On Sun, Mar 11, 2018 at 06:38:56PM +0100, Felix Natter wrote: > hi, > > I had a wrong configuration in sources.list (for about half a year :-(): > > deb http://security.debian.org/ stretch/updates main contrib non-free > deb-src http://security.debian.org/ stretch/updates main contrib non-free > > which I corrected now: > > deb http://security.debian.org/debian-security/ stretch/updates main contrib > non-free > deb-src http://security.debian.org/debian-security/ stretch/updates main > contrib non-free > I think that either form is fine. I have some cloud systems that use the first form and I received all the expected security updates.
> > But I still do not get the stretch 9.4 security updates, like > firefox-esr for example [1]. > > However, looking at the package status for firefox-esr [2], there does > not seem to be a [security] update (but maybe it's just designated > differently since stretch?). In any case, that version > (52.6.0esr-1~deb9u1) is installed. > > Is that because the 9.4 release pulls in all sec updates in the regular > update channel? > Debian 9.4 constitutes a point release [0]. When a point release is made the packages in the main archive are updated, usually from those that have updated to the security suite, but also with additional non-security updates that have been proposed by package maintainers and/or release managers. So, those updates, including firefox-esr, would be expected from the standard archive sources instead of the security sources. You can tell if you are updated to Debian 9.4 by looking at the output of any of these commands: $ cat /etc/debian_version $ lsb_release -a $ apt-cache policy base-files Regards, -Roberto [0] https://wiki.debian.org/DebianReleases/PointReleases -- Roberto C. Sánchez
