2024-07-10 18:00:09 | Dagmawi Biru | bug | | | added bug
2024-07-10 18:01:56 | Dagmawi Biru | description |
OS: Ubuntu 22.04
ubuntu-advantage version: 32.3.1~22.04
Problem:
Running "apt dist-upgrade" shows a MOTD message for a CVE that's already been patched on the host:
--------
➜ ~ sudo apt dist-upgrade
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Calculating upgrade... Done
#
# OpenSSH CVE-2024-6387 fix is available for all affected Ubuntu releases.
# RegreSSHion: Possible RCE Due To A Race Condition In Signal Handling.
# For more details see: https://ubuntu.com/blog/ubuntu-regresshion-security-fix
#
The following packages have been kept back:
--------
Looking into the aptnews.json where this is pulled from (querying https://motd.ubuntu.com/aptnews.json),
we see that there is selector logic matching versions below 1:8.9p1:
--------
"begin": "2024-07-03T00:00:00Z",
"selectors": {
"codenames": ["jammy"],
"packages": [
["openssh-server", "<", "1:8.9p1-3ubuntu0.10"]
--------
But this host already satisfies this version:
--------
ii openssh-server 1:8.9p1-3ubuntu0.10
--------
So something seems to be off in the selector comparison logic being used.
This is only shown on "apt dist-upgrade" from what I've seen, but I don't know if this is the only way to trigger this. |
(new value identical to the old value above) | |
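The report's claim is that the selector `["openssh-server", "<", "1:8.9p1-3ubuntu0.10"]` should not match a host whose installed openssh-server is exactly `1:8.9p1-3ubuntu0.10`. The following is an added example, not code from ubuntu-advantage-tools, apt or Launchpad: a small Python reimplementation of the dpkg version ordering (epoch, upstream version, Debian revision; `~` sorts before everything; digit runs compare numerically) that evaluates the selector quoted in the report against a constructed installed-package table. The older revision `1:8.9p1-3ubuntu0.9` used for contrast is a constructed value, not taken from the report.

```python
"""Evaluate an apt-news package selector with dpkg version semantics.

Added example for this bug report, not project code. The comparison follows
dpkg's documented ordering; the selector and host tables are constructed
from the values quoted in the report.
"""
from typing import Dict, Sequence, Tuple


def _order(c: str) -> int:
    """Character weight as in dpkg: '~' < end-of-string/digit < letters < other."""
    if c == "" or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256


def _char(s: str, i: int) -> str:
    """Character at index i, or '' past the end (plays the role of C's NUL)."""
    return s[i] if i < len(s) else ""


def _verrevcmp(a: str, b: str) -> int:
    """Compare one version fragment (upstream or revision) the dpkg way."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: compare character weights one position at a time.
        while (_char(a, i) and not _char(a, i).isdigit()) or (
            _char(b, j) and not _char(b, j).isdigit()
        ):
            ac, bc = _order(_char(a, i)), _order(_char(b, j))
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: drop leading zeros, then the longer run wins; if the runs
        # are equally long, the first differing digit decides.
        while _char(a, i) == "0":
            i += 1
        while _char(b, j) == "0":
            j += 1
        while _char(a, i).isdigit() and _char(b, j).isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if _char(a, i).isdigit():
            return 1
        if _char(b, j).isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(v: str) -> Tuple[int, str, str]:
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in v:
        epoch_str, v = v.split(":", 1)
        epoch = int(epoch_str)
    upstream, sep, revision = v.rpartition("-")
    if not sep:  # no hyphen: the whole string is the upstream version
        upstream, revision = v, ""
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 for a < b, a == b, a > b in dpkg order."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    for x, y in ((ua, ub), (ra, rb)):
        c = _verrevcmp(x, y)
        if c:
            return -1 if c < 0 else 1
    return 0


_OPS = {
    "<": lambda c: c < 0,
    "<=": lambda c: c <= 0,
    "=": lambda c: c == 0,
    ">=": lambda c: c >= 0,
    ">": lambda c: c > 0,
}


def selector_matches(selector: Sequence[str], installed: Dict[str, str]) -> bool:
    """True if the installed version of selector[0] satisfies '<op> <version>'."""
    name, op, version = selector
    if name not in installed:
        return False
    return _OPS[op](compare_versions(installed[name], version))


# Selector quoted in the report; host tables constructed from the dpkg -l line.
SELECTOR = ["openssh-server", "<", "1:8.9p1-3ubuntu0.10"]
PATCHED_HOST = {"openssh-server": "1:8.9p1-3ubuntu0.10"}
OLDER_HOST = {"openssh-server": "1:8.9p1-3ubuntu0.9"}  # constructed older revision

if __name__ == "__main__":
    print("patched host matches selector:", selector_matches(SELECTOR, PATCHED_HOST))
    print("older revision matches selector:", selector_matches(SELECTOR, OLDER_HOST))
    # Plain string ordering puts 0.10 before 0.9, which is why a version check
    # has to use dpkg semantics rather than lexicographic comparison.
    print("lexicographic '3ubuntu0.10' < '3ubuntu0.9':", "3ubuntu0.10" < "3ubuntu0.9")
```

The same check can be cross-checked on the host with the real tool: `dpkg --compare-versions 1:8.9p1-3ubuntu0.10 lt 1:8.9p1-3ubuntu0.10; echo $?` exits non-zero, i.e. the installed version is not below the selector threshold, so a correct comparison would not show the message on this host.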
2024-07-10 18:02:26 | Dagmawi Biru | description |
(old value: same text as the description above) |
(new value: same text as the description above, with "ubuntu-advantage version" changed to "ubuntu-advantage-tools version") |
|
2024-07-13 15:35:43 | Andreas Hasenack | bug | | | added subscriber Andreas Hasenack