This bug was fixed in the package ubuntu-advantage-tools - 27.14.4~22.04

---------------
ubuntu-advantage-tools (27.14.4~22.04) jammy; urgency=medium

  * Backport new upstream release: (LP: #2011477) to jammy

ubuntu-advantage-tools (27.14.4) lunar; urgency=medium

  * timer: disable update_contract_info job (LP: #2015302)
  * livepatch: prevent livepatch from auto-enabling and subsequently failing
    on non-amd64 systems (LP: #2015241)

ubuntu-advantage-tools (27.14.3) lunar; urgency=medium

  * livepatch: prevent livepatch from auto-enabling and subsequently failing
    on interim releases (LP: #2013409)

ubuntu-advantage-tools (27.14.2~23.04.1) lunar; urgency=medium

  * status:
    - always use dpkg instead of lscpu for fetching architecture information
      (LP: #2012735)

ubuntu-advantage-tools (27.14.1~23.04.1) lunar; urgency=medium

  * New upstream release 27.14.1
    - apt: fix a configuration leak in the apt.get_pkg_candidate_version
      function (LP: #2012642)

ubuntu-advantage-tools (27.14~23.04.1) lunar; urgency=medium

  * d/ubuntu-advantage-tools.{postinst,postrm,preinst}:
    - migrate certain settings out of uaclient.conf to a new file managed by
      the pro config subcommand (LP: #2004280)
  * d/ubuntu-advantage-tools.postinst:
    - refactor PREVIOUS_PKG_VER as a global variable
    - simplify how we add notices
  * New upstream release 27.14 (LP: #2011477)
    - api: new u.unattended_upgrades.status.v1 endpoint for querying status
      of unattended upgrades
    - apt:
      + remove legacy apt-hook
      + deliver json apt-hook for interim releases
      + fix cloud identification logic in json apt-hook
      + make all calls to esm-cache isolated from system configuration
        (LP: #2008280)
      + only set up the esm cache on supported systems (LP: #2004018)
    - fix:
      + format the output to be more readable (LP: #1926182)
      + add option to attach during a fix without a token
      + verify if fixed version can be installed before trying (LP: #2006705)
    - livepatch: show warning if current kernel is not supported
    - locks: alert user about corrupted lock files (LP: #1996931)
    - logging: logs are now formatted as jsonlines
    - motd: remove esm-apps announcement
    - notices: new representation on disk as separate files (LP: #1987738)
    - realtime: remove ubuntu-realtime package on disablement
    - status:
      + removed contract info update check network call
      + no longer includes warnings about notices when non-root (LP: #2006138)
      + unattached status sends virt type to contract server for better
        resource availability calculation
    - timer jobs: add daily job to check for contract updates
    - yaml: always import distro-provided pyyaml (LP: #2007234, LP: #2007241)

 -- Renan Rodrigo <renanrodr...@canonical.com>  Thu, 06 Apr 2023 10:48:43 -0300

** Changed in: ubuntu-advantage-tools (Ubuntu Kinetic)
       Status: Fix Committed => Fix Released

--
You received this bug notification because you are a member of नेपाली भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/2006705

Title:
  Ubuntu pro reports CVE falsely as fixed

Status in ubuntu-advantage-tools package in Ubuntu:
  Fix Released
Status in ubuntu-advantage-tools source package in Xenial:
  Fix Released
Status in ubuntu-advantage-tools source package in Bionic:
  Fix Released
Status in ubuntu-advantage-tools source package in Focal:
  Fix Released
Status in ubuntu-advantage-tools source package in Jammy:
  Fix Released
Status in ubuntu-advantage-tools source package in Kinetic:
  Fix Released

Bug description:
  [Impact]

  In some cases, a machine may not have access to the version of a package that we assume to be available in `pro fix`. The result is that `pro fix` says "CVE-1234 is resolved" after a successful `apt install` command, even though the version with the fix was not actually installed. This is a misleading message and may lead users to believe they are safe from the given CVE when they are not.

  The fix is to check the local apt-cache before trying to install a version to make sure that the candidate version is the one with the fix applied. Only then do we proceed with the `apt install` and say that the CVE is resolved.
  [Test Case]

  This will be covered by our full test run for u-a-t 27.14. The specific test that covers this scenario can be inspected here:
  https://github.com/canonical/ubuntu-pro-client/blob/27.14/features/fix.feature#L474

  [Regression Potential]

  The new code to prevent this situation is an additional check before attempting to install the update. If there is a mistake in the implementation, it could prevent `pro fix` from resolving CVEs that can be resolved.

  [Original Description]

  pro version: 27.13.3-18.01.1

  When running:

  sudo pro fix CVE-2023-0286
  CVE-2023-0286: OpenSSL vulnerabilities
  https://ubuntu.com/security/CVE-2023-0286
  2 affected source packages are installed: openssl, openssl1.0
  (1/2, 2/2) openssl, openssl1.0:
  A fix is available in Ubuntu standard updates.
  { apt update && apt install --only-upgrade -y libssl1.0.0 libssl1.1 openssl }
  ✔ CVE-2023-0286 is resolved.

  The last line states that the CVE is resolved, but when checking it via apt policy, it is still the old version:

  apt policy openssl
  openssl:
    Installed: 1.1.1-1ubuntu2.1~18.04.14
    Candidate: 1.1.1-1ubuntu2.1~18.04.14
    Version table:
   *** 1.1.1-1ubuntu2.1~18.04.14 500
          500 https://'an-outdated-ubuntu-mirror' bionic-updates/main amd64 Packages

  (expected version is 1.1.1-1ubuntu2.1~18.04.21, from the http://security.ubuntu.com/ubuntu bionic-security/main repository)

  The reason the update is not working is that the repositories the machine is subscribed to do not contain the fix.

  The bug I want to file is the last line of the 'pro fix' command, being '✔ CVE-2023-0286 is resolved.' This (presumably) is stated there because the apt install command was able to run successfully, but that does not mean the CVE is fixed (in this case, I had no repository in my sources.list offering the patch).

  Suggestion to change that last line to: "❌ CVE-2023-0286 is not resolved."

  The reason for reporting this as a security issue is the false claiming of a fixed security vulnerability.
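The candidate-version check described under [Impact], applied to the reporter's `apt policy openssl` output, as an added example that is not ubuntu-pro-client's own code. It parses the Candidate line and compares it against the fixed version with a simplified reimplementation of the dpkg version ordering (an assumption about how the real check is done; the sample output is abridged from the report and the fixed version is the one the reporter names), so the "resolved" message would only be reached when `apt install --only-upgrade` can actually deliver the fix, whichever repository mirror the machine is pointed at.

```python
import re
from itertools import zip_longest

# Constructed sample, abridged from the reporter's `apt policy openssl` output.
POLICY_OUTPUT = """\
openssl:
  Installed: 1.1.1-1ubuntu2.1~18.04.14
  Candidate: 1.1.1-1ubuntu2.1~18.04.14
"""
FIXED_VERSION = "1.1.1-1ubuntu2.1~18.04.21"  # version in bionic-security, per the report

def _order(c):
    # dpkg character ordering: '~' < end of string < letters < everything else
    if c == "~":
        return -1
    return 0 if c == "" else (ord(c) if c.isalpha() else ord(c) + 256)

def _cmp_fragment(a, b):
    # dpkg rule: alternately compare a non-digit run (char by char) and a digit run (numerically)
    while a or b:
        sa, sb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        for x, y in zip_longest(sa, sb, fillvalue=""):
            if _order(x) != _order(y):
                return -1 if _order(x) < _order(y) else 1
        a, b = a[len(sa):], b[len(sb):]
        na, nb = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        a, b = a[len(na):], b[len(nb):]
        if int(na or 0) != int(nb or 0):
            return -1 if int(na or 0) < int(nb or 0) else 1
    return 0

def version_compare(v1, v2):
    """Simplified dpkg comparison of epoch, upstream, revision: -1, 0 or 1."""
    def split(v):
        e, up, rev = re.fullmatch(r"(?:(\d+):)?(.*?)(?:-([^-]*))?", v).groups()
        return int(e or 0), up, rev or ""
    (e1, u1, r1), (e2, u2, r2) = split(v1), split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    return _cmp_fragment(u1, u2) or _cmp_fragment(r1, r2)

def candidate_version(policy_output):
    # apt prints "Candidate: (none)" when no configured repository offers the package
    m = re.search(r"^\s*Candidate:\s*(\S+)", policy_output, re.M)
    return None if not m or m.group(1) == "(none)" else m.group(1)

def fix_installable(policy_output, fixed_version):
    # True only when the candidate apt would install is at least the fixed version;
    # otherwise `apt install` succeeds but the vulnerable version stays (the reported case).
    cand = candidate_version(policy_output)
    return cand is not None and version_compare(cand, fixed_version) >= 0
```

With the reporter's output the check returns False, which is the point at which `pro fix` should say the CVE is not resolved instead of running `apt install`.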