[Bug 891747] Verification still needed
Brian Murray
brian at ubuntu.com
Thu Jan 24 21:37:39 UTC 2013
The fix for this bug has been awaiting testing feedback in the -proposed
repository for oneiric for more than 90 days. Please test this fix and
update the bug appropriately with the results. In the event that the
fix for this bug is still not verified 15 days from now, the package
will be removed from the -proposed repository.
** Tags added: removal-candidate
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to unattended-upgrades in Ubuntu.
https://bugs.launchpad.net/bugs/891747
Title:
unattended-upgrades fails to upgrade insecure packages
Status in “unattended-upgrades” package in Ubuntu:
Fix Released
Status in “unattended-upgrades” source package in Lucid:
Fix Released
Status in “unattended-upgrades” source package in Maverick:
Won't Fix
Status in “unattended-upgrades” source package in Natty:
Won't Fix
Status in “unattended-upgrades” source package in Oneiric:
Fix Committed
Bug description:
Background information:
"""
$ lsb_release -rd
Description: Ubuntu 11.10
Release: 11.10
$ apt-cache policy unattended-upgrades
unattended-upgrades:
  Installed: 0.73ubuntu1
  Candidate: 0.73ubuntu1
  Version table:
 *** 0.73ubuntu1 0
        500 http://us.archive.ubuntu.com/ubuntu/ oneiric/main amd64 Packages
        100 /var/lib/dpkg/status
"""
I expect that when I run the unattended-upgrades command that every insecure package will be upgraded to a secure version. However, this does not occur in the situation shown as an example here. There may also be other situations that cause insecure packages not to be upgraded.
"""
$ apt-cache policy xserver-xorg-core
xserver-xorg-core:
  Installed: 2:1.10.4-1ubuntu4
  Candidate: 2:1.10.4-1ubuntu4.2
  Version table:
     2:1.10.4-1ubuntu4.2 0
        500 http://us.archive.ubuntu.com/ubuntu/ oneiric-updates/main amd64 Packages
     2:1.10.4-1ubuntu4.1 0
        500 http://security.ubuntu.com/ubuntu/ oneiric-security/main amd64 Packages
 *** 2:1.10.4-1ubuntu4 0
        500 http://us.archive.ubuntu.com/ubuntu/ oneiric/main amd64 Packages
        100 /var/lib/dpkg/status
$ sudo unattended-upgrade -d 2>&1 | egrep ^No
No packages found that can be upgraded unattended
$ echo $?
0
$ apt-cache policy xserver-xorg-core
xserver-xorg-core:
  Installed: 2:1.10.4-1ubuntu4
  Candidate: 2:1.10.4-1ubuntu4.2
  Version table:
     2:1.10.4-1ubuntu4.2 0
        500 http://us.archive.ubuntu.com/ubuntu/ oneiric-updates/main amd64 Packages
     2:1.10.4-1ubuntu4.1 0
        500 http://security.ubuntu.com/ubuntu/ oneiric-security/main amd64 Packages
 *** 2:1.10.4-1ubuntu4 0
        500 http://us.archive.ubuntu.com/ubuntu/ oneiric/main amd64 Packages
        100 /var/lib/dpkg/status
"""
In the example above, we have xserver-xorg-core, which is currently an
insecure package containing security flaws. A run of the unattended-upgrades
tool SHOULD resolve this situation, but in fact, it does not
due to a higher revision package that is available for installation
that is not tagged as a security release. This results in the
unattended-upgrade tool not being reliable as a means to ensure system
security.
A copy of the current locations to automatically install updates from:
"""
$ egrep -v '^//' /etc/apt/apt.conf.d/50unattended-upgrades | sed '/^$/d'
Unattended-Upgrade::Allowed-Origins {
        "Google\, Inc.:stable";
        "${distro_id} ${distro_codename}-security";
};
Unattended-Upgrade::Package-Blacklist {
};
"""
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/unattended-upgrades/+bug/891747/+subscriptions