check_apt always report 0 critical updates

Bug #1031680 reported by Fabien on 2012-08-01
This bug affects 10 people
Affects Status Importance Assigned to Milestone
Nagios Plugins
nagios-plugins (Ubuntu)
Ubuntu Server
Ubuntu Server

Bug Description

check_apt reports 0 critical updates even if there are critical updates.
Tested on Natty, Oneiric and Precise.

 sh> ssh host
 Welcome to Ubuntu 11.04 (GNU/Linux 2.6.38-12-generic x86_64)
 217 packages can be updated.
 192 updates are security updates.
 host> /usr/lib/nagios/plugins/check_apt
 APT WARNING: 217 packages available for upgrade (0 critical updates).

ProblemType: Bug
DistroRelease: Ubuntu 12.04
Package: nagios-plugins-basic 1.4.15-5ubuntu3
ProcVersionSignature: Ubuntu 3.2.0-27.43-generic 3.2.21
Uname: Linux 3.2.0-27-generic x86_64
NonfreeKernelModules: wl
ApportVersion: 2.0.1-0ubuntu11
Architecture: amd64
Date: Wed Aug 1 11:18:36 2012
InstallationMedia: Ubuntu 10.10 "Maverick Meerkat" - Beta amd64 (20100901.1)
SourcePackage: nagios-plugins
UpgradeStatus: Upgraded to precise on 2012-04-27 (96 days ago)

Robie Basak (racb) wrote :

Reproduced on precise:

ubuntu@precise-test:~$ /usr/lib/update-notifier/apt-check --human-readable
17 packages can be updated.
12 updates are security updates.
ubuntu@precise-test:~$ /usr/lib/nagios/plugins/check_apt
APT WARNING: 14 packages available for upgrade (0 critical updates).

Checking Quantal is a bit more involved, since there won't be any "critical" updates for Quantal until after it is released.

Changed in nagios-plugins (Ubuntu):
status: New → Confirmed
importance: Undecided → High
Robie Basak (racb) wrote :

It looks like this is due to how check_apt is checking for "critical" updates. Since Ubuntu publishes security updates in both the -updates and -security pockets, it only works if the security pocket is listed first in sources.list.

Workaround: move the security lines in /etc/apt/sources.list to the top.

Now I get:

ubuntu@precise-test:~$ /usr/lib/update-notifier/apt-check --human-readable
17 packages can be updated.
12 updates are security updates.
ubuntu@precise-test:~$ /usr/lib/nagios/plugins/check_apt
APT CRITICAL: 14 packages available for upgrade (9 critical updates).

Not an exact match, but better. This is probably due to how exactly check_apt is checking apt-get's output.

It seems suboptimal to me. Now that /usr/lib/update-notifier/apt-check exists, check_apt could use it instead. But this would be a fundamental change in how check_apt works, so this should probably be sent for discussion upstream.

Changing to Importance: Medium as a workaround is available.

Changed in nagios-plugins (Ubuntu):
status: Confirmed → Triaged
importance: High → Medium
Robie Basak (racb) wrote :

It turns out that somebody has already arranged a better workaround for Nagios here:

Simon Déziel (sdeziel) wrote :

Another workaround is to reorder sources.list to have -security before -updates like this:

$ cat /etc/apt/sources.list
deb precise main universe
deb precise-security main universe
deb precise-updates main universe

$ /usr/lib/nagios/plugins/check_apt -d
APT CRITICAL: 5 packages available for dist-upgrade (4 critical updates).

Changed in nagios-plugins (Ubuntu):
importance: Medium → High
assignee: nobody → Ubuntu Server Team (ubuntu-server)
tags: added: rls-s-incoming
Changed in nagios-plugins (Ubuntu Precise):
status: New → Confirmed
Changed in nagios-plugins (Ubuntu Quantal):
status: New → Confirmed
Tony Yarusso (tonyyarusso) wrote :

I also can confirm both this bug and Robie's explanation for it. Additionally, I attached a copy of a potential replacement check plugin to Bug #1167621 along with some changes needed to update-notifier in order for that to work.

not knowing about security updates are a security issue; changed the but type

information type: Public → Public Security
Robie Basak (racb) wrote :

I've reported this upstream, since I don't see that this bug will get fixed any other way:

I'm dubious about calling this a security vulnerability. I can see your logic, but this bug's root cause is the fundamental design of check_apt (fragile apt-get simulation parsing) causing it to not work for security purposes at all. I'd love to see this fixed, but it might be better to just write an entirely separate plugin based on calling /usr/lib/update-notifier/apt-check instead. In that case, it might be better to just say that check_apt is unsuitable for detecting security updates on Ubuntu, and what you really have is a wishlist bug for a different plugin that *is* capable of it. Since /usr/lib/update-notifier/apt-check is machine readable, such an alternative plugin could be about five lines of shell. I have asked if such a contribution would be welcome in the upstream bug.

Anyway, how to classify this bug isn't really going to change anything. I have asked upstream for comments on a suitable fix. A working interface to get the required information is available. We can follow whatever they decide to do.

