12 of 6 updates are security updates

Tim Frost timfrost at xtra.co.nz
Fri Aug 14 10:56:12 UTC 2009


On Thu, 2009-08-13 at 22:19 +0200, Markus Schönhaber wrote:
> Hi,
> 
> I just saw this on an i686 Jaunty box:
> | ~$ cat /etc/motd
> [...]
> |   Graph this data and manage this system at https://landscape.canonical.com/
> |
> | 6 packages can be updated.
> | 12 updates are security updates.


> Has anyone seen something similar (and has an explanation)?
> There really are 6 updates available (2 x flash, 4 x XML) which are
> indeed security updates.

And they appear in both jaunty-security and jaunty-updates repositories:
tim@zaphod:~$ apt-cache policy flashplugin-installer
flashplugin-installer:
  Installed: 10.0.32.18ubuntu0.9.04.1
  Candidate: 10.0.32.18ubuntu0.9.04.1
  Version table:
 *** 10.0.32.18ubuntu0.9.04.1 0
        500 http://nz2.archive.ubuntu.com jaunty-updates/multiverse Packages
        500 http://nz2.archive.ubuntu.com jaunty-security/multiverse Packages
        100 /var/lib/dpkg/status
     10.0.22.87ubuntu2 0
        500 http://nz2.archive.ubuntu.com jaunty/multiverse Packages


In jaunty, /etc/motd is dynamically (re-)generated, and those 2 lines
would have been generated by /usr/lib/update-notifier/apt_check.py.
That Python script loops through all the available packages, looking for
packages which are considered for install/upgrade.  When a package is
found, a check is made for all versions of the package that are newer
than the current installed version, to detect whether the upgrade is a
security upgrade (this is to detect the case where a package was
released to fix a security issue, then a new version was released before
the security update was applied to this system).

The code in apt-check.py is not correctly detecting the situation where
the package with the security update has been uploaded to BOTH
jaunty-security and jaunty-updates.  In this situation, prior to the
packages being upgraded, apt-check.py was concluding "I have found two
versions of flashplugin-installer, both of which are security updates,
and one can be installed".  Repeat that for the other 5 packages, and we
get the situation described.


Now to see what the code is like in the version of apt-check.py in
karmic, and figure out the correct fix.

> 
> -- 
> Regards
>   mks
> 

Tim

-- 
Tim Frost <timfrost at xtra.co.nz>
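
Added example, not part of the original message and not the code of
apt_check.py: a simplified Python model of the counting behaviour described
above, next to a per-package count. The data layout, the function names, the
numeric version comparison and the five example-pkg entries are assumptions
made for illustration; only the flashplugin-installer versions come from the
message.

```python
import re

def vkey(version):
    # Assumption: numeric-run comparison stands in for dpkg version ordering;
    # it is adequate for the sample versions below only.
    return [int(n) for n in re.findall(r"\d+", version)]

def newer_entries(pkg):
    """(version, archive) rows newer than the installed version."""
    return [e for e in pkg["table"] if vkey(e[0]) > vkey(pkg["installed"])]

def in_security(pkg, version):
    """True if this version is published in any *-security archive."""
    return any(v == version and a.endswith("-security") for v, a in pkg["table"])

def count_per_entry(packages):
    """Described behaviour: every newer row of a security version is counted."""
    upgrades = security = 0
    for pkg in packages:
        rows = newer_entries(pkg)
        upgrades += bool(rows)
        security += sum(in_security(pkg, v) for v, _ in rows)
    return upgrades, security

def count_per_package(packages):
    """Each upgradable package contributes at most one security update."""
    upgrades = security = 0
    for pkg in packages:
        rows = newer_entries(pkg)
        upgrades += bool(rows)
        security += any(in_security(pkg, v) for v, _ in rows)
    return upgrades, security

def dual_listed(name, installed, candidate):
    # Same candidate in both archives, as in the apt-cache policy output above.
    return {"name": name, "installed": installed,
            "table": [(candidate, "jaunty-updates"),
                      (candidate, "jaunty-security"),
                      (installed, "jaunty")]}

# flashplugin-installer versions are from the message; the other five
# package names and versions are constructed placeholders.
SAMPLE = [dual_listed("flashplugin-installer",
                      "10.0.22.87ubuntu2", "10.0.32.18ubuntu0.9.04.1")]
SAMPLE += [dual_listed("example-pkg-%d" % i, "1.0-1", "1.0-1ubuntu0.1")
           for i in range(1, 6)]

if __name__ == "__main__":
    print("per entry:   %d packages, %d security" % count_per_entry(SAMPLE))
    print("per package: %d packages, %d security" % count_per_package(SAMPLE))
```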