Update-notifier incorrectly reports security updates (including on login)
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| update-notifier (Ubuntu) | New | Undecided | Unassigned | |
Bug Description
Binary package hint: update-notifier
1) Release:
david@lucid:~$ lsb_release -rd
Description: Ubuntu 10.04.1 LTS
Release: 10.04
2) Package version:
david@lucid:~$ apt-cache policy update-notifier
update-notifier:
Installed: (none)
Candidate: 0.99.3
Version table:
0.99.3 0
500 http://
3) Default /etc/apt/
sudo apt-get update
sudo apt-get --simulate upgrade
david@lucid:~$ sudo apt-get --simulate upgrade
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages will be upgraded:
debootstrap e2fslibs e2fsprogs libc-bin libc-dev-bin libc6 libc6-dev libc6-i386 libcomerr2 libfreetype6 libmysqlclient16 libss2 libudev0 libvirt-bin libvirt0 libxml2 linux-headers-
man-db mysql-client mysql-client-5.1 mysql-client-
33 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
1 not fully installed or removed.
Inst libc6-i386 [2.11.1-0ubuntu7.2] (2.11.1-0ubuntu7.5 Ubuntu:
Inst libc-dev-bin [2.11.1-0ubuntu7.2] (2.11.1-0ubuntu7.5 Ubuntu:
Inst libc6-dev [2.11.1-0ubuntu7.2] (2.11.1-0ubuntu7.5 Ubuntu:
Inst libc-bin [2.11.1-0ubuntu7.2] (2.11.1-0ubuntu7.5 Ubuntu:
Conf libc-bin (2.11.1-0ubuntu7.5 Ubuntu:
Inst libc6 [2.11.1-0ubuntu7.2] (2.11.1-0ubuntu7.5 Ubuntu:
Conf libc6 (2.11.1-0ubuntu7.5 Ubuntu:
Inst linux-libc-dev [2.6.32-25.44] (2.6.32-25.45 Ubuntu:
Inst man-db [2.5.7-2] (2.5.7-2ubuntu1 Ubuntu:
Inst e2fslibs [1.41.11-1ubuntu2] (1.41.11-1ubuntu2.1 Ubuntu:
Conf e2fslibs (1.41.11-1ubuntu2.1 Ubuntu:
Inst e2fsprogs [1.41.11-1ubuntu2] (1.41.11-1ubuntu2.1 Ubuntu:
Conf e2fsprogs (1.41.11-1ubuntu2.1 Ubuntu:
Inst linux-image-
Inst mysql-common [5.1.41-
Inst mysql-server [5.1.41-
Inst mysql-client [5.1.41-
Inst libmysqlclient16 [5.1.41-
Inst mysql-client-
Inst mysql-client-5.1 [5.1.41-
Inst mysql-server-
Conf mysql-common (5.1.41-3ubuntu12.7 Ubuntu:
Inst mysql-server-5.1 [5.1.41-
Inst libcomerr2 [1.41.11-1ubuntu2] (1.41.11-1ubuntu2.1 Ubuntu:
Conf libcomerr2 (1.41.11-1ubuntu2.1 Ubuntu:
Inst libss2 [1.41.11-1ubuntu2] (1.41.11-1ubuntu2.1 Ubuntu:
Conf libss2 (1.41.11-1ubuntu2.1 Ubuntu:
Inst libudev0 [151-12.1] (151-12.2 Ubuntu:
Inst udev [151-12.1] (151-12.2 Ubuntu:
Inst libxml2 [2.7.6.
Inst update-manager-core [1:0.134.10] (1:0.134.11 Ubuntu:
Inst libfreetype6 [2.3.11-1ubuntu2.2] (2.3.11-1ubuntu2.4 Ubuntu:
Inst libvirt-bin [0.7.5-5ubuntu27.3] (0.7.5-5ubuntu27.7 Ubuntu:
Inst libvirt0 [0.7.5-5ubuntu27.3] (0.7.5-5ubuntu27.7 Ubuntu:
Inst linux-headers-
Inst linux-headers-
Inst python-libvirt [0.7.5-5ubuntu27.3] (0.7.5-5ubuntu27.7 Ubuntu:
Inst debootstrap [1.0.20ubuntu1] (1.0.20ubuntu1.1 Ubuntu:
Inst python-vm-builder [0.12.4-0ubuntu0.1] (0.12.4-0ubuntu0.2 Ubuntu:
Inst ubuntu-vm-builder [0.12.4-0ubuntu0.1] (0.12.4-0ubuntu0.2 Ubuntu:
Conf libc6-i386 (2.11.1-0ubuntu7.5 Ubuntu:
Conf libc-dev-bin (2.11.1-0ubuntu7.5 Ubuntu:
Conf linux-libc-dev (2.6.32-25.45 Ubuntu:
Conf libc6-dev (2.11.1-0ubuntu7.5 Ubuntu:
Conf man-db (2.5.7-2ubuntu1 Ubuntu:
Conf linux-image-
Conf libmysqlclient16 (5.1.41-3ubuntu12.7 Ubuntu:
Conf mysql-client-
Conf mysql-client-5.1 (5.1.41-3ubuntu12.7 Ubuntu:
Conf mysql-server-
Conf mysql-server-5.1 (5.1.41-3ubuntu12.7 Ubuntu:
Conf mysql-server (5.1.41-3ubuntu12.7 Ubuntu:
Conf mysql-client (5.1.41-3ubuntu12.7 Ubuntu:
Conf libudev0 (151-12.2 Ubuntu:
Conf udev (151-12.2 Ubuntu:
Conf libxml2 (2.7.6.
Conf update-manager-core (1:0.134.11 Ubuntu:
Conf libfreetype6 (2.3.11-1ubuntu2.4 Ubuntu:
Conf libvirt0 (0.7.5-5ubuntu27.7 Ubuntu:
Conf libvirt-bin (0.7.5-5ubuntu27.7 Ubuntu:
Conf linux-headers-
Conf linux-headers-
Conf python-libvirt (0.7.5-5ubuntu27.7 Ubuntu:
Conf debootstrap (1.0.20ubuntu1.1 Ubuntu:
Conf python-vm-builder (0.12.4-0ubuntu0.2 Ubuntu:
Conf ubuntu-vm-builder (0.12.4-0ubuntu0.2 Ubuntu:
Check whether pending updates come from lucid-updates or lucid-security repo:
david@lucid:~$ sudo apt-get --simulate upgrade | grep ^Inst | grep lucid-updates | wc -l
33
david@lucid:~$ sudo apt-get --simulate upgrade | grep ^Inst | grep lucid-security | wc -l
0
Since no security patches are currently pending from the lucid-security repo, I'd expect update-notifier to report zero pending security patches on login.
4) However, run update-notifier and compare the output:
david@lucid:~$ /usr/lib/
33 packages can be updated.
24 updates are security updates.
Update-notifier appears to be using a different definition for what comprises a security patch to the Ubuntu repo definition. According to https:/
"Important Security Updates (lucid-security)". Patches for security vulnerabilities in Ubuntu packages. They are managed by the Ubuntu Security Team and are designed to change the behavior of the package as little as possible -- in fact, the minimum required to resolve the security problem. As a result, they tend to be very low-risk to apply and all users are urged to apply security updates.
"Recommended Updates (lucid-updates)". Updates for serious bugs in Ubuntu packaging that do not affect the security of the system.
You can also compare this behaviour with the Nagios check_apt check too:
david@lucid:~$ /usr/lib/
APT WARNING: 33 packages available for upgrade (0 critical updates).
Which matches my understanding of what is expected.
Issue is also reproducible on Karmic:
david@karmic:~$ sudo apt-get --simulate upgrade | grep Inst | grep karmic-updates | wc -l
23
david@karmic:~$ sudo apt-get --simulate upgrade | grep Inst | grep karmic-security | wc -l
0
david@karmic:~$ /usr/lib/
25 packages can be updated.
23 updates are security updates.
Whilst investigating another problem I've just realized that the behaviour described above for apt-get --simulate update appears to be caused by the ordering of repos in /etc/apt/sources.list. If the lucid/karmic security repo is listed first, apt-get --simulate update reports that there is a mix of security and non-essential updates required. If the lucid/karmic updates repo is listed first (and the security updates repo is second), apt-get --simulate update reports that there are no security updates available but the same number of non-essential security updates. Altering the repo order will change the behaviour of apt-get update.
Whether this is a design issue in apt-get, or a race condition, it seems to be this that causes the disparity between apt-get and update-notifier (and which will also break Nagios checks using the Ubuntu bundled nagios-check-apt-updates script for pending security updates, or any other similar tools that attempt to hook the same reporting mechanism).
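An added example, not part of the original report or of update-notifier: a shell function that classifies the `Inst` lines of `apt-get --simulate upgrade` by every archive listed for the candidate version, next to the single-pocket grep used in the report. It assumes an apt that prints all origins of a version on the `Inst` line; the function names and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `apt-get --simulate upgrade` output
# (package names, versions and origins are made up).
sample_simulation() {
    cat <<'EOF'
Reading package lists... Done
The following packages will be upgraded:
  pkg-a pkg-b pkg-c
3 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Inst pkg-a [1.0-1] (1.0-1ubuntu0.1 Ubuntu:10.04/lucid-updates, Ubuntu:10.04/lucid-security [amd64])
Inst pkg-b [2.3-4] (2.3-4ubuntu1 Ubuntu:10.04/lucid-updates [amd64])
Inst pkg-c [0.9-2] (0.9-2ubuntu0.2 Ubuntu:10.04/lucid-security [all])
Conf pkg-a (1.0-1ubuntu0.1 Ubuntu:10.04/lucid-updates, Ubuntu:10.04/lucid-security [amd64])
Conf pkg-b (2.3-4ubuntu1 Ubuntu:10.04/lucid-updates [amd64])
Conf pkg-c (0.9-2ubuntu0.2 Ubuntu:10.04/lucid-security [all])
EOF
}

# The pipeline from the report: count Inst lines mentioning one pocket name.
grep_count() {
    grep '^Inst' | grep -c "$1"
}

# Classify each pending package once. It is "security" if ANY listed origin
# ends in -security. Prints "total=N security=N other=N unknown=N".
classify_pending() {
    awk '
        /^Inst / {
            total++
            # Candidate version and origins sit in the first (...) group.
            if (!match($0, /\([^)]*\)/)) { unknown++; next }
            n = split(substr($0, RSTART + 1, RLENGTH - 2), tok, /[ ,]+/)
            sec = 0; origins = 0
            for (i = 2; i <= n; i++) {          # tok[1] is the version
                if (tok[i] ~ /^\[/) continue     # architecture, e.g. [amd64]
                origins++
                if (tok[i] ~ /-security$/) sec = 1
            }
            if (origins == 0) unknown++          # no origin printed
            else if (sec) security++
            else other++
        }
        END {
            printf "total=%d security=%d other=%d unknown=%d\n",
                   total, security, other, unknown
        }
    '
}
```

On the sample, `sample_simulation | classify_pending` counts each of the three packages once, while the two grep counts add up to four because a version published to both pockets matches both patterns.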