apt-cacher stops updates of random packages (Connection failed)

Bug #516500 reported by LimCore on 2010-02-03
This bug affects 2 people
Affects: apt-cacher (Ubuntu)
Importance: High
Assigned to: Unassigned

Bug Description

Binary package hint: apt-cacher

SECURITY:
apt-cacher stops downloading given packages (or perhaps even indexes), and as a result any auto updates running on other computers using this cache will stop working, probably silently, staying at old versions of software.
Systems are not updating themselves, which can be a security problem.

apt-cacher on server is up-to-date (2010.02.03) Ubuntu 9.10 amd64: 1.6.8ubuntu1
aptitude on client is up-to-date (2010.02.03) Ubuntu 9.10 amd64

Each time (also after apt-cacher restart) the client was getting a "Connection failed" error when updating some packages.

# aptitude install konsole korganizer kgpg -y
[...]
The following NEW packages will be installed:
  kgpg
0 packages upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 925kB of archives. After unpacking 2,085kB will be used.
Writing extended state information... Done
Err http://pl.archive.ubuntu.com karmic/main kgpg 4:4.3.2-0ubuntu1
  Connection failed
E: Failed to fetch http://pl.archive.ubuntu.com/ubuntu/pool/main/k/kdeutils/kgpg_4.3.2-0ubuntu1_amd64.deb: Connection failed

Then on the server I removed the kgpg cached files, and since then all works - kgpg can be downloaded again.

find /var/cache/apt-cacher/ | grep kgpg
/var/cache/apt-cacher/private/kgpg_4.3.2-0ubuntu1_amd64.deb.complete
/var/cache/apt-cacher/packages/kgpg_4.3.2-0ubuntu1_amd64.deb
/var/cache/apt-cacher/headers/kgpg_4.3.2-0ubuntu1_amd64.deb

root@jumpi(2010-02-03 12:26:15)~$ sha1sum `find /var/cache/apt-cacher/ | grep kgpg`
da39a3ee5e6b4b0d3255bfef95601890afd80709 /var/cache/apt-cacher/private/kgpg_4.3.2-0ubuntu1_amd64.deb.complete
accbd5a2689122f7fdbdff7d33f885147a2362c4 /var/cache/apt-cacher/packages/kgpg_4.3.2-0ubuntu1_amd64.deb
c25cd10f3168e94d30b4757a3d86f6cd2193195e /var/cache/apt-cacher/headers/kgpg_4.3.2-0ubuntu1_amd64.deb

root@jumpi(2010-02-03 12:26:20)~$ rm `find /var/cache/apt-cacher/ | grep kgpg`
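
As an added example (not part of the original report or of apt-cacher): a small shell helper that makes the silent failure described above visible by extracting failed .deb fetches from client apt/aptitude output and listing the matching cache entries on the server, using the cache layout shown in the report. The function names and the exit-status convention are assumptions of this example.

```shell
#!/bin/sh
# Added example; assumes the cache layout from the report:
#   <root>/packages/NAME.deb, <root>/headers/NAME.deb, <root>/private/NAME.deb.complete

# Sample client output, taken from the report above.
SAMPLE_LOG='Err http://pl.archive.ubuntu.com karmic/main kgpg 4:4.3.2-0ubuntu1
  Connection failed
E: Failed to fetch http://pl.archive.ubuntu.com/ubuntu/pool/main/k/kdeutils/kgpg_4.3.2-0ubuntu1_amd64.deb: Connection failed'

# failed_debs: read apt/aptitude output on stdin and print the file name of
# every .deb named in an "E: Failed to fetch <url>" line, one per line.
failed_debs() {
    awk '/^E: Failed to fetch / {
        url = $5
        sub(/:$/, "", url)              # drop the colon that follows the URL
        n = split(url, part, "/")
        if (part[n] ~ /\.deb$/) print part[n]
    }' | sort -u
}

# cache_entries ROOT DEB: print the cache files that exist for one package.
cache_entries() {
    for f in "$1/packages/$2" "$1/headers/$2" "$1/private/$2.complete"; do
        [ -e "$f" ] && printf '%s\n' "$f"
    done
    return 0
}

# report_stuck ROOT: read client output on stdin; for each failed fetch print
# the package and its cache entries. Returns 1 if any fetch failed, so a cron
# wrapper can alert instead of letting updates stall unnoticed.
report_stuck() {
    root=$1
    debs=$(failed_debs)
    [ -z "$debs" ] && return 0
    for deb in $debs; do
        echo "FETCH-FAILED $deb"
        cache_entries "$root" "$deb" | sed 's/^/  cached: /'
    done
    return 1
}

# Demo on the sample log; on a machine without that cache only the
# FETCH-FAILED line is printed.
printf '%s\n' "$SAMPLE_LOG" | report_stuck /var/cache/apt-cacher ||
    echo "one or more packages could not be fetched through the cache"
```

The script only reports; whether to inspect or remove the listed cache files, as the reporter did, is left to the operator.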

LimCore (limcore) on 2010-02-03
description: updated
LimCore (limcore) wrote :

Bug disables updates of Ubuntu for the clients.

I hope this will be seen as a security risk also by security team.

description: updated
summary: - apt-cacher sometimes dissallows to download given packages untill cache
- is fixed. Failed to fetch
+ apt-cacher stops updates of random packages (Connection failed)
security vulnerability: no → yes
LimCore (limcore) wrote :

This bug happens all the time.
The computer here:
a) is on unstable network connection (connection resets quite often, after reset having other external IP)
b) the clients are running updates very frequently (apt-cacher is hit every few minutes)

Changed in apt-cacher (Ubuntu):
status: New → Confirmed
LimCore (limcore) wrote :

Thanks Marc.
In what conditions does the bug happen for you?

To sum up, for users affected, they will be SILENTLY NOT GETTING THE SECURITY UPDATES menu (if some of the indexes fail to be downloaded).

This sounds quite severe. Prio High?

Krzysztof Klimonda (kklimonda) wrote :

Setting it to High as per discussion on #ubuntu-bugs with LimCore - the possibility of security updates not being applied to all systems configured to use apt-cacher indeed seems a big matter. Please check if the problem is still present in the current development release.

Changed in apt-cacher (Ubuntu):
importance: Undecided → High
Fail2Ban (failtoban) on 2010-02-20
Changed in apt-cacher (Ubuntu):
status: Confirmed → New
tags: added: verification-needed
Mitch Towner (kermiac) wrote :

@ Fail2Ban: The "verification-needed" tag is used specifically for our SRU process. Please don't add it for general use like that. Please refer to https://wiki.ubuntu.com/Bugs/Tags for more information regarding bug tags in Ubuntu. Thanks!

tags: removed: verification-needed
Changed in apt-cacher (Ubuntu):
status: New → Confirmed
This report contains Public Security information
Everyone can see this security related information.