Oh OK. Thank you. I just wanted to ensure that future releases are
being patched. Cheers...
On Fri, Mar 8, 2013 at 12:21 PM, Marc Deslauriers wrote:
> @Kristian: he's not going to be introducing a vulnerability. The flaw in
> unattended-upgrades had never gotten fixed in Oneiric in the first
> pl
@Kristian: he's not going to be introducing a vulnerability. The flaw in
unattended-upgrades had never gotten fixed in Oneiric in the first
place, so the vulnerability has always been present.
Since Oneiric is going end-of-life in a month or so, I don't think this
is worth attempting to fix furthe
OK -- but realize that if you move forward, you are going to be
introducing a CRITICAL vulnerability affecting multiple packages
across the entire Ubuntu distribution.
On Fri, Mar 8, 2013 at 11:47 AM, Seth Arnold <891...@bugs.launchpad.net> wrote:
> @Kristian -- no one performed the SRU verificati
@Kristian -- no one performed the SRU verification steps as requested in
comment #18 for Oneiric. Thus the fix was never pushed to Oneiric, and
the problem has never been addressed there.
Please see this wiki page for more details about the SRU process:
https://wiki.ubuntu.com/StableReleaseUp
Brian -- wait a moment. Are you planning to reintroduce a security flaw
into Ubuntu?
On Mar 8, 2013 9:48 AM, "Brian Murray" wrote:
> The version of unattended-upgrades in oneiric-proposed has been removed
> as the bugs it was fixing (including this one) were not verified in a
> timely fashion.
>
The version of unattended-upgrades in oneiric-proposed has been removed
as the bugs it was fixing (including this one) were not verified in a
timely fashion.
** Changed in: unattended-upgrades (Ubuntu Oneiric)
Status: Fix Committed => Triaged
** Tags removed: verification-needed
** Tags r
** Changed in: unattended-upgrades (Ubuntu Natty)
Status: Fix Committed => Won't Fix
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/891747
Title:
unattended-upgrades fails to upgrade insecure
Resetting verification tag for the other releases.
** Tags removed: verification-done
** Tags added: verification-needed
** Branch linked: lp:ubuntu/lucid-updates/unattended-upgrades
This bug was fixed in the package unattended-upgrades - 0.55ubuntu7
---
unattended-upgrades (0.55ubuntu7) lucid-proposed; urgency=low
* backport lp:~mvo/unattended-upgrades/unshadow-versions
to fix versions in -updates shadowing versions in -security
(LP: #891747)
* print
SRU verification for Lucid:
I have reproduced the problem with unattended-upgrades 0.55ubuntu6 in
lucid-updates and have verified that the version of unattended-upgrades
0.55ubuntu7 in -proposed fixes the issue.
I used w3m as a victim package and with u-u from -proposed the version from
-securi
** Changed in: unattended-upgrades (Ubuntu Maverick)
Status: New => Fix Committed
** Changed in: unattended-upgrades (Ubuntu Natty)
Status: New => Fix Committed
** Changed in: unattended-upgrades (Ubuntu Maverick)
Importance: Undecided => Medium
** Changed in: unattended-upgrade
** Branch linked: lp:ubuntu/oneiric-proposed/unattended-upgrades
Hello Kristian, or anyone else affected,
Accepted unattended-upgrades into lucid-proposed, the package will build
now and be available in a few hours. Please test and give feedback here.
See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how
to enable and use -proposed. Thank you
Hello Kristian, or anyone else affected,
Accepted unattended-upgrades into oneiric-proposed, the package will
build now and be available in a few hours. Please test and give feedback
here. See https://wiki.ubuntu.com/Testing/EnableProposed for
documentation how to enable and use -proposed. Thank y
** Branch linked: lp:~ubuntu-core-dev/unattended-upgrades/oneiric
** Changed in: unattended-upgrades (Ubuntu Oneiric)
Status: New => In Progress
** Changed in: unattended-upgrades (Ubuntu Lucid)
Status: New => In Progress
** Changed in: unattended-upgrades (Ubuntu Lucid)
Importance: Undecided => Medium
I prepared a fix for lucid now, it's in:
$ bzr branch lp:ubuntu/lucid-proposed/unattended-upgrades
$ bzr-buildpackage
(or cd unattended-upgrades ; sudo ./unattended-upgrades)
Works fine for me in my test-vm, I'll push an SRU once the current version in
-proposed moves to -updates.
Once that is done I
** Branch linked: lp:ubuntu/lucid-proposed/unattended-upgrades
This bug was fixed in the package unattended-upgrades - 0.75
---
unattended-upgrades (0.75) unstable; urgency=low
* add tests for compat mode and spaces in a origin
* escape "," in the Allowed-Origins compat mode (LP: #824856)
* merged lp:~mvo/unattended-upgrades/unshadow-versi
** Branch linked: lp:debian/unattended-upgrades
** Branch linked: lp:unattended-upgrades
** Also affects: unattended-upgrades (Ubuntu Lucid)
Importance: Undecided
Status: New
** Also affects: unattended-upgrades (Ubuntu Maverick)
Importance: Undecided
Status: New
** Also affects: unattended-upgrades (Ubuntu Natty)
Importance: Undecided
Status: New
** Al
That being said, we may choose to publish it in the -security pocket
once it's gone through the SRU process.
This only happens if there is both a package in -security and a package
in -updates. Typically, packages in -updates need to wait a week in
-proposed before making their way to -updates. For most installations,
unattended-upgrades will have updated to the package in -security before
the more recent
OK. But just be advised that anyone running an LTS version of Ubuntu
who expects security updates to be installed via unattended-upgrades
will be VULNERABLE to exploitation because updated packages are NOT
being installed as expected. This has the potential to do much more harm
to any system than
The attachment "quick fix for ubuntu" of this bug report has been
identified as being a patch. The ubuntu-reviewers team has been
subscribed to the bug report so that they can review the patch. In the
event that this is in fact not a patch you can resolve this situation by
removing the tag 'patch
We don't generally consider bugs in package update tools to directly be
a security issue. As such, we won't be publishing this as a security
update, it should go through the proper SRU process.
** Visibility changed to: Public
** This bug is no longer flagged as a security vulnerability
** Visib