1

I need to find out which versions of an arbitrary Debian package have ever existed for a certain Debian major version.

On a fresh Debian install, apt-cache policy only shows me the latest package version available.

Let's take libssl1.0.0, for example. Debian Wheezy 7.0 came with a libssl1.0.0 which was vulnerable to the Heartbleed bug. Later, the bug was fixed, and a new version (1.0.1e-2+deb7u5) was released.

I need a list of all of these patches, from the first released Debian major version up to the current date. I would prefer to do that with existing tools (apt-cache for example).

I could imagine that this is solvable using additional sources.list entries, but I was searching the web for over two hours without success.

Does anyone have an idea on how to do that?


Background: I am currently running an investigation into the occurrence of CVE fixes in Debian packages. It's quite a cumbersome job, so I would like to avoid walking through every changelog to check release dates, version numbers and so on (this is necessary later on anyway; however, I would like to postpone this task).

Hoedur
  • 21

1 Answer

1

Debian packages provide a changelog which can easily be parsed. A changelog may be obtained using

apt-get changelog <pkgname>

or

aptitude changelog <pkgname>

By searching for a certain package version, one can track down all released patches of a certain package for the currently used Debian release. For example:

aptitude changelog libssl1.0.0 | grep "1.0.1k"

This prints a list of all patches for version 1.0.1k of the package libssl1.0.0. On Debian Jessie, this would be:

vagrant@debian-jessie:~$ aptitude changelog libssl1.0.0 | grep "1.0.1k"
openssl (1.0.1k-3+deb8u1) jessie-security; urgency=medium
openssl (1.0.1k-3) unstable; urgency=medium
openssl (1.0.1k-2) unstable; urgency=high
openssl (1.0.1k-1) unstable; urgency=medium

Hoedur
  • 21
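The changelog approach from the answer above, as an added example that is not part of the original post: instead of grepping for one version string, it parses every entry header and trailer so each version comes with its target suite, upload date and the CVE ids its text mentions. The function names `parse_changelog` and `uploads_to` are hypothetical, and the sample changelog is constructed (versions and suites follow the answer's output; change text, CVE ids, maintainer and dates are made up).

```python
import re
from email.utils import parsedate_to_datetime

# Debian changelog entry header: "source (version) dist[ dist...]; urgency=level"
HEADER = re.compile(r"^(?P<source>[a-z0-9][a-z0-9+.-]*) \((?P<version>[^)]+)\) "
                    r"(?P<dists>[^;]+);\s*urgency=(?P<urgency>\w+)")
# Entry trailer: " -- Maintainer <mail>  RFC 2822 date" (two spaces before the date)
TRAILER = re.compile(r"^ -- (?P<who>.+?)  (?P<date>.+)$")
CVE = re.compile(r"CVE-\d{4}-\d{4,}")

# Constructed sample: versions and suites as in the answer's output; change text,
# CVE ids, maintainer and dates are made up for the example.
SAMPLE = """\
openssl (1.0.1k-3+deb8u1) jessie-security; urgency=medium

  * Fix CVE-2099-0001 (constructed id)
  * Fix CVE-2099-0002 (constructed id)

 -- Example Maintainer <maint@example.org>  Mon, 01 Jun 2015 10:00:00 +0200

openssl (1.0.1k-3) unstable; urgency=medium

  * Constructed change without a CVE reference

 -- Example Maintainer <maint@example.org>  Wed, 01 Apr 2015 09:00:00 +0200
"""

def parse_changelog(text):
    """Return one dict per changelog entry, in file order (newest first)."""
    entries, cur = [], None
    for line in text.splitlines():
        head = HEADER.match(line)
        if head:
            cur = {"version": head["version"], "dists": head["dists"].split(),
                   "urgency": head["urgency"], "date": None, "cves": []}
            entries.append(cur)
        elif cur is not None:
            trailer = TRAILER.match(line)
            if trailer:
                cur["date"] = parsedate_to_datetime(trailer["date"]).date().isoformat()
            for cve in CVE.findall(line):  # keep each id once, in order of mention
                if cve not in cur["cves"]:
                    cur["cves"].append(cve)
    return entries

def uploads_to(entries, suite):
    """Entries uploaded to `suite` itself or a pocket such as `suite`-security."""
    return [e for e in entries
            if any(d == suite or d.startswith(suite + "-") for d in e["dists"])]

if __name__ == "__main__":
    for e in uploads_to(parse_changelog(SAMPLE), "jessie"):
        print(e["version"], e["date"], ",".join(e["cves"]) or "-")
```

An entry whose suite is `unstable` records an upload to unstable, so filtering on the release name separates the stable and security uploads from the rest of the history; CVE ids appear only where the maintainer wrote them into the entry.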