Landscape sometimes don't list the security-update

Bug #1750600 reported by Norbert Härig on 2018-02-20
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Landscape Server
Undecided
Unassigned

Bug Description

Hello everybody

if an update of a package is listed in $RELEASE-updates and in $RELEASE-security, the update will not shown in the webinterface of Landscape as security update. It will be shown as normal update.

Example:
user@server:~$ apt-get upgrade -s | grep -i security
Inst systemd-sysv [229-4ubuntu21] (229-4ubuntu21.1 Ubuntu:16.04/xenial-updates, Ubuntu:16.04/xenial-security [amd64])
Conf systemd-sysv (229-4ubuntu21.1 Ubuntu:16.04/xenial-updates, Ubuntu:16.04/xenial-security [amd64])
Inst udev [229-4ubuntu21] (229-4ubuntu21.1 Ubuntu:16.04/xenial-updates, Ubuntu:16.04/xenial-security [amd64]) []
Inst libudev1 [229-4ubuntu21] (229-4ubuntu21.1 Ubuntu:16.04/xenial-updates, Ubuntu:16.04/xenial-security [amd64])
Conf libudev1 (229-4ubuntu21.1 Ubuntu:16.04/xenial-updates, Ubuntu:16.04/xenial-security [amd64])
Inst update-manager-core [1:16.04.10] (1:16.04.12 Ubuntu:16.04/xenial-updates, Ubuntu:16.04/xenial-security [all]) []
Inst python3-update-manager [1:16.04.10] (1:16.04.12 Ubuntu:16.04/xenial-updates, Ubuntu:16.04/xenial-security [all])
Inst update-notifier-common [3.168.5] (3.168.7 Ubuntu:16.04/xenial-updates, Ubuntu:16.04/xenial-security [all])
Inst linux-firmware [1.157.14] (1.157.16 Ubuntu:16.04/xenial-updates, Ubuntu:16.04/xenial-security [all])
Conf udev (229-4ubuntu21.1 Ubuntu:16.04/xenial-updates, Ubuntu:16.04/xenial-security [amd64])
Conf python3-update-manager (1:16.04.12 Ubuntu:16.04/xenial-updates, Ubuntu:16.04/xenial-security [all])
Conf update-manager-core (1:16.04.12 Ubuntu:16.04/xenial-updates, Ubuntu:16.04/xenial-security [all])
Conf update-notifier-common (3.168.7 Ubuntu:16.04/xenial-updates, Ubuntu:16.04/xenial-security [all])
Conf linux-firmware (1.157.16 Ubuntu:16.04/xenial-updates, Ubuntu:16.04/xenial-security [all])

As you can see, these updates are listed in both lists, but Landscape don't list them as "security update" (screenshot)

I think it's an security vulnerability, because people think falsely they installed all security-updates if they use landscape for updating their systems.

I am using "landscape-server/xenial,now 17.03.3-0ubuntu1 amd64" from the repository
http://ppa.launchpad.net/landscape/17.03/ubuntu xenial main

Best regards,
Norbert Härig

Norbert Härig (nhaerig) wrote :
information type: Private Security → Public
David Britton (davidpbritton) wrote :

Hi Norbert --

Landscape does not take into account the "pocket" (ex: ubuntu-security) where a package comes from when reporting if an upgrade is a security fix or not. See this page for more details on pockets: https://wiki.ubuntu.com/SecurityTeam/FAQ#How_are_components_and_pockets_used_in_the_builds.2C_and_how_do_they_affect_security_updates.3F

Instead, Landscape relies on the USN Database, which is authoritative for Ubuntu systems. A number of factors could be at play here, and this problem would need more isolation before it could be actioned.

Just off the top of my head:

1) Your image shows 38 "Upgrades", but you had 7 packages actually installed in your output. These could be different machines, or different points in time.

2) There is a package reporter process that runs periodically from the client and reports back to the server, you may have caught things during a window before that was run.

3) the USN database needs to be kept up to date, and errors or firewall blocks can cause this process to never complete. See here for example: https://askubuntu.com/questions/879604/, https://askubuntu.com/questions/818983

Please check into these things and narrow things down. But, just so you know, your base assumption about the pocket being important to Landscape calculation is not correct. It does not come into play at all. Just package name, version and the USN database are used.

Changed in landscape:
status: New → Incomplete
Norbert Härig (nhaerig) wrote :

Hello,
thank your for your answer.

With this new information, I was able to narrow down the problem. Now I think it's not a bug in Landcape.

I searched the USN database https://usn.ubuntu.com/usn-db/database-all.json for these updates. I found some packages which are released by the security repo but has no entry in the USN-database.

Example: I installed linux-firmware_1.157.15 and can update to linux-firmware_1.157.16 via xenial-security, but there is no entry for linux-firmware_1.157.16 in the database.

Is it possible that not every update in $release-security as an entry in the USN-database?

Best regards,
Norbert Härig

Tyler Hicks (tyhicks) wrote :

Hi Norbert - thanks for the additional research! I can confirm that we (Ubuntu Security) release some updates into the -security pocket without publishing a USN for the update. What I think is happening in this specific case is that you're seeing updates in the -security pocket that don't fix a security vulnerability.

It is valid for a system to not enable the -updates pocket and only have the release and -security pockets enabled. That makes it necessary to publish updates to the -security pocket which don't necessarily fix security vulnerabilities. An example would be a update to a toolchain related package, such as gcc, that's needed in order to build a future security update. The updated toolchain package typically won't receive a USN even though it was published to -security. The actual security update, built with the new toolchain, will receive a USN. It is fine if an end user's system doesn't have the new toolchain update because it isn't actually needed to fix a vulnerability.

Norbert Härig (nhaerig) wrote :

Hi,

Thanks for the answer, the information helped me a lot.

Best regards
Norbert Härig

Launchpad Janitor (janitor) wrote :

[Expired for Landscape Server because there has been no activity for 60 days.]

Changed in landscape:
status: Incomplete → Expired
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers