Debian Security Software Updates – How to Proceed with Pending Security Updates on Debian


Today, cron-apt informed me that there are pending security updates on my Debian stable system:

CRON-APT RUN [/etc/cron-apt/config]: Tue Jan 25 04:00:01 CET 2022
CRON-APT SLEEP: 3076, Tue Jan 25 04:51:17 CET 2022
CRON-APT ACTION: 3-download
CRON-APT LINE: /usr/bin/apt-get -o quiet=1 dist-upgrade -d -y -o APT::Get::Show-Upgraded=true
Reading package lists...
Building dependency tree...
Reading state information...
Calculating upgrade...
The following package was automatically installed and is no longer required:
  linux-image-5.10.0-9-amd64
Use 'apt autoremove' to remove it.
The following packages will be upgraded:
  bsdextrautils bsdutils eject libblkid1 libmount1 libsmartcols1 libuuid1
  mount util-linux util-linux-locales
10 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 3561 kB of archives.
After this operation, 16.4 kB of additional disk space will be used.
Get:1 http://security.debian.org bullseye-security/main amd64 bsdutils amd64 1:2.36.1-8+deb11u1 [148 kB]
Get:2 http://security.debian.org bullseye-security/main amd64 util-linux amd64 2.36.1-8+deb11u1 [1141 kB]
Get:3 http://security.debian.org bullseye-security/main amd64 mount amd64 2.36.1-8+deb11u1 [186 kB]
Get:4 http://security.debian.org bullseye-security/main amd64 bsdextrautils amd64 2.36.1-8+deb11u1 [145 kB]
Get:5 http://security.debian.org bullseye-security/main amd64 libblkid1 amd64 2.36.1-8+deb11u1 [193 kB]
Get:6 http://security.debian.org bullseye-security/main amd64 libmount1 amd64 2.36.1-8+deb11u1 [212 kB]
Get:7 http://security.debian.org bullseye-security/main amd64 libsmartcols1 amd64 2.36.1-8+deb11u1 [158 kB]
Get:8 http://security.debian.org bullseye-security/main amd64 libuuid1 amd64 2.36.1-8+deb11u1 [83.9 kB]
Get:9 http://security.debian.org bullseye-security/main amd64 eject amd64 2.36.1-8+deb11u1 [102 kB]
Get:10 http://security.debian.org bullseye-security/main amd64 util-linux-locales all 2.36.1-8+deb11u1 [1192 kB]
Fetched 3561 kB in 0s (47.6 MB/s)
Download complete and in download only mode

However, looking at https://www.debian.org/security/, I do not find a matching announcement:

Recent Advisories

These web pages include a condensed archive of security advisories posted to the debian-security-announce list.

[21 Jan 2022] DSA-5052-1 usbview security update
[20 Jan 2022] DSA-5051-1 aide security update
[20 Jan 2022] DSA-5050-1 linux security update
[15 Jan 2022] DSA-5048-1 libreswan security update

So, either (1) the announcement is delayed or (2) something fishy is going on. (I am aware that the probability for (1) is much higher than for (2), but still…)

How shall I proceed to verify that this is indeed a genuine and benign security update? I tried looking at the package information page of one of the updated packages (https://packages.debian.org/bullseye/bsdutils), but the "Debian Changelog" link on the right-hand side shows that the last modification was half a year ago.

Notes:

  • While I am interested in an answer to this particular case, I am more interested in a general answer on how to proceed in such a case (see the bolded question above).
  • If you think that this question is more suitable for security.se, feel free to migrate.

Best Answer

Assuming you still trust the infrastructure, you can find out what changed by requesting the changelogs on your system; for example

$ apt changelog util-linux/bullseye-security
util-linux (2.36.1-8+deb11u1) bullseye-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * include/strutils: Add ul_strtou64() function
  * libmount: fix UID check for FUSE umount [CVE-2021-3995]
  * libmount: fix (deleted) suffix issue [CVE-2021-3996]

 -- Salvatore Bonaccorso <[email protected]>  Thu, 20 Jan 2022 21:10:35 +0100

...

(This queries the changelog from the repositories; it doesn’t require you to apply the upgrades.)

In your case, all the updated packages come from the util-linux source package, so they will all show the same changelog. While the fix only involves libmount, uploading a fixed source package means rebuilding all the binary packages it produces, and shipping them all as security updates.

This information is also available on the package tracker, which offers links to the changelog and the security tracker (among many others). The security tracker was down when the question was written, which might explain why some of the other pages aren’t updated as you’d expect; the DSA was sent out on January 24.

If you want to check what changed, you can download the original and updated source code:

$ apt source util-linux/{stable,bullseye-security}

and compare the downloaded tarballs — in most cases, only the .debian tarball, util-linux_2.36.1-8.debian.tar.xz and util-linux_2.36.1-8+deb11u1.debian.tar.xz in this case:

$ mkdir ulo uls; tar xf util-linux_2.36.1-8.debian.tar.xz -C ulo; tar xf util-linux_2.36.1-8+deb11u1.debian.tar.xz -C uls
$ diff -urN ulo uls | less
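The answer's first two checks (are all the downloads really coming from the security archive, and which CVEs does the changelog name?) can be scripted. The helper below is an added example, not code from the original answer; it assumes the expected archive is `http://security.debian.org bullseye-security/main` as in the question's output, and the sample lines it embeds are constructed from the question and answer plus one deliberately mismatched mirror line.

```sh
#!/bin/sh
# Added example (not from the original post): first-pass triage for pending
# Debian security updates, built on the output shown in the question.
#  - check_origins: reads apt-get/cron-apt "Get:" lines on stdin and prints
#    "pkg version" for each one NOT served from the expected security archive
#    (exit status 1 if any), so a stray mirror or suite stands out at once.
#  - list_cves: reads "apt changelog <pkg>/<suite>" text on stdin and prints
#    the CVE ids it mentions, one per line, for checking against the tracker.
# Real use:  apt-get dist-upgrade -d -y | check_origins
#            apt changelog util-linux/bullseye-security | list_cves

EXPECTED_HOST="http://security.debian.org"   # assumption: Debian 11 security host
EXPECTED_SUITE="bullseye-security/main"      # assumption: expected suite/component

check_origins() {
    awk -v host="$EXPECTED_HOST" -v suite="$EXPECTED_SUITE" '
        # Field layout: Get:N URL SUITE ARCH PKG ARCH VERSION [SIZE]
        /^Get:[0-9]+ / && ($2 != host || $3 != suite) { print $5, $7; bad = 1 }
        END { exit (bad ? 1 : 0) }'
}

list_cves() {
    grep -oE 'CVE-[0-9]{4}-[0-9]{4,}' | sort -u
}

# Constructed sample: two lines from the question plus one deliberately
# fetched from a made-up mirror, to show what a mismatch looks like.
SAMPLE_GET='Get:1 http://security.debian.org bullseye-security/main amd64 bsdutils amd64 1:2.36.1-8+deb11u1 [148 kB]
Get:2 http://security.debian.org bullseye-security/main amd64 util-linux-locales all 2.36.1-8+deb11u1 [1192 kB]
Get:3 http://mirror.example.invalid bullseye/main amd64 mount amd64 2.36.1-8+deb11u1 [186 kB]'

# Constructed sample: the changelog entry quoted in the answer.
SAMPLE_CHANGELOG='util-linux (2.36.1-8+deb11u1) bullseye-security; urgency=high
  * libmount: fix UID check for FUSE umount [CVE-2021-3995]
  * libmount: fix (deleted) suffix issue [CVE-2021-3996]'

# Stand-alone demo when run as a script; set RUN_DEMO=0 to only define the functions.
if [ "${RUN_DEMO:-1}" = 1 ]; then
    echo "Packages not from $EXPECTED_HOST $EXPECTED_SUITE:"
    printf '%s\n' "$SAMPLE_GET" | check_origins || echo "(at least one mismatch)"
    echo "CVEs named in the changelog:"
    printf '%s\n' "$SAMPLE_CHANGELOG" | list_cves
fi
```

The CVE list is what you then look up on the security tracker; a non-empty `check_origins` report means at least one download is not coming from the archive you expect and deserves a look at `apt-cache policy` for that package.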