- Upgrades não assistidos não detectando a atualização de segurança do kernel do Linux por padrão

Question

- Upgrades não assistidos não detectando a atualização de segurança do kernel do Linux por padrão

#1 resposta do (4 votos)
#2 resposta do (1 votos)

6

(N.B no seguinte, substituí o domínio do meu provedor de hospedagem VPS por <my_hosting_provider> , para privacidade.)

Minha instância do Debian 9.3 "Stretch" está mostrando uma atualização do kernel disponível:

# apt list --upgradable -a
Listing... Done
linux-image-amd64/stable 4.9+80+deb9u3 amd64 [upgradable from: 4.9+80+deb9u2]
linux-image-amd64/stable,now 4.9+80+deb9u2 amd64 [installed,upgradable to: 4.9+80+deb9u3]

Acredito que 4.9+80+deb9u3 é igual a 4.9.65-3+deb9u2 , uma atualização de segurança recente do kernel destinada a abordar CVE-2017-5754 , também conhecido como .

A configuração padrão falha ao instalar a atualização de segurança do kernel

O conteúdo padrão de Unattended-Upgrade::Origins-Pattern em /etc/apt/apt.conf.d/50unattended-upgrades é:

Unattended-Upgrade::Origins-Pattern {
        "origin=Debian,codename=${distro_codename},label=Debian-Security";
};

Com essa configuração em vigor, a atualização de segurança do kernel não pode ser instalada:

# unattended-upgrades -v -d
Initial blacklisted packages: 
Initial whitelisted packages: 
Starting unattended upgrades script
Allowed origins are: ['origin=Debian,codename=stretch,label=Debian-Security']
Checking: linux-image-amd64 ([<Origin component:'main' archive:'stable' origin:'Debian' label:'Debian-Security' site:'mirror.<my_hosting_provider>.com' isTrusted:True>])
pkg 'firmware-linux-free' not in allowed origin
sanity check failed
pkgs that look like they should be upgraded: 
Fetched 0 B in 0s (0 B/s)                                                                                                                                               
fetch.run() result: 0
blacklist: []
whitelist: []
Packages that will be upgraded: 
InstCount=0 DelCount=0 BrokenCount=0
Extracting content from '/var/log/unattended-upgrades/unattended-upgrades-dpkg.log' since '2018-01-05 13:11:22'
Sending mail to 'root'
mail returned: 0

Configuração modificada instala a atualização de segurança do kernel

Se eu alterar Unattended-Upgrade::Origins-Pattern em /etc/apt/apt.conf.d/50unattended-upgrades para ler

Unattended-Upgrade::Origins-Pattern {
        "origin=Debian,codename=${distro_codename},label=Debian";
        "origin=Debian,codename=${distro_codename},label=Debian-Security";
};

a atualização de segurança é encontrada e instalada:

