
Re: Changelog unavailable / This change is not coming from a source that supports changelogs



On Fri 01 Jul 2022 at 07:24:29 (+0100), Tixy wrote:
> On Fri, 2022-07-01 at 04:46 +0200, icedgorilla wrote:
> > [...] Is this some sort of Man in The Middle attack or is there an easy explanation and a simple way to fix?
> > # apt changelog openssl

(You shouldn't need root for that.)

> > Err:1 https://metadata.ftp-master.debian.org openssl 1.1.1n-0+deb11u3 Changelog
> >   Changelog unavailable for openssl=1.1.1n-0+deb11u3 (404  Not Found [IP: 146.75.94.132 443])
> > E: Failed to fetch https://metadata.ftp-master.debian.org/changelogs/main/o/openssl/openssl_1.1.1n-0%2bdeb11u3_changelog ; Changelog unavailable for openssl=1.1.1n-0+deb11u3 (404  Not Found [IP: 146.75.94.132 443])
> 
> It just means that version isn't available in the repositories. If you
> get a list by pointing a web browser at the last directory in that URL
> (https://metadata.ftp-master.debian.org/changelogs/main/o/openssl/)
> you see 'u2' is the latest version.
> 
> If you go to the package tracker at https://tracker.debian.org
> and search for 'openssl' you get to a page that shows under 'news' that
> the 'u3' version is 'embargoed'. Which means it's been produced but not
> publicly available, this is done when packages have security fixes
> for vulnerabilities that haven't been publicly detailed yet.
> There's been a lot of news in recent days about bugs in openssl.
> 
> This doesn't answer why your machine is trying to download this 'u3'
> version, perhaps it appeared transiently for a time your machine was
> trying to update.

Considering it's July, that's very odd:

$ zgrep -A2 -B2 openssl /var/log/apt/history.log.1.gz 
Start-Date: 2022-06-27  08:26:52
Commandline: apt-get upgrade
Upgrade: libssl1.1:amd64 (1.1.1n-0+deb11u2, 1.1.1n-0+deb11u3), openssl:amd64 (1.1.1n-0+deb11u2, 1.1.1n-0+deb11u3)
End-Date: 2022-06-27  08:27:08

$ apt changelog openssl | head

WARNING: apt does not have a stable CLI interface. Use with caution in scripts.

Get:1 store: openssl 1.1.1n-0+deb11u3 Changelog
openssl (1.1.1n-0+deb11u3) bullseye-security; urgency=medium

  * CVE-2022-2068 (The c_rehash script allows command injection).
  * Update expired certs.

 -- Sebastian Andrzej Siewior <sebastian@breakpoint.cc>  Fri, 24 Jun 2022 22:22:19 +0200

openssl (1.1.1n-0+deb11u2) bullseye-security; urgency=medium

E: Sub-process pager received signal 13.
$ 

> Have you tried running 'apt update' to refresh the package list on your
> computer?

Or rather, always run update before carrying out these sorts of operations.
Never having not done so, I wouldn't know what symptoms to expect in this case.

Cheers,
David.
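
An added example, not part of the original message: a small parser for the apt history.log stanza format shown in the zgrep output above. It reports which apt run upgraded a package and from which version to which, so an unexpected installed version can be traced to a specific command. The function names are hypothetical, and the sample log is the stanza copied from the message.

```python
import re

# Stanza copied from the zgrep output in the message above.
SAMPLE_LOG = """\
Start-Date: 2022-06-27  08:26:52
Commandline: apt-get upgrade
Upgrade: libssl1.1:amd64 (1.1.1n-0+deb11u2, 1.1.1n-0+deb11u3), openssl:amd64 (1.1.1n-0+deb11u2, 1.1.1n-0+deb11u3)
End-Date: 2022-06-27  08:27:08
"""

# One "name:arch (old, new)" entry on an "Upgrade:" line.
UPGRADE_ENTRY = re.compile(
    r"(?P<name>[^\s:,]+):(?P<arch>\S+) \((?P<old>[^,()]+), (?P<new>[^,()]+)\)"
)


def parse_stanzas(text):
    """Split history.log text into dicts, one per blank-line-separated stanza."""
    stanzas = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(": ")
            if sep:
                fields[key] = value.strip()
        if fields:
            stanzas.append(fields)
    return stanzas


def upgrades_of(text, package):
    """Return (start_date, commandline, old, new) for each upgrade of `package`."""
    found = []
    for stanza in parse_stanzas(text):
        for m in UPGRADE_ENTRY.finditer(stanza.get("Upgrade", "")):
            if m.group("name") == package:
                found.append((stanza.get("Start-Date"), stanza.get("Commandline"),
                              m.group("old"), m.group("new")))
    return found


if __name__ == "__main__":
    for when, cmd, old, new in upgrades_of(SAMPLE_LOG, "openssl"):
        print(f"{when}  {cmd}: openssl {old} -> {new}")
```

Rotated logs such as history.log.1.gz can be opened with Python's gzip.open(path, "rt") and the decoded text passed to upgrades_of().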

