Comment 15 for bug 1979244

Also, the recommended advice does not work/apply. Adding this to /etc/apt/apt.conf does not relieve the problem (I tried all these permutations, since apt_preferences(5) is not clear what syntax is truly wanted, and web searches turn up varying opinions depending on if you're using Update Manager or not, alongside questioning why there is a Never and an Always, re: tri-state switch):

Update-Manager::Always-Include-Phased-Updates "0";
Update-Manager::Always-Include-Phased-Updates "False";
Update-Manager::Always-Include-Phased-Updates False;
Update-Manager::Never-Include-Phased-Updates "1";
Update-Manager::Never-Include-Phased-Updates "True";
Update-Manager::Never-Include-Phased-Updates True;
APT::Get::Always-Include-Phased-Updates "0";
APT::Get::Always-Include-Phased-Updates "False";
APT::Get::Always-Include-Phased-Updates False;
APT::Get::Never-Include-Phased-Updates "1";
APT::Get::Never-Include-Phased-Updates "True";
APT::Get::Never-Include-Phased-Updates True;

I believe the answer is easily overlooked in the initial post from juliank: "Note that this does not apply to fresh package installs".

Next, I tried the other workaround, by force-pinning a version. Note that the original recommendation was "apt install libssl-dev=3.0.2-0ubuntu1.4", which will not work; "apt install libssl3=3.0.2-0ubuntu1.4" did work (understandably) -- except not really.

Forced pinning get us no further than before, because package libssl-dev explicitly depends on a specific version of libssl3 (note equals, not greater-than-equals or tilde):

# dpkg -l | grep libssl3
ii libssl3:amd64 3.0.2-0ubuntu1.4 amd64 Secure Sockets Layer toolkit - shared libraries

# apt-get install libmysqlclient-dev
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Some packages could not be installed. This may mean that you have
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.
The following information may help to resolve the situation:

The following packages have unmet dependencies:
 libssl-dev : Depends: libssl3 (= 3.0.2-0ubuntu1.1) but 3.0.2-0ubuntu1.4 is to be installed
E: Unable to correct problems, you have held broken packages.

# apt-cache show libssl-dev
...
Depends: libssl3 (= 3.0.2-0ubuntu1)
...

So either libssl-dev needs to be updated alongside this, and somehow these two packages (libssl-dev and libssl3) need to be "tied together" when it comes to phased updates (I don't even know if that's possible), or there is further packaging work (version bumping) that needs to happen.

Additionally, I suspect what all this implies is that phased updates were enabled by default on the latest AWS AMI when it was made by Canonical, and now there is (effectively) no way to "opt out" of them. This is not a good system, folks. Please CC whoever is responsible for this model so they can witness real-world failure of it (and how getting out of this situation doesn't seem possible).