[Bug 891747] Re: unattended-upgrades fails to upgrade insecure packages

Launchpad Bug Tracker 891747 at bugs.launchpad.net
Wed Nov 23 03:38:26 UTC 2011


** Branch linked: lp:debian/unattended-upgrades

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to unattended-upgrades in Ubuntu.
https://bugs.launchpad.net/bugs/891747

Title:
  unattended-upgrades fails to upgrade insecure packages

Status in “unattended-upgrades” package in Ubuntu:
  In Progress
Status in “unattended-upgrades” source package in Lucid:
  New
Status in “unattended-upgrades” source package in Maverick:
  New
Status in “unattended-upgrades” source package in Natty:
  New
Status in “unattended-upgrades” source package in Oneiric:
  New

Bug description:
  Background information:
  """
  $ lsb_release -rd
  Description:	Ubuntu 11.10
  Release:	11.10

  
  $ apt-cache policy unattended-upgrades
  unattended-upgrades:
    Installed: 0.73ubuntu1
    Candidate: 0.73ubuntu1
    Version table:
   *** 0.73ubuntu1 0
          500 http://us.archive.ubuntu.com/ubuntu/ oneiric/main amd64 Packages
          100 /var/lib/dpkg/status
  """

  
  I expect that when I run the unattended-upgrades command that every insecure package will be upgraded to a secure version. However, this does not occur in the situation shown as an example here. There may also be other situations that cause insecure packages not to be upgraded.
  """
  $ apt-cache policy xserver-xorg-core
  xserver-xorg-core:
    Installed: 2:1.10.4-1ubuntu4
    Candidate: 2:1.10.4-1ubuntu4.2
    Version table:
       2:1.10.4-1ubuntu4.2 0
          500 http://us.archive.ubuntu.com/ubuntu/ oneiric-updates/main amd64 Packages
       2:1.10.4-1ubuntu4.1 0
          500 http://security.ubuntu.com/ubuntu/ oneiric-security/main amd64 Packages
   *** 2:1.10.4-1ubuntu4 0
          500 http://us.archive.ubuntu.com/ubuntu/ oneiric/main amd64 Packages
          100 /var/lib/dpkg/status

  
  $ sudo unattended-upgrade -d 2>&1 | egrep ^No
  No packages found that can be upgraded unattended
  $ echo $?
  0
  $ apt-cache policy xserver-xorg-core
  xserver-xorg-core:
    Installed: 2:1.10.4-1ubuntu4
    Candidate: 2:1.10.4-1ubuntu4.2
    Version table:
       2:1.10.4-1ubuntu4.2 0
          500 http://us.archive.ubuntu.com/ubuntu/ oneiric-updates/main amd64 Packages
       2:1.10.4-1ubuntu4.1 0
          500 http://security.ubuntu.com/ubuntu/ oneiric-security/main amd64 Packages
   *** 2:1.10.4-1ubuntu4 0
          500 http://us.archive.ubuntu.com/ubuntu/ oneiric/main amd64 Packages
          100 /var/lib/dpkg/status
  """

  In the example above, we have xserver-xorg-core, which is currently an
  insecure package containing security flaws. A run of the
  unattended-upgrades tool SHOULD resolve this situation, but in fact, it
  does not due to a higher revision package that is available for
  installation that is not tagged as a security release. This results in
  the unattended-upgrade tool not being reliable as a means to ensure
  system security.

  A copy of the current locations to automatically install updates from:
  """
  $ egrep -v '^//' /etc/apt/apt.conf.d/50unattended-upgrades | sed '/^$/d'
  Unattended-Upgrade::Allowed-Origins {
  	"Google\, Inc.:stable";
  	"${distro_id} ${distro_codename}-security";
  };
  Unattended-Upgrade::Package-Blacklist {
  };
  """

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/unattended-upgrades/+bug/891747/+subscriptions



