group.of.nepali.translators team mailing list archive
Message #45145
[Bug 2006705] Re: Ubuntu pro reports CVE falsely as fixed
This bug was fixed in the package ubuntu-advantage-tools - 27.14.4~16.04
---------------
ubuntu-advantage-tools (27.14.4~16.04) xenial; urgency=medium

  * Backport new upstream release: (LP: #2011477) to xenial

ubuntu-advantage-tools (27.14.4) lunar; urgency=medium

  * timer: disable update_contract_info job (LP: #2015302)
  * livepatch: prevent livepatch from auto-enabling and subsequently failing
    on non-amd64 systems (LP: #2015241)

ubuntu-advantage-tools (27.14.3) lunar; urgency=medium

  * livepatch: prevent livepatch from auto-enabling and subsequently failing
    on interim releases (LP: #2013409)

ubuntu-advantage-tools (27.14.2~23.04.1) lunar; urgency=medium

  * status:
    - always use dpkg instead of lscpu for fetching architecture
      information (LP: #2012735)

ubuntu-advantage-tools (27.14.1~23.04.1) lunar; urgency=medium

  * New upstream release 27.14.1
    - apt: fix a configuration leak in the apt.get_pkg_candidate_version
      function (LP: #2012642)

ubuntu-advantage-tools (27.14~23.04.1) lunar; urgency=medium

  * d/ubuntu-advantage-tools.{postinst,postrm,preinst}:
    - migrate certain settings out of uaclient.conf to a new file managed by
      the pro config subcommand (LP: #2004280)
  * d/ubuntu-advantage-tools.postinst:
    - refactor PREVIOUS_PKG_VER as a global variable
    - simplify how we add notices
  * New upstream release 27.14 (LP: #2011477)
    - api: new u.unattended_upgrades.status.v1 endpoint for querying status of
      unattended upgrades
    - apt:
      + remove legacy apt-hook
      + deliver json apt-hook for interim releases
      + fix cloud identification logic in json apt-hook
      + make all calls to esm-cache isolated from system configuration
        (LP: #2008280)
      + only set up the esm cache on supported systems (LP: #2004018)
    - fix:
      + format the output to be more readable (LP: #1926182)
      + add option to attach during a fix without a token
      + verify if fixed version can be installed before trying (LP: #2006705)
    - livepatch: show warning if current kernel is not supported
    - locks: alert user about corrupted lock files (LP: #1996931)
    - logging: logs are now formatted as jsonlines
    - motd: remove esm-apps announcement
    - notices: new representation on disk as separate files (LP: #1987738)
    - realtime: remove ubuntu-realtime package on disablement
    - status:
      + removed contract info update check network call
      + no longer includes warnings about notices when non-root (LP: #2006138)
      + unattached status sends virt type to contract server for better
        resource availability calculation
    - timer jobs: add daily job to check for contract updates
    - yaml: always import distro-provided pyyaml (LP: #2007234, LP: #2007241)

 -- Renan Rodrigo <renanrodrigo@xxxxxxxxxxxxx>  Thu, 06 Apr 2023 10:50:05 -0300
** Changed in: ubuntu-advantage-tools (Ubuntu Xenial)
Status: Fix Committed => Fix Released
https://bugs.launchpad.net/bugs/2006705
Title:
Ubuntu pro reports CVE falsely as fixed
Status in ubuntu-advantage-tools package in Ubuntu:
Fix Released
Status in ubuntu-advantage-tools source package in Xenial:
Fix Released
Status in ubuntu-advantage-tools source package in Bionic:
Fix Released
Status in ubuntu-advantage-tools source package in Focal:
Fix Released
Status in ubuntu-advantage-tools source package in Jammy:
Fix Released
Status in ubuntu-advantage-tools source package in Kinetic:
Fix Released
Bug description:
[Impact]
In some cases, a machine may not have access to the version of a package that we assume to be available in `pro fix`. The result is that `pro fix` says "CVE-1234 is resolved" after a successful `apt install` command, even though the version with the fix was not actually installed. This is a misleading message and may lead users to believe they are safe from the given CVE when they are not.
The fix is to check the local apt-cache before trying to install a
version to make sure that the candidate version is the one with the
fix applied. Only then do we proceed with the `apt install` and say
that the CVE is resolved.
[Test Case]
This will be covered by our full test run for u-a-t 27.14.
The specific test that covers this scenario can be inspected here:
https://github.com/canonical/ubuntu-pro-client/blob/27.14/features/fix.feature#L474
[Regression Potential]
The new code to prevent this situation is an additional check before attempting to install the update. If there is a mistake in the implementation, it could prevent `pro fix` from resolving CVEs that can be resolved.
[Original Description]
pro version: 27.13.3-18.01.1
When running:
sudo pro fix CVE-2023-0286
CVE-2023-0286: OpenSSL vulnerabilities
https://ubuntu.com/security/CVE-2023-0286
2 affected source packages are installed: openssl, openssl1.0
(1/2, 2/2) openssl, openssl1.0:
A fix is available in Ubuntu standard updates.
{ apt update && apt install --only-upgrade -y libssl1.0.0 libssl1.1 openssl }
✔ CVE-2023-0286 is resolved.
The last line states that the CVE is resolved, but when checking it via apt policy, it is still the old version:
apt policy openssl
openssl:
  Installed: 1.1.1-1ubuntu2.1~18.04.14
  Candidate: 1.1.1-1ubuntu2.1~18.04.14
  Version table:
 *** 1.1.1-1ubuntu2.1~18.04.14 500
        500 https://'an-outdated-ubuntu-mirror' bionic-updates/main amd64 Packages
(expected version is 1.1.1-1ubuntu2.1~18.04.21, from the
http://security.ubuntu.com/ubuntu bionic-security/main repository)
The reason the update did not work is that the repositories the
machine is subscribed to do not contain the fix.
The bug I want to file is the last line of the 'pro fix' command,
being ' ✔ CVE-2023-0286 is resolved.'
This (presumably) is stated there because the apt install command
was able to run successfully, but that does not mean the CVE is fixed
(in this case, I had no repository in my sources.list offering the
patch).
Suggestion to change that last line to: "❌ CVE-2023-0286 is not
resolved."
The reason for reporting this as a security issue is the false claim of
a fixed security vulnerability.