On 01/07/2022 07:24, Tixy wrote:
> On Fri, 2022-07-01 at 04:46 +0200, icedgorilla wrote:
> > [...] Is this some sort of Man in The Middle attack or is there an easy
> > explanation and a simple way to fix?
> > # apt changelog openssl
> > Err:1 https://metadata.ftp-master.debian.org openssl 1.1.1n-0+deb11u3 Changelog
> > Changelog unavailable for openssl=1.1.1n-0+deb11u3 (404 Not Found [IP:
> > 146.75.94.132 443])
> > E: Failed to fetch
> > https://metadata.ftp-master.debian.org/changelogs/main/o/openssl/openssl_1.1.1n-0%2bdeb11u3_changelog
> > Changelog unavailable for openssl=1.1.1n-0+deb11u3 (404 Not Found [IP:
> > 146.75.94.132 443])
> It just means that version isn't available in the repositories. If you
> get a list by pointing a web browser at the last directory in that URL
> (https://metadata.ftp-master.debian.org/changelogs/main/o/openssl/)
> you see 'u2' is the latest version.
> If you go to the package tracker at https://tracker.debian.org
> and search for 'openssl' you get to a page that shows under 'news' that
> the 'u3' version is 'embargoed'. Which means it's been produced but not
> publicly available, this is done when packages have security fixes
> for vulnerabilities that haven't been publicly detailed yet.
> There's been a lot of news in recent days about bugs in openssl.
> This doesn't answer why your machine is trying to download this 'u3'
> version, perhaps it appeared transiently for a time your machine was
> trying to update.
> Have you tried running 'apt update' to refresh the package list on your
> computer?
This package version is out already.
My system updated to this version a couple of days ago:
$ zcat history.log.1.gz | grep -B2 -A1 openssl
Start-Date: 2022-06-27 06:17:36
Commandline: /usr/bin/unattended-upgrade
Upgrade: openssl:amd64 (1.1.1n-0+deb11u2, 1.1.1n-0+deb11u3)
End-Date: 2022-06-27 06:17:53
$ apt-cache policy openssl
openssl:
  Installed: 1.1.1n-0+deb11u3
  Candidate: 1.1.1n-0+deb11u3
  Version table:
 *** 1.1.1n-0+deb11u3 500
        500 http://security.debian.org/debian-security bullseye-security/main amd64 Packages
        100 /var/lib/dpkg/status
     1.1.1n-0+deb11u1 500
        500 http://deb.debian.org/debian bullseye/main amd64 Packages
$ apt changelog openssl
openssl (1.1.1n-0+deb11u3) bullseye-security; urgency=medium
  * CVE-2022-2068 (The c_rehash script allows command injection).
  * Update expired certs.
 -- Sebastian Andrzej Siewior <sebast...@breakpoint.cc> Fri, 24 Jun 2022 22:22:19 +0200
--
With kindest regards, Piotr.
⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁ Debian - The universal operating system
⢿⡄⠘⠷⠚⠋⠀ https://www.debian.org/
⠈⠳⣄⠀⠀⠀⠀
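
The `apt-cache policy` check used in the reply above can be automated to confirm that the installed version is offered by an archive you expect. This is an added example, not part of the original thread; the function names, the `EXPECTED_HOSTS` allowlist and the embedded sample are assumptions made for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed sample in the layout `apt-cache policy` prints; values from the message above.
SAMPLE_POLICY = """\
openssl:
  Installed: 1.1.1n-0+deb11u3
  Candidate: 1.1.1n-0+deb11u3
  Version table:
 *** 1.1.1n-0+deb11u3 500
        500 http://security.debian.org/debian-security bullseye-security/main amd64 Packages
        100 /var/lib/dpkg/status
     1.1.1n-0+deb11u1 500
        500 http://deb.debian.org/debian bullseye/main amd64 Packages
"""

# Assumption: the archive hosts this machine is expected to pull packages from.
EXPECTED_HOSTS = {"deb.debian.org", "security.debian.org"}
INT = re.compile(r"-?\d+")

def parse_policy(text):
    """Return (installed, candidate, {version: [source location, ...]})."""
    installed = candidate = current = None
    table = {}
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[0] == "Installed:":
            installed = tok[1]
        elif tok[0] == "Candidate:":
            candidate = tok[1]
        elif tok[0] == "***" or (len(tok) == 2 and INT.fullmatch(tok[1])):
            current = tok[-2]              # version line: [***] <version> <priority>
            table[current] = []
        elif current and INT.fullmatch(tok[0]) and len(tok) >= 2:
            table[current].append(tok[1])  # source line: <priority> <url-or-path> ...
    return installed, candidate, table

def check_installed(text, expected=EXPECTED_HOSTS):
    """Classify where the installed version is offered from."""
    installed, _, table = parse_policy(text)
    hosts = {urlparse(s).hostname for s in table.get(installed, []) if "://" in s}
    if not hosts:
        return "local-only"         # listed only in /var/lib/dpkg/status
    if hosts - expected:
        return "unexpected-origin"  # offered by a host outside the allowlist
    return "ok"
```

On a live system, pass it the output of `apt-cache policy openssl`; a `local-only` result after `apt update` means no configured repository currently offers the installed version.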