Dev1 Galaxy Forum / [SOLVED] Security update delays

Re: [SOLVED] Security update delays

dummy@example.com (Marjorie) — Sun, 14 Jun 2020 09:20:57 +0000

Maybe working again?

On my mail-server unattended-upgrades (beowulf-security updates only) downloaded an intel-microcode package at 03:45 BST.

Unattended upgrade result: All upgrades installed 

Packages that were upgraded:
 intel-microcode 

Package installation log:
Log started: 2020-06-14  03:45:13
apt-listchanges: Reading changelogs...
Preparing to unpack .../intel-microcode_3.20200609.2~deb10u1_amd64.deb ...
Unpacking intel-microcode (3.20200609.2~deb10u1) over (3.20191115.2~deb10u1) ...
Setting up intel-microcode (3.20200609.2~deb10u1) ...
update-initramfs: deferring update (trigger activated)
intel-microcode: microcode will be updated at next boot
Processing triggers for initramfs-tools (0.133+deb10u1) ...
update-initramfs: Generating /boot/initrd.img-4.19.0-9-amd64
Log ended: 2020-06-14  03:45:24

Unattended-upgrades log:
Enabled logging to syslog via daemon facility 
Initial blacklist : 
Initial whitelist: 
Starting unattended upgrades script
Allowed origins are: o=Devuan,n=beowulf-security
Packages that will be upgraded: intel-microcode
Writing dpkg log to /var/log/unattended-upgrades/unattended-upgrades-dpkg.log
All upgrades installed

Re: [SOLVED] Security update delays

dummy@example.com (fsmithred) — Sat, 13 Jun 2020 22:45:04 +0000

Thanks. For some reason, security updates on pkgmaster are going to *-proposed-updates. We're not yet sure why. Until then you can add ascii-proposed-updates or beowulf-proposed-updtates, whichever is appropriate.

e.g.

deb http://deb.devuan.org/merged ascii-proposed-updates main contrib non-free

Re: [SOLVED] Security update delays

dummy@example.com (pcalvert) — Sat, 13 Jun 2020 04:31:45 +0000

I found some evidence that this problem is back (or maybe it's a new, but related problem):

DSA-4701-1 intel-microcode -- security update
[Date Reported: 11 Jun 2020]

The update hasn't shown up for me yet, so I did some checking:

$ apt policy intel-microcode
intel-microcode:
  Installed: (none)
  Candidate: 3.20200609.2~deb9u1
  Version table:
     3.20200609.2~deb9u1 500
        500 http://deb.devuan.org/merged ascii-security/non-free i386 Packages
     3.20191115.2~deb9u1 500
        500 http://deb.devuan.org/merged ascii/non-free i386 Packages

When I first looked at that, I was a little confused. And then I remembered that I am using a 64-bit kernel (it's a multi-arch system).

So I checked again:

$ apt policy intel-microcode:amd64
intel-microcode:amd64:
  Installed: 3.20191115.2~deb9u1
  Candidate: 3.20191115.2~deb9u1
  Version table:
 *** 3.20191115.2~deb9u1 500
        500 http://deb.devuan.org/merged ascii/non-free amd64 Packages
        500 http://deb.devuan.org/merged ascii-security/non-free amd64 Packages
        100 /var/lib/dpkg/status

Okay, so that explains (partially) why I am not seeing the update. I then wondered, "Is this a Devuan problem, or is the problem on Debian's end?" To help answer that question, I added the repository for Debian Stretch security updates.

And here's the result that gave me:

$ apt policy intel-microcode:amd64
intel-microcode:amd64:
  Installed: 3.20191115.2~deb9u1
  Candidate: 3.20200609.2~deb9u1
  Version table:
     3.20200609.2~deb9u1 500
        500 http://deb.debian.org/debian-security stretch/updates/non-free amd64 Packages
 *** 3.20191115.2~deb9u1 500
        500 http://deb.devuan.org/merged ascii/non-free amd64 Packages
        500 http://deb.devuan.org/merged ascii-security/non-free amd64 Packages
        100 /var/lib/dpkg/status

That tells me that the problem is not on Debian's end.

