Package: unattended-upgrades
Version: 2.0
Severity: critical
Tags: security

See the package description:

Description: Install security upgrades automatically
 This package will download and install security upgrades automatically
                                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 and unattended. It will take care to only install packages from the
 ^^^^^^^^^^^^^^
 configured origin and will check for conffile prompts.

It does no such thing. Not even if /usr/bin/unattended-upgrade is run
manually does it actually install the upgrades; it just downloads them!
It writes to its log files what commands it should have run to actually
install the upgrades.

The reason I set this bug to critical and tag it security is that the
package promises to install security upgrades for the user but fails to
act on that promise. This tricks the user into a false sense of
security. There are no doubt users running insecure kernels and other
software because of this bug.

Regards,

-- 
Göran Weinholt. Debian developer. Network administrator.
"Wow! My entire arm disintegrated!" -- Spongebob Squarepants