
Re: Changelog unavailable / This change is not coming from a source that supports changelogs



Hello David,

Thank you for correcting my bad habit of using root to fetch changelogs. :D
Thank you for the additional work in helping me. Thanks to this thread I have learned a lot.

Jul 1, 2022, 09:08 by deblis@lionunicorn.co.uk:

> On Fri 01 Jul 2022 at 07:24:29 (+0100), Tixy wrote:
>
>> On Fri, 2022-07-01 at 04:46 +0200, icedgorilla wrote:
>> > [...] Is this some sort of Man in The Middle attack or is there an easy explanation and a simple way to fix?
>> > # apt changelog openssl
>>
>
> (You shouldn't need root for that.)
>
>> > Err:1 https://metadata.ftp-master.debian.org openssl 1.1.1n-0+deb11u3 Changelog
>> >   Changelog unavailable for openssl=1.1.1n-0+deb11u3 (404  Not Found [IP: 146.75.94.132 443])
>> > E: Failed to fetch https://metadata.ftp-master.debian.org/changelogs/main/o/openssl/openssl_1.1.1n-0%2bdeb11u3_changelog ; Changelog unavailable for openssl=1.1.1n-0+deb11u3 (404  Not Found [IP: 146.75.94.132 443])
>>
>> It just means that version isn't available in the repositories. If you
>> get a list by pointing a web browser at the last directory in that URL
>> (https://metadata.ftp-master.debian.org/changelogs/main/o/openssl/)
>> you see 'u2' is the latest version.
>>
>> If you go to the package tracker at https://tracker.debian.org
>> and search for 'openssl' you get to a page that shows under 'news' that
>> the 'u3' version is 'embargoed'. Which means it's been produced but not
>> publicly available, this is done when packages have security fixes
>> for vulnerabilities that haven't been publicly detailed yet.
>> There's been a lot of news in recent days about bugs in openssl.
>>
>> This doesn't answer why your machine is trying to download this 'u3'
>> version, perhaps it appeared transiently for a time your machine was
>> trying to update.
>>
>
> Considering it's July, that's very odd:
>
> $ zgrep -A2 -B2 openssl /var/log/apt/history.log.1.gz 
> Start-Date: 2022-06-27  08:26:52
> Commandline: apt-get upgrade
> Upgrade: libssl1.1:amd64 (1.1.1n-0+deb11u2, 1.1.1n-0+deb11u3), openssl:amd64 (1.1.1n-0+deb11u2, 1.1.1n-0+deb11u3)
> End-Date: 2022-06-27  08:27:08
>
> $ apt changelog openssl | head
>
> WARNING: apt does not have a stable CLI interface. Use with caution in scripts.
>
> Get:1 store: openssl 1.1.1n-0+deb11u3 Changelog
> openssl (1.1.1n-0+deb11u3) bullseye-security; urgency=medium
>
>  * CVE-2022-2068 (The c_rehash script allows command injection).
>  * Update expired certs.
>
>  -- Sebastian Andrzej Siewior <sebastian@breakpoint.cc>  Fri, 24 Jun 2022 22:22:19 +0200
>
> openssl (1.1.1n-0+deb11u2) bullseye-security; urgency=medium
>
> E: Sub-process pager received signal 13.
> $ 
>
>> Have you tried running 'apt update' to refresh the package list on your
>> computer?
>>
>
> Or rather, always run update before carrying out these sorts of operations.
> Never having not done so, I wouldn't know what symptoms to expect in this case.
>
> Cheers,
> David.
>


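Added example, not part of any message in this thread: a way to confirm offline that the version apt installed is the one documented in the changelog shipped with the package, for the case where the remote changelog returns 404. The function names are hypothetical and the sample data is constructed from the output quoted above; on a Debian system the inputs would be /var/log/apt/history.log* and /usr/share/doc/openssl/changelog.Debian.gz.

```shell
#!/bin/sh
# Constructed sample data, copied from the output quoted in the thread.
SAMPLE_HISTORY='Start-Date: 2022-06-27  08:26:52
Commandline: apt-get upgrade
Upgrade: libssl1.1:amd64 (1.1.1n-0+deb11u2, 1.1.1n-0+deb11u3), openssl:amd64 (1.1.1n-0+deb11u2, 1.1.1n-0+deb11u3)
End-Date: 2022-06-27  08:27:08'
SAMPLE_CHANGELOG='openssl (1.1.1n-0+deb11u3) bullseye-security; urgency=medium

  * CVE-2022-2068 (The c_rehash script allows command injection).

openssl (1.1.1n-0+deb11u2) bullseye-security; urgency=medium'

# Print "package version suite" for the newest entry of a changelog on stdin.
changelog_top() {
    sed -n 's/^\([a-z0-9][a-z0-9+.-]*\) (\([^)]*\)) \([^;]*\);.*$/\1 \2 \3/p' | head -n 1
}

# Print "old new" for every upgrade of package $1 in apt history text on stdin.
history_upgrades() {
    awk -v pkg="$1" '/^Upgrade: / {
        sub(/^Upgrade: /, "")
        n = split($0, items, /\), /)            # one item per upgraded package
        for (i = 1; i <= n; i++) {
            name = items[i]; sub(/ \(.*/, "", name); sub(/:.*/, "", name)
            if (name != pkg) continue           # exact match, ignoring :arch
            vers = items[i]; sub(/^[^(]*\(/, "", vers); sub(/\)$/, "", vers)
            split(vers, v, /, /)
            print v[1], v[2]
        }
    }'
}

# Succeed when the last recorded upgrade of $1 in history text $2 ends at the
# version that heads changelog text $3.
upgrade_is_documented() {
    new=$(printf '%s\n' "$2" | history_upgrades "$1" | tail -n 1 | cut -d' ' -f2)
    top=$(printf '%s\n' "$3" | changelog_top | cut -d' ' -f2)
    [ -n "$new" ] && [ "$new" = "$top" ]
}

if upgrade_is_documented openssl "$SAMPLE_HISTORY" "$SAMPLE_CHANGELOG"; then
    echo "installed openssl upgrade matches local changelog:" \
         "$(printf '%s\n' "$SAMPLE_CHANGELOG" | changelog_top)"
fi
# Real system (paths as noted above):
#   zcat -f /var/log/apt/history.log* | history_upgrades openssl
#   zcat /usr/share/doc/openssl/changelog.Debian.gz | changelog_top
```

A suite of bullseye-security in the top entry together with a matching version in the history log is consistent with a regular security upload that was installed before its changelog appeared on the metadata server.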