Easy to trigger 404/416 errors after recent security update

Bug #1382401 reported by Michael Vogt on 2014-10-17
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
apt (Debian)
Fix Released
Unknown
apt (Ubuntu)
High
Unassigned
Lucid
High
Unassigned
Precise
High
Unassigned

Bug Description

[Impact]

The recent security update make it easy to trigger Debian bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=710924 - i.e. apt does not deal well with 416 requests from the remote server.

[Test Case]

1 install latest apt from security
2 run sudo apt-get update
3 run sudo apt-get update again and ctrl somewhere in the middle
4 run sudo apt-get update again
5 verify that you get either 404 or 416 errors

6 install the updated version from prospoed
7 verify that sudo apt-get update works now
8 verify that steps 2-4 do not lead to a failure

Michael Vogt (mvo) on 2014-10-17
Changed in apt (Ubuntu Lucid):
status: New → In Progress
importance: Undecided → High
Changed in apt (Ubuntu):
importance: Undecided → High
status: New → Fix Released
Changed in apt (Ubuntu Precise):
status: New → In Progress
importance: Undecided → High

Hello Michael, or anyone else affected,

Accepted apt into precise-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/apt/0.8.16~exp12ubuntu10.22 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in apt (Ubuntu Precise):
status: In Progress → Fix Committed
tags: added: verification-needed
Changed in apt (Ubuntu Lucid):
status: In Progress → Fix Committed
Brian Murray (brian-murray) wrote :

Hello Michael, or anyone else affected,

Accepted apt into lucid-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/apt/0.7.25.3ubuntu9.17.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Bartosz Kosiorek (gang65) wrote :

After install apt package from precise proposed, the problem was gone.
Verification done.

  Installed: 0.8.16~exp12ubuntu10.22
  Candidate: 0.8.16~exp12ubuntu10.22
  Version table:
 *** 0.8.16~exp12ubuntu10.22 0
        100 /var/lib/dpkg/status
     0.8.16~exp12ubuntu10.21 0
        500 http://ftp.icm.edu.pl/pub/Linux/ubuntu/ precise-updates/main amd64 Packages
        500 http://ftp.icm.edu.pl/pub/Linux/ubuntu/ precise-security/main amd64 Packages
     0.8.16~exp12ubuntu10 0
        500 http://ftp.icm.edu.pl/pub/Linux/ubuntu/ precise/main amd64 Packages

tags: added: verification-done-precise
tags: added: verification-needed-lucid
removed: verification-needed
Chris J Arges (arges) wrote :

Has this been verified for lucid?

The verification of the Stable Release Update for apt has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apt - 0.8.16~exp12ubuntu10.22

---------------
apt (0.8.16~exp12ubuntu10.22) precise-proposed; urgency=low

  [ David Kalnischkies ]
  * methods/http.cc:
    - retry without partial data after a 416 response (closes: 710924)
      LP: #1382401
 -- Michael Vogt <email address hidden> Fri, 17 Oct 2014 09:57:34 +0200

Changed in apt (Ubuntu Precise):
status: Fix Committed → Fix Released
description: updated
Changed in apt (Debian):
status: Unknown → Fix Released

The fix for this bug has been awaiting testing feedback in the -proposed repository for lucid for more than 90 days. Please test this fix and update the bug appropriately with the results. In the event that the fix for this bug is still not verified 15 days from now, the package will be removed from the -proposed repository.

tags: added: removal-candidate
description: updated

The version of apt in the proposed pocket of Lucid that was purported to fix this bug report has been removed because the bugs that were to be fixed by the upload were not verified in a timely (105 days) fashion.

tags: removed: verification-needed-lucid
Changed in apt (Ubuntu Lucid):
status: Fix Committed → Won't Fix
tags: removed: removal-candidate
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.