Simon Déziel (sdeziel) wrote :

I too needed to know when security packages were available so I cooked my own (*) wrapper around /usr/lib/update-notifier/apt-check. It works well and also provides perf_data for those who'd like to visualize the package availability.


Jan Wagner (waja) on 2013-06-28
information type: Public Security → Public
Jan Wagner (waja) wrote :

Sorry guys .. this ist _NOT_ a security issue (at least no one of nagios-plugins).

Opening a but upstream might a good idea, but upstream doesn't work on debian systems. So it's up to you guys to present (useful and senseful) patches which might be adopted upstream.

If anybody want to rely on apt-check, you should spin off a separate plugin and try to incorporate that into the nagios-plugins-contrib package! Anyways ... nagios-plugins-contrib also provides check_packages, maybe you give it a go.

Cheers, Jan (with Debian Nagios-Plugins Maintainers hat on).

Dimitri John Ledkov (xnox) wrote :

It's not a security issue, per se, just closely related. It is indeed bug on ubuntu system and it is ubuntu specific in some ways. We should provide improved checks by default, and if possible, in an unstreamable way. I have targeted this bug for saucy, such that hopefully this can be resolved this cycle.

Robie Basak (racb) wrote :

I've made some suggestions here:

Reading cyco's comment, I suppose another route would be to get Simon's plugin into nagios-plugins-contrib?

Jan Wagner (waja) wrote :

Also an option is to port check_apt to use libapt-pkg[1]. This has the advantage that libapt-pkg is providing a stable api and we don't need to parse output of apt-get/aptitude.

The easiest way to get changes into upstream is to send pull requests[2].


Robie Basak (racb) wrote :

Dropping Saucy target, as I don't think it's realistic.

no longer affects: nagios-plugins (Ubuntu Saucy)
Jan Wagner (waja) wrote :

Anyways ... please fill pull requests over there in, the upstream has changed it's name.

Rolf Leggewie (r0lf) wrote :

quantal has seen the end of its life and is no longer receiving any updates. Marking the quantal task for this ticket as "Won't Fix".

Changed in nagios-plugins (Ubuntu Quantal):
status: Confirmed → Won't Fix
Rolf Leggewie (r0lf) wrote :

raring has seen the end of its life and is no longer receiving any updates. Marking the raring task for this ticket as "Won't Fix".

Changed in nagios-plugins (Ubuntu Raring):
status: Triaged → Won't Fix
mc0e (xgcsufw02) wrote :

If after 5 years this plugin still hasn't been fixed such that it can fulfil its primary function, then perhaps it's time to remove it from ubuntu's repositories?

Robie Basak (racb) wrote :

nagios-plugins has in fact not been present in a release since Vivid.

Changed in nagios-plugins (Ubuntu):
status: Triaged → Invalid
Simon Déziel (sdeziel) wrote :

I think the problematic check_apt is now shipped by monitoring-plugins(-basic) that replaced nagios-plugins. For those interested, I'm still maintaining a working check_apt_upgrade [1]. I'm also about to package it along with some other checks in a PPA.


Simon Déziel (sdeziel) wrote :

I just tested on a Xenial VM and check_apt (monitoring-plugins) doesn't count the same way as apt-check (update-notifier-common):

# /usr/lib/nagios/plugins/check_apt
APT CRITICAL: 15 packages available for upgrade (4 critical updates). |available_upgrades=15;;;0 critical_updates=4;;;0

# /usr/lib/update-notifier/apt-check --human-readable
17 packages can be updated.
5 updates are security updates.

The pending list looks like that:

The following NEW packages will be installed:
   linux-image-4.4.0-77-generic (4.4.0-77.98)
The following packages will be upgraded:
   apt (1.2.19 => 1.2.20)
   apt-utils (1.2.19 => 1.2.20)
   distro-info-data (0.28ubuntu0.2 => 0.28ubuntu0.3)
   dpkg (1.18.4ubuntu1.1 => 1.18.4ubuntu1.2)
   libapt-inst2.0 (1.2.19 => 1.2.20)
   libapt-pkg5.0 (1.2.19 => 1.2.20)
   libdns-export162 (1:9.10.3.dfsg.P4-8ubuntu1.5 => 1:9.10.3.dfsg.P4-8ubuntu1.6)
   libfreetype6 (2.6.1-0.1ubuntu2.1 => 2.6.1-0.1ubuntu2.2)
   libisc-export160 (1:9.10.3.dfsg.P4-8ubuntu1.5 => 1:9.10.3.dfsg.P4-8ubuntu1.6)
   libpam-systemd (229-4ubuntu16 => 229-4ubuntu17)
   libsystemd0 (229-4ubuntu16 => 229-4ubuntu17)
   libudev1 (229-4ubuntu16 => 229-4ubuntu17)
   linux-image-virtual ( =>
   systemd (229-4ubuntu16 => 229-4ubuntu17)
   systemd-sysv (229-4ubuntu16 => 229-4ubuntu17)
   udev (229-4ubuntu16 => 229-4ubuntu17)

So I'd guess that check_apt doesn't count the new kernel to be installed as being critical.

Simon Déziel (sdeziel) wrote :

@mc0e, from the above output, it seems that check_apt/monitoring-plugins is working at least in Xenial and newer.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.