Update-notifier incorrectly reports security updates (including on login)

Bug #674534 reported by David Watson
This bug affects 2 people
Affects: update-notifier (Ubuntu)
Status: New
Importance: Undecided
Assigned to: Unassigned
Milestone: (none listed)

Bug Description

Binary package hint: update-notifier

1) Release:

david@lucid:~$ lsb_release -rd
Description: Ubuntu 10.04.1 LTS
Release: 10.04

2) Package version:

david@lucid:~$ apt-cache policy update-notifier
update-notifier:
  Installed: (none)
  Candidate: 0.99.3
  Version table:
     0.99.3 0
        500 http://archive.ubuntu.com/ubuntu/ lucid/main Packages

3) Default /etc/apt/sources.list, run:

sudo apt-get update
sudo apt-get --simulate upgrade

david@lucid:~$ sudo apt-get --simulate upgrade
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages will be upgraded:
  debootstrap e2fslibs e2fsprogs libc-bin libc-dev-bin libc6 libc6-dev libc6-i386 libcomerr2 libfreetype6 libmysqlclient16 libss2 libudev0 libvirt-bin libvirt0 libxml2 linux-headers-2.6.32-25 linux-headers-2.6.32-25-server linux-image-2.6.32-25-server linux-libc-dev
  man-db mysql-client mysql-client-5.1 mysql-client-core-5.1 mysql-common mysql-server mysql-server-5.1 mysql-server-core-5.1 python-libvirt python-vm-builder ubuntu-vm-builder udev update-manager-core
33 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
1 not fully installed or removed.
Inst libc6-i386 [2.11.1-0ubuntu7.2] (2.11.1-0ubuntu7.5 Ubuntu:10.04/lucid-updates) []
Inst libc-dev-bin [2.11.1-0ubuntu7.2] (2.11.1-0ubuntu7.5 Ubuntu:10.04/lucid-updates) [libc6-dev ]
Inst libc6-dev [2.11.1-0ubuntu7.2] (2.11.1-0ubuntu7.5 Ubuntu:10.04/lucid-updates) []
Inst libc-bin [2.11.1-0ubuntu7.2] (2.11.1-0ubuntu7.5 Ubuntu:10.04/lucid-updates) [libc6 ]
Conf libc-bin (2.11.1-0ubuntu7.5 Ubuntu:10.04/lucid-updates) [libc6 ]
Inst libc6 [2.11.1-0ubuntu7.2] (2.11.1-0ubuntu7.5 Ubuntu:10.04/lucid-updates)
Conf libc6 (2.11.1-0ubuntu7.5 Ubuntu:10.04/lucid-updates)
Inst linux-libc-dev [2.6.32-25.44] (2.6.32-25.45 Ubuntu:10.04/lucid-updates)
Inst man-db [2.5.7-2] (2.5.7-2ubuntu1 Ubuntu:10.04/lucid-updates)
Inst e2fslibs [1.41.11-1ubuntu2] (1.41.11-1ubuntu2.1 Ubuntu:10.04/lucid-updates) [e2fsprogs on e2fslibs] [e2fsprogs ]
Conf e2fslibs (1.41.11-1ubuntu2.1 Ubuntu:10.04/lucid-updates) [e2fsprogs ]
Inst e2fsprogs [1.41.11-1ubuntu2] (1.41.11-1ubuntu2.1 Ubuntu:10.04/lucid-updates)
Conf e2fsprogs (1.41.11-1ubuntu2.1 Ubuntu:10.04/lucid-updates)
Inst linux-image-2.6.32-25-server [2.6.32-25.44] (2.6.32-25.45 Ubuntu:10.04/lucid-updates)
Inst mysql-common [5.1.41-3ubuntu12.6] (5.1.41-3ubuntu12.7 Ubuntu:10.04/lucid-updates)
Inst mysql-server [5.1.41-3ubuntu12.6] (5.1.41-3ubuntu12.7 Ubuntu:10.04/lucid-updates)
Inst mysql-client [5.1.41-3ubuntu12.6] (5.1.41-3ubuntu12.7 Ubuntu:10.04/lucid-updates)
Inst libmysqlclient16 [5.1.41-3ubuntu12.6] (5.1.41-3ubuntu12.7 Ubuntu:10.04/lucid-updates)
Inst mysql-client-core-5.1 [5.1.41-3ubuntu12.6] (5.1.41-3ubuntu12.7 Ubuntu:10.04/lucid-updates)
Inst mysql-client-5.1 [5.1.41-3ubuntu12.6] (5.1.41-3ubuntu12.7 Ubuntu:10.04/lucid-updates)
Inst mysql-server-core-5.1 [5.1.41-3ubuntu12.6] (5.1.41-3ubuntu12.7 Ubuntu:10.04/lucid-updates)
Conf mysql-common (5.1.41-3ubuntu12.7 Ubuntu:10.04/lucid-updates)
Inst mysql-server-5.1 [5.1.41-3ubuntu12.6] (5.1.41-3ubuntu12.7 Ubuntu:10.04/lucid-updates)
Inst libcomerr2 [1.41.11-1ubuntu2] (1.41.11-1ubuntu2.1 Ubuntu:10.04/lucid-updates)
Conf libcomerr2 (1.41.11-1ubuntu2.1 Ubuntu:10.04/lucid-updates)
Inst libss2 [1.41.11-1ubuntu2] (1.41.11-1ubuntu2.1 Ubuntu:10.04/lucid-updates)
Conf libss2 (1.41.11-1ubuntu2.1 Ubuntu:10.04/lucid-updates)
Inst libudev0 [151-12.1] (151-12.2 Ubuntu:10.04/lucid-updates)
Inst udev [151-12.1] (151-12.2 Ubuntu:10.04/lucid-updates)
Inst libxml2 [2.7.6.dfsg-1ubuntu1] (2.7.6.dfsg-1ubuntu1.1 Ubuntu:10.04/lucid-updates)
Inst update-manager-core [1:0.134.10] (1:0.134.11 Ubuntu:10.04/lucid-updates)
Inst libfreetype6 [2.3.11-1ubuntu2.2] (2.3.11-1ubuntu2.4 Ubuntu:10.04/lucid-updates)
Inst libvirt-bin [0.7.5-5ubuntu27.3] (0.7.5-5ubuntu27.7 Ubuntu:10.04/lucid-updates) []
Inst libvirt0 [0.7.5-5ubuntu27.3] (0.7.5-5ubuntu27.7 Ubuntu:10.04/lucid-updates)
Inst linux-headers-2.6.32-25 [2.6.32-25.44] (2.6.32-25.45 Ubuntu:10.04/lucid-updates)
Inst linux-headers-2.6.32-25-server [2.6.32-25.44] (2.6.32-25.45 Ubuntu:10.04/lucid-updates)
Inst python-libvirt [0.7.5-5ubuntu27.3] (0.7.5-5ubuntu27.7 Ubuntu:10.04/lucid-updates)
Inst debootstrap [1.0.20ubuntu1] (1.0.20ubuntu1.1 Ubuntu:10.04/lucid-updates)
Inst python-vm-builder [0.12.4-0ubuntu0.1] (0.12.4-0ubuntu0.2 Ubuntu:10.04/lucid-updates)
Inst ubuntu-vm-builder [0.12.4-0ubuntu0.1] (0.12.4-0ubuntu0.2 Ubuntu:10.04/lucid-updates)
Conf libc6-i386 (2.11.1-0ubuntu7.5 Ubuntu:10.04/lucid-updates)
Conf libc-dev-bin (2.11.1-0ubuntu7.5 Ubuntu:10.04/lucid-updates)
Conf linux-libc-dev (2.6.32-25.45 Ubuntu:10.04/lucid-updates)
Conf libc6-dev (2.11.1-0ubuntu7.5 Ubuntu:10.04/lucid-updates)
Conf man-db (2.5.7-2ubuntu1 Ubuntu:10.04/lucid-updates)
Conf linux-image-2.6.32-25-server (2.6.32-25.45 Ubuntu:10.04/lucid-updates)
Conf libmysqlclient16 (5.1.41-3ubuntu12.7 Ubuntu:10.04/lucid-updates)
Conf mysql-client-core-5.1 (5.1.41-3ubuntu12.7 Ubuntu:10.04/lucid-updates)
Conf mysql-client-5.1 (5.1.41-3ubuntu12.7 Ubuntu:10.04/lucid-updates)
Conf mysql-server-core-5.1 (5.1.41-3ubuntu12.7 Ubuntu:10.04/lucid-updates)
Conf mysql-server-5.1 (5.1.41-3ubuntu12.7 Ubuntu:10.04/lucid-updates)
Conf mysql-server (5.1.41-3ubuntu12.7 Ubuntu:10.04/lucid-updates)
Conf mysql-client (5.1.41-3ubuntu12.7 Ubuntu:10.04/lucid-updates)
Conf libudev0 (151-12.2 Ubuntu:10.04/lucid-updates)
Conf udev (151-12.2 Ubuntu:10.04/lucid-updates)
Conf libxml2 (2.7.6.dfsg-1ubuntu1.1 Ubuntu:10.04/lucid-updates)
Conf update-manager-core (1:0.134.11 Ubuntu:10.04/lucid-updates)
Conf libfreetype6 (2.3.11-1ubuntu2.4 Ubuntu:10.04/lucid-updates)
Conf libvirt0 (0.7.5-5ubuntu27.7 Ubuntu:10.04/lucid-updates)
Conf libvirt-bin (0.7.5-5ubuntu27.7 Ubuntu:10.04/lucid-updates)
Conf linux-headers-2.6.32-25 (2.6.32-25.45 Ubuntu:10.04/lucid-updates)
Conf linux-headers-2.6.32-25-server (2.6.32-25.45 Ubuntu:10.04/lucid-updates)
Conf python-libvirt (0.7.5-5ubuntu27.7 Ubuntu:10.04/lucid-updates)
Conf debootstrap (1.0.20ubuntu1.1 Ubuntu:10.04/lucid-updates)
Conf python-vm-builder (0.12.4-0ubuntu0.2 Ubuntu:10.04/lucid-updates)
Conf ubuntu-vm-builder (0.12.4-0ubuntu0.2 Ubuntu:10.04/lucid-updates)

Check whether pending updates come from lucid-updates or lucid-security repo:

david@lucid:~$ sudo apt-get --simulate upgrade | grep ^Inst | grep lucid-updates | wc -l
33

david@lucid:~$ sudo apt-get --simulate upgrade | grep ^Inst | grep lucid-security | wc -l
0

Since no security patches are currently pending from the lucid-security repo, I'd expect update-notifier to report zero pending security patches on login.

4) However, run update-notifier and compare the output:

david@lucid:~$ /usr/lib/update-notifier/apt-check --human-readable
33 packages can be updated.
24 updates are security updates.

Update-notifier appears to be using a different definition for what comprises a security patch to the Ubuntu repo definition. According to https://help.ubuntu.com/community/Repositories/Ubuntu:

"Important Security Updates (lucid-security)". Patches for security vulnerabilities in Ubuntu packages. They are managed by the Ubuntu Security Team and are designed to change the behavior of the package as little as possible -- in fact, the minimum required to resolve the security problem. As a result, they tend to be very low-risk to apply and all users are urged to apply security updates.

"Recommended Updates (lucid-updates)". Updates for serious bugs in Ubuntu packaging that do not affect the security of the system.

You can also compare this behaviour with the Nagios check_apt check too:

david@lucid:~$ /usr/lib/nagios/plugins/check_apt
APT WARNING: 33 packages available for upgrade (0 critical updates).

Which matches my understanding of what is expected.

Issue is also reproducible on Karmic:

david@karmic:~$ sudo apt-get --simulate upgrade | grep Inst | grep karmic-updates | wc -l
23
david@karmic:~$ sudo apt-get --simulate upgrade | grep Inst | grep karmic-security | wc -l
0
david@karmic:~$ /usr/lib/update-notifier/apt-check --human-readable
25 packages can be updated.
23 updates are security updates.

David Watson (david-watson) wrote :

Whilst investigating another problem I've just realized that the behaviour described above for apt-get --simulate update appears to be caused by the ordering of repos in /etc/apt/sources.list. If the lucid/karmic security repo is listed first, apt-get --simulate update reports that there is a mix of security and non-essential updates required. If the lucid/karmic updates repo is listed first (and the security updates repo is second), apt-get --simulate update reports that there are no security updates available but the same number of non-essential security updates. Altering the repo order will change the behaviour of apt-get update.

Whether this is a design issue in apt-get, or a race condition, it seems to be this that causes the disparity between apt-get and update-notifier (and which will also break Nagios checks using the Ubuntu bundled nagios-check-apt-updates script for pending security updates, or any other similar tools that attempt to hook the same reporting mechanism).
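
The order dependence described in the comment above, as an added example that is not part of the original report or of update-notifier: it contrasts a label taken from the first source listed for the candidate version with a check over every source in the `apt-cache policy` version table. The package `examplepkg`, its versions, and the function names `classify_candidate` and `sample_policy` are constructed for illustration, and the sample assumes the same candidate version is published in both pockets.

```shell
#!/bin/sh
# Added example (not from the bug report or update-notifier).
# classify_candidate MODE reads `apt-cache policy PKG` output on stdin.
#   first: pocket of the first source listed for the candidate version,
#          i.e. a label that follows sources.list order
#   any:   "security" if ANY source of the candidate is a -security pocket
classify_candidate() {
    awk -v mode="$1" '
        $1 == "Installed:" { installed = $2 ""; next }
        $1 == "Candidate:" { candidate = $2 ""; next }
        $1 == "Version" && $2 == "table:" { in_table = 1; next }
        !in_table { next }
        # Version header: "*** VERSION PRIO" (installed) or "VERSION PRIO"
        $1 == "***" { cur = $2 ""; next }
        NF == 2 && $2 ~ /^-?[0-9]+$/ { cur = $1 ""; next }
        # Source line: "PRIO URL DIST/COMPONENT ... Packages"
        cur == candidate && NF >= 3 {
            pocket = $3; sub(/\/.*/, "", pocket)
            if (first == "") first = pocket
            if (pocket ~ /-security$/) sec = 1
        }
        END {
            if (candidate == "" || candidate == installed) print "none"
            else if (mode == "first") print first
            else print (sec ? "security" : "other")
        }
    '
}

# Constructed sample: one candidate version carried by two pockets,
# listed in the order given by $1 and $2.
sample_policy() {
    printf '%s\n' \
        'examplepkg:' \
        '  Installed: 1.0-1' \
        '  Candidate: 1.0-1ubuntu0.1' \
        '  Version table:' \
        '     1.0-1ubuntu0.1 0' \
        "        500 http://archive.ubuntu.com/ubuntu/ $1/main Packages" \
        "        500 http://archive.ubuntu.com/ubuntu/ $2/main Packages" \
        ' *** 1.0-1 0' \
        '        100 /var/lib/dpkg/status'
}

# The "first" label flips with the listing order; the "any" result does not.
for order in "lucid-updates lucid-security" "lucid-security lucid-updates"; do
    set -- $order
    echo "$order: first=$(sample_policy "$1" "$2" | classify_candidate first)" \
         "any=$(sample_policy "$1" "$2" | classify_candidate any)"
done
```

On a real host the same function can be fed with `apt-cache policy PKG | classify_candidate any` for each package named on an `Inst` line.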
