Comment 7 for bug 891747

xtsbdu3reyrbrmroezob (xtsbdu3reyrbrmroezob) wrote :

OK. But just be advised that anyone running an LTS version of Ubuntu who expects security updates to be installed via unattended-upgrades will be VULNERABLE to exploitation because updated packages are NOT being installed as expected. This has the potential to do much more harm to any system than a specific single package vulnerability, mainly because now the exposure is multiplied by the total number of packages not updated that contain vulnerabilities. In such a case, it could be hundreds of packages. In my specific case, it was around 20 packages that were vulnerable.

So, in summary, anyone running an LTS release with this vulnerable package will remain vulnerable for up to five years because unattended-upgrades is not being tagged as a security vulnerability and not upgrading itself.

Also, this brings to light another attack on the packaging system as detailed below.

1) Security team announces major security issue in a package used by everyone (say libpam)
2) Security update released to public.
3) One hour later, a trusted insider posts an update to the same libpam package to fix some minor bugs.
4) Vulnerable systems never receive the package update via unattended-upgrades and remain vulnerable for eternity due to an improper package update selection algorithm...

This could mean the libpam vulnerability is exploitable forever on the system! If that is what you think is acceptable, then OK!
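The scenario in the comment above, modelled as an added example (this is not code from unattended-upgrades or from the commenter): a package has a security fix in the -security pocket, but a later, non-security version in -updates becomes apt's candidate. If the upgrader only considers the candidate version and the candidate's origin is not in the allowed-origins set, the package is skipped entirely, so the security fix is never applied. The version comparison follows the dpkg algorithm; the package data, the `rewind` option (a possible mitigation that falls back to the newest allowed version) and the `stuck_security_updates` check are constructed for illustration.

```python
from dataclasses import dataclass
from functools import cmp_to_key
from typing import List, Optional, Set

# Constructed model of an apt package: installed version plus every version
# apt knows about, each tagged with the origin it comes from.
@dataclass
class Version:
    version: str
    origin: str  # e.g. "Ubuntu:precise-security"

@dataclass
class Package:
    name: str
    installed: str
    available: List[Version]

def _order(c: str) -> int:
    """Character weight used by dpkg: '~' sorts before everything, then digits (0),
    letters, then all other characters."""
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256

def _cmp_part(a: str, b: str) -> int:
    """dpkg-style comparison of one version component (upstream or revision)."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Compare the non-digit runs character by character.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Compare the digit runs numerically (leading zeros ignored).
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if first_diff == 0:
                first_diff = int(a[i]) - int(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0

def compare_versions(v1: str, v2: str) -> int:
    """Return <0, 0, >0 like dpkg --compare-versions (epoch, upstream, revision)."""
    def split(v: str):
        epoch, rest = (v.split(":", 1) if ":" in v else ("0", v))
        upstream, revision = (rest.rsplit("-", 1) if "-" in rest else (rest, ""))
        return int(epoch), upstream, revision
    e1, u1, r1 = split(v1)
    e2, u2, r2 = split(v2)
    if e1 != e2:
        return e1 - e2
    return _cmp_part(u1, u2) or _cmp_part(r1, r2)

def select_update(pkg: Package, allowed: Set[str], rewind: bool = False) -> Optional[Version]:
    """Model of candidate-only selection: the newest available version is the
    candidate; it is installed only if its origin is allowed. With rewind=True
    (a constructed mitigation) fall back to the newest allowed version that is
    still newer than the installed one."""
    ordered = sorted(pkg.available,
                     key=cmp_to_key(lambda x, y: compare_versions(x.version, y.version)),
                     reverse=True)
    candidate = ordered[0]
    if compare_versions(candidate.version, pkg.installed) <= 0:
        return None  # nothing newer than what is installed
    if candidate.origin in allowed:
        return candidate
    if rewind:
        for v in ordered[1:]:
            if compare_versions(v.version, pkg.installed) <= 0:
                break
            if v.origin in allowed:
                return v
    return None

def stuck_security_updates(packages: List[Package], allowed: Set[str]) -> List[str]:
    """Names of packages that have an uninstalled -security version newer than the
    installed one, yet would be skipped by select_update: the condition described
    in the comment above."""
    stuck = []
    for pkg in packages:
        has_security_fix = any(v.origin.endswith("-security")
                               and compare_versions(v.version, pkg.installed) > 0
                               for v in pkg.available)
        if has_security_fix and select_update(pkg, allowed) is None:
            stuck.append(pkg.name)
    return stuck

# Constructed sample: security fix 2.1 is superseded in -updates by 2.2 one hour later.
LIBPAM = Package("libpam0g", "1.1.3-7ubuntu2", [
    Version("1.1.3-7ubuntu2", "Ubuntu:precise"),
    Version("1.1.3-7ubuntu2.1", "Ubuntu:precise-security"),
    Version("1.1.3-7ubuntu2.2", "Ubuntu:precise-updates"),
])
SECURITY_ONLY = {"Ubuntu:precise-security"}
SECURITY_AND_UPDATES = {"Ubuntu:precise-security", "Ubuntu:precise-updates"}

if __name__ == "__main__":
    print("security-only origins:", select_update(LIBPAM, SECURITY_ONLY))
    print("with -updates allowed:", select_update(LIBPAM, SECURITY_AND_UPDATES))
    print("stuck packages:", stuck_security_updates([LIBPAM], SECURITY_ONLY))
```

With only the -security origin allowed the model returns nothing for libpam0g, even though a security fix exists; allowing the -updates origin as well (in Ubuntu's `/etc/apt/apt.conf.d/50unattended-upgrades` the `"${distro_id}:${distro_codename}-updates"` entry is shipped commented out) makes the newer version installable, and the `rewind` variant would install the -security version instead. The `stuck_security_updates` check is the kind of audit a practitioner can run against the real policy data (compare `apt-cache policy` output for installed packages) to confirm whether a host is affected.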