Not every security advisory mentioned on debian.org?


Postby Dingir » 2017-05-19 15:34

Hello,

recently (2017-05-17) I noticed that login and passwd have been updated (login:amd64 1:4.2-3+deb8u4, passwd:amd64 1:4.2-3+deb8u4), but this doesn't seem to be mentioned on debian.org or debian.org/security.

I have noticed for several years that not all security advisories seem to be posted/mentioned. But why is that? Security advisories for login and passwd are critical per se, and I am kinda worried if this would not be mentioned on debian.org/security.

Thanks for any enlightenment; and sorry if this is mentioned somewhere, but I didn't find any information in the Debian security FAQ or with a search engine.
Dingir
 
Posts: 2
Joined: 2017-05-19 15:07

Re: Not every security advisory mentioned on debian.org?

Postby bdtc1 » 2017-05-20 01:50

I've been wondering the same.
bdtc1
 
Posts: 25
Joined: 2015-01-22 09:00

Re: Not every security advisory mentioned on debian.org?

Postby debiantu » 2017-05-24 13:07

I'm wondering about this too!

When I checked the history.log file in /var/log/apt, I do see the following:

Start-Date: 2017-05-17 13:32:42
Commandline: apt upgrade
Upgrade: passwd:amd64 (4.2-3+deb8u3, 4.2-3+deb8u4), login:amd64 (4.2-3+deb8u3, 4.2-3+deb8u4)
End-Date: 2017-05-17 13:33:06

So why doesn't security.debian.org list this?

Cheers!
debiantu
 
Posts: 17
Joined: 2017-03-18 22:41

Re: Not every security advisory mentioned on debian.org?

Postby pcalvert » 2017-05-25 06:03

I've also noticed the same thing. Out of curiosity, I went to look at the change logs for those two packages.

https://packages.debian.org/jessie/login
https://packages.debian.org/jessie/passwd

The link to the change log is under "Debian Resources" on the right-hand side of the page. For both packages, the link to the change log is a dead link. The "Debian Patch Tracker" link is also dead.

Phil
pcalvert
 
Posts: 1728
Joined: 2006-04-21 11:19
Location: Sol Sector

Re: Not every security advisory mentioned on debian.org?

Postby dilberts_left_nut » 2017-05-25 08:35

https://lists.debian.org/debian-securit ... 00114.html

It was simply a bugfix for the patch for a previous DSA (here https://www.debian.org/security/2017/dsa-3793) so probably isn't a separate one by itself - and is against the shadow source package rather than the binary packages produced from it.
AdrianTM wrote:There's no hacker in my grandma...
dilberts_left_nut
 
Posts: 4642
Joined: 2009-10-05 07:54
Location: enzed

Re: Not every security advisory mentioned on debian.org?

Postby Thorny » 2017-05-25 11:24

pcalvert wrote: I've also noticed the same thing. Out of curiosity, I went to look at the change logs for those two packages.

If you still have the curiosity, you can read the changelogs for Debian on those packages you have upgraded on your system at:

/usr/share/doc/passwd/changelog.Debian.gz

/usr/share/doc/login/changelog.Debian.gz
Thorny
 
Posts: 318
Joined: 2011-02-27 13:40
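
An added example, not part of any post in this thread: one way to connect the /var/log/apt/history.log stanza quoted above with the local changelog paths just mentioned, so that every upgrade can be checked against its Debian changelog even when no separate advisory page exists. The function names and the sample constant are hypothetical; the sample is constructed from the log lines quoted in the thread.

```python
import gzip
import os
import re

# Constructed sample: the history.log stanza quoted earlier in this thread.
SAMPLE_LOG = """\
Start-Date: 2017-05-17 13:32:42
Commandline: apt upgrade
Upgrade: passwd:amd64 (4.2-3+deb8u3, 4.2-3+deb8u4), login:amd64 (4.2-3+deb8u3, 4.2-3+deb8u4)
End-Date: 2017-05-17 13:33:06
"""

# One "name[:arch] (old, new)" item of an Upgrade: line.
ITEM = re.compile(r"([^\s:,]+)(?::([^\s,]+))? \(([^,()]+), ([^,()]+)\)")

def upgrades(log_text):
    """Return one dict per upgraded package, tagged with the stanza's Start-Date."""
    found, start = [], None
    for line in log_text.splitlines():
        key, _, value = line.partition(": ")
        if key == "Start-Date":
            start = value.strip()
        elif key == "Upgrade":
            for name, arch, old, new in ITEM.findall(value):
                found.append({
                    "date": start, "package": name, "arch": arch or None,
                    "old": old, "new": new,
                    "changelog": f"/usr/share/doc/{name}/changelog.Debian.gz",
                })
    return found

def newest_entry(changelog_path):
    """Return the top changelog stanza (up to its ' -- ' trailer), or None if absent."""
    if not os.path.exists(changelog_path):
        return None
    lines = []
    with gzip.open(changelog_path, "rt", encoding="utf-8", errors="replace") as fh:
        for line in fh:
            lines.append(line.rstrip("\n"))
            if line.startswith(" -- "):
                break
    return "\n".join(lines)

if __name__ == "__main__":
    log = "/var/log/apt/history.log"
    text = open(log).read() if os.path.exists(log) else SAMPLE_LOG
    for u in upgrades(text):
        print(u["date"], u["package"], u["old"], "->", u["new"])
        print(newest_entry(u["changelog"]) or f"  (no {u['changelog']} on this host)")
```

Run on the affected machine, it prints the newest changelog stanza for each upgraded package, which is where a follow-up fix to an earlier DSA is described.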

Re: Not every security advisory mentioned on debian.org?

Postby Dingir » 2017-05-30 18:22

Thanks a lot for the clarification! :)
Dingir
 
Posts: 2
Joined: 2017-05-19 15:07

