MOTD CVE warning being shown on already-patched package versions when running apt upgrades
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| ubuntu-advantage-tools (Ubuntu) |
New
|
Undecided
|
Unassigned | ||
Bug Description
OS: Ubuntu 22.04
ubuntu-
Problem:
Running "apt dist-upgrade" shows a MOTD message for a CVE that's already been patched on the host:
--------
➜ ~ sudo apt dist-upgrade
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Calculating upgrade... Done
#
# OpenSSH CVE-2024-6387 fix is available for all affected Ubuntu releases.
# RegreSSHion: Possible RCE Due To A Race Condition In Signal Handling.
# For more details see: https:/
#
The following packages have been kept back:
--------
Looking into the aptnews.json where this is pulled (Querying https:/
we see that there is a selector logic matching versions below 1.8.9p1:
--------
"begin": "2024-07-
--------
But this host already satisfies this version:
--------
ii openssh-server 1:8.9p1-3ubuntu0.10
--------
So something seems to be off in the selector comparison logic being used.
This only is shown on "apt dist-upgrade" from what I've seen, but I don't know if this is the only way to trigger this.
| description: | updated |
| description: | updated |
| Andreas Hasenack (ahasenack) wrote | #1 |
Can you please attach /var/log/
Alternatively, run:
apport-collect 2072677
and that will attach the relevant logs to this bug