'ua fix' tells me to reboot with inaccurate message

Bug #1926183 reported by James Troup
This bug affects 1 person
Affects                          Status         Importance  Assigned to     Milestone
ubuntu-advantage-tools (Ubuntu)  Fix Released   Medium      Grant Orndorff
Xenial                           Fix Released   Medium      Unassigned
Bionic                           Fix Committed  Medium      Unassigned
Focal                            Fix Committed  Medium      Unassigned
Groovy                           Won't Fix      Medium      Unassigned
Hirsute                          Won't Fix      Medium      Unassigned
Impish                           Fix Released   Medium      Grant Orndorff

Bug Description

[Impact]

When using an affected version of uaclient (any beta of v27) and using the `fix` command, the user could be shown a misleading message. Specifically, if the user's machine has the system reboot required flag set, and then they use the `ua fix` command, uaclient will say that a reboot is required to complete the fix, even though uaclient didn't even have to install anything.

[Test case]

The following example will work on xenial, bionic, focal, and groovy.

To reproduce on hirsute, use USN-4913-2 instead of USN-4898-1, and use node-underscore instead of curl in the instructions below.

To reproduce:

1. Launch a container: using focal here as an example
    lxc launch ubuntu-daily:focal dev-f

2. Add the uaclient staging ppa: https://launchpad.net/~ua-client/+archive/ubuntu/staging
    add-apt-repository ppa:ua-client/staging
    apt-get update

3. Install version 27 beta 3
    apt install ubuntu-advantage-tools=27.0~20.04.1~beta3

4. Make sure you have the latest version of curl installed
    apt install curl

5. Touch the reboot-required file
    sudo touch /var/run/reboot-required

6. Attempt to fix https://ubuntu.com/security/notices/USN-4898-1
    ua fix USN-4898-1

7. See a message like this

USN-4898-1: curl vulnerabilities
Found CVEs:
https://ubuntu.com/security/CVE-2021-22890
https://ubuntu.com/security/CVE-2021-22876
1 affected package is installed: curl
(1/1) curl:
A fix is available in Ubuntu standard updates.
The update is already installed.
A reboot is required to complete fix operation.
✘ USN-4898-1 is not resolved.

To see the fixed version:

1. Launch a container: using focal here as an example
    lxc launch ubuntu-daily:focal dev-f

2. Add this ppa that contains the unreleased fix for this bug: https://launchpad.net/~orndorffgrant/+archive/ubuntu/uaclient-staging-27
    add-apt-repository ppa:orndorffgrant/uaclient-staging-27
    apt-get update

3. Install version 27
    apt install ubuntu-advantage-tools

4. Make sure you have the latest version of curl installed
    apt install curl

5. Touch the reboot-required file
    sudo touch /var/run/reboot-required

6. Attempt to fix https://ubuntu.com/security/notices/USN-4898-1
    ua fix USN-4898-1

7. See a message like this

USN-4898-1: curl vulnerabilities
Found CVEs:
https://ubuntu.com/security/CVE-2021-22890
https://ubuntu.com/security/CVE-2021-22876
1 affected package is installed: curl
(1/1) curl:
A fix is available in Ubuntu standard updates.
The update is already installed.
✔ USN-4898-1 is resolved.

[Where problems could occur]

The logic of when to show the reboot required message is still based on the system /var/run/reboot-required flag, and this fix adds additional complexity to our messaging logic after fixing a cve/usn.

If this new logic isn't quite right, it may result in uaclient still saying that a reboot is required to complete a fix even when it isn't (for some other situation not in this bug).

Or from the opposite direction: if the logic is wrong, it could result in uaclient failing to tell the user that a reboot is required to complete a fix, even when it is.

More generally, the changeset is large and carries the risk of other unexpected issues. Any unexpected issues would be limited to uaclient behavior though.

[Discussion]

This bug doesn't actually exist outside of the v27 betas in the ua-client/staging ppa. The number of users affected by this bug is very low and almost entirely limited to those who were deliberately testing the v27 betas. Because of this, the risk associated with fixing this bug is predicted to be very low.

[Original Report]

root@malefic:~# ua fix CVE-2021-3410
CVE-2021-3410: libcaca vulnerability
https://ubuntu.com/security/CVE-2021-3410
1 affected package is installed: libcaca
(1/1) libcaca:
A fix is available in Ubuntu standard updates.
The update is already installed.
A reboot is required to complete fix operation.
✘ CVE-2021-3410 is not resolved.
root@malefic:~#

The line 'A reboot is required to complete fix operation.' may be partially true (i.e. a reboot is needed) for other reasons, but is not accurate in the context of this CVE. Both 'checkrestart' and 'needrestart' confirm that no running process is using the caca library. Looking at the code, it looks like it's looking at a global 'needs reboot' flag, unrelated to the specific fix operation. I'd argue that a) it shouldn't say 'to complete fix operation' and b) it shouldn't claim 'CVE-2021-3410 is not resolved'.

James Troup (elmo) wrote :

ubuntu-advantage-tools 27.0~20.10.1~beta3 on 20.10/amd64.

Richard Harding (rharding) wrote :

Thanks for the report.

Yes I can see the reboot conflicting there. We generally are showing that if the system indicates a reboot is required to try to get the user to an all-green state, but here in ua fix it is distracting.

The fact that it says it was not resolved though is completely incorrect, and so we will address it.

Grant Orndorff (orndorffgrant) wrote :

We have a PR up addressing this bug here: https://github.com/canonical/ubuntu-advantage-client/pull/1577

After that PR is merged, ua will not print "A reboot is required to complete fix operation. ✘ CVE-2021-3410 is not resolved." when the update is already installed. It will instead only print: "✔ CVE-2021-3410 is resolved", even if the global 'needs reboot' flag is set.

Chad Smith (chad.smith)
Changed in ubuntu-advantage-tools (Ubuntu):
status: New → In Progress
assignee: nobody → Grant Orndorff (orndorffgrant)
importance: Undecided → Medium
Changed in ubuntu-advantage-tools (Ubuntu):
status: In Progress → Fix Committed
description: updated
Bryce Harrington (bryce)
Changed in ubuntu-advantage-tools (Ubuntu Hirsute):
importance: Undecided → Medium
Changed in ubuntu-advantage-tools (Ubuntu Groovy):
importance: Undecided → Medium
Changed in ubuntu-advantage-tools (Ubuntu Focal):
importance: Undecided → Medium
Changed in ubuntu-advantage-tools (Ubuntu Bionic):
importance: Undecided → Medium
Changed in ubuntu-advantage-tools (Ubuntu Xenial):
importance: Undecided → Medium
Changed in ubuntu-advantage-tools (Ubuntu Groovy):
importance: Medium → Undecided
Changed in ubuntu-advantage-tools (Ubuntu Impish):
status: Fix Committed → In Progress
description: updated
Robie Basak (racb) wrote : Please test proposed package

Hello James, or anyone else affected,

Accepted ubuntu-advantage-tools into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools/27.0~16.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in ubuntu-advantage-tools (Ubuntu Xenial):
status: New → Fix Committed
tags: added: verification-needed verification-needed-xenial
Robie Basak (racb) wrote :

Hello James, or anyone else affected,

Accepted ubuntu-advantage-tools into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools/27.0~18.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in ubuntu-advantage-tools (Ubuntu Bionic):
status: New → Fix Committed
tags: added: verification-needed-bionic
Changed in ubuntu-advantage-tools (Ubuntu Focal):
status: New → Fix Committed
tags: added: verification-needed-focal
Robie Basak (racb) wrote :

Hello James, or anyone else affected,

Accepted ubuntu-advantage-tools into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools/27.0~20.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-focal. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in ubuntu-advantage-tools (Ubuntu Groovy):
status: New → Fix Committed
tags: added: verification-needed-groovy
Robie Basak (racb) wrote :

Hello James, or anyone else affected,

Accepted ubuntu-advantage-tools into groovy-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools/27.0~20.10.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-groovy to verification-done-groovy. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-groovy. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in ubuntu-advantage-tools (Ubuntu Hirsute):
status: New → Fix Committed
tags: added: verification-needed-hirsute
Robie Basak (racb) wrote :

Hello James, or anyone else affected,

Accepted ubuntu-advantage-tools into hirsute-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools/27.0~21.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-hirsute to verification-done-hirsute. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-hirsute. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Chad Smith (chad.smith)
Changed in ubuntu-advantage-tools (Ubuntu Impish):
status: In Progress → Fix Committed
tags: added: verification-done-xenial
removed: verification-needed-xenial
Chad Smith (chad.smith) wrote :

Logs from Xenial test run asserting that no reboot needed message reported:
csmith@uptown:~/src/ubuntu-advantage-client$ cat proposed.yaml
#cloud-config
write_files:
- content: ZGViIGh0dHA6Ly9hcmNoaXZlLnVidW50dS5jb20vdWJ1bnR1LyB4ZW5pYWwtcHJvcG9zZWQgcmVzdHJpY3RlZCBtYWluIG11bHRpdmVyc2UgdW5pdmVyc2UK
  encoding: b64
  owner: root:root
  path: /etc/apt/sources.list.d/proposed-ua.list
  permissions: '0644'

package_update: true
packages: [ubuntu-advantage-tools]
csmith@uptown:~/src/ubuntu-advantage-client$ lxc launch ubuntu-daily:xenial sru-test-1926183 -c user.user-data="$(cat proposed.yaml)"
Creating sru-test-1926183
Starting sru-test-1926183
csmith@uptown:~/src/ubuntu-advantage-client$ lxc exec sru-test-1926183 bash
root@sru-test-1926183:~# touch /var/run/reboot-required
root@sru-test-1926183:~# cloud-init status --wait --long

status: done
time: Thu, 29 Apr 2021 23:07:07 +0000
detail:
DataSourceNoCloud [seed=/var/lib/cloud/seed/nocloud-net][dsmode=net]
root@sru-test-1926183:~# ua version
27.0~16.04.1
root@sru-test-1926183:~# apt policy ubuntu-advantage-tools
ubuntu-advantage-tools:
  Installed: 27.0~16.04.1
  Candidate: 27.0~16.04.1
  Version table:
 *** 27.0~16.04.1 500
        500 http://archive.ubuntu.com/ubuntu xenial-proposed/main amd64 Packages
        100 /var/lib/dpkg/status
     10ubuntu0.16.04.1 500
        500 http://archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages
root@sru-test-1926183:~# ua fix USN-4898-1
USN-4898-1: curl vulnerabilities
Found CVEs:
https://ubuntu.com/security/CVE-2021-22890
https://ubuntu.com/security/CVE-2021-22876
1 affected package is installed: curl
(1/1) curl:
A fix is available in Ubuntu standard updates.
The update is already installed.
✔ USN-4898-1 is resolved.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ubuntu-advantage-tools - 27.0~16.04.1

---------------
ubuntu-advantage-tools (27.0~16.04.1) xenial; urgency=medium

  * New upstream release 27.0: (LP: #1926361)
    - apt-hook: mitigate failures with true
    - messages: add optional (s) to apt messaging to include
      singular/plural pkgs
    - apt-hook: avoid reporting and counting duplicate package
      names (GH: #1578)
    - fix: don't say reboot required when unnecessary (LP: #1926183)
    - test: uncomment additional xenial upgrade tests

 -- Lucas Moura <email address hidden> Tue, 27 Apr 2021 15:31:06 -0300

Changed in ubuntu-advantage-tools (Ubuntu Xenial):
status: Fix Committed → Fix Released
Steve Langasek (vorlon) wrote : Update Released

The verification of the Stable Release Update for ubuntu-advantage-tools has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Ubuntu SRU Bot (ubuntu-sru-bot) wrote : Autopkgtest regression report (ubuntu-advantage-tools/27.0~21.04.1)

All autopkgtests for the newly accepted ubuntu-advantage-tools (27.0~21.04.1) for hirsute have finished running.
The following regressions have been reported in tests triggered by the package:

ubuntu-advantage-tools/27.0~21.04.1 (i386)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/hirsute/update_excuses.html#ubuntu-advantage-tools

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

Ubuntu SRU Bot (ubuntu-sru-bot) wrote : Autopkgtest regression report (ubuntu-advantage-tools/27.0~20.04.1)

All autopkgtests for the newly accepted ubuntu-advantage-tools (27.0~20.04.1) for focal have finished running.
The following regressions have been reported in tests triggered by the package:

ubuntu-advantage-tools/27.0~20.04.1 (i386)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/focal/update_excuses.html#ubuntu-advantage-tools

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

Chad Smith (chad.smith) wrote :

Bionic, Focal, Groovy and Hirsute test runs:

Test procedure:
1. install u-a-tools from <release>-proposed pocket using cloud-init
2. touch external reboot-required flag file to simulate a system which already needs a reboot from an unrelated package install.
3. run ua fix on an issue that will not install any packages
4. confirm ua tooling doesn't report reboot required.
5. Expect SUCCESS if no reboot suggested FAILURE otherwise

TLDR: All SUCCESS msgs, no reboot required messaging if ua fix hasn't installed debs.

==== test script ======

#!/bin/bash
set -e

for release in bionic focal groovy hirsute; do
  echo "======= START $release ========"

  name=test-sru-1926183-$release
  # Choose the issue to check; hirsute additionally installs samba first.
  extra_pkgs=""
  case "${release}" in
      hirsute) extra_pkgs="samba"; issue="CVE-2021-20254";;
      *) issue="CVE-2020-8285";;
  esac
  # Start from a clean container (ignore errors if none exists yet).
  lxc stop $name || true
  lxc delete $name || true
  lxc launch ubuntu-daily:$release $name -c user.user-data="$( cat proposed-$release.yaml )"
  sleep 3;
  lxc exec $name -- cloud-init status --wait --long
  lxc exec $name -- ua version
  echo "====== Check ua tools 27.0 ====="
  lxc exec $name -- apt policy ubuntu-advantage-tools
  # Install the extra packages only now that the container exists.
  lxc exec $name -- apt install -y ${extra_pkgs}
  # Simulate a pending reboot left over from an unrelated package install.
  lxc exec $name -- touch /var/run/reboot-required
  echo "====== Check no reboot required message on NOOP ===="
  MSG=$(lxc exec $name -- ua fix $issue)
  echo $MSG
  echo $MSG| grep -q reboot && echo "FAILURE: reboot required message found when no pkg changes made" || echo "SUCCESS: no reboot required message"
  echo "======= END $release ========"
done

======= START bionic ========
Creating test-sru-1926183-bionic
Starting test-sru-1926183-bionic
..............................................................................
status: done
time: Fri, 30 Apr 2021 23:26:23 +0000
detail:
DataSourceNoCloud [seed=/var/lib/cloud/seed/nocloud-net][dsmode=net]
27.0~18.04.1
====== Check ua tools 27.0 =====
ubuntu-advantage-tools:
  Installed: 27.0~18.04.1
  Candidate: 27.0~18.04.1
  Version table:
 *** 27.0~18.04.1 500
        500 http://archive.ubuntu.com/ubuntu bionic-proposed/main amd64 Packages
        100 /var/lib/dpkg/status
     17 500
        500 http://archive.ubuntu.com/ubuntu bionic/main amd64 Packages
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following package was automatically installed and is no longer required:
  libfreetype6
Use 'apt autoremove' to remove it.
0 upgraded, 0 newly installed, 0 to remove and 33 not upgraded.
====== Check no reboot required message on NOOP ====
CVE-2020-8285: curl vulnerabilities https://ubuntu.com/security/CVE-2020-8285 1 affected package is installed: curl (1/1) curl: A fix is available in Ubuntu standard updates. The update is already installed. ✔ CVE-2020-8285 is resolved.
SUCCESS: no reboot required message
======= END bionic ========
======= START focal ========
Creating test-sru-1926183-focal
Starting test-sru-1926183-focal
........................................................................................................................
status: done
time: Fri, 30 Apr 2021 23:27:07 +0000
detail:
DataSourceNoCloud [seed=/var/lib/cloud/seed/nocloud-...

tags: added: verification-done verification-done-bionic verification-done-focal verification-done-groovy verification-done-hirsute
removed: verification-needed verification-needed-bionic verification-needed-focal verification-needed-groovy verification-needed-hirsute
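
A stricter check than `grep -q reboot` for the no-op case verified above, added here as an example; it is not part of the original comments or of uaclient. It parses the `ua fix` output format shown in the bug description, and the function names are hypothetical.

```python
import re

ALREADY = "The update is already installed."
REBOOT = "A reboot is required to complete fix operation."

# Output copied from the bug description: v27 beta 3 with the reboot flag touched.
BETA_OUTPUT = """\
USN-4898-1: curl vulnerabilities
Found CVEs:
https://ubuntu.com/security/CVE-2021-22890
https://ubuntu.com/security/CVE-2021-22876
1 affected package is installed: curl
(1/1) curl:
A fix is available in Ubuntu standard updates.
The update is already installed.
A reboot is required to complete fix operation.
✘ USN-4898-1 is not resolved.
"""
# Output copied from the bug description: fixed version, same setup.
FIXED_OUTPUT = """\
USN-4898-1: curl vulnerabilities
Found CVEs:
https://ubuntu.com/security/CVE-2021-22890
https://ubuntu.com/security/CVE-2021-22876
1 affected package is installed: curl
(1/1) curl:
A fix is available in Ubuntu standard updates.
The update is already installed.
✔ USN-4898-1 is resolved.
"""

PKG_HEADER = re.compile(r"^\((\d+)/(\d+)\) (.+):$")
VERDICT = re.compile(r"^([✔✘]) (\S+) is (not )?resolved\.$")


def parse_fix_output(text):
    """Split `ua fix` output into per-package status lines, reboot message and verdict."""
    result = {"packages": {}, "reboot_msg": False, "issue": None, "resolved": None}
    current = None
    for line in (raw.strip() for raw in text.splitlines()):
        header = PKG_HEADER.match(line)
        verdict = VERDICT.match(line)
        if header:
            current = header.group(3)
            result["packages"][current] = []
        elif verdict:
            result["issue"] = verdict.group(2)
            result["resolved"] = verdict.group(3) is None
            current = None
        elif line == REBOOT:
            result["reboot_msg"] = True
        elif current and line:
            result["packages"][current].append(line)
    return result


def check_noop_fix(text):
    """List the contradictions in a run where every update was already installed."""
    r = parse_fix_output(text)
    if r["resolved"] is None:
        return ["no final verdict line found"]
    statuses = r["packages"].values()
    noop = bool(r["packages"]) and all(ALREADY in lines for lines in statuses)
    problems = []
    if noop and r["reboot_msg"]:
        problems.append("reboot message shown although nothing was installed")
    if noop and not r["resolved"]:
        problems.append(r["issue"] + " reported as not resolved on a no-op")
    return problems


if __name__ == "__main__":
    for label, sample in (("beta3", BETA_OUTPUT), ("fixed", FIXED_OUTPUT)):
        print(label, check_noop_fix(sample) or "OK")
```

Pass the output with its newlines preserved (quote the variable in shell); output flattened onto one line, as in the run log above, yields "no final verdict line found".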
Chad Smith (chad.smith) wrote :

sample cloud-config setting up proposed-bionic.yaml

Mathew Hodson (mhodson)
Changed in ubuntu-advantage-tools (Ubuntu Groovy):
importance: Undecided → Medium
Ubuntu SRU Bot (ubuntu-sru-bot) wrote : Autopkgtest regression report (ubuntu-advantage-tools/27.0~20.10.1)

All autopkgtests for the newly accepted ubuntu-advantage-tools (27.0~20.10.1) for groovy have finished running.
The following regressions have been reported in tests triggered by the package:

ubuntu-advantage-tools/27.0~20.10.1 (i386)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/groovy/update_excuses.html#ubuntu-advantage-tools

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ubuntu-advantage-tools - 27.0.1

---------------
ubuntu-advantage-tools (27.0.1) impish; urgency=medium

  * Add .gitignore and cleanup ignored directory .pytest_cache
  * apt-hook: mitigate failures with true

 -- Chad Smith <email address hidden> Wed, 28 Apr 2021 13:55:28 -0600

Changed in ubuntu-advantage-tools (Ubuntu Impish):
status: Fix Committed → Fix Released
Brian Murray (brian-murray) wrote :

The Groovy Gorilla has reached end of life, so this bug will not be fixed for that release

Changed in ubuntu-advantage-tools (Ubuntu Groovy):
status: Fix Committed → Won't Fix
Brian Murray (brian-murray) wrote :

The Hirsute Hippo has reached End of Life, so this bug will not be fixed for that release.

Changed in ubuntu-advantage-tools (Ubuntu Hirsute):
status: Fix Committed → Won't Fix