0 upgraded, 0 newly installed, 3 downgraded, 0 to remove and 12 not upgraded.
Inst libssl-dev [1.1.1i-1+ubuntu18.04.1+deb.sury.org+4] (1.1.1-1ubuntu2.1~18.04.9 Ubuntu:18.04/bionic-updates, Ubuntu:18.04/bionic-security [amd64]) []
Inst libssl1.1 [1.1.1i-1+ubuntu18.04.1+deb.sury.org+4] (1.1.1-1ubuntu2.1~18.04.9 Ubuntu:18.04/bionic-updates, Ubuntu:18.04/bionic-security [amd64])
Inst openssl [1.1.1i-1+ubuntu18.04.1+deb.sury.org+4] (1.1.1-1ubuntu2.1~18.04.9 Ubuntu:18.04/bionic-updates, Ubuntu:18.04/bionic-security [amd64])
[...snip...]
in particular note the currently-installed package name: 1.1.1i-1+ubuntu18.04.1+deb.sury.org+4
which helpfully includes deb.sury.org
to indicate where it's likely to have come from (in this case Ondřej Surý's repo as mentioned above), and the replacement package name 1.1.1-1ubuntu2.1~18.04.9
and repo (main Ubuntu repos).
Once I'm comfortable with the changes proposed I re-run the apt-get upgrade
without the --dry-run
flag to actually do the upgrade.