Problem:
Running "apt dist-upgrade" shows a MOTD message for a CVE that's already been patched on the host:
--------
➜ ~ sudo apt dist-upgrade
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Calculating upgrade... Done
#
# OpenSSH CVE-2024-6387 fix is available for all affected Ubuntu releases.
# RegreSSHion: Possible RCE Due To A Race Condition In Signal Handling.
# For more details see: https://ubuntu.com/blog/ubuntu-regresshion-security-fix
#
The following packages have been kept back:
--------
Looking into the aptnew.json where this is pulled (Querying https://motd.ubuntu.com/aptnews.json)
we see that there is a selector logic matching versions below 1.8.9p1:
--------
But this host already satisfies this version:
--------
ii openssh-server 1:8.9p1-3ubuntu0.10
--------
So something seems to be off in the selector comparison logic being used.
This only is shown on "apt dist-upgrade" from what I've seen, but I don't know if this is the only way to trigger this.
OS: Ubuntu 22.04
ubuntu-advantage version: 32.3.1~22.04
Problem:
Running "apt dist-upgrade" shows a MOTD message for a CVE that's already been patched on the host:
-------- /ubuntu. com/blog/ ubuntu- regresshion- security- fix
➜ ~ sudo apt dist-upgrade
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Calculating upgrade... Done
#
# OpenSSH CVE-2024-6387 fix is available for all affected Ubuntu releases.
# RegreSSHion: Possible RCE Due To A Race Condition In Signal Handling.
# For more details see: https:/
#
The following packages have been kept back:
--------
Looking into the aptnew.json where this is pulled (Querying https:/ /motd.ubuntu. com/aptnews. json)
we see that there is a selector logic matching versions below 1.8.9p1:
--------
"begin": "2024-07- 03T00:00: 00Z",
"selectors ": {
"codenames" : ["jammy"],
"packages" : [
[ "openssh- server" , "<", "1:8.9p1- 3ubuntu0. 10"]
--------
But this host already satisfies this version:
--------
ii openssh-server 1:8.9p1-3ubuntu0.10
--------
So something seems to be off in the selector comparison logic being used.
This only is shown on "apt dist-upgrade" from what I've seen, but I don't know if this is the only way to trigger this.