ubuntu-security-status checks esm-infra for ESM Apps

Bug #1878694 reported by David Coronel on 2020-05-14
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
update-manager (Ubuntu)
Medium
Brian Murray

Bug Description

It looks like ubuntu-security-status assumes that ESM Apps is enabled when only ESM Infra is enabled.

There is no problem with ESM Apps and ubuntu-security-status. It's just that it looks like ESM Infra gives a false positive about receiving the updates.

Reproducer with an Ubuntu 18.04 Pro instance on AWS:

ubuntu@ip-172-31-11-12:~$ ua status
SERVICE ENTITLED STATUS DESCRIPTION
cc-eal yes n/a Common Criteria EAL2 Provisioning Packages
cis-audit no — Center for Internet Security Audit Tools
esm-apps yes enabled UA Apps: Extended Security Maintenance
esm-infra yes enabled UA Infra: Extended Security Maintenance
fips yes disabled NIST-certified FIPS modules
fips-updates yes disabled Uncertified security updates to FIPS modules
livepatch yes enabled Canonical Livepatch service
[...]

ubuntu@ip-172-31-11-12:~$ sudo apt update
ubuntu@ip-172-31-11-12:~$ sudo apt install ansible

ubuntu@ip-172-31-11-12:~$ wget https://bit.ly/3cDGwLe -qO ubuntu-security-status

ubuntu@ip-172-31-11-12:~$ python3 ubuntu-security-status
535 packages installed on Ubuntu 18.04 LTS, of which:
529 receive package updates with LTS until 4/2023
  5 are receiving security updates with ESM Apps until 4/2028
  1 package is no longer available for download
[...]

ubuntu@ip-172-31-11-12:~$ sudo ua disable esm-apps
Updating package lists

ubuntu@ip-172-31-11-12:~$ python3 ubuntu-security-status
535 packages installed on Ubuntu 18.04 LTS, of which:
529 receive package updates with LTS until 4/2023
  5 are receiving security updates with ESM Apps until 4/2028
  1 package is no longer available for download
[...]

ubuntu@ip-172-31-11-12:~$ sudo ua disable esm-infra
Updating package lists

ubuntu@ip-172-31-11-12:~$ python3 ubuntu-security-status
535 packages installed on Ubuntu 18.04 LTS, of which:
529 receive package updates with LTS until 4/2023
  5 could receive security updates with ESM Apps until 4/2028
  1 package is no longer available for download

Packages that are not available for download may be left over from a
previous release of Ubuntu, may have been installed directly from a
.deb file, or are from a source which has been disabled.
For more information on the packages, run 'ubuntu-security-status
--unavailable'.

Enable Extended Security Maintenance (ESM Apps) to get 5 security
updates (so far) and enable coverage of 5 packages.

Enable ESM Apps with: ua enable esm-apps

ubuntu@ip-172-31-11-12:~$ sudo ua enable esm-infra
One moment, checking your subscription first
Updating package lists
ESM Infra enabled

ubuntu@ip-172-31-11-12:~$ python3 ubuntu-security-status
535 packages installed on Ubuntu 18.04 LTS, of which:
529 receive package updates with LTS until 4/2023
  5 are receiving security updates with ESM Apps until 4/2028
  1 package is no longer available for download
[...]

Changed in update-manager (Ubuntu):
status: New → Triaged
importance: Undecided → Medium
assignee: nobody → Brian Murray (brian-murray)
Revision history for this message
Brian Murray (brian-murray) wrote :

I believe I have a fix for this issue in the branch linked to from this bug report. If you could test it out for me that would be helpful. Thanks!

Changed in update-manager (Ubuntu):
status: Triaged → In Progress
tags: added: id-5ec2d02e1edc1e7ba8d882e8
Revision history for this message
David Coronel (davecore) wrote :

Thanks @brian-murray. However it doesn't look like it fixed it, it seems to be even worse now. It doesn't tell me I am getting the security updates when I have ESM-apps enabled:

ubuntu@ip-172-31-55-253:~$ bzr branch lp:~brian-murray/update-manager/u-s-s-new
ubuntu@ip-172-31-55-253:~$ cd u-s-s-new/

ubuntu@ip-172-31-55-253:~/u-s-s-new$ python3 ubuntu-security-status
551 packages installed on Ubuntu 18.04 LTS, of which:
542 receive package updates with LTS until 4/2023
  8 could receive security updates with ESM Apps until 4/2028
  1 package is no longer available for download

Packages that are not available for download may be left over from a
previous release of Ubuntu, may have been installed directly from a
.deb file, or are from a source which has been disabled.
For more information on the packages, run 'ubuntu-security-status
--unavailable'.

ubuntu@ip-172-31-55-253:~/u-s-s-new$ ua status
SERVICE ENTITLED STATUS DESCRIPTION
cc-eal yes n/a Common Criteria EAL2 Provisioning Packages
cis-audit no — Center for Internet Security Audit Tools
esm-apps yes enabled UA Apps: Extended Security Maintenance
esm-infra yes enabled UA Infra: Extended Security Maintenance
fips yes disabled NIST-certified FIPS modules
fips-updates yes disabled Uncertified security updates to FIPS modules
livepatch yes enabled Canonical Livepatch service

Enable services with: ua enable <service>

                Account: <edited out>
           Subscription: <edited out>
            Valid until: n/a
Technical support level: essential

ubuntu@ip-172-31-55-253:~/u-s-s-new$ sudo ua disable esm-infra
Updating package lists

ubuntu@ip-172-31-55-253:~/u-s-s-new$ python3 ubuntu-security-status
551 packages installed on Ubuntu 18.04 LTS, of which:
542 receive package updates with LTS until 4/2023
  8 could receive security updates with ESM Apps until 4/2028
  1 package is no longer available for download

Packages that are not available for download may be left over from a
previous release of Ubuntu, may have been installed directly from a
.deb file, or are from a source which has been disabled.
For more information on the packages, run 'ubuntu-security-status
--unavailable'.

ubuntu@ip-172-31-55-253:~/u-s-s-new$ ua status
SERVICE ENTITLED STATUS DESCRIPTION
cc-eal yes n/a Common Criteria EAL2 Provisioning Packages
cis-audit no — Center for Internet Security Audit Tools
esm-apps yes enabled UA Apps: Extended Security Maintenance
esm-infra yes disabled UA Infra: Extended Security Maintenance
fips yes disabled NIST-certified FIPS modules
fips-updates yes disabled Uncertified security updates to FIPS modules
livepatch yes enabled Canonical Livepatch service

Enable services with: ua enable <service>

                Account: <edited out>
           Subscription: <edited out>
            Valid until: n/a
Technical support level: essential

Revision history for this message
Brian Murray (brian-murray) wrote :

Please test the latest version of ubuntu-security-status from here:

https://code.launchpad.net/~brian-murray/update-manager/ubuntu-security-status/

Revision history for this message
David Coronel (davecore) wrote :

Yes this works as expected now.

Only the esm-apps service as an impact on the "are receiving/could receive security updates with ESM Apps" statement now, and the message changes as expected depending on if esm-apps is enabled or disabled.

Thank you.

Changed in update-manager (Ubuntu):
status: In Progress → Fix Committed
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers