Changelog unavailable / This change is not coming from a source that supports changelogs

2022-06-30 Thread icedgorilla
= Using: Debian GNU/Linux 11 (bullseye)

I've begun to see the following error messages whenever I try to upgrade new 
packages. I wait a few days but they don't go away. No changelog is available. 
It's not limited to the following attempt at upgrading openssl but now happens 
to all new packages available.

Is this some sort of Man in The Middle attack or is there an easy explanation 
and a simple way to fix?

 I had no problems when I used Sid, I never received an error message for 
changelogs.

But now, on a Stable install, after having it installed for a while and every 
package upgrade worked, just suddenly I have these warnings and I'm afraid to 
update before asking here. My apt sources list isn't bizarre, using official 
Debian repositories. If this doesn't stop I'll have no choice but to return to 
using Sid, which I would rather not do at the moment.

>> Here's what I see, using "openssl" as an example: <<

** In Terminal **

# apt changelog openssl

Err:1 https://metadata.ftp-master.debian.org openssl 1.1.1n-0+deb11u3 Changelog
  Changelog unavailable for openssl=1.1.1n-0+deb11u3 (404  Not Found [IP: 
146.75.94.132 443])
E: Failed to fetch 
https://metadata.ftp-master.debian.org/changelogs/main/o/openssl/openssl_1.1.1n-0%2bdeb11u3_changelog
  Changelog unavailable for openssl=1.1.1n-0+deb11u3 (404  Not Found [IP: 
146.75.94.132 443])

** In Synaptic **

This change is not coming from a source that supports changelogs.

Failed to fetch the changelog for openssl
URI was: 
https://metadata.ftp-master.debian.org/changelogs/main/o/openssl/openssl_1.1.1n-0%2bdeb11u3_changelog



Re: Changelog unavailable / This change is not coming from a source that supports changelogs

2022-07-02 Thread icedgorilla
 Hello Tixy,

Thank you for your help! Yes, I always use 'apt update' prior to upgrades! 
Thank you for asking.

Oddly enough, when I checked several hours later the changelog was finally 
there, dated June 24th. Perhaps this thread had something to do with it? The 
update went smoothly.

> It just means that version isn't available in the repositories. If you
> get a list by pointing a web browser at the last directory in that URL
> (https://metadata.ftp-master.debian.org/changelogs/main/o/openssl/)
> you see 'u2' is the latest version.
>
> If you go to the package tracker at https://tracker.debian.org
> and search for 'openssl' you get to a page that shows under 'news' that
> the 'u3' version is 'embargoed'. Which means it's been produced but not
> publicly available, this is done when packages have security fixes for
> vulnerabilities that haven't been publicly detailed yet.
> There's been a lot of news in recent days about bugs in openssl.
>
> This doesn't answer why your machine is trying to download this 'u3'
> version, perhaps it appeared transiently for a time your machine was
> trying to update.
>
> Have you tried running 'apt update' to refresh the package list on your
> computer?
>
> -- 
> Tixy
>



Re: Changelog unavailable / This change is not coming from a source that supports changelogs

2022-07-02 Thread icedgorilla
Tixy,

Thank you again for your further assistance! The problem has been resolved.

Jul 1, 2022, 10:36 by t...@yxit.co.uk:

> On Fri, 2022-07-01 at 11:08 -0500, David Wright wrote:
>
>> On Fri 01 Jul 2022 at 07:24:29 (+0100), Tixy wrote:
>> [...]
>> > This doesn't answer why your machine is trying to download this 'u3'
>> > version, perhaps it appeared transiently for a time your machine was
>> > trying to update.
>>
>> Considering it's July, that's very odd:
>>
>> $ zgrep -A2 -B2 openssl /var/log/apt/history.log.1.gz 
>> Start-Date: 2022-06-27  08:26:52
>> Commandline: apt-get upgrade
>> Upgrade: libssl1.1:amd64 (1.1.1n-0+deb11u2, 1.1.1n-0+deb11u3), openssl:amd64 
>> (1.1.1n-0+deb11u2, 1.1.1n-0+deb11u3)
>> End-Date: 2022-06-27  08:27:08
>>
>
> That's a point, I just checked and I have the 'u3' version installed on
> this machine, so it is available, and that was installed a few days
> ago.
>
> I just checked again at
> https://metadata.ftp-master.debian.org/changelogs/main/o/openssl/
> and 'u3' is now available and 'u2' isn't (note, u1 still is) this is
> different to when I checked this morning.
>
> So this seems to have been some kind of weird transient issue.
>
> -- 
> Tixy
>



Re: Changelog unavailable / This change is not coming from a source that supports changelogs

2022-07-02 Thread icedgorilla
Hello David,

Thank you for correcting my bad habit of using root to fetch changelogs. :D
Thank you for the additional work in helping me. Thanks to this thread I have 
learned a lot.

Jul 1, 2022, 09:08 by deb...@lionunicorn.co.uk:

> On Fri 01 Jul 2022 at 07:24:29 (+0100), Tixy wrote:
>
>> On Fri, 2022-07-01 at 04:46 +0200, icedgorilla wrote:
>> > [...] Is this some sort of Man in The Middle attack or is there an easy 
>> > explanation and a simple way to fix?
>> > # apt changelog openssl
>>
>
> (You shouldn't need root for that.)
>
>> > Err:1 https://metadata.ftp-master.debian.org openssl 1.1.1n-0+deb11u3 
>> > Changelog
>> >   Changelog unavailable for openssl=1.1.1n-0+deb11u3 (404  Not Found [IP: 
>> > 146.75.94.132 443])
>> > E: Failed to fetch 
>> > https://metadata.ftp-master.debian.org/changelogs/main/o/openssl/openssl_1.1.1n-0%2bdeb11u3_changelog
>> >   Changelog unavailable for openssl=1.1.1n-0+deb11u3 (404  Not Found [IP: 
>> > 146.75.94.132 443])
>>
>> It just means that version isn't available in the repositories. If you
>> get a list by pointing a web browser at the last directory in that URL
>> (https://metadata.ftp-master.debian.org/changelogs/main/o/openssl/)
>> you see 'u2' is the latest version.
>>
>> If you go to the package tracker at https://tracker.debian.org
>> and search for 'openssl' you get to a page that shows under 'news' that
>> the 'u3' version is 'embargoed'. Which means it's been produced but not
>> publicly available, this is done when packages have security fixes for
>> vulnerabilities that haven't been publicly detailed yet.
>> There's been a lot of news in recent days about bugs in openssl.
>>
>> This doesn't answer why your machine is trying to download this 'u3'
>> version, perhaps it appeared transiently for a time your machine was
>> trying to update.
>>
>
> Considering it's July, that's very odd:
>
> $ zgrep -A2 -B2 openssl /var/log/apt/history.log.1.gz 
> Start-Date: 2022-06-27  08:26:52
> Commandline: apt-get upgrade
> Upgrade: libssl1.1:amd64 (1.1.1n-0+deb11u2, 1.1.1n-0+deb11u3), openssl:amd64 
> (1.1.1n-0+deb11u2, 1.1.1n-0+deb11u3)
> End-Date: 2022-06-27  08:27:08
>
> $ apt changelog openssl | head
>
> WARNING: apt does not have a stable CLI interface. Use with caution in 
> scripts.
>
> Get:1 store: openssl 1.1.1n-0+deb11u3 Changelog
> openssl (1.1.1n-0+deb11u3) bullseye-security; urgency=medium
>
>  * CVE-2022-2068 (The c_rehash script allows command injection).
>  * Update expired certs.
>
>  -- Sebastian Andrzej Siewior   Fri, 24 Jun 2022 
> 22:22:19 +0200
>
> openssl (1.1.1n-0+deb11u2) bullseye-security; urgency=medium
>
> E: Sub-process pager received signal 13.
> $ 
>
>> Have you tried running 'apt update' to refresh the package list on your
>> computer?
>>
>
> Or rather, always run update before carrying out these sorts of operations.
> Never having not done so, I wouldn't know what symptoms to expect in this 
> case.
>
> Cheers,
> David.
>



Re: Changelog unavailable / This change is not coming from a source that supports changelogs

2022-07-02 Thread icedgorilla
Hi Piotr,

Thank you for your help. Strangely enough the problem finally resolved itself. 
Maybe this thread had something to do with it? I don't know.

 I notice with stable, changelogs sometimes take a few days to be published, 
whereas with Sid it was never a problem.

An additional thank you to all who helped me with this problem.

I wish you all a wonderful Summer!

Jul 1, 2022, 10:55 by pior...@gmx.com:

> On 01/07/2022 07:24, Tixy wrote:
>
>> On Fri, 2022-07-01 at 04:46 +0200, icedgorilla wrote:
>>
>>> [...] Is this some sort of Man in The Middle attack or is there an easy 
>>> explanation and a simple way to fix?
>>> # apt changelog openssl
>>>
>>> Err:1 https://metadata.ftp-master.debian.org openssl 1.1.1n-0+deb11u3 
>>> Changelog
>>>    Changelog unavailable for openssl=1.1.1n-0+deb11u3 (404  Not Found [IP: 
>>> 146.75.94.132 443])
>>> E: Failed to fetch 
>>> https://metadata.ftp-master.debian.org/changelogs/main/o/openssl/openssl_1.1.1n-0%2bdeb11u3_changelog
>>>   Changelog unavailable for openssl=1.1.1n-0+deb11u3 (404  Not Found [IP: 
>>> 146.75.94.132 443])
>>>
>>
>> It just means that version isn't available in the repositories. If you
>> get a list by pointing a web browser at the last directory in that URL
>> (https://metadata.ftp-master.debian.org/changelogs/main/o/openssl/)
>> you see 'u2' is the latest version.
>>
>> If you go to the package tracker at https://tracker.debian.org
>> and search for 'openssl' you get to a page that shows under 'news' that
>> the 'u3' version is 'embargoed'. Which means it's been produced but not
>> publicly available, this is done when packages have security fixes for
>> vulnerabilities that haven't been publicly detailed yet.
>> There's been a lot of news in recent days about bugs in openssl.
>>
>> This doesn't answer why your machine is trying to download this 'u3'
>> version, perhaps it appeared transiently for a time your machine was
>> trying to update.
>>
>> Have you tried running 'apt update' to refresh the package list on your
>> computer?
>>
> This package version is out already.
>
> My system updated to this version a couple of days ago:
> $ zcat history.log.1.gz | grep -B2 -A1 openssl
> Start-Date: 2022-06-27  06:17:36
> Commandline: /usr/bin/unattended-upgrade
> Upgrade: openssl:amd64 (1.1.1n-0+deb11u2, 1.1.1n-0+deb11u3)
> End-Date: 2022-06-27  06:17:53
>
>
> $ apt-cache policy openssl
> openssl:
>  Installed: 1.1.1n-0+deb11u3
>  Candidate: 1.1.1n-0+deb11u3
>  Version table:
>  *** 1.1.1n-0+deb11u3 500
>  500 http://security.debian.org/debian-security
> bullseye-security/main amd64 Packages
>  100 /var/lib/dpkg/status
>  1.1.1n-0+deb11u1 500
>  500 http://deb.debian.org/debian bullseye/main amd64 Packages
>
> $ apt changelog openssl
> openssl (1.1.1n-0+deb11u3) bullseye-security; urgency=medium
>
>  * CVE-2022-2068 (The c_rehash script allows command injection).
>  * Update expired certs.
>
>  -- Sebastian Andrzej Siewior   Fri, 24 Jun
> 2022 22:22:19 +0200
>
>
> --
> With kindest regards, Piotr.
>
> ⢀⣴⠾⠻⢶⣦⠀
> ⣾⠁⢠⠒⠀⣿⡁ Debian - The universal operating system
> ⢿⡄⠘⠷⠚⠋⠀ https://www.debian.org/
> ⠈⠳⣄
>
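
The `zgrep` / `zcat | grep` checks against the apt history log shown in the replies above, written as a parser that matches the package name exactly and reports when and how each upgrade happened. This is an added example, not part of any post in the thread; the names `apt_upgrades_of` and `sample_history` are made up here, and the sample log is constructed (first stanza copied from the thread, second stanza invented for contrast).

```shell
#!/bin/sh
# Added example, not from the thread. Reads apt history log text on stdin and
# prints "start|commandline|old|new" for each Upgrade of exactly one package.
# Only "Upgrade:" lines are handled (not "Install:" or "Remove:").
apt_upgrades_of() {
    awk -v pkg="$1" '
        /^Start-Date: /  { start = substr($0, 13); gsub(/  +/, " ", start); cmd = "" }
        /^Commandline: / { cmd = substr($0, 14) }
        /^Upgrade: / {
            # Entries are "name:arch (old, new)" joined by "), ".
            n = split(substr($0, 10), entry, /\), /)
            for (i = 1; i <= n; i++) {
                e = entry[i]; sub(/\)$/, "", e)
                name = e; sub(/ \(.*/, "", name)     # "openssl:amd64"
                sub(/:.*/, "", name)                 # "openssl"
                vers = e; sub(/^[^(]*\(/, "", vers)  # "old, new"
                if (name == pkg) {
                    split(vers, v, /, /)
                    printf "%s|%s|%s|%s\n", start, cmd, v[1], v[2]
                }
            }
        }
    '
}

# Constructed sample input. The python3-openssl stanza is invented to show
# that a plain "grep openssl" would also match it, while this parser does not.
sample_history() {
    cat <<'EOF'
Start-Date: 2022-06-27  08:26:52
Commandline: apt-get upgrade
Upgrade: libssl1.1:amd64 (1.1.1n-0+deb11u2, 1.1.1n-0+deb11u3), openssl:amd64 (1.1.1n-0+deb11u2, 1.1.1n-0+deb11u3)
End-Date: 2022-06-27  08:27:08

Start-Date: 2022-06-28  09:00:00
Commandline: apt-get upgrade
Upgrade: python3-openssl:all (1.0-1, 1.0-2)
End-Date: 2022-06-28  09:00:05
EOF
}

# On a real system: zcat -f /var/log/apt/history.log* | apt_upgrades_of openssl
sample_history | apt_upgrades_of openssl
```

A line in the output shows the version was installed by a normal apt run on that date, which is a separate question from whether the changelog file for that version has been published yet.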