[Bug 891747] Re: unattended-upgrades fails to upgrade insecure packages

Launchpad Bug Tracker 891747 at bugs.launchpad.net
Thu Nov 24 17:32:14 UTC 2011


This bug was fixed in the package unattended-upgrades - 0.75

---------------
unattended-upgrades (0.75) unstable; urgency=low


  * add tests for compat mode and spaces in an origin
  * escape "," in the Allowed-Origins compat mode (LP: #824856)
  * merged lp:~mvo/unattended-upgrades/unshadow-versions, this will
    ensure that higher versions in a non-origin branch do not "shadow"
    the versions from a desired origin (LP: #891747)

 -- Michael Vogt <mvo at debian.org>  Tue, 22 Nov 2011 15:27:56 +0100

** Changed in: unattended-upgrades (Ubuntu)
       Status: In Progress => Fix Released

https://bugs.launchpad.net/bugs/891747

Title:
  unattended-upgrades fails to upgrade insecure packages

Status in “unattended-upgrades” package in Ubuntu:
  Fix Released
Status in “unattended-upgrades” source package in Lucid:
  New
Status in “unattended-upgrades” source package in Maverick:
  New
Status in “unattended-upgrades” source package in Natty:
  New
Status in “unattended-upgrades” source package in Oneiric:
  New

Bug description:
  Background information:
  """
  $ lsb_release -rd
  Description:	Ubuntu 11.10
  Release:	11.10

  
  $ apt-cache policy unattended-upgrades
  unattended-upgrades:
    Installed: 0.73ubuntu1
    Candidate: 0.73ubuntu1
    Version table:
   *** 0.73ubuntu1 0
          500 http://us.archive.ubuntu.com/ubuntu/ oneiric/main amd64 Packages
          100 /var/lib/dpkg/status
  """

  
  I expect that when I run the unattended-upgrades command, every insecure package will be upgraded to a secure version. However, this does not occur in the situation shown as an example here. There may also be other situations that cause insecure packages not to be upgraded.
  """
  $ apt-cache policy xserver-xorg-core
  xserver-xorg-core:
    Installed: 2:1.10.4-1ubuntu4
    Candidate: 2:1.10.4-1ubuntu4.2
    Version table:
       2:1.10.4-1ubuntu4.2 0
          500 http://us.archive.ubuntu.com/ubuntu/ oneiric-updates/main amd64 Packages
       2:1.10.4-1ubuntu4.1 0
          500 http://security.ubuntu.com/ubuntu/ oneiric-security/main amd64 Packages
   *** 2:1.10.4-1ubuntu4 0
          500 http://us.archive.ubuntu.com/ubuntu/ oneiric/main amd64 Packages
          100 /var/lib/dpkg/status

  
  $ sudo unattended-upgrade -d 2>&1 | egrep ^No
  No packages found that can be upgraded unattended
  $ echo $?
  0
  $ apt-cache policy xserver-xorg-core
  xserver-xorg-core:
    Installed: 2:1.10.4-1ubuntu4
    Candidate: 2:1.10.4-1ubuntu4.2
    Version table:
       2:1.10.4-1ubuntu4.2 0
          500 http://us.archive.ubuntu.com/ubuntu/ oneiric-updates/main amd64 Packages
       2:1.10.4-1ubuntu4.1 0
          500 http://security.ubuntu.com/ubuntu/ oneiric-security/main amd64 Packages
   *** 2:1.10.4-1ubuntu4 0
          500 http://us.archive.ubuntu.com/ubuntu/ oneiric/main amd64 Packages
          100 /var/lib/dpkg/status
  """

  In the example above, we have xserver-xorg-core, which is currently an
  insecure package containing security flaws. A run of the
  unattended-upgrades tool SHOULD resolve this situation, but in fact, it
  does not due to a higher revision package that is available for
  installation that is not tagged as a security release. This results in
  the unattended-upgrade tool not being reliable as a means to ensure
  system security.

  A copy of the current locations to automatically install updates from:
  """
  $ egrep -v '^//' /etc/apt/apt.conf.d/50unattended-upgrades | sed '/^$/d'
  Unattended-Upgrade::Allowed-Origins {
  	"Google\, Inc.:stable";
  	"${distro_id} ${distro_codename}-security";
  };
  Unattended-Upgrade::Package-Blacklist {
  };
  """
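
Added example (not part of the bug report and not code from unattended-upgrades): a Python model of the "shadowing" described above, run over the xserver-xorg-core version table from the report. The function names, the matching on the archive name taken from each source line, and the simplified version ordering are assumptions made for this illustration.

```python
import re

# Constructed sample: the xserver-xorg-core policy output from the report above.
POLICY = """\
xserver-xorg-core:
  Installed: 2:1.10.4-1ubuntu4
  Candidate: 2:1.10.4-1ubuntu4.2
  Version table:
     2:1.10.4-1ubuntu4.2 0
        500 http://us.archive.ubuntu.com/ubuntu/ oneiric-updates/main amd64 Packages
     2:1.10.4-1ubuntu4.1 0
        500 http://security.ubuntu.com/ubuntu/ oneiric-security/main amd64 Packages
 *** 2:1.10.4-1ubuntu4 0
        500 http://us.archive.ubuntu.com/ubuntu/ oneiric/main amd64 Packages
        100 /var/lib/dpkg/status
"""
ALLOWED = {"oneiric-security"}  # assumed archive for "${distro_codename}-security"

def vkey(v):
    # Simplified ordering, sufficient for the versions above (no "~" handling);
    # real tooling should use apt_pkg.version_compare from python-apt.
    return [int(t) if t.isdigit() else t for t in re.findall(r"\d+|\D+", v)]

def parse(text):
    """Return (installed, candidate, {version: set of archives offering it})."""
    installed = re.search(r"Installed: (\S+)", text).group(1)
    candidate = re.search(r"Candidate: (\S+)", text).group(1)
    table, cur = {}, None
    for line in text.split("Version table:")[1].splitlines():
        m = re.match(r"\s*(?:\*\*\* )?(\d\S*) \d+$", line)
        if m:
            cur = table.setdefault(m.group(1), set())
        elif cur is not None and (s := re.match(r"\s+\d+ \S+ (\S+?)/", line)):
            cur.add(s.group(1))
    return installed, candidate, table

def candidate_only(text):
    """Model of the reported symptom: only the apt candidate is checked."""
    _, cand, table = parse(text)
    return cand if table[cand] & ALLOWED else None

def best_allowed(text):
    """Highest version above the installed one that an allowed origin offers."""
    inst, _, table = parse(text)
    ok = [v for v, src in table.items() if src & ALLOWED and vkey(v) > vkey(inst)]
    return max(ok, key=vkey, default=None)

if __name__ == "__main__":
    print("candidate-only check:", candidate_only(POLICY))
    print("best allowed version:", best_allowed(POLICY))
```

The same comparison works as an audit on a host: any package where the two functions disagree has a security-pocket update hidden behind a higher version from an origin that is not allowed.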