Phil

Re: [SOLVED] Security update delays

dummy@example.com (fsmithred) — Fri, 10 Jan 2020 01:21:48 +0000

This (below) is a different problem. The security update delays have been fixed. The problem you're seeing here is the reason we recommend using the codenames in sources.list.

ascii is stretch
beowulf is buster

stable is not the same release in debian and devuan right now. They will be the same again when beowulf is released. Until debian moves to their next release.

anonymous wrote:

devuan
$ apt policy firefox-esr
firefox-esr:
Installed: 68.3.0esr-1~deb9u1
Candidate: 68.3.0esr-1~deb9u1
Version table:
*** 68.3.0esr-1~deb9u1 500
500 http://deb.devuan.org/merged ascii-security/main amd64 Packages
100 /var/lib/dpkg/status
60.7.1esr-1~deb9u1 500
500 http://deb.devuan.org/merged ascii-updates/main amd64 Packages
60.6.3esr-1~deb9u1 500
500 http://deb.devuan.org/merged ascii/main amd64 Packages
-------------------------------------
debian:
firefox-esr:
Installed: 68.4.1esr-1~deb10u1
Candidate: 68.4.1esr-1~deb10u1
Version table:
*** 68.4.1esr-1~deb10u1 500
500 http://deb.debian.org/debian-security stable/updates/main amd64 Packages
100 /var/lib/dpkg/status
68.2.0esr-1~deb10u1 500
500 http://deb.debian.org/debian stable/main amd64 Packages

devuan (beowulf)

firefox-esr:
  Installed: 68.3.0esr-1~deb10u1
  Candidate: 68.4.1esr-1~deb10u1
  Version table:
     68.4.1esr-1~deb10u1 500
        500 http://pkgmaster.devuan.org/merged beowulf-security/main amd64 Packages

Re: [SOLVED] Security update delays

dummy@example.com (anonymous) — Thu, 09 Jan 2020 15:41:04 +0000

devuan

$ apt policy firefox-esr
firefox-esr:
Installed: 68.3.0esr-1~deb9u1
Candidate: 68.3.0esr-1~deb9u1
Version table:
*** 68.3.0esr-1~deb9u1 500
500 http://deb.devuan.org/merged ascii-security/main amd64 Packages
100 /var/lib/dpkg/status
60.7.1esr-1~deb9u1 500
500 http://deb.devuan.org/merged ascii-updates/main amd64 Packages
60.6.3esr-1~deb9u1 500
500 http://deb.devuan.org/merged ascii/main amd64 Packages
-------------------------------------

debian:

firefox-esr:
Installed: 68.4.1esr-1~deb10u1
Candidate: 68.4.1esr-1~deb10u1
Version table:
*** 68.4.1esr-1~deb10u1 500
500 http://deb.debian.org/debian-security stable/updates/main amd64 Packages
100 /var/lib/dpkg/status
68.2.0esr-1~deb10u1 500
500 http://deb.debian.org/debian stable/main amd64 Packages

Re: [SOLVED] Security update delays

dummy@example.com (Marjorie) — Sun, 14 Jul 2019 12:59:17 +0000

Firefox-esr 60.8.0esr-1~deb9u1 hit the gb.deb.devuan.org/merged archive sometime before 2019-07-14 13:12:27 +0100 as that was when my unattended upgrades program downloaded it.

Both the previous Firefox-esr secuirty 60.7.1 and 60.7.2 security updates also downloaded shortly after Debian put them in their stable archive (though they hit Debian experimental and then testing sooner). I see no problem here.

Any idea when we might expect to see Firefox-esr 68 on ascii? I understand there will be another 2 months of security updates still to come on 60 before it becomes unsupported which implies it might be best to have a backpost before Beowulf becomes our new stable.

Re: [SOLVED] Security update delays

dummy@example.com (fsmithred) — Sun, 14 Jul 2019 11:14:05 +0000

yeti wrote:

I was lazy and now have 2 repositories in my sources list.
If this is a bad idea, please someone enlighten me...

I see only devuan and ascii in your sources. You're safe. If you started adding non-devuan or non-ascii sources, you could run into problems. Without pinning, apt will take the highest available version, so right now, if you installed/upgraded firefox-esr, you'd get 60.8 from ascii-security on auto.mirror, because that's a higher version than what's in deb.devuan.

But that will change in a few minutes or a couple hours. Repo is updating again. (Thanks, Ralph.)

I'm not marking the thread as Solved this time. Let's wait and see what happens.

Re: [SOLVED] Security update delays

dummy@example.com (yeti) — Sun, 14 Jul 2019 10:55:19 +0000

I was lazy and now have 2 repositories in my sources list.
If this is a bad idea, please someone enlighten me...

