On Fri 01 Jul 2022 at 07:24:29 (+0100), Tixy wrote:
> On Fri, 2022-07-01 at 04:46 +0200, icedgorilla wrote:
> > [...] Is this some sort of Man in The Middle attack or is there an easy
> > explanation and a simple way to fix?
> >
> > # apt changelog openssl

(You shouldn't need root for that.)

> > Err:1 https://metadata.ftp-master.debian.org openssl 1.1.1n-0+deb11u3
> > Changelog
> > Changelog unavailable for openssl=1.1.1n-0+deb11u3 (404 Not Found [IP:
> > 146.75.94.132 443])
> > E: Failed to fetch
> > https://metadata.ftp-master.debian.org/changelogs/main/o/openssl/openssl_1.1.1n-0%2bdeb11u3_changelog
> > Changelog unavailable for openssl=1.1.1n-0+deb11u3 (404 Not Found [IP:
> > 146.75.94.132 443])
>
> It just means that version isn't available in the repositories. If you
> get a list by pointing a web browser at the last directory in that URL
> (https://metadata.ftp-master.debian.org/changelogs/main/o/openssl/)
> you see 'u2' is the latest version.
>
> If you go to the package tracker at https://tracker.debian.org
> and search for 'openssl' you get to a page that shows under 'news' that
> the 'u3' version is 'embargoed'. Which means it's been produced but not
> publicly available, this is done when packages have security fixes
> for vulnerabilities that haven't been publicly detailed yet.
> There's been a lot of news in recent days about bugs in openssl.
>
> This doesn't answer why your machine is trying to download this 'u3'
> version, perhaps it appeared transiently for a time your machine was
> trying to update.

Considering it's July, that's very odd:

$ zgrep -A2 -B2 openssl /var/log/apt/history.log.1.gz
Start-Date: 2022-06-27 08:26:52
Commandline: apt-get upgrade
Upgrade: libssl1.1:amd64 (1.1.1n-0+deb11u2, 1.1.1n-0+deb11u3), openssl:amd64 (1.1.1n-0+deb11u2, 1.1.1n-0+deb11u3)
End-Date: 2022-06-27 08:27:08
$ apt changelog openssl | head

WARNING: apt does not have a stable CLI interface. Use with caution in scripts.

Get:1 store: openssl 1.1.1n-0+deb11u3 Changelog
openssl (1.1.1n-0+deb11u3) bullseye-security; urgency=medium

  * CVE-2022-2068 (The c_rehash script allows command injection).
  * Update expired certs.

 -- Sebastian Andrzej Siewior <[email protected]> Fri, 24 Jun 2022 22:22:19 +0200

openssl (1.1.1n-0+deb11u2) bullseye-security; urgency=medium
E: Sub-process pager received signal 13.
$

> Have you tried running 'apt update' to refresh the package list on your
> computer.

Or rather, always run update before carrying out these sorts of
operations. Never having not done so, I wouldn't know what symptoms
to expect in this case.

Cheers,
David.
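
The history-log check shown in the reply above, as an added example that is not part of the original thread: a small parser that reports when, and by which command, a given package version was installed, so a version whose changelog fetch returns 404 can be tied to a normal upgrade run. The sample log is constructed from the stanza quoted in the message plus one made-up install stanza; the function names are hypothetical.

```python
import re

# Constructed sample in the apt history.log layout (first stanza is the one
# quoted in the thread; the second is invented to show a non-matching entry).
SAMPLE = """
Start-Date: 2022-06-27 08:26:52
Commandline: apt-get upgrade
Upgrade: libssl1.1:amd64 (1.1.1n-0+deb11u2, 1.1.1n-0+deb11u3), openssl:amd64 (1.1.1n-0+deb11u2, 1.1.1n-0+deb11u3)
End-Date: 2022-06-27 08:27:08

Start-Date: 2022-06-28 09:00:01
Commandline: apt-get install tree
Install: tree:amd64 (1.8.0-1+b1)
End-Date: 2022-06-28 09:00:03
"""

# One "name:arch (old, new)" entry of an Upgrade: line. The commas inside the
# parentheses are why a plain split(", ") on the line would be wrong.
ENTRY = re.compile(r"([^\s,:()]+):([^\s,()]+) \(([^,()]+), ([^,()]+)\)")

def upgrades(log_text, package):
    """Yield (start_date, commandline, old, new) for each upgrade of package."""
    for stanza in re.split(r"\n\s*\n", log_text.strip()):
        fields = dict(line.split(": ", 1)
                      for line in stanza.splitlines() if ": " in line)
        for name, _arch, old, new in ENTRY.findall(fields.get("Upgrade", "")):
            if name == package:
                start = " ".join(fields.get("Start-Date", "").split())
                yield (start, fields.get("Commandline", ""), old, new)

def first_installed(log_text, package, version):
    """Return (start_date, commandline) of the run that upgraded to version."""
    for start, cmd, _old, new in upgrades(log_text, package):
        if new == version:
            return start, cmd
    return None

if __name__ == "__main__":
    print(first_installed(SAMPLE, "openssl", "1.1.1n-0+deb11u3"))
```

On a real system the text would come from `/var/log/apt/history.log` or, for rotated files, from `gzip.open(path, "rt").read()`.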

