Public bug reported:

OS: Ubuntu 22.04
ubuntu-advantage-tools version: 32.3.1~22.04

Problem:
Running "apt dist-upgrade" shows a MOTD message for a CVE that's already been 
patched on the host:

--------
➜  ~ sudo apt dist-upgrade
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Calculating upgrade... Done
#
# OpenSSH CVE-2024-6387 fix is available for all affected Ubuntu releases.
# RegreSSHion: Possible RCE Due To A Race Condition In Signal Handling.
# For more details see: https://ubuntu.com/blog/ubuntu-regresshion-security-fix
#
The following packages have been kept back:
--------

Looking into the aptnews.json this is pulled from (querying
https://motd.ubuntu.com/aptnews.json), we see that there is selector logic matching versions below 1.8.9p1:
--------

"begin": "2024-07-03T00:00:00Z",
"selectors": {
    "codenames": ["jammy"],
    "packages": [
        ["openssh-server", "<", "1:8.9p1-3ubuntu0.10"]
--------

But this host already satisfies this version:
--------

ii  openssh-server                              1:8.9p1-3ubuntu0.10
--------

So something seems to be off in the selector comparison logic being used.
This is only shown on "apt dist-upgrade" from what I've seen, but I don't know
if this is the only way to trigger it.

** Affects: ubuntu-advantage-tools (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: dist-upgrade
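The selector quoted in the report pairs a package name, an operator and a Debian version string, so whether the notice applies hinges on comparing the installed dpkg version correctly (epoch, upstream part and revision, with digit runs compared numerically rather than as text). Added example, not code from the report or from ubuntu-advantage-tools: a pure-Python version of dpkg's ordering and a selector check run against the fragment above; the selector semantics (codename must be listed and every listed package must satisfy its constraint) are an assumption.

```python
import re

# Selector constructed from the aptnews.json fragment quoted in the report.
SELECTOR = {
    "codenames": ["jammy"],
    "packages": [["openssh-server", "<", "1:8.9p1-3ubuntu0.10"]],
}

def _order(c: str) -> int:
    """dpkg weight of one non-digit char: '~' < end-of-string (0) < letters < others."""
    return -1 if c == "~" else (ord(c) if c.isalpha() else ord(c) + 256)

def _cmp_fragment(a: str, b: str) -> int:
    """Compare like dpkg: alternate non-digit runs (per char) and digit runs (numeric)."""
    while a or b:
        sa, sb = re.match(r"[^0-9]*", a).group(), re.match(r"[^0-9]*", b).group()
        a, b = a[len(sa):], b[len(sb):]
        for i in range(max(len(sa), len(sb))):
            oa = _order(sa[i]) if i < len(sa) else 0
            ob = _order(sb[i]) if i < len(sb) else 0
            if oa != ob:
                return -1 if oa < ob else 1
        da, db = re.match(r"[0-9]*", a).group(), re.match(r"[0-9]*", b).group()
        a, b = a[len(da):], b[len(db):]
        if int(da or 0) != int(db or 0):
            return -1 if int(da or 0) < int(db or 0) else 1
    return 0

def _split(v: str):
    """'epoch:upstream-revision' -> (epoch, upstream, revision); epoch defaults to 0."""
    epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
    upstream, _, rev = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return int(epoch), upstream, rev

def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 following the ordering used by `dpkg --compare-versions`."""
    (ea, ua, ra), (eb, ub, rb) = _split(a), _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)

_OPS = {"<": (-1,), "<=": (-1, 0), "=": (0,), ">=": (0, 1), ">": (1,)}  # results satisfying each operator

def selector_matches(selector: dict, codename: str, installed: dict) -> bool:
    """Assumed: codename listed and every listed package installed within its constraint."""
    if codename not in selector.get("codenames", [codename]):
        return False
    return all(name in installed and compare_versions(installed[name], ver) in _OPS[op]
               for name, op, ver in selector.get("packages", []))
```

With the installed version equal to the `<` threshold the selector does not match, so the notice should not appear; a plain string comparison would also misorder `3ubuntu0.10` before `3ubuntu0.9`.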

https://bugs.launchpad.net/bugs/2072677

Title:
  MOTD CVE warning being shown on already-patched package versions when
  running apt upgrades