# unattended-upgrades -v -d
Initial blacklisted packages: 
Initial whitelisted packages: 
Starting unattended upgrades script
Allowed origins are: ['origin=Debian,codename=stretch,label=Debian', 'origin=Debian,codename=stretch,label=Debian-Security']
Checking: linux-image-amd64 ([<Origin component:'main' archive:'stable' origin:'Debian' label:'Debian-Security' site:'mirror.<my_hosting_provider>.com' isTrusted:True>])
pkgs that look like they should be upgraded: linux-image-amd64
Fetched 0 B in 0s (0 B/s)                                                                                                                                               
fetch.run() result: 0
<apt_pkg.AcquireItem object:Status: 2 Complete: 1 Local: 1 IsTrusted: 1 FileSize: 19196 DestFile:'/var/cache/apt/archives/firmware-linux-free_3.4_all.deb' DescURI: 'http://mirror.<my_hosting_provider>.com/debian/pool/main/f/firmware-free/firmware-linux-free_3.4_all.deb' ID:0 ErrorText: ''>
check_conffile_prompt('/var/cache/apt/archives/firmware-linux-free_3.4_all.deb')
No conffiles in deb '/var/cache/apt/archives/firmware-linux-free_3.4_all.deb' (There is no member named 'conffiles')
<apt_pkg.AcquireItem object:Status: 2 Complete: 1 Local: 1 IsTrusted: 1 FileSize: 33252 DestFile:'/var/cache/apt/archives/libnuma1_2.0.11-2.1_amd64.deb' DescURI: 'http://mirror.<my_hosting_provider>.com/debian/pool/main/n/numactl/libnuma1_2.0.11-2.1_amd64.deb' ID:0 ErrorText: ''>
check_conffile_prompt('/var/cache/apt/archives/libnuma1_2.0.11-2.1_amd64.deb')
No conffiles in deb '/var/cache/apt/archives/libnuma1_2.0.11-2.1_amd64.deb' (There is no member named 'conffiles')
<apt_pkg.AcquireItem object:Status: 2 Complete: 1 Local: 1 IsTrusted: 1 FileSize: 38768102 DestFile:'/var/cache/apt/archives/linux-image-4.9.0-5-amd64_4.9.65-3+deb9u2_amd64.deb' DescURI: 'http://mirror.<my_hosting_provider>.com/debian-security/pool/updates/main/l/linux/linux-image-4.9.0-5-amd64_4.9.65-3+deb9u2_amd64.deb' ID:0 ErrorText: ''>
check_conffile_prompt('/var/cache/apt/archives/linux-image-4.9.0-5-amd64_4.9.65-3+deb9u2_amd64.deb')
No conffiles in deb '/var/cache/apt/archives/linux-image-4.9.0-5-amd64_4.9.65-3+deb9u2_amd64.deb' (There is no member named 'conffiles')
<apt_pkg.AcquireItem object:Status: 2 Complete: 1 Local: 1 IsTrusted: 1 FileSize: 6994 DestFile:'/var/cache/apt/archives/linux-image-amd64_4.9+80+deb9u3_amd64.deb' DescURI: 'http://mirror.<my_hosting_provider>.com/debian-security/pool/updates/main/l/linux-latest/linux-image-amd64_4.9+80+deb9u3_amd64.deb' ID:0 ErrorText: ''>
check_conffile_prompt('/var/cache/apt/archives/linux-image-amd64_4.9+80+deb9u3_amd64.deb')
found pkg: linux-image-amd64
No conffiles in deb '/var/cache/apt/archives/linux-image-amd64_4.9+80+deb9u3_amd64.deb' (There is no member named 'conffiles')
<apt_pkg.AcquireItem object:Status: 2 Complete: 1 Local: 1 IsTrusted: 1 FileSize: 40396 DestFile:'/var/cache/apt/archives/irqbalance_1.1.0-2.3_amd64.deb' DescURI: 'http://mirror.<my_hosting_provider>.com/debian/pool/main/i/irqbalance/irqbalance_1.1.0-2.3_amd64.deb' ID:0 ErrorText: ''>
check_conffile_prompt('/var/cache/apt/archives/irqbalance_1.1.0-2.3_amd64.deb')
blacklist: []
whitelist: []
Packages that will be upgraded: linux-image-amd64
Writing dpkg log to '/var/log/unattended-upgrades/unattended-upgrades-dpkg.log'
apt-listchanges: Reading changelogs...
Preconfiguring packages ...
Selecting previously unselected package firmware-linux-free.
(Reading database ... 45465 files and directories currently installed.)
Preparing to unpack .../firmware-linux-free_3.4_all.deb ...
Unpacking firmware-linux-free (3.4) ...
Selecting previously unselected package libnuma1:amd64.
Preparing to unpack .../libnuma1_2.0.11-2.1_amd64.deb ...
Unpacking libnuma1:amd64 (2.0.11-2.1) ...
Selecting previously unselected package linux-image-4.9.0-5-amd64.
Preparing to unpack .../linux-image-4.9.0-5-amd64_4.9.65-3+deb9u2_amd64.deb ...
Unpacking linux-image-4.9.0-5-amd64 (4.9.65-3+deb9u2) ...
Preparing to unpack .../linux-image-amd64_4.9+80+deb9u3_amd64.deb ...
Unpacking linux-image-amd64 (4.9+80+deb9u3) over (4.9+80+deb9u2) ...
Selecting previously unselected package irqbalance.
Preparing to unpack .../irqbalance_1.1.0-2.3_amd64.deb ...
Unpacking irqbalance (1.1.0-2.3) ...
Setting up libnuma1:amd64 (2.0.11-2.1) ...
Setting up linux-image-4.9.0-5-amd64 (4.9.65-3+deb9u2) ...
I: /vmlinuz.old is now a symlink to boot/vmlinuz-4.9.0-4-amd64
I: /initrd.img.old is now a symlink to boot/initrd.img-4.9.0-4-amd64
I: /vmlinuz is now a symlink to boot/vmlinuz-4.9.0-5-amd64
I: /initrd.img is now a symlink to boot/initrd.img-4.9.0-5-amd64
/etc/kernel/postinst.d/initramfs-tools:
update-initramfs: Generating /boot/initrd.img-4.9.0-5-amd64
/etc/kernel/postinst.d/zz-update-grub:
Generating grub configuration file ...
Found linux image: /boot/vmlinuz-4.9.0-5-amd64
Found initrd image: /boot/initrd.img-4.9.0-5-amd64
Found linux image: /boot/vmlinuz-4.9.0-4-amd64
Found initrd image: /boot/initrd.img-4.9.0-4-amd64
Found linux image: /boot/vmlinuz-4.9.0-3-amd64
Found initrd image: /boot/initrd.img-4.9.0-3-amd64
done
Setting up linux-image-amd64 (4.9+80+deb9u3) ...
Processing triggers for libc-bin (2.24-11+deb9u1) ...
Processing triggers for systemd (232-25+deb9u1) ...
Setting up firmware-linux-free (3.4) ...
update-initramfs: deferring update (trigger activated)
Processing triggers for man-db (2.7.6.1-2) ...
Setting up irqbalance (1.1.0-2.3) ...
Processing triggers for initramfs-tools (0.130) ...
update-initramfs: Generating /boot/initrd.img-4.9.0-5-amd64
Processing triggers for systemd (232-25+deb9u1) ...
All upgrades installed
InstCount=0 DelCount=0 BrokenCount=0
Extracting content from '/var/log/unattended-upgrades/unattended-upgrades-dpkg.log' since '2018-01-05 13:24:35'
Sending mail to 'root'
mail returned: 0
Found /var/run/reboot-required, rebooting

