Discussion:
Bug#939856: unattended-upgrades: claims to upgrade packages, but then only upgrades some
Marc Lehmann
2019-09-09 14:20:02 UTC
Package: unattended-upgrades
Version: 0.93.1+nmu1
Severity: normal

Dear Maintainer,

I'm sure I am doing something wrong, but if I do, then I think
unattended-upgrades should explain itself better.

I maintain a small pool of stretch machines which were all cloned from
the same master image, with some local package changes - some use
exim4-daemon-light, some use exim4-daemon-heavy.

After CVE-2019-15846, I had a look at whether unattended-upgrades has
properly installed security fixes, but what I found I cannot explain:

On machines using exim4-daemon-light, everything was upgraded:

ii exim4-base 4.89-2+deb9u6
ii exim4-config 4.89-2+deb9u6
ii exim4-daemon-light 4.89-2+deb9u6

On machines using exim4-daemon-heavy, everything but that package was upgraded:

ii exim4-base 4.89-2+deb9u6
ii exim4-config 4.89-2+deb9u6
ii exim4-daemon-heavy 4.89-2+deb9u3

If I run unattended-upgrades -v manually, it clearly claims to have
installed it successfully:

2019-09-08 13:22:07,884 INFO Packages that will be upgraded: exim4-daemon-heavy
2019-09-08 13:22:07,884 INFO Writing dpkg log to '/var/log/unattended-upgrades/unattended-upgrades-dpkg.log'
2019-09-08 13:22:07,926 INFO All upgrades installed

But it didn't. And in fact, looking at the log, it keeps saying this for a while already:

2019-06-07 06:36:19,385 INFO Starting unattended upgrades script
2019-06-07 06:36:19,385 INFO Allowed origins are: ['origin=Debian,codename=stretch,label=Debian-Security']
2019-06-07 06:36:23,617 INFO Packages that will be upgraded: exim4-base exim4-config exim4-daemon-heavy
2019-06-07 06:36:23,618 INFO Writing dpkg log to '/var/log/unattended-upgrades/unattended-upgrades-dpkg.log'
2019-06-07 06:37:08,647 INFO All upgrades installed
2019-06-08 06:18:09,946 INFO Starting unattended upgrades script
2019-06-08 06:18:09,947 INFO Allowed origins are: ['origin=Debian,codename=stretch,label=Debian-Security']
2019-06-08 06:18:15,564 INFO Packages that will be upgraded: exim4-daemon-heavy qemu-kvm qemu-system-common qemu-system-x86 qemu-utils
2019-06-08 06:18:15,564 INFO Writing dpkg log to '/var/log/unattended-upgrades/unattended-upgrades-dpkg.log'
2019-06-08 06:18:50,208 INFO All upgrades installed
2019-06-09 06:00:07,184 INFO Allowed origins are: ['origin=Debian,codename=stretch,label=Debian-Security']
2019-06-09 06:00:10,673 INFO Packages that will be upgraded: exim4-daemon-heavy
2019-06-09 06:00:10,673 INFO Writing dpkg log to '/var/log/unattended-upgrades/unattended-upgrades-dpkg.log'
2019-06-09 06:00:10,721 INFO All upgrades installed
... from here on the last lines keep repeating.

Nothing in the log indicates that it installs some packages, but not others.

There is no mention of even trying to install exim4-daemon-heavy in
unattended-upgrades-dpkg.log.

So, unattended-upgrades on this machine clearly installed most security
updates, but not exim4-daemon-heavy. It claims to install it, and that
everything went ok, but in fact, it doesn't even try.

When I run apt install exim4-daemon-heavy manually, it installs it without
issues.

Even if this is some kind of misconfiguration on my part, I think that
unattended-upgrades should not claim it has installed security updates
when in fact it didn't do anything at all.

Version of unattended upgrades is:

ii unattended-upgrades 0.93.1+nmu1

</etc/apt/apt.conf.d/50unattended-upgrades grep -v ^\/

Unattended-Upgrade::Origins-Pattern {
"origin=Debian,codename=${distro_codename},label=Debian-Security";
};

Unattended-Upgrade::Package-Blacklist {
};

tail of unattended-upgrades-dpkg.log (the log does not otherwise contain
the word exim4-daemon-heavy):

Log started: 2019-09-03 06:27:28
(Reading database ... 62135 files and directories currently installed.)
Preparing to unpack .../libnghttp2-14_1.18.1-1+deb9u1_amd64.deb ...
Unpacking libnghttp2-14:amd64 (1.18.1-1+deb9u1) over (1.18.1-1) ...
Setting up libnghttp2-14:amd64 (1.18.1-1+deb9u1) ...
Processing triggers for libc-bin (2.24-11+deb9u1) ...
Log ended: 2019-09-03 06:27:51

Log started: 2019-09-08 06:20:08
Preconfiguring packages ...
(Reading database ... 62135 files and directories currently installed.)
Preparing to unpack .../exim4-config_4.89-2+deb9u6_all.deb ...
Unpacking exim4-config (4.89-2+deb9u6) over (4.89-2+deb9u5) ...
Preparing to unpack .../exim4-base_4.89-2+deb9u6_amd64.deb ...
Unpacking exim4-base (4.89-2+deb9u6) over (4.89-2+deb9u5) ...
Setting up exim4-config (4.89-2+deb9u6) ...
Setting up exim4-base (4.89-2+deb9u6) ...
Processing triggers for systemd (232-25+deb9u11) ...
Processing triggers for man-db (2.7.6.1-2) ...
Log ended: 2019-09-08 06:20:39
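
Added example, not part of the report above and not unattended-upgrades code: a cross-check that flags runs where unattended-upgrades logged "All upgrades installed" for a package that no dpkg session in that run unpacked or configured. The function names and sample constants are assumptions, and the log format is assumed to match the excerpts quoted in the report.

```python
import re
from datetime import datetime
FMT = "%Y-%m-%d %H:%M:%S"
UU_LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+ INFO (.*)$")
DPKG_PKG = re.compile(r"^(?:Unpacking|Setting up) ([^\s:]+)")

def dpkg_sessions(dpkg_log):
    """Return [(session_start, {packages dpkg unpacked or configured})]."""
    sessions = []
    for line in dpkg_log.splitlines():
        if line.startswith("Log started: "):
            sessions.append((datetime.strptime(line[13:].strip(), FMT), set()))
        elif sessions and (m := DPKG_PKG.match(line)):
            sessions[-1][1].add(m.group(1))
    return sessions

def phantom_upgrades(uu_log, dpkg_log):
    """Return [(announce_time, [packages])] reported installed but never touched by dpkg."""
    sessions, findings, pending = dpkg_sessions(dpkg_log), [], None
    for line in uu_log.splitlines():
        if not (m := UU_LINE.match(line)):
            continue
        ts, msg = datetime.strptime(m.group(1), FMT), m.group(2).strip()
        if msg.startswith("Packages that will be upgraded:"):
            pending = (ts, msg.split(":", 1)[1].split())
        elif msg == "All upgrades installed" and pending:
            start, announced = pending
            # Packages handled by dpkg sessions that began inside this run.
            touched = set().union(*(p for s, p in sessions if start <= s <= ts))
            missing = [p for p in announced if p not in touched]
            if missing:
                findings.append((start.strftime(FMT), missing))
            pending = None
    return findings

# Sample: 13:22 and dpkg lines copied from the report; the two 06:20 lines are constructed.
UU_SAMPLE = """\
2019-09-08 06:20:07,101 INFO Packages that will be upgraded: exim4-base exim4-config exim4-daemon-heavy
2019-09-08 06:20:39,512 INFO All upgrades installed
2019-09-08 13:22:07,884 INFO Packages that will be upgraded: exim4-daemon-heavy
2019-09-08 13:22:07,926 INFO All upgrades installed
"""
DPKG_SAMPLE = """\
Log started: 2019-09-08 06:20:08
Setting up exim4-config (4.89-2+deb9u6) ...
Setting up exim4-base (4.89-2+deb9u6) ...
Log ended: 2019-09-08 06:20:39
"""
print(phantom_upgrades(UU_SAMPLE, DPKG_SAMPLE))
```

On a real host the inputs would be the contents of the unattended-upgrades log and of the unattended-upgrades-dpkg.log named in the report.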
Bálint Réczey
2019-10-09 10:30:01 UTC
Control: fixed -1 1.11

Hi Marc,

I'm sure this is fixed in recent releases. Please reopen otherwise.

Cheers,
Balint