Hi leloft, leloft writes:
> Hi devs, > > I am having difficulties finding the security update for the openssl1.0 > package (Debian Security Advisory DSA-4158-1 addressing CVE-2018-0739) > > There is no problem with openssl: > Debian package openssl: stretch (libs): 1.1.0f-3+deb9u2 > > Issuing > # apt-cache policy openssl | grep -B 1 ascii > returns > > 1.1.0f-3+deb9u2 500 > 500 http://pkgmaster.devuan.org/merged ascii-security/main > amd64 Packages > 100 http://pkgmaster.devuan.org/merged > ascii-proposed-updates/main amd64 Packages > 1.1.0f-3+deb9u1 500 > 500 http://pkgmaster.devuan.org/merged ascii/main amd64 Packages > > > But when I do the same for openssl1.0, I am getting confusing results Eh , there does not appear to be an openssl1.0 binary package, only a source package. From what I recall seeing on the list, you have added deb-src lines to your "CVE checking setup", but are you sure apt-cache policy pays any attention to the Sources files that get downloaded? I don't think it does, for if it did, I would have expected output for openssl with a "Sources" at the end of the line, just like you have the "Packages" at the end of line above. Try searching for libssl1.*, as in apt-cache policy libssl1.* That will probably give you the info you're looking for. FWIW, on my pure ascii system (without deb-sources lines) I get $ apt-cache policy libssl1.* libssl1.0-dev: Installed: (none) Candidate: 1.0.2l-2+deb9u3 Version table: 1.0.2l-2+deb9u3 500 500 http://deb.devuan.org/merged ascii-security/main amd64 Packages 1.0.2l-2+deb9u2 500 500 http://deb.devuan.org/merged ascii/main amd64 Packages libssl1.1: Installed: 1.1.0f-3+deb9u2 Candidate: 1.1.0f-3+deb9u2 Version table: *** 1.1.0f-3+deb9u2 500 500 http://deb.devuan.org/merged ascii-security/main amd64 Packages 100 /var/lib/dpkg/status 1.1.0f-3+deb9u1 500 500 http://deb.devuan.org/merged ascii/main amd64 Packages libssl1.0.0: Installed: 1.0.1t-1+deb8u7 Candidate: 1.0.1t-1+deb8u7 Version table: *** 1.0.1t-1+deb8u7 100 100 /var/lib/dpkg/status libssl1.0.2: Installed: 1.0.2l-2+deb9u3 Candidate: 1.0.2l-2+deb9u3 Version table: *** 1.0.2l-2+deb9u3 500 500 http://deb.devuan.org/merged ascii-security/main amd64 Packages 100 /var/lib/dpkg/status 1.0.2l-2+deb9u2 500 500 http://deb.devuan.org/merged ascii/main amd64 Packages > [...] Hope this helps, -- Olaf Meeuwissen, LPIC-2 FSF Associate Member since 2004-01-27 GnuPG key: F84A2DD9/B3C0 2F47 EA19 64F4 9F13 F43E B8A4 A88A F84A 2DD9 Support Free Software https://my.fsf.org/donate Join the Free Software Foundation https://my.fsf.org/join _______________________________________________ Dng mailing list Dng@lists.dyne.org https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng