unattended-upgrades fails to upgrade insecure packages
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| unattended-upgrades (Ubuntu) | Fix Released | Medium | Michael Vogt | |
| Lucid | Fix Released | Medium | Unassigned | |
| Maverick | Won't Fix | Medium | Unassigned | |
| Natty | Won't Fix | Medium | Unassigned | |
| Oneiric | Won't Fix | Medium | Unassigned | |
Bug Description
Background information:
"""
$ lsb_release -rd
Description: Ubuntu 11.10
Release: 11.10
$ apt-cache policy unattended-upgrades
unattended-
Installed: 0.73ubuntu1
Candidate: 0.73ubuntu1
Version table:
*** 0.73ubuntu1 0
500 http://
100 /var/lib/
"""
I expect that when I run the unattended-upgrades command, every insecure package will be upgraded to a secure version. However, this does not occur in the situation shown as an example here. There may also be other situations that cause insecure packages not to be upgraded.
"""
$ apt-cache policy xserver-xorg-core
xserver-xorg-core:
Installed: 2:1.10.4-1ubuntu4
Candidate: 2:1.10.4-1ubuntu4.2
Version table:
2:
500 http://
2:
500 http://
*** 2:1.10.4-1ubuntu4 0
500 http://
100 /var/lib/
$ sudo unattended-upgrade -d 2>&1 | egrep ^No
No packages found that can be upgraded unattended
$ echo $?
0
$ apt-cache policy xserver-xorg-core
xserver-xorg-core:
Installed: 2:1.10.4-1ubuntu4
Candidate: 2:1.10.4-1ubuntu4.2
Version table:
2:
500 http://
2:
500 http://
*** 2:1.10.4-1ubuntu4 0
500 http://
100 /var/lib/
"""
In the example above, we have xserver-xorg-core, which is currently an insecure package containing security flaws. A run of the unattended-upgrades tool SHOULD resolve this situation, but in fact it does not, because a higher-revision package that is not tagged as a security release is available for installation. This results in the unattended-upgrade tool not being reliable as a means to ensure system security.
A copy of the current locations to automatically install updates from:
"""
$ egrep -v '^//' /etc/apt/
Unattended-
"Google\, Inc.:stable";
"${distro_id} ${distro_
};
Unattended-
};
"""
Changed in unattended-upgrades (Ubuntu Lucid):
  status: New → In Progress
  importance: Undecided → Medium
Changed in unattended-upgrades (Ubuntu Oneiric):
  status: New → In Progress
Changed in unattended-upgrades (Ubuntu Maverick):
  status: New → Fix Committed
Changed in unattended-upgrades (Ubuntu Natty):
  status: New → Fix Committed
Changed in unattended-upgrades (Ubuntu Maverick):
  importance: Undecided → Medium
Changed in unattended-upgrades (Ubuntu Natty):
  importance: Undecided → Medium
Changed in unattended-upgrades (Ubuntu Oneiric):
  importance: Undecided → Medium
Changed in unattended-upgrades (Ubuntu Natty):
  status: Fix Committed → Won't Fix
Indeed, this is a problem. I am working on a proper fix now.
In the meantime my suggestion is to comment out oneiric-updates in sources.list to avoid having these higher version numbers shadow the security version.