
Bug#827757: apt-get upgrade doesn't want to upgrade packages in need of an upgrade



Package: apt
Version: 1.0.9.8.3
Severity: important
Tags: security

Hey.

Actually the following may be rather an issue in
monitoring-plugins-basic’s check_apt, please re-assign straight away if you think so.


What I have is basically jessie systems, with backports enabled, using
apt-preferences like this:
Explanation: “Disable” all packages from Debian’s jessie-backports*-family of suites.
Package: *
Pin: release o=Debian Backports,a=jessie-backports*
Pin-Priority: 1

Explanation: “Enable” some OpenJDK 8 package and its dependencies from Debian’s jessie-backports*-family of suites.
Package: openjdk-8-jre openjdk-8-jre-headless openjdk-8-jre-jamvm openjdk-8-jre-zero openjdk-8-jdk openjdk-8-jdk-headless openjdk-8-doc
Pin: release o=Debian Backports,a=jessie-backports*
Pin-Priority: 500

to pull in OpenJDK8.

OpenJDK8 recently got openjdk-8-jre-headless added as dependency, so
during the upgrade this would need to be freshly installed.

aptitude, e.g. shows:
# aptitude upgrade
Resolving dependencies...                
The following NEW packages will be installed:
  openjdk-8-jdk-headless{a} 
The following packages will be upgraded:
  openjdk-8-jdk openjdk-8-jre openjdk-8-jre-headless openjdk-8-jre-jamvm openjdk-8-jre-zero
The following packages are RECOMMENDED but will NOT be installed:
  libgconf2-4 libgnome2-0 libgnomevfs2-0 libxt-dev 
5 packages upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 38,0 MB of archives. After unpacking 140 kB will be used.


So it would do as expected.

apt, however, doesn't upgrade:
# apt-get upgrade
Reading package lists... Done
Building dependency tree       
Reading state information... Done
Calculating upgrade... The following packages were automatically installed and are no longer required:
  cmake-curses-gui cmake-doc dbus-1-doc default-jdk-doc efibootmgr flex-doc gnutls-doc grub-coreboot-bin grub-efi-amd64-bin grub-efi-ia32-bin grub-ieee1275-bin grub-xen-bin
  iptables-persistent jvm-7-avian-jre krb5-pkinit lbzip2 libasn1-8-heimdal libefivar0 libgssapi3-heimdal libhcrypto4-heimdal libheimbase1-heimdal libheimntlm0-heimdal libhx509-5-heimdal
  libjs-sphinxdoc libkrb5-26-heimdal libroken18-heimdal libwind0-heimdal lunzip m4-doc openjdk-7-doc openjdk-7-jre-dcevm openjdk-7-jre-zero openjdk-8-doc openjdk-8-jre-zero
  openssh-blacklist openssh-blacklist-extra openssl-blacklist-extra pigz pixz policykit-1-doc tar-doc udisks2-doc unace-nonfree unrar-free wdiff-doc xzdec zp
Use 'apt-get autoremove' to remove them.
Done
The following packages have been kept back:
  openjdk-8-jdk openjdk-8-jre openjdk-8-jre-headless openjdk-8-jre-jamvm openjdk-8-jre-zero
0 upgraded, 0 newly installed, 0 to remove and 5 not upgraded.


even though the policy would say it should, e.g.:
# apt-cache policy openjdk-8-jdk
openjdk-8-jdk:
  Installed: 8u72-b15-1~bpo8+1
  Candidate: 8u91-b14-1~bpo8+1
  Package pin: 8u91-b14-1~bpo8+1
  Version table:
     8u91-b14-1~bpo8+1 500
          1 http://debian.mirror.lrz.de/debian/ jessie-backports/main amd64 Packages
 *** 8u72-b15-1~bpo8+1 500
        100 /var/lib/dpkg/status


with a dist-upgrade, things would be upgraded however:
# aptitude dist-upgrade
The following NEW packages will be installed:
  openjdk-8-jdk-headless{a} 
The following packages will be upgraded:
  openjdk-8-jdk openjdk-8-jre openjdk-8-jre-headless openjdk-8-jre-jamvm openjdk-8-jre-zero
The following packages are RECOMMENDED but will NOT be installed:
  libgconf2-4 libgnome2-0 libgnomevfs2-0 libxt-dev 
5 packages upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 38,0 MB of archives. After unpacking 140 kB will be used.


I'd guess that the check_apt Icinga/Nagios check uses apt-get upgrade
to look for upgradable packages, because it returns:
# /usr/lib/nagios/plugins/check_apt
APT OK: 0 packages available for upgrade (0 critical updates). |available_upgrades=0;;;0 critical_updates=0;;;0

Which is bad of course, and the security problem here.


So either, this is an issue in apt, not proposing to do these upgrades
on "upgrade", or an issue in check_apt, using the wrong thing to find
out on upgradeable packages.


Cheers,
Chris.


-- Package-specific info:

-- (no /etc/apt/preferences present) --


-- (/etc/apt/sources.list present, but not submitted) --


-- System Information:
Debian Release: 8.5
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/16 CPU cores)
Locale: LANG=en_DE.UTF-8, LC_CTYPE=en_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages apt depends on:
ii  debian-archive-keyring  2014.3
ii  gnupg                   1.4.18-7+deb8u1
ii  libapt-pkg4.12          1.0.9.8.3
ii  libc6                   2.19-18+deb8u4
ii  libgcc1                 1:4.9.2-10
ii  libstdc++6              4.9.2-10

apt recommends no packages.

Versions of packages apt suggests:
ii  apt-doc     1.0.9.8.3
ii  aptitude    0.6.11-1+b1
ii  dpkg-dev    1.17.27
ii  python-apt  0.9.3.12

-- no debconf information
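
Added example, not part of the original report and not check_apt's own code: a monitoring check that parses `apt-get upgrade` output and counts kept-back packages as pending updates instead of reporting OK. The function names, the WARNING mapping and the sample text (shortened from the output quoted in the report) are assumptions; it expects English (C locale) apt output.

```python
import re

# Constructed sample: the `apt-get upgrade` output from the report, shortened
# (autoremove list dropped) and with mail-wrapped lines rejoined.
SAMPLE = """\
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
The following packages have been kept back:
  openjdk-8-jdk openjdk-8-jre openjdk-8-jre-headless
  openjdk-8-jre-jamvm openjdk-8-jre-zero
0 upgraded, 0 newly installed, 0 to remove and 5 not upgraded.
"""

SUMMARY = re.compile(r"^(\d+) upgraded, (\d+) newly installed, "
                     r"(\d+) to remove and (\d+) not upgraded\.$")
KEYS = ("upgraded", "new", "remove", "not_upgraded")

def parse_upgrade_output(text):
    """Return (kept_back_packages, summary_counters or None)."""
    kept_back, counts, in_kept = [], None, False
    for line in text.splitlines():
        if line.startswith("The following packages have been kept back:"):
            in_kept = True
        elif in_kept and line.startswith(" "):
            kept_back.extend(line.split())   # indented continuation lines
        else:
            in_kept = False
            match = SUMMARY.match(line.strip())
            if match:
                counts = dict(zip(KEYS, map(int, match.groups())))
    return kept_back, counts

def check(text):
    """Map apt output to a Nagios-style (exit_code, message) pair."""
    kept_back, counts = parse_upgrade_output(text)
    if counts is None:
        return 3, "APT UNKNOWN: no summary line found"
    held = max(len(kept_back), counts["not_upgraded"])
    pending = counts["upgraded"] + counts["new"]
    if held or pending:
        # Counting only "upgraded" would report 0 here and hide the held set.
        return 1, "APT WARNING: %d upgradable, %d kept back: %s" % (
            pending, held, " ".join(kept_back))
    return 0, "APT OK: nothing pending"

if __name__ == "__main__":
    print(check(SAMPLE)[1])
```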
