
group.of.nepali.translators team mailing list archive

[Bug 2006705] Re: Ubuntu pro reports CVE falsely as fixed

 

This bug was fixed in the package ubuntu-advantage-tools - 27.14.4~20.04

---------------
ubuntu-advantage-tools (27.14.4~20.04) focal; urgency=medium

  * Backport new upstream release: (LP: #2011477) to focal

ubuntu-advantage-tools (27.14.4) lunar; urgency=medium

  * timer: disable update_contract_info job (LP: #2015302)
  * livepatch: prevent livepatch from auto-enabling and subsequently failing
    on non-amd64 systems (LP: #2015241)

ubuntu-advantage-tools (27.14.3) lunar; urgency=medium

  * livepatch: prevent livepatch from auto-enabling and subsequently failing
    on interim releases (LP: #2013409)

ubuntu-advantage-tools (27.14.2~23.04.1) lunar; urgency=medium

  * status:
    - always use dpkg instead of lscpu for fetching architecture
      information (LP: #2012735)

ubuntu-advantage-tools (27.14.1~23.04.1) lunar; urgency=medium

  * New upstream release 27.14.1
    - apt: fix a configuration leak in the apt.get_pkg_candidate_version
      function (LP: #2012642)

ubuntu-advantage-tools (27.14~23.04.1) lunar; urgency=medium

  * d/ubuntu-advantage-tools.{postinst,postrm,preinst}:
    - migrate certain settings out of uaclient.conf to a new file managed by
      the pro config subcommand (LP: #2004280)
  * d/ubuntu-advantage-tools.postinst:
    - refactor PREVIOUS_PKG_VER as a global variable
    - simplify how we add notices
  * New upstream release 27.14 (LP: #2011477)
    - api: new u.unattended_upgrades.status.v1 endpoint for querying status of
      unattended upgrades
    - apt:
      + remove legacy apt-hook
      + deliver json apt-hook for interim releases
      + fix cloud identification logic in json apt-hook
      + make all calls to esm-cache isolated from system configuration
        (LP: #2008280)
      + only set up the esm cache on supported systems (LP: #2004018)
    - fix:
      + format the output to be more readable (LP: #1926182)
      + add option to attach during a fix without a token
      + verify if fixed version can be installed before trying (LP: #2006705)
    - livepatch: show warning if current kernel is not supported
    - locks: alert user about corrupted lock files (LP: #1996931)
    - logging: logs are now formatted as jsonlines
    - motd: remove esm-apps announcement
    - notices: new representation on disk as separate files (LP: #1987738)
    - realtime: remove ubuntu-realtime package on disablement
    - status:
      + removed contract info update check network call
      + no longer includes warnings about notices when non-root (LP: #2006138)
      + unattached status sends virt type to contract server for better
        resource availability calculation
    - timer jobs: add daily job to check for contract updates
    - yaml: always import distro-provided pyyaml (LP: #2007234, LP: #2007241)

 -- Renan Rodrigo <renanrodrigo@xxxxxxxxxxxxx>  Thu, 06 Apr 2023 10:48:25 -0300

** Changed in: ubuntu-advantage-tools (Ubuntu Jammy)
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/2006705

Title:
  Ubuntu pro reports CVE falsely as fixed

Status in ubuntu-advantage-tools package in Ubuntu:
  Fix Released
Status in ubuntu-advantage-tools source package in Xenial:
  Fix Released
Status in ubuntu-advantage-tools source package in Bionic:
  Fix Released
Status in ubuntu-advantage-tools source package in Focal:
  Fix Released
Status in ubuntu-advantage-tools source package in Jammy:
  Fix Released
Status in ubuntu-advantage-tools source package in Kinetic:
  Fix Released

Bug description:
  [Impact]
  In some cases, a machine may not have access to the version of a package that we assume to be available in `pro fix`. The result is that `pro fix` says "CVE-1234 is resolved" after a successful `apt install` command, even though the version with the fix was not actually installed. This is a misleading message and may lead users to believe they are safe from the given CVE when they are not.

  The fix is to check the local apt-cache before trying to install a
  version to make sure that the candidate version is the one with the
  fix applied. Only then do we proceed with the `apt install` and say
  that the CVE is resolved.

  [Test Case]
  This will be covered by our full test run for u-a-t 27.14.
  The specific test that covers this scenario can be inspected here:
  https://github.com/canonical/ubuntu-pro-client/blob/27.14/features/fix.feature#L474

  [Regression Potential]
  The new code to prevent this situation is an additional check before attempting to install the update. If there is a mistake in the implementation, it could prevent `pro fix` from resolving CVEs that can be resolved.

  [Original Description]

  pro version: 27.13.3-18.01.1

  When running:
      sudo pro fix CVE-2023-0286
      CVE-2023-0286: OpenSSL vulnerabilities
      https://ubuntu.com/security/CVE-2023-0286
      2 affected source packages are installed: openssl, openssl1.0
      (1/2, 2/2) openssl, openssl1.0:
      A fix is available in Ubuntu standard updates.
      { apt update && apt install --only-upgrade -y libssl1.0.0 libssl1.1 openssl }
      ✔ CVE-2023-0286 is resolved.

  The last line states that the CVE is resolved, but when checking it via apt policy, it is still the old version:
      apt policy openssl
      openssl:
        Installed: 1.1.1-1ubuntu2.1~18.04.14
        Candidate: 1.1.1-1ubuntu2.1~18.04.14
        Version table:
       *** 1.1.1-1ubuntu2.1~18.04.14 500
          500 https://'an-outdated-ubuntu-mirror' bionic-updates/main amd64 Packages

  (expected version is 1.1.1-1ubuntu2.1~18.04.21, from the
  http://security.ubuntu.com/ubuntu bionic-security/main repository)

  Reason for the update not working is because the repositories the
  machine is subscribed to do not contain the fix.

  The bug I want to file is the last line of the 'pro fix' command,
  being ' ✔ CVE-2023-0286 is resolved.'

  This (presumably) is stated there because the apt install command
  successfully was able to run, but that does not mean the CVE is fixed
  (in this case, I had no repository in my sources.list offering the
  patch).

  Suggestion to change that last line to: "❌ CVE-2023-0286 is not
  resolved."

  Reason for reporting this as a security issue is the false claiming of
  a fixed security vulnerability.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/2006705/+subscriptions