Package: apt
Version: 1.0.9.8.3
Severity: important
Tags: security

Hey.

Actually the following may be rather an issue in monitoring-plugins-basic’s
check_apt, please re-assign straight away if you think so.

What I have is basically jessie systems, with backports enabled, using
apt-preferences like this:

Explanation: “Disable” all packages from Debian’s jessie-backports*-family of suites.
Package: *
Pin: release o=Debian Backports,a=jessie-backports*
Pin-Priority: 1

Explanation: “Enable” some OpenJDK 8 package and its dependencies from Debian’s jessie-backports*-family of suites.
Package: openjdk-8-jre openjdk-8-jre-headless openjdk-8-jre-jamvm openjdk-8-jre-zero openjdk-8-jdk openjdk-8-jdk-headless openjdk-8-doc
Pin: release o=Debian Backports,a=jessie-backports*
Pin-Priority: 500

to pull in OpenJDK8.

OpenJDK8 recently got openjdk-8-jre-headless added as dependency, so during
the upgrade this would need to be freshly installed.

aptitude, e.g. shows:

# aptitude upgrade
Resolving dependencies...
The following NEW packages will be installed:
  openjdk-8-jdk-headless{a}
The following packages will be upgraded:
  openjdk-8-jdk openjdk-8-jre openjdk-8-jre-headless openjdk-8-jre-jamvm openjdk-8-jre-zero
The following packages are RECOMMENDED but will NOT be installed:
  libgconf2-4 libgnome2-0 libgnomevfs2-0 libxt-dev
5 packages upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 38,0 MB of archives. After unpacking 140 kB will be used.

So it would do as expected.

apt however, doesn't upgrade:

# apt-get upgrade
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade...
The following packages were automatically installed and are no longer required:
  cmake-curses-gui cmake-doc dbus-1-doc default-jdk-doc efibootmgr flex-doc
  gnutls-doc grub-coreboot-bin grub-efi-amd64-bin grub-efi-ia32-bin
  grub-ieee1275-bin grub-xen-bin iptables-persistent jvm-7-avian-jre
  krb5-pkinit lbzip2 libasn1-8-heimdal libefivar0 libgssapi3-heimdal
  libhcrypto4-heimdal libheimbase1-heimdal libheimntlm0-heimdal
  libhx509-5-heimdal libjs-sphinxdoc libkrb5-26-heimdal libroken18-heimdal
  libwind0-heimdal lunzip m4-doc openjdk-7-doc openjdk-7-jre-dcevm
  openjdk-7-jre-zero openjdk-8-doc openjdk-8-jre-zero openssh-blacklist
  openssh-blacklist-extra openssl-blacklist-extra pigz pixz policykit-1-doc
  tar-doc udisks2-doc unace-nonfree unrar-free wdiff-doc xzdec zp
Use 'apt-get autoremove' to remove them.
Done
The following packages have been kept back:
  openjdk-8-jdk openjdk-8-jre openjdk-8-jre-headless openjdk-8-jre-jamvm openjdk-8-jre-zero
0 upgraded, 0 newly installed, 0 to remove and 5 not upgraded.

even though the policy would say it should, e.g.:

# apt-cache policy openjdk-8-jdk
openjdk-8-jdk:
  Installed: 8u72-b15-1~bpo8+1
  Candidate: 8u91-b14-1~bpo8+1
  Package pin: 8u91-b14-1~bpo8+1
  Version table:
     8u91-b14-1~bpo8+1 500
          1 http://debian.mirror.lrz.de/debian/ jessie-backports/main amd64 Packages
 *** 8u72-b15-1~bpo8+1 500
        100 /var/lib/dpkg/status

with a dist-upgrade, things would be upgraded however:

# aptitude dist-upgrade
The following NEW packages will be installed:
  openjdk-8-jdk-headless{a}
The following packages will be upgraded:
  openjdk-8-jdk openjdk-8-jre openjdk-8-jre-headless openjdk-8-jre-jamvm openjdk-8-jre-zero
The following packages are RECOMMENDED but will NOT be installed:
  libgconf2-4 libgnome2-0 libgnomevfs2-0 libxt-dev
5 packages upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 38,0 MB of archives. After unpacking 140 kB will be used.

I'd guess that the check_apt Icinga/Nagios check uses apt-get upgrade to look
for upgradable packages, because it returns:

# /usr/lib/nagios/plugins/check_apt
APT OK: 0 packages available for upgrade (0 critical updates). |available_upgrades=0;;;0 critical_updates=0;;;0

Which is bad of course, and the security problem here.

So either, this is an issue in apt, not proposing to do these upgrades on
"upgrade", or an issue in check_apt, using the wrong thing to find out on
upgradeable packages.

Cheers,
Chris.

-- Package-specific info:

-- (no /etc/apt/preferences present) --

-- (/etc/apt/sources.list present, but not submitted) --

-- System Information:
Debian Release: 8.5
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/16 CPU cores)
Locale: LANG=en_DE.UTF-8, LC_CTYPE=en_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages apt depends on:
ii  debian-archive-keyring  2014.3
ii  gnupg                   1.4.18-7+deb8u1
ii  libapt-pkg4.12          1.0.9.8.3
ii  libc6                   2.19-18+deb8u4
ii  libgcc1                 1:4.9.2-10
ii  libstdc++6              4.9.2-10

apt recommends no packages.

Versions of packages apt suggests:
ii  apt-doc     1.0.9.8.3
ii  aptitude    0.6.11-1+b1
ii  dpkg-dev    1.17.27
ii  python-apt  0.9.3.12

-- no debconf information
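Added example, not part of the original report and not check_apt's own code: a monitoring-side parser that treats packages listed as "kept back" by apt-get upgrade as pending updates instead of reporting OK. The function names are hypothetical, the sample output is constructed from the output quoted in the report, and English (LC_ALL=C) apt-get output is assumed.

```python
import re

# Constructed sample, shaped like the `apt-get upgrade` output in the report
# (the autoremove list is omitted).
SAMPLE = """\
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
The following packages have been kept back:
  openjdk-8-jdk openjdk-8-jre openjdk-8-jre-headless openjdk-8-jre-jamvm
  openjdk-8-jre-zero
0 upgraded, 0 newly installed, 0 to remove and 5 not upgraded.
"""

KEPT_HEADER = "The following packages have been kept back:"
SUMMARY = re.compile(r"(\d+) upgraded, (\d+) newly installed, "
                     r"(\d+) to remove and (\d+) not upgraded")

def parse_upgrade_output(text):
    """Return (kept_back_packages, upgraded_count, not_upgraded_count)."""
    kept, in_kept, upgraded, not_upgraded = [], False, 0, 0
    for line in text.splitlines():
        if line.strip() == KEPT_HEADER:
            in_kept = True
        elif in_kept and line[:1].isspace():
            kept.extend(line.split())   # indented lines carry package names
        else:
            in_kept = False             # first unindented line ends the section
            m = SUMMARY.search(line)
            if m:
                upgraded, not_upgraded = int(m.group(1)), int(m.group(4))
    return kept, upgraded, not_upgraded

def check(text):
    """Nagios-style (exit_code, message): 0 = OK, 1 = WARNING."""
    kept, upgraded, not_upgraded = parse_upgrade_output(text)
    held = max(len(kept), not_upgraded)  # trust whichever count is larger
    if upgraded == 0 and held == 0:
        return 0, "APT OK: nothing pending"
    return 1, "APT WARNING: %d upgradable, %d kept back: %s" % (
        upgraded, held, " ".join(kept))

if __name__ == "__main__":
    code, msg = check(SAMPLE)
    print(msg)
    raise SystemExit(code)
```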