Not every security advisory mentioned on debian.org?

Dingir
Posts: 2
Joined: 2017-05-19 15:07

#1 Post by Dingir »

Hello,

recently (2017-05-17) I noticed that login and passwd have been updated (login:amd64 1:4.2-3+deb8u4, passwd:amd64 1:4.2-3+deb8u4), but this doesn't seem to be mentioned on debian.org or debian.org/security.

I have noticed for several years that not all security advisories seem to be posted/mentioned. But why is that? Security advisories for login and passwd are critical per se, and I am kinda worried that this is not mentioned on debian.org/security.

Thanks for any enlightenment; and sorry if this is mentioned somewhere, but I didn't find any information in the Debian security FAQ or with a search engine.

bdtc1
Posts: 42
Joined: 2015-01-22 09:00

Re: Not every security advisory mentioned on debian.org?

#2 Post by bdtc1 »

I've been wondering the same.

debiantu
Posts: 18
Joined: 2017-03-18 22:41

Re: Not every security advisory mentioned on debian.org?

#3 Post by debiantu »

I'm wondering about this too!

When I checked the history.log file in /var/log/apt, I do see the following:

Start-Date: 2017-05-17 13:32:42
Commandline: apt upgrade
Upgrade: passwd:amd64 (4.2-3+deb8u3, 4.2-3+deb8u4), login:amd64 (4.2-3+deb8u3, 4.2-3+deb8u4)
End-Date: 2017-05-17 13:33:06

So why doesn't security.debian.org list this?

Cheers!

pcalvert
Posts: 1924
Joined: 2006-04-21 11:19
Location: Sol Sector

Re: Not every security advisory mentioned on debian.org?

#4 Post by pcalvert »

I've also noticed the same thing. Out of curiosity, I went to look at the change logs for those two packages.

https://packages.debian.org/jessie/login
https://packages.debian.org/jessie/passwd

The link to the change log is under "Debian Resources" on the right-hand side of the page. For both packages, the link to the change log is a dead link. The "Debian Patch Tracker" link is also dead.

Phil
“It is better to believe than to disbelieve; in doing so, it brings
everything into the realm of possibility.” — Albert Einstein

dilberts_left_nut
Posts: 5127
Joined: 2009-10-05 07:54
Location: enzed
Been thanked: 1 time

Re: Not every security advisory mentioned on debian.org?

#5 Post by dilberts_left_nut »

https://lists.debian.org/debian-securit ... 00114.html

It was simply a bugfix for the patch for a previous DSA (here https://www.debian.org/security/2017/dsa-3793) so probably isn't a separate one by itself - and is against the shadow source package rather than the binary packages produced from it.
AdrianTM wrote: There's no hacker in my grandma...

Thorny
Posts: 542
Joined: 2011-02-27 13:40

Re: Not every security advisory mentioned on debian.org?

#6 Post by Thorny »

pcalvert wrote: I've also noticed the same thing. Out of curiosity, I went to look at the change logs for those two packages.
If you still have the curiosity, you can read the changelogs for Debian on those packages you have upgraded on your system at:

/usr/share/doc/passwd/changelog.Debian.gz

/usr/share/doc/login/changelog.Debian.gz
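
Added example (not part of any post in this thread): shell functions that pair each upgrade recorded in /var/log/apt/history.log with the matching stanza of /usr/share/doc/<package>/changelog.Debian.gz, the two places named in posts #3 and #6. The function names and the demo's changelog text are constructed for illustration; the log lines are the ones quoted in post #3.

```shell
# Print "package old-version new-version" for each upgrade in history.log ($1).
list_upgrades() {
    awk '/^Upgrade: / {
        sub(/^Upgrade: /, "")
        n = split($0, items, /\), /)
        for (i = 1; i <= n; i++) {
            gsub(/[(),]/, "", items[i])      # "pkg:arch (old, new)" -> "pkg:arch old new"
            split(items[i], f, " ")
            print f[1], f[2], f[3]
        }
    }' "$1"
}

# Print the stanza for version $2 from the gzip-compressed changelog $1.
# Epochs ("1:") are ignored on both sides, since the log in the thread omits them.
changelog_entry() {
    gzip -dc "$1" | awk -v want="$2" '
        BEGIN { sub(/^[0-9]+:/, "", want) }
        /^[^ ]/ {                            # header: "source (version) dist; urgency=..."
            v = $2; gsub(/[()]/, "", v); sub(/^[0-9]+:/, "", v)
            show = (v "" == want "")         # force a string comparison
        }
        show'
}

# For every upgrade in history.log ($1), show the matching changelog stanza.
explain_upgrades() {                         # $2: doc root, default /usr/share/doc
    list_upgrades "$1" | while read -r pkg old new; do
        file="${2:-/usr/share/doc}/${pkg%%:*}/changelog.Debian.gz"
        echo "== $pkg: $old -> $new"
        if [ -r "$file" ]; then changelog_entry "$file" "$new"
        else echo "   (no changelog at $file)"; fi
    done
}

# Demo on constructed data: the log lines are those quoted in the thread,
# the changelog text is made up.
demo() {
    d=$(mktemp -d) && mkdir -p "$d/doc/passwd"
    printf '%s\n' 'Commandline: apt upgrade' \
        'Upgrade: passwd:amd64 (4.2-3+deb8u3, 4.2-3+deb8u4), login:amd64 (4.2-3+deb8u3, 4.2-3+deb8u4)' > "$d/history.log"
    printf '%s\n' 'shadow (1:4.2-3+deb8u4) jessie; urgency=medium' '' '  * Constructed: follow-up fix.' \
        '' 'shadow (1:4.2-3+deb8u3) jessie; urgency=medium' '' '  * Constructed: earlier fix.' |
        gzip -c > "$d/doc/passwd/changelog.Debian.gz"
    explain_upgrades "$d/history.log" "$d/doc"
    rm -rf "$d"
}
demo
```

On a real system, `explain_upgrades /var/log/apt/history.log` reads the installed changelogs directly; the stanza header names the source package the binary packages were built from.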

Dingir
Posts: 2
Joined: 2017-05-19 15:07

Re: Not every security advisory mentioned on debian.org?

#7 Post by Dingir »

Thanks a lot for the clarification! :)
