Landscape sometimes doesn't list the security update
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Landscape Server | Expired | Undecided | Unassigned |
Bug Description
Hello everybody
If an update of a package is listed in both $RELEASE-updates and $RELEASE-security, the update will not be shown in the Landscape web interface as a security update. It will be shown as a normal update.
Example:
user@server:~$ apt-get upgrade -s | grep -i security
Inst systemd-sysv [229-4ubuntu21] (229-4ubuntu21.1 Ubuntu:
Conf systemd-sysv (229-4ubuntu21.1 Ubuntu:
Inst udev [229-4ubuntu21] (229-4ubuntu21.1 Ubuntu:
Inst libudev1 [229-4ubuntu21] (229-4ubuntu21.1 Ubuntu:
Conf libudev1 (229-4ubuntu21.1 Ubuntu:
Inst update-manager-core [1:16.04.10] (1:16.04.12 Ubuntu:
Inst python3-
Inst update-
Inst linux-firmware [1.157.14] (1.157.16 Ubuntu:
Conf udev (229-4ubuntu21.1 Ubuntu:
Conf python3-
Conf update-manager-core (1:16.04.12 Ubuntu:
Conf update-
Conf linux-firmware (1.157.16 Ubuntu:
As you can see, these updates are listed in both lists, but Landscape doesn't list them as a "security update" (screenshot).
I think it's a security vulnerability, because people falsely think they have installed all security updates if they use Landscape for updating their systems.
I am using "landscape-
http://
Best regards,
Norbert Härig
Hi Norbert --
Landscape does not take into account the "pocket" (ex: ubuntu-security) where a package comes from when reporting if an upgrade is a security fix or not. See this page for more details on pockets: https://wiki.ubuntu.com/SecurityTeam/FAQ#How_are_components_and_pockets_used_in_the_builds.2C_and_how_do_they_affect_security_updates.3F
Instead, Landscape relies on the USN Database, which is authoritative for Ubuntu systems. A number of factors could be at play here, and this problem would need more isolation before it could be actioned.
Just off the top of my head:
1) Your image shows 38 "Upgrades", but you had 7 packages actually installed in your output. These could be different machines, or different points in time.
2) There is a package reporter process that runs periodically from the client and reports back to the server; you may have caught things during a window before that was run.
3) The USN database needs to be kept up to date, and errors or firewall blocks can cause this process to never complete. See here for example: https://askubuntu.com/questions/879604/, https://askubuntu.com/questions/818983
Please check into these things and narrow things down. But, just so you know, your base assumption about the pocket being important to Landscape's calculation is not correct. It does not come into play at all. Just package name, version and the USN database are used.
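As an added example (not part of the bug report and not Landscape's own code), the script below contrasts the two classifications the thread discusses: the pocket-based view the reporter derived from `apt-get upgrade -s`, and a name-plus-version lookup against a USN-style table as the reply describes. The sample apt output and the `USN_FIXES` table are constructed; the USN table is a deliberate simplification keyed by binary package name, and its identifiers are placeholders.

```python
import re

# Constructed sample of `apt-get upgrade -s` output in apt's full line format
# (the report's paste is truncated; these lines are not copied from it).
SAMPLE = """\
Inst systemd-sysv [229-4ubuntu21] (229-4ubuntu21.1 Ubuntu:16.04/xenial-updates, Ubuntu:16.04/xenial-security [amd64])
Inst linux-firmware [1.157.14] (1.157.16 Ubuntu:16.04/xenial-updates, Ubuntu:16.04/xenial-security [amd64])
Inst hello [2.10-1] (2.10-1ubuntu1 Ubuntu:16.04/xenial-updates [amd64])
Conf systemd-sysv (229-4ubuntu21.1 Ubuntu:16.04/xenial-updates, Ubuntu:16.04/xenial-security [amd64])
"""

# Constructed stand-in for a USN feed: (package, fixed version) -> notice id.
# A stale or incomplete feed (point 3 in the reply) is modelled by simply
# omitting linux-firmware here.
USN_FIXES = {
    ("systemd-sysv", "229-4ubuntu21.1"): "USN-PLACEHOLDER-1",
}

# Matches: Inst <pkg> [<installed>] (<candidate> <origin>[, <origin>...] [<arch>])
INST_RE = re.compile(r"^Inst (\S+) \[([^\]]+)\] \((\S+) (.*?) \[[^\]]+\]\)$")


def parse_inst_lines(output):
    """Return one dict per pending upgrade; Conf/Remv lines are skipped."""
    rows = []
    for line in output.splitlines():
        m = INST_RE.match(line)
        if not m:
            continue
        pkg, old, new, origins = m.groups()
        # "Ubuntu:16.04/xenial-security" -> "xenial-security"
        pockets = [o.split("/")[-1] for o in origins.split(", ")]
        rows.append({"package": pkg, "old": old, "new": new, "pockets": pockets})
    return rows


def classify(rows, usn_fixes):
    """Compare the pocket heuristic with a name+version USN lookup per package."""
    result = {}
    for r in rows:
        by_pocket = any(p.endswith("-security") for p in r["pockets"])
        by_usn = (r["package"], r["new"]) in usn_fixes
        result[r["package"]] = {
            "pocket_says_security": by_pocket,
            "usn_says_security": by_usn,
        }
    return result


if __name__ == "__main__":
    for pkg, verdict in classify(parse_inst_lines(SAMPLE), USN_FIXES).items():
        print(pkg, verdict)
```

Packages where the two columns disagree (here linux-firmware) are exactly the ones that look like missed security updates in a pocket-based view while a USN-driven tool reports them as ordinary upgrades.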