Security update mistake?

NoOp glgxg at mfire.com
Sat May 26 22:19:23 UTC 2007 

On 05/26/2007 02:30 PM, Thilo Six wrote:
> Johan Grönqvist wrote the following on 25.05.2007 10:33
>> Hello,
>> 
>> Yesterday, there was a security announcement recommending upgrading the
>> kernel to 2.6.20.16, but synaptic does not automatically suggest this
>> upgrade. The new kernel image is available in the repository, but not
>> automatically upgraded to. 
>> 
>> I believe this is because no upgrade is available to linux-generic,
>> which still is version 2.6.20.15 and does not depend on the new kernel.
>> To me it feels good to let a meta-package select what kernel I should
>> use, but now that does not seem to be the best option now.
>> 
>> Is this a mistake in the security update process?
>> 
>> 
>> / johan
> 
> the dependencies seem to be wrong.
> I have send a mail to devel-discuss - waiting for an answer.
> 
> bye Thilo

I noticed the same; on a machine that I did 'sudo apt-get update'
yesterday - in Synaptic|Status|New in repository, are 23 packages for
2.6.20.16. On this machine after a 'sudo apt-get update' I show same 23
packages, but only after doing a search 2.6.20.16 (none installed of
course). linux-image-2.6.20-16-generic is in the 23.

The May 23 Security advisory advises:

===========================================================
Ubuntu Security Notice USN-464-1               May 23, 2007
linux-source-2.6.15/2.6.17/2.6.20 vulnerabilities
CVE-2007-1357, CVE-2007-1388, CVE-2007-1496, CVE-2007-1497,
CVE-2007-1592, CVE-2007-1730, CVE-2007-2172
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 6.10
Ubuntu 7.04

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 7.04:
  linux-image-2.6.20-16-386                2.6.20-16.28
  linux-image-2.6.20-16-generic            2.6.20-16.28
  linux-image-2.6.20-16-hppa32             2.6.20-16.28
  linux-image-2.6.20-16-hppa64             2.6.20-16.28
  linux-image-2.6.20-16-itanium            2.6.20-16.28
  linux-image-2.6.20-16-lowlatency         2.6.20-16.28
  linux-image-2.6.20-16-mckinley           2.6.20-16.28
  linux-image-2.6.20-16-powerpc            2.6.20-16.28
  linux-image-2.6.20-16-powerpc-smp        2.6.20-16.28
  linux-image-2.6.20-16-powerpc64-smp      2.6.20-16.28
  linux-image-2.6.20-16-server             2.6.20-16.28
  linux-image-2.6.20-16-server-bigiron     2.6.20-16.28
  linux-image-2.6.20-16-sparc64            2.6.20-16.28
  linux-image-2.6.20-16-sparc64-smp        2.6.20-16.28

sudo apt-get upgrade results in nothing to be done - ditto for sudo
aptitude upgrade.

Note: the full upgrade notice can be found here
http://www.ubuntu.com/usn/usn-464-1
or
http://permalink.gmane.org/gmane.linux.ubuntu.security.announce/552
for a listing with the repos.

More information about the ubuntu-users mailing list