Perguntas

Em relação à falha em instalar atualizações de segurança com a configuração padrão, eu devo registrar um bug em alguma parte da Debian, ou foi o comportamento esperado (e se foi, por que)?
Eu só quero que unattended-upgrades realize atualizações de segurança. Como posso conseguir isso, já que a configuração padrão não foi bem sucedida?

security unattended-upgrades debian linux-kernel

por sampablokuper 05.01.2018 / 15:04

2 respostas

1

Com trechos, atualizações autônomas são iniciadas apenas entre as 6h e as 7h. Do arquivo NEWS do pacote apt:

apt (1.4.2) unstable; urgency=medium

If periodic updates and unattended upgrades are enabled, the start of periodic updates are now distributed over 24 hour intervals (as in 1.2 to 1.4), whereas starting unattended-upgrade has been restricted to a time between 6 and 7 am. This only affects systems using systemd, other systems still use the classical hourly cron job.

-- Julian Andres Klode Thu, 04 May 2017 22:54:02 +0200

por 04.08.2018 / 20:25

Tags security unattended-upgrades debian linux-kernel

Evitar que o KDE e o Gnome mostrem ícones uns aos outros no menu Executa um arquivo em um aplicativo baseado na extensão do arquivo no bash

score 4 · Accepted Answer

Com base no feedback nos comentários acima, isso parece ser um bug.

Um relatório de bug correspondente foi arquivado aqui .