[Bug 891747] Re: unattended-upgrades fails to upgrade insecure packages

Jean-Baptiste Lallement jean-baptiste at ubuntu.com
Mon Feb 6 16:38:23 UTC 2012


SRU verification for Lucid:
I have reproduced the problem with unattended-upgrades 0.55ubuntu6 in lucid-updates and have verified that the version of unattended-upgrades 0.55ubuntu7 in -proposed fixes the issue.

I used w3m as a victim package and with u-u from -proposed the version from -security is installed.
    w3m:
      Installé : 0.5.2-2.1ubuntu1.1
      Candidat : 0.5.2-2.1ubuntu1.2
     Table de version :
         0.5.2-2.1ubuntu1.2 0
            500 http://archive.ubuntu.com/ubuntu/ lucid-updates/main Packages
     *** 0.5.2-2.1ubuntu1.1 0
            500 http://security.ubuntu.com/ubuntu/ lucid-security/main Packages
            100 /var/lib/dpkg/status
         0.5.2-2.1ubuntu1 0
            500 http://archive.ubuntu.com/ubuntu/ lucid/main Packages


Marking as verification-done

** Tags removed: verification-needed
** Tags added: verification-done

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to unattended-upgrades in Ubuntu.
https://bugs.launchpad.net/bugs/891747

Title:
  unattended-upgrades fails to upgrade insecure packages

Status in “unattended-upgrades” package in Ubuntu:
  Fix Released
Status in “unattended-upgrades” source package in Lucid:
  Fix Committed
Status in “unattended-upgrades” source package in Maverick:
  Fix Committed
Status in “unattended-upgrades” source package in Natty:
  Fix Committed
Status in “unattended-upgrades” source package in Oneiric:
  Fix Committed

Bug description:
  Background information:
  """
  $ lsb_release -rd
  Description:	Ubuntu 11.10
  Release:	11.10

  
  $ apt-cache policy unattended-upgrades
  unattended-upgrades:
    Installed: 0.73ubuntu1
    Candidate: 0.73ubuntu1
    Version table:
   *** 0.73ubuntu1 0
          500 http://us.archive.ubuntu.com/ubuntu/ oneiric/main amd64 Packages
          100 /var/lib/dpkg/status
  """

  
  I expect that when I run the unattended-upgrades command that every insecure package will be upgraded to a secure version. However, this does not occur in the situation shown as an example here. There may also be other situations that cause insecure packages not to be upgraded.
  """
  $ apt-cache policy xserver-xorg-core
  xserver-xorg-core:
    Installed: 2:1.10.4-1ubuntu4
    Candidate: 2:1.10.4-1ubuntu4.2
    Version table:
       2:1.10.4-1ubuntu4.2 0
          500 http://us.archive.ubuntu.com/ubuntu/ oneiric-updates/main amd64 Packages
       2:1.10.4-1ubuntu4.1 0
          500 http://security.ubuntu.com/ubuntu/ oneiric-security/main amd64 Packages
   *** 2:1.10.4-1ubuntu4 0
          500 http://us.archive.ubuntu.com/ubuntu/ oneiric/main amd64 Packages
          100 /var/lib/dpkg/status

  
  $ sudo unattended-upgrade -d 2>&1 | egrep ^No
  No packages found that can be upgraded unattended
  $ echo $?
  0
  $ apt-cache policy xserver-xorg-core
  xserver-xorg-core:
    Installed: 2:1.10.4-1ubuntu4
    Candidate: 2:1.10.4-1ubuntu4.2
    Version table:
       2:1.10.4-1ubuntu4.2 0
          500 http://us.archive.ubuntu.com/ubuntu/ oneiric-updates/main amd64 Packages
       2:1.10.4-1ubuntu4.1 0
          500 http://security.ubuntu.com/ubuntu/ oneiric-security/main amd64 Packages
   *** 2:1.10.4-1ubuntu4 0
          500 http://us.archive.ubuntu.com/ubuntu/ oneiric/main amd64 Packages
          100 /var/lib/dpkg/status
  """

  In the example above, we have xserver-xorg-core, which is currently an
  insecure package containing security flaws. A run of the unattended-
  upgrades tool SHOULD resolve this situation, but in fact, it does not
  due to a higher revision package that is available for installation
  that is not tagged as a security release. This results in the
  unattended-upgrade tool not being reliable as a means to ensure system
  security.

  A copy of the current locations to automatically install updates from:
  """
  $ egrep -v '^//' /etc/apt/apt.conf.d/50unattended-upgrades | sed '/^$/d'
  Unattended-Upgrade::Allowed-Origins {
  	"Google\, Inc.:stable";
  	"${distro_id} ${distro_codename}-security";
  };
  Unattended-Upgrade::Package-Blacklist {
  };
  """

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/unattended-upgrades/+bug/891747/+subscriptions
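
The condition described in the report, as an added example that is not part of the original bug report or of unattended-upgrades: a Python check over `apt-cache policy` output that reports a pending -security version when the candidate is published only in another suite. It assumes English-locale output and a version table listed newest first; `parse_policy` and `pending_security_fix` are hypothetical names.

```python
import re

# Constructed sample: the apt-cache policy output quoted in the bug description.
SAMPLE = """\
xserver-xorg-core:
  Installed: 2:1.10.4-1ubuntu4
  Candidate: 2:1.10.4-1ubuntu4.2
  Version table:
     2:1.10.4-1ubuntu4.2 0
        500 http://us.archive.ubuntu.com/ubuntu/ oneiric-updates/main amd64 Packages
     2:1.10.4-1ubuntu4.1 0
        500 http://security.ubuntu.com/ubuntu/ oneiric-security/main amd64 Packages
 *** 2:1.10.4-1ubuntu4 0
        500 http://us.archive.ubuntu.com/ubuntu/ oneiric/main amd64 Packages
        100 /var/lib/dpkg/status
"""
VERSION_RE = re.compile(r"^\s*(\*\*\*\s+)?(\S+)\s+\d+$")  # "[***] <version> <pin>"
SOURCE_RE = re.compile(r"^\s+\d+\s+\S+\s+(\S+)/\S+\s")    # "<prio> <url> <suite>/<component> ..."

def parse_policy(text):
    """Parse one package's apt-cache policy output (English locale assumed)."""
    candidate, table, in_table = None, [], False
    for line in text.splitlines():
        if line.strip().startswith("Candidate:"):
            candidate = line.split(":", 1)[1].strip()
        elif line.strip() == "Version table:":
            in_table = True
        elif in_table and (m := VERSION_RE.match(line)):
            table.append({"version": m.group(2), "installed": bool(m.group(1)), "suites": []})
        elif in_table and table and (m := SOURCE_RE.match(line)):
            table[-1]["suites"].append(m.group(1))
    return candidate, table

def pending_security_fix(text):
    """Newest -security version above the installed one if the candidate is not in -security."""
    candidate, table = parse_policy(text)
    newer = []
    for entry in table:                  # assumption: table is listed newest first
        if entry["installed"]:
            break
        newer.append(entry)
    else:
        return None                      # package is not installed
    security = [e["version"] for e in newer
                if any(s.endswith("-security") for s in e["suites"])]
    if candidate in security or candidate not in [e["version"] for e in newer]:
        return None                      # candidate is a security upload, or nothing newer
    return security[0] if security else None
```

For the sample, `pending_security_fix(SAMPLE)` returns the -security version that sits between the installed version and the -updates candidate.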



