The officially official Devuan Forum!

You are not logged in.

#1 2019-03-04 02:15:35

pcalvert
Member
Registered: 2017-05-15
Posts: 30  

[SOLVED] Security update delays

Is it normal for security updates to take several days to show up in Devuan? I am notified when there are security updates for Debian, and I've noticed that it often takes several days for those updates to show up in Devuan.

For example:

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4400-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
February 28, 2019                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : openssl1.0
CVE ID         : CVE-2019-1559

Juraj Somorovsky, Robert Merget and Nimrod Aviram discovered a padding
oracle attack in OpenSSL.

For the stable distribution (stretch), this problem has been fixed in
version 1.0.2r-1~deb9u1.

We recommend that you upgrade your openssl1.0 packages.

For the detailed security status of openssl1.0 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/openssl1.0

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org


My amd64 Devuan system received that update today, though it might have been available earlier because that system is in a VM and runs only periodically. However, my i386 Devuan system still thinks that 1.0.2q-1~deb9u1 is the latest version of that package:

$ aptitude upgrade libssl1.0.2 -s
libssl1.0.2 is already installed at the latest version (1.0.2q-1~deb9u1), so it will not be upgraded
No packages will be installed, upgraded, or removed.
0 packages upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 0 B of archives. After unpacking 0 B will be used.
Would download/install/remove packages.

Is this normal behavior?

Phil

Last edited by pcalvert (2019-03-06 04:21:48)


“Property is the fruit of labor; property is desirable; it is a positive good
in the world. That some should be rich shows that others may become
rich, and hence is just encouragement to industry and enterprise.”
— Abraham Lincoln

Offline

#2 2019-03-04 21:47:05

xinomilo
Member
Registered: 2017-07-02
Posts: 59  

Re: [SOLVED] Security update delays

are you missing -security repos perhaps? what does apt policy libssl1.0.2 say?

other than that, maybe network or mirror error, sync delay, other.. (?)

Offline

#3 2019-03-04 22:05:10

pcalvert
Member
Registered: 2017-05-15
Posts: 30  

Re: [SOLVED] Security update delays

Thanks for the reply. Here's that info:

$ apt policy libssl1.0.2
libssl1.0.2:
  Installed: 1.0.2q-1~deb9u1
  Candidate: 1.0.2q-1~deb9u1
  Version table:
     1.0.2r-1~deb9u1 500
        500 http://deb.devuan.org/merged ascii-security/main i386 Packages
 *** 1.0.2q-1~deb9u1 990
        990 http://deb.devuan.org/merged ascii/main i386 Packages
        100 /var/lib/dpkg/status

That's an interesting (but puzzling) result.


“Property is the fruit of labor; property is desirable; it is a positive good
in the world. That some should be rich shows that others may become
rich, and hence is just encouragement to industry and enterprise.”
— Abraham Lincoln

Offline

#4 2019-03-04 22:10:12

xinomilo
Member
Registered: 2017-07-02
Posts: 59  

Re: [SOLVED] Security update delays

check your /etc/apt/preferences.d/ files. i'd guess some apt pinning is to blame..
proceed with security upgrades first! smile

Offline

#5 2019-03-05 00:00:36

pcalvert
Member
Registered: 2017-05-15
Posts: 30  

Re: [SOLVED] Security update delays

I am not using apt pinning. This directory is empty:

/etc/apt/preferences.d

However, I have this...

// Set ASCII as the default release
APT::Default-Release "ascii";

...in this directory:
/etc/apt/apt.conf.d

Could that be the reason?


“Property is the fruit of labor; property is desirable; it is a positive good
in the world. That some should be rich shows that others may become
rich, and hence is just encouragement to industry and enterprise.”
— Abraham Lincoln

Offline

#6 2019-03-05 01:11:01

fsmithred
Administrator
Registered: 2016-11-25
Posts: 1,043  

Re: [SOLVED] Security update delays

Setting the default release changes the priority from 500 to 990 on the ascii main version. I just tested it - they were both 500 before I set the default.

I guess you'll need to add '-t ascii-security' to your install command.

Offline

#7 2019-03-05 02:23:28

pcalvert
Member
Registered: 2017-05-15
Posts: 30  

Re: [SOLVED] Security update delays

The reason I set ASCII as the default release was because I am using an MX Linux repo for their adobe-flashplugin package.

