Debian User Forums

Skip to content

Not every security advisory mentioned on debian.org?

If none of the more specific forums is the right place to ask
Post a reply

Not every security advisory mentioned on debian.org?

Postby Dingir » 2017-05-19 15:34

Hello,

recently (2017-05-17) I noticed that login and passwd have been updated (login:amd64 1:4.2-3+deb8u4, passwd:amd64 1:4.2-3+deb8u4), but this doesn't seem to be mentioned on debian.org or debian.org/security.

Noticed such behaviour since several years that not all security advisories seem to be posted/mentioned. But why is that? Security advisories for login and passwd are critical per se, and I am kinda worried if this would not be mentioned on debian.org/security.

Thanks for any enlightenment; and sorry if this is mentioned somewhere, but I didn't find any information in the Debian security FAQ or with a search engine.
Dingir
 
Posts: 2
Joined: 2017-05-19 15:07
Top

Re: Not every security advisory mentioned on debian.org?

Postby bdtc1 » 2017-05-20 01:50

I've been wondering the same.
bdtc1
 
Posts: 42
Joined: 2015-01-22 09:00
Top

Re: Not every security advisory mentioned on debian.org?

Postby debiantu » 2017-05-24 13:07

I'm wondering about this too!

When I checked the history.log file in /var/log/apt, I do see the following:

Start-Date: 2017-05-17 13:32:42
Commandline: apt upgrade
Upgrade: passwd:amd64 (4.2-3+deb8u3, 4.2-3+deb8u4), login:amd64 (4.2-3+deb8u3, 4.2-3+deb8u4)
End-Date: 2017-05-17 13:33:06

So why doesn't security.debian.org list this?

Cheers!
debiantu
 
Posts: 18
Joined: 2017-03-18 22:41
Top

Re: Not every security advisory mentioned on debian.org?

Postby pcalvert » 2017-05-25 06:03

I've also noticed the same thing. Out of curiosity, I went to look at the change logs for those two packages.

https://packages.debian.org/jessie/login
https://packages.debian.org/jessie/passwd

The link to the change log is under "Debian Resources" on the right-hand side of the page. For both packages, the link to the change log is a dead link. The "Debian Patch Tracker" link is also dead.

Phil
“Property is the fruit of labor; property is desirable; it is a positive good
in the world. That some should be rich shows that others may become
rich, and hence is just encouragement to industry and enterprise.”
— Abraham Lincoln
pcalvert
 
Posts: 1861
Joined: 2006-04-21 11:19
Location: Sol Sector
Top

Re: Not every security advisory mentioned on debian.org?

Postby dilberts_left_nut » 2017-05-25 08:35

https://lists.debian.org/debian-securit ... 00114.html

It was simply a bugfix for the patch for a previous DSA (here https://www.debian.org/security/2017/dsa-3793) so probably isn't a separate one by itself - and is against the shadow source package rather than the binary packages produced from it.
AdrianTM wrote:There's no hacker in my grandma...
User avatar
dilberts_left_nut
 
Posts: 5020
Joined: 2009-10-05 07:54
Location: enzed
Top

Re: Not every security advisory mentioned on debian.org?

Postby Thorny » 2017-05-25 11:24

pcalvert wrote:I've also noticed the same thing. Out of curiosity, I went to look at the change logs for those two packages.

If you still have the curiosity, you can read the changelogs for Debian on those packages you have upgraded on your system at:

/usr/share/doc/passwd/changelog.Debian.gz

/usr/share/doc/login/changelog.Debian.gz
User avatar
Thorny
 
Posts: 542
Joined: 2011-02-27 13:40
Top

Re: Not every security advisory mentioned on debian.org?

Postby Dingir » 2017-05-30 18:22

Thanks a lot for the clarification! :)
Dingir
 
Posts: 2
Joined: 2017-05-19 15:07
Top
Post a reply

Return to General Questions

Who is online

Users browsing this forum: No registered users and 13 guests

fashionable
Powered by phpBB® Forum Software © phpBB Group