Package: openstack-tempest-ci
Version: 0.30
Severity: serious
File: /usr/sbin/build-openstack-debian-image
User: [email protected]
Usertags: bullseye-security

With the release of Debian bullseye and later, security updates are
provided in the bullseye-security suite instead of bullseye/updates.
The above script references ${IN_TARGET_LSB_RELEASE}/updates but when
bullseye is released that will break so it looks like the script would
generate an incorrect sources.list using /updates instead of -security
which would cause the target system to not get security updates from
bullseye in a timely manner.

It looks like the security updates aren't being added for any
particular reason, since the script doesn't also add the suite for
${IN_TARGET_LSB_RELEASE} itself to sources.list so the apt sources.list
would seem to be quite incomplete, unless it is already expected to
have the Debian repo in it, in which case it probably already has the
Debian security repo in it, making the addition of the Debian security
repo by the script unnecessary.

If the addition of the Debian security repo by the script is
unnecessary then I suggest just removing it to resolve this issue.

Otherwise I suggest that this script check the version of the Debian
release in question using distro-info and then if the release is 11 or
higher, then use $release-security otherwise use $release/updates as
before. It is much better to use distro-info than to hard-code the
release version numbers. It might even be a good idea to include the
security suite information in distro-info itself and look it up there.

$ grep -r -B19 -A26 /updates /usr/bin/openstack-tempest-ci
/usr/bin/openstack-tempest-ci-otci_aptget_update () {
/usr/bin/openstack-tempest-ci- echo "===> Adding strech-queens apt key"
/usr/bin/openstack-tempest-ci- otci_remote "wget http://stretch-queens.infomaniak.ch/debian/dists/pubkey.gpg"
/usr/bin/openstack-tempest-ci- otci_remote "apt-key add pubkey.gpg"
/usr/bin/openstack-tempest-ci- echo "===> Fixing sources.list and updating"
/usr/bin/openstack-tempest-ci- # Do not use pdiffs, they are bad...
/usr/bin/openstack-tempest-ci- echo "Acquire::PDiffs \"false\";" >temp_file
/usr/bin/openstack-tempest-ci- otci_scp temp_file ""
/usr/bin/openstack-tempest-ci- otci_remote "${SUDO}cp temp_file /etc/apt/apt.conf.d/98nopdiff"
/usr/bin/openstack-tempest-ci- otci_remote "rm temp_file"
/usr/bin/openstack-tempest-ci- rm temp_file
/usr/bin/openstack-tempest-ci- # TODO: Make it so we select it depending on target (support unstable?)
/usr/bin/openstack-tempest-ci- IN_TARGET_LSB_RELEASE=`lsb_release -c | awk '{print $2}'`
/usr/bin/openstack-tempest-ci- # If we're having a sources.list locally, let's use it
/usr/bin/openstack-tempest-ci- if ! [ -e sources.list ] ; then
/usr/bin/openstack-tempest-ci- # Use the closest mirror, as defined in pkgos.conf
/usr/bin/openstack-tempest-ci- echo "deb ${OTCI_DEBIAN_REPO_URL}/debian ${IN_TARGET_LSB_RELEASE} main
/usr/bin/openstack-tempest-ci-deb-src ${OTCI_DEBIAN_REPO_URL}/debian ${IN_TARGET_LSB_RELEASE} main
/usr/bin/openstack-tempest-ci-
/usr/bin/openstack-tempest-ci:deb http://security.debian.org/ ${IN_TARGET_LSB_RELEASE}/updates main contrib non-free
/usr/bin/openstack-tempest-ci:deb-src http://security.debian.org/ ${IN_TARGET_LSB_RELEASE}/updates main contrib non-free
/usr/bin/openstack-tempest-ci-" >sources.list
/usr/bin/openstack-tempest-ci- fi
/usr/bin/openstack-tempest-ci- # scp to dest and install as new sources.list
/usr/bin/openstack-tempest-ci- otci_scp sources.list ""
/usr/bin/openstack-tempest-ci- otci_remote "${SUDO}cp sources.list /etc/apt"
/usr/bin/openstack-tempest-ci-
/usr/bin/openstack-tempest-ci- # Add the current repos if it exists
/usr/bin/openstack-tempest-ci- if [ -e /etc/openstack-tempest-ci/openstack-ci.list ] ; then
/usr/bin/openstack-tempest-ci- echo "-> scp source list"
/usr/bin/openstack-tempest-ci- otci_scp /etc/openstack-tempest-ci/openstack-ci.list ""
/usr/bin/openstack-tempest-ci- echo "-> Install new source list"
/usr/bin/openstack-tempest-ci- otci_remote "${SUDO}mv openstack-ci.list /etc/apt/sources.list.d/openstack.list"
/usr/bin/openstack-tempest-ci- if [ -r /etc/pkgos/pkgos.conf ] ; then
/usr/bin/openstack-tempest-ci- . /etc/pkgos/pkgos.conf
/usr/bin/openstack-tempest-ci- fi
/usr/bin/openstack-tempest-ci- if [ -z "${TARGET_OPENSTACK_REL}" ] ; then
/usr/bin/openstack-tempest-ci- TARGET_OPENSTACK_REL=mitaka
/usr/bin/openstack-tempest-ci- fi
/usr/bin/openstack-tempest-ci- echo "-> wget Jenkins key"
/usr/bin/openstack-tempest-ci- otci_remote "wget http://${TARGET_OPENSTACK_REL}-${IN_TARGET_LSB_RELEASE}.pkgs.mirantis.com/debian/dists/pubkey.gpg"
/usr/bin/openstack-tempest-ci- echo "-> Install Jenkins key"
/usr/bin/openstack-tempest-ci- otci_remote "${SUDO}apt-key add pubkey.gpg"
/usr/bin/openstack-tempest-ci- fi
/usr/bin/openstack-tempest-ci-
/usr/bin/openstack-tempest-ci- # Finally update
/usr/bin/openstack-tempest-ci- otci_remote "${SUDO}apt-get update"

-- System Information:
Debian Release: bullseye/sid
APT prefers testing-debug
APT policy: (900, 'testing-debug'), (900, 'testing'), (800, 'unstable-debug'), (800, 'unstable'), (790, 'buildd-unstable'), (700, 'experimental-debug'), (700, 'experimental'), (690, 'buildd-experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 5.9.0-1-amd64 (SMP w/4 CPU threads)
Locale: LANG=en_AU.utf8, LC_CTYPE=en_AU.utf8 (charmap=UTF-8), LANGUAGE=en_AU:en
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages openstack-tempest-ci depends on:
ii ipmitool 1.8.18-10
ii lsb-release 11.1.0
ii nmap 7.91+dfsg1-1
pn openstack-clients <none>

openstack-tempest-ci recommends no packages.

openstack-tempest-ci suggests no packages.

--
bye,
pabs
https://wiki.debian.org/PaulWise
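
An added example, not part of the original report or of the openstack-tempest-ci script: one way to implement the suggested release check in POSIX sh, reading the release number from the debian.csv file shipped by distro-info-data. The function names, the DISTRO_CSV variable and the embedded sample rows are assumptions made for this illustration.

```shell
#!/bin/sh
# Added illustration; function names and DISTRO_CSV are hypothetical.
DISTRO_CSV=${DISTRO_CSV:-/usr/share/distro-info/debian.csv}

# Constructed sample rows in the column layout of debian.csv, used only
# when the real file (package distro-info-data) is not installed.
sample_csv() {
cat <<'EOF'
version,codename,series,created,release,eol
9,Stretch,stretch,2015-04-25,2017-06-17,2020-07-06
10,Buster,buster,2017-06-17,2019-07-06,2022-09-10
11,Bullseye,bullseye,2019-07-06,2021-08-14,2024-08-14
12,Bookworm,bookworm,2021-08-14,2023-06-10,2026-06-10
,Sid,sid,1993-08-16
EOF
}

# Print the release number for a codename; prints nothing if the codename
# is unknown or has no number (sid, experimental).
release_number() {
    { if [ -r "$DISTRO_CSV" ]; then cat "$DISTRO_CSV"; else sample_csv; fi; } |
        awk -F, -v s="$1" 'NR > 1 && $3 == s { print $1; exit }'
}

# Print the security suite: <codename>-security from release 11 on,
# <codename>/updates before. Fails rather than guessing for other input.
security_suite() {
    ver=$(release_number "$1")
    major=${ver%%.*}
    case $major in
        ''|*[!0-9]*) echo "no security suite known for '$1'" >&2; return 1 ;;
    esac
    if [ "$major" -ge 11 ]; then
        echo "$1-security"
    else
        echo "$1/updates"
    fi
}

# Emit the two security lines the quoted script writes, with the suite chosen above.
security_sources() {
    suite=$(security_suite "$1") || return 1
    printf 'deb http://security.debian.org/ %s main contrib non-free\n' "$suite"
    printf 'deb-src http://security.debian.org/ %s main contrib non-free\n' "$suite"
}

if [ $# -gt 0 ]; then security_sources "$1"; fi
```

Failing on an unnumbered or unknown codename keeps the caller from writing a suite that does not exist, which apt would only report at update time.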

