Not every security advisory mentioned on debian.org?

Dingir
Posts: 2
Joined: 2017-05-19 15:07

Not every security advisory mentioned on debian.org?

#1 Post by Dingir »

Hello,

recently (2017-05-17) I noticed that login and passwd have been updated (login:amd64 1:4.2-3+deb8u4, passwd:amd64 1:4.2-3+deb8u4), but this doesn't seem to be mentioned on debian.org or debian.org/security.

I have noticed for several years that not all security advisories seem to be posted/mentioned. But why is that? Security advisories for login and passwd are critical per se, and I am kinda worried if this would not be mentioned on debian.org/security.

Thanks for any enlightenment; and sorry if this is mentioned somewhere, but I didn't find any information in the Debian security FAQ or with a search engine.

bdtc1
Posts: 42
Joined: 2015-01-22 09:00

Re: Not every security advisory mentioned on debian.org?

#2 Post by bdtc1 »

I've been wondering the same.

debiantu
Posts: 18
Joined: 2017-03-18 22:41

Re: Not every security advisory mentioned on debian.org?

#3 Post by debiantu »

I'm wondering about this too!

When I checked the history.log file in /var/log/apt, I do see the following:

Start-Date: 2017-05-17 13:32:42
Commandline: apt upgrade
Upgrade: passwd:amd64 (4.2-3+deb8u3, 4.2-3+deb8u4), login:amd64 (4.2-3+deb8u3, 4.2-3+deb8u4)
End-Date: 2017-05-17 13:33:06

So why doesn't security.debian.org list this?

Cheers!

pcalvert
Posts: 1939
Joined: 2006-04-21 11:19
Location: Sol Sector
Has thanked: 1 time
Been thanked: 2 times

Re: Not every security advisory mentioned on debian.org?

#4 Post by pcalvert »

I've also noticed the same thing. Out of curiosity, I went to look at the change logs for those two packages.

https://packages.debian.org/jessie/login
https://packages.debian.org/jessie/passwd

The link to the change log is under "Debian Resources" on the right-hand side of the page. For both packages, the link to the change log is a dead link. The "Debian Patch Tracker" link is also dead.

Phil

dilberts_left_nut
Administrator
Posts: 5346
Joined: 2009-10-05 07:54
Location: enzed
Has thanked: 12 times
Been thanked: 66 times

Re: Not every security advisory mentioned on debian.org?

#5 Post by dilberts_left_nut »

https://lists.debian.org/debian-securit ... 00114.html

It was simply a bugfix for the patch for a previous DSA (here https://www.debian.org/security/2017/dsa-3793) so probably isn't a separate one by itself - and is against the shadow source package rather than the binary packages produced from it.

Thorny
Posts: 542
Joined: 2011-02-27 13:40

Re: Not every security advisory mentioned on debian.org?

#6 Post by Thorny »

pcalvert wrote: I've also noticed the same thing. Out of curiosity, I went to look at the change logs for those two packages.
If you still have the curiosity, you can read the changelogs for Debian on those packages you have upgraded on your system at:

/usr/share/doc/passwd/changelog.Debian.gz

/usr/share/doc/login/changelog.Debian.gz
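
The check described in the replies above, as an added example that is not part of any post in the thread: it takes the `Upgrade:` line from `/var/log/apt/history.log` and pulls the matching entries out of a package changelog, including the source package name the upload was made under. The function names and the changelog text are assumptions constructed for illustration; only the `Upgrade:` line and the version strings come from the thread.

```python
# Added example; helper names are hypothetical, not part of apt or dpkg.
import re

# history.log item: "name:arch (old, new)"; changelog header: "source (version) suite;"
UPGRADE_ITEM = re.compile(r"([^\s:,]+)(?::\w+)? \(([^,()]+), ([^,()]+)\)")
ENTRY_HEADER = re.compile(r"^(\S+) \(([^)]+)\) ([^;]+);")

def strip_epoch(version):  # "1:4.2-3" and "4.2-3" differ only by the epoch prefix
    return version.split(":", 1)[-1]

def parse_upgrades(history_text):
    """Return {package: (old, new)} from the Upgrade: lines of history.log."""
    upgrades = {}
    for line in history_text.splitlines():
        if line.startswith("Upgrade:"):
            upgrades.update((n, (o, v)) for n, o, v in UPGRADE_ITEM.findall(line))
    return upgrades

def entries_between(changelog_text, old, new):
    """Entries newer than `old` up to `new`; relies on newest-first order."""
    old, new = strip_epoch(old), strip_epoch(new)
    entries, collecting = [], False
    for line in changelog_text.splitlines():
        header = ENTRY_HEADER.match(line)
        if header:
            version = strip_epoch(header.group(2))
            if version == old:
                break  # reached the previously installed version
            collecting = collecting or version == new
            if collecting:
                entries.append({"source": header.group(1), "lines": [],
                                "version": header.group(2), "suite": header.group(3)})
        elif collecting and line.startswith("  "):  # body lines; skips " -- " trailer
            entries[-1]["lines"].append(line.strip())
    return entries

# Upgrade line as quoted in the thread; the changelog text is CONSTRUCTED.
HISTORY = ("Upgrade: passwd:amd64 (4.2-3+deb8u3, 4.2-3+deb8u4), "
           "login:amd64 (4.2-3+deb8u3, 4.2-3+deb8u4)")
SAMPLE = """shadow (1:4.2-3+deb8u4) jessie-security; urgency=high
  * constructed: follow-up fix to an earlier security patch
 -- Example Maintainer <m@example.org>  Thu, 01 Jan 1970 00:00:00 +0000
shadow (1:4.2-3+deb8u3) jessie-security; urgency=high
  * constructed: earlier security patch
 -- Example Maintainer <m@example.org>  Thu, 01 Jan 1970 00:00:00 +0000
"""

if __name__ == "__main__":
    print({p: entries_between(SAMPLE, *v) for p, v in parse_upgrades(HISTORY).items()})
```

On an installed system, pass the text read with `gzip.open("/usr/share/doc/passwd/changelog.Debian.gz", "rt")` in place of `SAMPLE`.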

Dingir
Posts: 2
Joined: 2017-05-19 15:07

Re: Not every security advisory mentioned on debian.org?

#7 Post by Dingir »

Thanks a lot for the clarification! :)