Contents of /etc/apt/sources.list.d/mx-17.list:

# MX Community Main and Test Repos

deb http://mxrepo.com/mx/repo/ stretch non-free #main

#deb http://la.mxrepo.com/mx/testrepo/ stretch test

However, with the MX-17 repo enabled, APT tries to pull in other packages:

$ aptitude upgrade -s
The following packages will be upgraded: 
  intel-microcode unrar 
2 packages upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 1,557 kB of archives. After unpacking 9,216 B will be used.

Note: Using 'Simulate' mode.
Do you want to continue? [Y/n/?]

If I lower the priority of the MX-17 repo to 400, will that solve this problem? If so, how do I do that?


“Property is the fruit of labor; property is desirable; it is a positive good
in the world. That some should be rich shows that others may become
rich, and hence is just encouragement to industry and enterprise.”
— Abraham Lincoln

Offline

#8 2019-03-05 05:02:23

fsmithred
Administrator
Registered: 2016-11-25
Posts: 1,043  

Re: [SOLVED] Security update delays

/etc/apt/preferences.d/mxrepo (or some other file name)

Package: *
Pin: origin "mxrepo.com"
Pin-Priority: 400

I think that will work. The man page for apt_preferences says that origin can match a hostname. I don't know if you need to make a separate entry for la.mxrepo.com or if the one will get both.

Offline

#9 2019-03-05 09:38:14

anonymous
Member
Registered: 2019-03-05
Posts: 3  

Re: [SOLVED] Security update delays

What about openssh security update???

debian- https://security-tracker.debian.org/tracker/DSA-4387-2
stretch (security)    1:7.4p1-10+deb9u6

devuan in security apt policy still has
1:7.4p1-10+deb9u5

Offline

#10 2019-03-05 20:52:12

pcalvert
Member
Registered: 2017-05-15
Posts: 30  

Re: [SOLVED] Security update delays

@fsmithred: That works. Thank-you!

@anonymous: Try running aptitude update or apt-get update and then check again.

Here are my results:

$ apt policy openssh-client
openssh-client:
  Installed: 1:7.4p1-10+deb9u6
  Candidate: 1:7.4p1-10+deb9u6
  Version table:
 *** 1:7.4p1-10+deb9u6 500
        500 http://deb.devuan.org/merged ascii-security/main i386 Packages
        100 /var/lib/dpkg/status
     1:7.4p1-10+deb9u5 500
        500 http://deb.devuan.org/merged ascii/main i386 Packages

Phil


“Property is the fruit of labor; property is desirable; it is a positive good
in the world. That some should be rich shows that others may become
rich, and hence is just encouragement to industry and enterprise.”
— Abraham Lincoln

Offline

#11 2019-03-18 05:24:04

pcalvert
Member
Registered: 2017-05-15
Posts: 30  

Re: [SOLVED] Security update delays

fsmithred wrote:

/etc/apt/preferences.d/mxrepo (or some other file name)

Package: *
Pin: origin "mxrepo.com"
Pin-Priority: 400

I think that will work. The man page for apt_preferences says that origin can match a hostname. I don't know if you need to make a separate entry for la.mxrepo.com or if the one will get both.


It turned out that a pin priority of 400 is too high. Even 100 is too high. I lowered it to 50 and now it works; 99 probably would have also worked, but I didn't bother testing it since the problem was already solved.

EDIT:

I thought I had this working, but further testing (via routine usage of the system) proved me wrong. I believe I have it working now, though, using this configuration:

Package: adobe-flashplugin
Pin: origin "mxrepo.com"
Pin-Priority: 100

Package: *
Pin: origin "mxrepo.com"
Pin-Priority: 50

Phil

Last edited by pcalvert (2019-04-19 18:14:02)


“Property is the fruit of labor; property is desirable; it is a positive good
in the world. That some should be rich shows that others may become
rich, and hence is just encouragement to industry and enterprise.”
— Abraham Lincoln

Offline

#12 2019-03-18 15:31:29

fsmithred
Administrator
Registered: 2016-11-25
Posts: 1,043  

Re: [SOLVED] Security update delays

Something must have changed recently. I have an ascii install that has ascii-backports, beowulf and ceres all pinned to 100, and yesterday I noticed that apt-cache policy was telling me that ceres had the Candidate version.

I just changed those pin priorities to 99 and checked again. Now backports has the candidate, and the backports priority shows as 100 even when I've got it set to 99 in my preferences.

It should be showing me the ascii version as the candidate.