$ apt policy firefox-esr
firefox-esr:
  Installed: (none)
  Candidate: 60.8.0esr-1~deb9u1
  Version table:
     60.8.0esr-1~deb9u1 500
        500 http://auto.mirror.devuan.org/merged ascii-security/main armhf Packages
     60.7.2esr-1~deb9u1 500
        500 http://deb.devuan.org/merged ascii-security/main armhf Packages
     60.6.3esr-1~deb9u1 500
        500 http://deb.devuan.org/merged ascii-updates/main armhf Packages
        500 http://auto.mirror.devuan.org/merged ascii-updates/main armhf Packages
     60.6.1esr-1~deb9u1 500
        500 http://deb.devuan.org/merged ascii/main armhf Packages
        500 http://auto.mirror.devuan.org/merged ascii/main armhf Packages

Re: [SOLVED] Security update delays

dummy@example.com (pcalvert) — Sun, 14 Jul 2019 02:16:50 +0000

My results:

$ apt policy firefox-esr
firefox-esr:
  Installed: 60.7.2esr-1~deb9u1
  Candidate: 60.7.2esr-1~deb9u1
  Version table:
 *** 60.7.2esr-1~deb9u1 500
        500 http://deb.devuan.org/merged ascii-security/main i386 Packages
        100 /var/lib/dpkg/status
     60.6.3esr-1~deb9u1 500
        500 http://deb.devuan.org/merged ascii-updates/main i386 Packages
     60.6.1esr-1~deb9u1 500
        500 http://deb.devuan.org/merged ascii/main i386 Packages

Debian Stretch version: 60.8.0esr-1~deb9u1

Phil

Re: [SOLVED] Security update delays

dummy@example.com (anonymous) — Sat, 13 Jul 2019 16:52:55 +0000

AGAIN waiting for firefox-esr security update....

https://security-tracker.debian.org/tracker/firefox-esr

stretch (security) 60.8.0esr-1~deb9u1

------------

ascii devuan (64bit) in apt policy firefox-esr still has

NOT UPDATED

Re: [SOLVED] Security update delays

dummy@example.com (pcalvert) — Mon, 24 Jun 2019 22:25:40 +0000

Update: The problem seems to have been fixed.

$ apt policy firefox-esr
firefox-esr:
  Installed: 60.7.1esr-1~deb9u1
  Candidate: 60.7.1esr-1~deb9u1
  Version table:
 *** 60.7.1esr-1~deb9u1 500
        500 http://deb.devuan.org/merged ascii-security/main i386 Packages
        100 /var/lib/dpkg/status
     60.6.3esr-1~deb9u1 500
        500 http://deb.devuan.org/merged ascii-updates/main i386 Packages
     60.6.1esr-1~deb9u1 500
        500 http://deb.devuan.org/merged ascii/main i386 Packages

Phil

Re: [SOLVED] Security update delays

dummy@example.com (Ogis1975) — Wed, 19 Jun 2019 13:14:12 +0000

fsmithred wrote:

Here's the explanation that was posted on devuan-dev mailing list yesterday. (The script failed if there was a read timeout.)

Thanks for the answer.

Re: [SOLVED] Security update delays

dummy@example.com (fsmithred) — Wed, 19 Jun 2019 11:58:29 +0000

Adjusted the subject line again.
Reported the issue again.

Stay tuned...

fsr

Re: [SOLVED] Security update delays

dummy@example.com (anonymous) — Wed, 19 Jun 2019 09:27:12 +0000

waiting for firefox-esr security update....

https://security-tracker.debian.org/tra … irefox-esr

stretch (security) 60.7.1esr-1~deb9u1

------------

devuan (64bit) in apt policy firefox-esr still has

ascii 60.7.0esr-1~deb9u1(candidate) (edited -> 60.6.1esr-1~deb9u1)

refreshing...

Re: [SOLVED] Security update delays

dummy@example.com (fsmithred) — Tue, 18 Jun 2019 14:40:59 +0000

Ogis1975 wrote:

I'm sorry, but i want to ask. Why do such delays happen?

Here's the explanation that was posted on devuan-dev mailing list yesterday. (The script failed if there was a read timeout.)

Picked this up today. The issue was an unhandled exception in net.py.
I've pushed a fix to Gitlab[0] and applied this in production for both
pkgmaster.do and packages.do.
[0] https://git.devuan.org/devuan-infrastru … a8252eb85f
The amprolla logs[1] are there for a reason
Just grep it for 'ERR' to see what's wrong.
[1] https://pkgmaster.devuan.org/amprolla.txt

Edit: Phil, I changed the subject line in your original post to 'Solved'. If that's wrong, please let me know. (squeeky wheel law)