apt not updating ssh? WAS: Re: [plug] Heads-up: OpenSSH vulnerability

Russell Steicke r.steicke at bom.gov.au
Wed Sep 17 12:13:43 WST 2003 

Hello,

Someone might be able to shed some light on a debian mystery.

I tried to update ssh on a debian woody box, but apt didn't seem to want
to see the newer version.  So I grabbed the deb and installed it with
dpkg.

I have this in sources.list:

  deb http://security.debian.org woody/updates main non-free contrib
  deb http://mirror.aarnet.edu.au/pub/debian woody main non-free contrib
  deb-src http://mirror.aarnet.edu.au/pub/debian woody main non-free contrib

And apt-get says this:

  # apt-get update
  Hit http://mirror.aarnet.edu.au woody/main Packages
  Hit http://mirror.aarnet.edu.au woody/main Release       
  Hit http://mirror.aarnet.edu.au woody/non-free Packages   
  Hit http://mirror.aarnet.edu.au woody/non-free Release    
  Hit http://mirror.aarnet.edu.au woody/contrib Packages    
  Hit http://mirror.aarnet.edu.au woody/contrib Release     
  Hit http://mirror.aarnet.edu.au woody/main Sources        
  Hit http://mirror.aarnet.edu.au woody/main Release        
  Hit http://mirror.aarnet.edu.au woody/non-free Sources    
  Hit http://mirror.aarnet.edu.au woody/non-free Release    
  Hit http://mirror.aarnet.edu.au woody/contrib Sources
  Hit http://mirror.aarnet.edu.au woody/contrib Release
  Hit http://security.debian.org woody/updates/main Packages
  Hit http://security.debian.org woody/updates/main Release
  Hit http://security.debian.org woody/updates/non-free Packages
  Hit http://security.debian.org woody/updates/non-free Release
  Hit http://security.debian.org woody/updates/contrib Packages
  Hit http://security.debian.org woody/updates/contrib Release
  Reading Package Lists... Done
  Building Dependency Tree... Done

but apt-cache says this:

  # apt-cache showpkg ssh
  Package: ssh
  Versions: 
  1:3.4p1-1.1(/var/lib/dpkg/status)
  1:3.4p1-1(/var/lib/apt/lists/mirror.aarnet.edu.au_pub_debian_dists_woody_main_binary-i386_Packages)
  1:3.4p1-0.0woody1(/var/lib/apt/lists/security.debian.org_dists_woody_updates_main_binary-i386_Packages)

  Reverse Depends: 
    xvncviewer,ssh
    xutils,ssh
    xutils,ssh
    ... etc

Notice that it isn't listing ssh 3.4p1-1.1 from security.debian.org.
(That package is listed as being installed because I did that manually.)
If I grab the Packages.gz file from security.debian.org like so:

  wget http://security.debian.org/debian-security/dists/woody/updates/main/binary-i386/Packages.gz

then 3.4p1-1.1 appears in there.

  Package: ssh
  ...
  Version: 1:3.4p1-1.1
  ...

I even tried removing the package list files on /var/lib/apt/lists, and
doing apt-get update, but that didn't change things.

This box is on westnet ADSL, if that makes any difference.

Can someone tell me why apt wouldn't install the updated ssh?

Thanks
Russell




-- 
Russell Steicke

-- Fortune says:
"... gentlemen do not read each other's mail."
		-- Secretary of State Henry Stimson, on closing down
		   the Black Chamber, the precursor to the National
		   Security Agency.
_______________________________________________
plug mailing list
plug at plug.linux.org.au
http://mail.plug.linux.org.au/cgi-bin/mailman/listinfo/plug

More information about the plug mailing list