Bug#886415: Unattended-upgrades not detecting Linux kernel security update by default

2018-05-11 Thread Lars Kruse
Package: unattended-upgrades
Followup-For: Bug #886415

Dear Maintainer,

I encounter the same issue.

Running "unattended-upgrades --debug --apt-debug" I see the following
reasoning for the non-upgrade:

  Checking: linux-image-amd64 ([, 
])
Installing linux-image-4.9.0-6-amd64 as Depends of linux-image-amd64
  Installing firmware-linux-free as Recommends of linux-image-4.9.0-6-amd64
  Installing irqbalance as Recommends of linux-image-4.9.0-6-amd64
Installing libnuma1 as Depends of irqbalance
  pkg 'firmware-linux-free' not in allowed origin
  sanity check failed

The following logic seems to apply:
* linux-image-4.9.0-6-amd64 recommends "firmware-linux-free"
  (the same applies for previous versions of the linux-image-... package)
* "firmware-linux-free" is not installed on the host
  (the kernel package was probably installed with "--no-install-recommends")
* the above sanity check tests if the upgradable package (linux-image)
  can be installed with default settings. Since this would pull in
  packages (via Recommends) from a non-allowed origin, the package is not
  eligible for an upgrade.

Thus currently unattended-upgrades silently omits any package that was
not installed together with all its Recommends.
The issue can be worked around by changing the default for "Recommends"
somewhere below /etc/apt/apt.conf.d/:

  APT::Install-Recommends "0";

Of course, this would change all future apt operations, which may not be
what the administrator wants.

Thus unattended-upgrades currently works only if one of the following
two sets of requirements is met:
A) the "Recommends" of all packages are installed
B) "APT::Install-Recommends" is disabled (system-wide)

Or did I forget another approach?

I could imagine that "unattended-upgrades" should instead disable
"APT::Install-Recommends" for the sanity checks, since it is not
supposed to install additional packages (even with the proper Origin)
anyway. I do not know whether this is feasible.

Thank you for your time!

Cheers,
Lars



Bug#886415: Unattended-upgrades not detecting Linux kernel security update by default

2018-01-05 Thread Sam Kuper
Package: unattended-upgrades
Version: 0.93.1+nmu1

(N.B. in the below, I have replaced the domain of my VPS hosting
provider with ``, for privacy.)

My Debian 9.3 "Stretch" instance is showing a kernel update as being available:

# apt list --upgradable -a
Listing... Done
linux-image-amd64/stable 4.9+80+deb9u3 amd64 [upgradable from:
4.9+80+deb9u2]
linux-image-amd64/stable,now 4.9+80+deb9u2 amd64
[installed,upgradable to: 4.9+80+deb9u3]

I believe `4.9+80+deb9u3` is the same as `4.9.65-3+deb9u2`, a recent
kernel security update (intended to address
[CVE-2017-5754](https://security-tracker.debian.org/tracker/CVE-2017-5754),
aka [Meltdown](https://en.wikipedia.org/wiki/Meltdown_(security_vulnerability))).


## Default config fails to install kernel security update

The default contents of `Unattended-Upgrade::Origins-Pattern` in
`/etc/apt/apt.conf.d/50unattended-upgrades` is:

Unattended-Upgrade::Origins-Pattern {
"origin=Debian,codename=${distro_codename},label=Debian-Security";
};

With that configuration in place, the kernel security update fails to
be installed:

# unattended-upgrades -v -d
Initial blacklisted packages:
Initial whitelisted packages:
Starting unattended upgrades script
Allowed origins are:
['origin=Debian,codename=stretch,label=Debian-Security']
Checking: linux-image-amd64 ([.com' isTrusted:True>])
pkg 'firmware-linux-free' not in allowed origin
sanity check failed
pkgs that look like they should be upgraded:
Fetched 0 B in 0s (0 B/s)
fetch.run() result: 0
blacklist: []
whitelist: []
Packages that will be upgraded:
InstCount=0 DelCount=0 BrokenCount=0
Extracting content from
'/var/log/unattended-upgrades/unattended-upgrades-dpkg.log' since
'2018-01-05 13:11:22'
Sending mail to 'root'
mail returned: 0

This is against my expectations. I suspect most sysadmins would like
unattended-upgrades, with such an Origin-Pattern in place, to install
kernel security updates.

(If my expectations are somehow misguided, and the behaviour above is
expected by the maintainer of unattended-upgrades, I would be grateful
for an explanation of why that is the case. Alternatively, if a bug is
present but lies outside the unattended-upgrades package - for
instance, if the kernel update was improperly released via a
repository other than Debian-security - then please could you confirm
this, so that this bug report can be re-filed against the correct
package.)



## Modified config installs kernel security update

If I change `Unattended-Upgrade::Origins-Pattern` in
`/etc/apt/apt.conf.d/50unattended-upgrades` to read

Unattended-Upgrade::Origins-Pattern {
"origin=Debian,codename=${distro_codename},label=Debian";
"origin=Debian,codename=${distro_codename},label=Debian-Security";
};

then the security update is found and installed:

# unattended-upgrades -v -d
Initial blacklisted packages:
Initial whitelisted packages:
Starting unattended upgrades script
Allowed origins are:
['origin=Debian,codename=stretch,label=Debian',
'origin=Debian,codename=stretch,label=Debian-Security']
Checking: linux-image-amd64 ([.com' isTrusted:True>])
pkgs that look like they should be upgraded: linux-image-amd64
Fetched 0 B in 0s (0 B/s)
fetch.run() result: 0
http://mirror..com/debian/pool/main/f/firmware-free/firmware-linux-free_3.4_all.deb'
ID:0 ErrorText: ''>

check_conffile_prompt('/var/cache/apt/archives/firmware-linux-free_3.4_all.deb')
No conffiles in deb
'/var/cache/apt/archives/firmware-linux-free_3.4_all.deb' (There is no
member named 'conffiles')
http://mirror..com/debian/pool/main/n/numactl/libnuma1_2.0.11-2.1_amd64.deb'
ID:0 ErrorText: ''>

check_conffile_prompt('/var/cache/apt/archives/libnuma1_2.0.11-2.1_amd64.deb')
No conffiles in deb
'/var/cache/apt/archives/libnuma1_2.0.11-2.1_amd64.deb' (There is no
member named 'conffiles')
http://mirror..com/debian-security/pool/updates/main/l/linux/linux-image-4.9.0-5-amd64_4.9.65-3+deb9u2_amd64.deb'
ID:0 ErrorText: ''>

check_conffile_prompt('/var/cache/apt/archives/linux-image-4.9.0-5-amd64_4.9.65-3+deb9u2_amd64.deb')
No conffiles in deb
'/var/cache/apt/archives/linux-image-4.9.0-5-amd64_4.9.65-3+deb9u2_amd64.deb'
(There is no member named 'conffiles')
http://mirror..com/debian-security/pool/updates/main/l/linux-latest/linux-image-amd64_4.9+80+deb9u3_amd64.deb'
ID:0 ErrorText: ''>

check_conffile_prompt('/var/cache/apt/archives/linux-image-amd64_4.9+80+deb9u3_amd64.deb')
found pkg: linux-image-amd64
No conffiles in deb
'/var/cache/apt/archives/linux-image-amd64_4.9+80+deb9u3_amd64.deb'
(There is no member named 'conffiles')
http://mirror..com/debian/pool/main/i/irqbalance/irqbalance_1.1.0-2.3_amd64.deb'
ID:0 ErrorText: ''>

check_conffile_prompt('/var/cache/apt/archives/irqbalance_1.1.0-2.3_amd64.deb')
blacklist: []
whitelist: []
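A constructed model of the reasoning in both messages, added here as an example; it is not code from unattended-upgrades and not something either poster wrote. It parses Origins-Pattern strings in the form the 50unattended-upgrades config uses, walks the Depends/Recommends chain shown in the debug log, and reproduces the "not in allowed origin" verdict under the four situations discussed in the thread: the default configuration, APT::Install-Recommends switched off for the check, the Recommends already installed (case A), and the widened Origins-Pattern from the original report. The package set, its origins, the installed-package list and every function name are assumptions made for illustration; real origin matching is done by python-apt against the archive Release files and is more elaborate than the exact-key comparison here.

```python
from dataclasses import dataclass

# Constructed model of the check unattended-upgrades makes before upgrading a
# package; data and function names are this example's own, not the project's.


@dataclass(frozen=True)
class Origin:
    origin: str
    codename: str
    label: str


@dataclass(frozen=True)
class Package:
    name: str
    origin: Origin
    depends: tuple = ()
    recommends: tuple = ()


SEC = Origin("Debian", "stretch", "Debian-Security")   # security archive
MAIN = Origin("Debian", "stretch", "Debian")           # main archive

# Constructed package set mirroring the dependency chain in the debug log.
REPO = {p.name: p for p in [
    Package("linux-image-amd64", SEC, depends=("linux-image-4.9.0-6-amd64",)),
    Package("linux-image-4.9.0-6-amd64", SEC,
            recommends=("firmware-linux-free", "irqbalance")),
    Package("firmware-linux-free", MAIN),
    Package("irqbalance", MAIN, depends=("libnuma1",)),
    Package("libnuma1", MAIN),
]}

# A host whose kernel was installed with --no-install-recommends (assumed).
INSTALLED = {"linux-image-amd64", "linux-image-4.9.0-5-amd64"}

DEFAULT_PATTERN = ["origin=Debian,codename=${distro_codename},label=Debian-Security"]
WIDENED_PATTERN = ["origin=Debian,codename=${distro_codename},label=Debian"] + DEFAULT_PATTERN


def parse_origins_pattern(patterns, distro_codename):
    """Turn 'origin=Debian,codename=${distro_codename},label=X' strings into
    key/value dicts, substituting ${distro_codename}."""
    allowed = []
    for pat in patterns:
        pat = pat.replace("${distro_codename}", distro_codename)
        allowed.append(dict(kv.split("=", 1) for kv in pat.split(",")))
    return allowed


def origin_allowed(origin, allowed):
    """An origin matches a pattern when every key in the pattern agrees."""
    fields = vars(origin)
    return any(all(fields.get(k) == v for k, v in pat.items()) for pat in allowed)


def install_closure(name, repo, installed, install_recommends):
    """Packages apt would newly install to upgrade `name`: the package itself,
    its missing Depends transitively, and its missing Recommends only when
    APT::Install-Recommends is on."""
    closure, stack = [], [name]
    while stack:
        cur = stack.pop()
        if cur in closure:
            continue
        closure.append(cur)
        pkg = repo[cur]
        wanted = list(pkg.depends)
        if install_recommends:
            wanted += list(pkg.recommends)
        stack.extend(dep for dep in wanted if dep not in installed)
    return closure


def sanity_check(name, repo, installed, allowed, install_recommends=True):
    """Return (eligible, offending): eligible only if everything that would be
    installed comes from an allowed origin, as in the 'sanity check failed' log."""
    offending = sorted(p for p in install_closure(name, repo, installed, install_recommends)
                       if not origin_allowed(repo[p].origin, allowed))
    return (not offending, offending)


def scenarios():
    """The four situations discussed in the thread, keyed by description."""
    default = parse_origins_pattern(DEFAULT_PATTERN, "stretch")
    widened = parse_origins_pattern(WIDENED_PATTERN, "stretch")
    with_recs = INSTALLED | {"firmware-linux-free", "irqbalance", "libnuma1"}
    return {
        "default": sanity_check("linux-image-amd64", REPO, INSTALLED, default),
        "recommends_off": sanity_check("linux-image-amd64", REPO, INSTALLED, default,
                                       install_recommends=False),
        "recommends_installed": sanity_check("linux-image-amd64", REPO, with_recs, default),
        "origins_widened": sanity_check("linux-image-amd64", REPO, INSTALLED, widened),
    }


if __name__ == "__main__":
    for label, (ok, bad) in scenarios().items():
        print(f"{label:22s} eligible={ok} offending={bad}")
```

Running it prints one line per scenario. The default case lists the three packages from the plain Debian origin as the reason the kernel update is withheld, which matches what both posters observed; each of the other three situations makes the update eligible, and the `recommends_off` case is the narrow variant of the workaround, since it changes only what the check counts rather than the system-wide APT::Install-Recommends setting.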