cron-apt informed me that there are pending security updates on my Debian system but I can't find the corresponding announcement. How shall I proceed?

Question

Today, cron-apt informed me that there are pending security updates on my Debian stable system:

CRON-APT RUN [/etc/cron-apt/config]: Tue Jan 25 04:00:01 CET 2022
CRON-APT SLEEP: 3076, Tue Jan 25 04:51:17 CET 2022
CRON-APT ACTION: 3-download
CRON-APT LINE: /usr/bin/apt-get -o quiet=1 dist-upgrade -d -y -o APT::Get::Show-Upgraded=true
Reading package lists...
Building dependency tree...
Reading state information...
Calculating upgrade...
The following package was automatically installed and is no longer required:
  linux-image-5.10.0-9-amd64
Use 'apt autoremove' to remove it.
The following packages will be upgraded:
  bsdextrautils bsdutils eject libblkid1 libmount1 libsmartcols1 libuuid1
  mount util-linux util-linux-locales
10 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 3561 kB of archives.
After this operation, 16.4 kB of additional disk space will be used.
Get:1 http://security.debian.org bullseye-security/main amd64 bsdutils amd64 1:2.36.1-8+deb11u1 [148 kB]
Get:2 http://security.debian.org bullseye-security/main amd64 util-linux amd64 2.36.1-8+deb11u1 [1141 kB]
Get:3 http://security.debian.org bullseye-security/main amd64 mount amd64 2.36.1-8+deb11u1 [186 kB]
Get:4 http://security.debian.org bullseye-security/main amd64 bsdextrautils amd64 2.36.1-8+deb11u1 [145 kB]
Get:5 http://security.debian.org bullseye-security/main amd64 libblkid1 amd64 2.36.1-8+deb11u1 [193 kB]
Get:6 http://security.debian.org bullseye-security/main amd64 libmount1 amd64 2.36.1-8+deb11u1 [212 kB]
Get:7 http://security.debian.org bullseye-security/main amd64 libsmartcols1 amd64 2.36.1-8+deb11u1 [158 kB]
Get:8 http://security.debian.org bullseye-security/main amd64 libuuid1 amd64 2.36.1-8+deb11u1 [83.9 kB]
Get:9 http://security.debian.org bullseye-security/main amd64 eject amd64 2.36.1-8+deb11u1 [102 kB]
Get:10 http://security.debian.org bullseye-security/main amd64 util-linux-locales all 2.36.1-8+deb11u1 [1192 kB]
Fetched 3561 kB in 0s (47.6 MB/s)
Download complete and in download only mode

However, looking at https://www.debian.org/security/, I do not find a matching announcement:

Recent Advisories

These web pages include a condensed archive of security advisories posted to the debian-security-announce list.

[21 Jan 2022] DSA-5052-1 usbview security update
[20 Jan 2022] DSA-5051-1 aide security update
[20 Jan 2022] DSA-5050-1 linux security update
[15 Jan 2022] DSA-5048-1 libreswan security update
...

So, either (1) the announcement is delayed or (2) something fishy is going on. (I am aware that the probability for (1) is much higher than for (2), but still...)

How shall I proceed to verify that this is indeed a genuine and benign security update? I tried looking at the package information page of one of the updated packages (https://packages.debian.org/bullseye/bsdutils), but the "Debian Changelog" link on the right-hand side shows that the last modification was half a year ago.

---

Notes:

• While I am interested in an answer to this particular case, I am more interested in a general answer on how to proceed in such a case (see the bolded question above).
• If you think that this question is more suitable for security.se, feel free to migrate.

Answer 1

Assuming you still trust the infrastructure, you can find out what changed by requesting the changelogs on your system; for example

$ apt changelog util-linux/bullseye-security
util-linux (2.36.1-8+deb11u1) bullseye-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * include/strutils: Add ul_strtou64() function
  * libmount: fix UID check for FUSE umount [CVE-2021-3995]
  * libmount: fix (deleted) suffix issue [CVE-2021-3996]

 -- Salvatore Bonaccorso <[email protected]>  Thu, 20 Jan 2022 21:10:35 +0100

...

(This queries the changelog from the repositories, it doesn’t require you to apply the upgrades.)

In your case, all the updated packages come from the util-linux source package, so they will all show the same changelog. While the fix only involves libmount, uploading a fixed source package means rebuilding all the binary packages it produces, and shipping them all as security updates.

This information is also available on the package tracker, which offers links to the changelog and the security tracker (among many others). The security tracker was down when the question was written, which might explain why some of the other pages aren’t updated as you’d expect; the DSA was sent out on January 24.

If you want to check what changed, you can download the original and updated source code:

$ apt source util-linux/{stable,bullseye-security}

and compare the downloaded tarballs — in most cases, only the .debian tarball, util-linux_2.36.1-8.debian.tar.xz and util-linux_2.36.1-8+deb11u1.debian.tar.xz in this case:

$ mkdir ulo uls; tar xf util-linux_2.36.1-8.debian.tar.xz -C ulo; tar xf util-linux_2.36.1-8+deb11u1.debian.tar.xz -C uls
$ diff -urN ulo uls | less

Answer 2

The "Recent Advisories" list on the Debian home page is outdated, check the mailing list archives (https://lists.debian.org/debian-security-announce/) instead.

There, you'll find that the advisory for util-linux has been sent yesterday. As mentioned in the comments, that bug involves libmount, which explains the other package updates.