Pin-Priority: 100 (on ascii-backports, beowulf and ceres)

user@ascii:~$ apt-cache policy debootstrap
debootstrap:
  Installed: 1.0.89+devuan2
  Candidate: 1.0.114+devuan1
  Version table:
     1.0.114+devuan1 100
        100 http://deb.devuan.org/merged ceres/main amd64 Packages
     1.0.110+devuan1 100
        100 http://deb.devuan.org/merged beowulf/main amd64 Packages
     1.0.110~bpo9+1 100
        100 http://deb.devuan.org/merged ascii-backports/main amd64 Packages
 *** 1.0.89+devuan2 100
        100 /var/lib/dpkg/status
     1.0.89-devuan2.1 500
        500 http://pkgmaster.devuan.org/merged ascii/main amd64 Packages

Pin-Priority: 99 (on ascii-backports, beowulf and ceres)

user@ascii:~$ apt-cache policy debootstrap
debootstrap:
  Installed: 1.0.89+devuan2
  Candidate: 1.0.110~bpo9+1
  Version table:
     1.0.114+devuan1 99
         99 http://deb.devuan.org/merged ceres/main amd64 Packages
     1.0.110+devuan1 99
         99 http://deb.devuan.org/merged beowulf/main amd64 Packages
     1.0.110~bpo9+1 100
        100 http://deb.devuan.org/merged ascii-backports/main amd64 Packages
 *** 1.0.89+devuan2 100
        100 /var/lib/dpkg/status
     1.0.89-devuan2.1 500
        500 http://pkgmaster.devuan.org/merged ascii/main amd64 Packages

Pin-Priority: 50 (on ascii-backports, beowulf and ceres)

user@ascii:~$ apt-cache policy debootstrap
debootstrap:
  Installed: 1.0.89+devuan2
  Candidate: 1.0.110~bpo9+1
  Version table:
     1.0.114+devuan1 50
         50 http://deb.devuan.org/merged ceres/main amd64 Packages
     1.0.110+devuan1 50
         50 http://deb.devuan.org/merged beowulf/main amd64 Packages
     1.0.110~bpo9+1 100
        100 http://deb.devuan.org/merged ascii-backports/main amd64 Packages
 *** 1.0.89+devuan2 100
        100 /var/lib/dpkg/status
     1.0.89-devuan2.1 500
        500 http://pkgmaster.devuan.org/merged ascii/main amd64 Packages

Offline

#13 2019-03-18 16:14:55

KatolaZ
Member
Registered: 2017-03-11
Posts: 79  

Re: [SOLVED] Security update delays

Hi fsmithred,

nothing has changed in the repo: there was just a mistake in the numbering of the latest version of debootstrap in ascii. It should have been named +devuan2.1 while it has suffix -devuan2.1 (notice the difference between "-" and "+"), As such, version "-devuan2.1" is lower than any of the other versions, hence it is never considered for installation. Also, "~" sorts before anything else :-)

HTH

KatolaZ

Offline

#14 2019-03-29 12:58:08

anonymous
Member
Registered: 2019-03-05
Posts: 3  

Re: [SOLVED] Security update delays

dovecot

debian- https://security-tracker.debian.org/tra … -2019-3814
stretch (security)    1:2.2.27-3+deb9u4

devuan in security apt policy/apt-cache policy still has
1:2.2.27-3+deb9u3

hmmm

Offline

#15 2019-03-29 17:38:15

fsmithred
Administrator
Registered: 2016-11-25
Posts: 1,043  

Re: [SOLVED] Security update delays

anonymous wrote:

dovecot

debian- https://security-tracker.debian.org/tra … -2019-3814
stretch (security)    1:2.2.27-3+deb9u4

devuan in security apt policy/apt-cache policy still has
1:2.2.27-3+deb9u3

hmmm

Not anymore. You must have caught it right before the repo updated.

     1:2.2.27-3+deb9u4 0
        500 http://auto.mirror.devuan.org/merged/ ascii-security/main amd64 Packages
        500 http://pkgmaster.devuan.org/merged/ ascii-security/main amd64 Packages
        500 http://deb.devuan.org/merged/ ascii-security/main amd64 Packages
         10 http://security.debian.org/ stretch/updates/main amd64 Packages

Offline

#16 2019-03-31 00:21:57

anonymous
Member
Registered: 2019-03-05
Posts: 3  

Re: [SOLVED] Security update delays

again repo delay?

debian - thunderbird
1:60.6.1-1~deb9u1

devuan - thunderbird
1:60.5.1-1~deb9u1

Offline

Board footer