livepatch status is less user-friendly once it gets kernel-upgrade-required "cannot send status to server: bad server status 403"

Bug #1852667 reported by Nobuto Murata
This bug affects 4 people
Affects: Canonical Livepatch Client
Status: Confirmed
Importance: Wishlist
Assigned to: Unassigned

Bug Description

I believe it's a known issue, but I couldn't find an existing bug.

Once the livepatch status gets kernel-upgrade-required, the status message turns into the following after refreshing the status:

[after initial status check]
status:
- kernel: 4.15.0-58.64-generic
  running: true
  livepatch:
    checkState: checked
    patchState: kernel-upgrade-required
    version: "59.1"
    fixes: |-
      * CVE-2011-1079
      * CVE-2018-20976

[refresh manually]
$ sudo canonical-livepatch refresh

[status after refresh]
status:
- kernel: 4.15.0-58.64-generic
  running: true
  livepatch:
    checkState: check-failed
    checkInfo: 'cannot send status to server: bad server status 403 (URL: https://livepatch.canonical.com/api/machine/b7a6c33062c9427ab25dd5a95c9353bf):
      {"error": "Not checking for new patches based on reported livepatch state. State:
      kernel-upgrade-required"}'
    patchState: kernel-upgrade-required

This is not so user-friendly, and could be improved.
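
One way a monitoring script could turn the status above into a clearer message, shown as an added example that is not part of the original report or the Livepatch client's own code. The parser handles only the fields shown on this page; `parse_status`, `classify` and the message wording are hypothetical, and the machine id in the sample is a placeholder.

```python
import re

# Constructed sample modelled on the "status after refresh" output in this
# report; the machine id in the URL is replaced with a placeholder.
SAMPLE = """\
status:
- kernel: 4.15.0-58.64-generic
  running: true
  livepatch:
    checkState: check-failed
    checkInfo: 'cannot send status to server: bad server status 403 (URL: https://livepatch.canonical.com/api/machine/MACHINE-ID):
      {"error": "Not checking for new patches based on reported livepatch state. State:
      kernel-upgrade-required"}'
    patchState: kernel-upgrade-required
"""

KEY = re.compile(r"^\s*(?:- )?([A-Za-z][\w-]*):\s?(.*)$")

def parse_status(text):
    """Collect the fields of each kernel entry, joining wrapped scalar lines."""
    kernels, last_key, last_col = [], None, -1
    for line in text.splitlines():
        col = len(line) - len(line.lstrip())
        # A deeper-indented line after a key that already has a value is a
        # continuation of that value (wrapped checkInfo, the fixes list).
        if kernels and last_key and col > last_col and kernels[-1][last_key]:
            kernels[-1][last_key] += " " + line.strip()
            continue
        m = KEY.match(line)
        if not m:
            continue
        if m.group(1) == "kernel":
            kernels.append({})  # each "- kernel:" item starts a new entry
        if kernels:
            kernels[-1][m.group(1)] = m.group(2).strip()
            last_key, last_col = m.group(1), m.start(1)
    return kernels

def classify(entry):
    """Return (state, message); an assumed mapping, not the client's own logic."""
    patch, check = entry.get("patchState", ""), entry.get("checkState", "")
    info = entry.get("checkInfo", "")
    if patch == "kernel-upgrade-required":
        # Report the patch state first so the 403 does not read as an outage.
        note = " (server refuses further checks in this state)" if "status 403" in info else ""
        return "upgrade-required", f"kernel {entry.get('kernel')} can no longer be livepatched; upgrade and reboot{note}"
    if check == "check-failed":
        return "check-failed", f"livepatch check failed: {info}"
    return "ok", f"kernel {entry.get('kernel')}: patchState={patch}"
```
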

Nobuto Murata (nobuto) wrote :

Nov 15 02:01:33 livepatch canonical-livepatch[7195]: error in livepatch check state: needs-check
Nov 15 02:01:33 livepatch canonical-livepatch[7195]: Checking with livepatch service.
Nov 15 02:01:34 livepatch canonical-livepatch[7195]: updating last-check
Nov 15 02:01:34 livepatch canonical-livepatch[7195]: touched last check
Nov 15 02:01:50 livepatch canonical-livepatch[7195]: Applying update 59.1 for 4.15.0-58.64-generic
Nov 15 02:02:01 livepatch canonical-livepatch[7195]: Applied patch version 59.1 to 4.15.0-58.64-generic
Nov 15 02:04:52 livepatch canonical-livepatch[7195]: Client.Check
Nov 15 02:04:52 livepatch canonical-livepatch[7195]: Checking with livepatch service.
Nov 15 02:04:54 livepatch canonical-livepatch[7195]: Module already inserted.
Nov 15 02:04:54 livepatch canonical-livepatch[7195]: during refresh: cannot check: cannot send status to server: bad server status 403 (URL: https://livepatch.canonical.com/api/machine/b7a6c33062c9427ab25dd5a95c9353bf): {"error": "Not checking for new patches based on reported livepatch state. State: kernel-upgrade-required"}
Nov 15 02:04:54 livepatch canonical-livepatch[7195]: error in livepatch check state: check-failed
Nov 15 02:05:02 livepatch canonical-livepatch[7195]: error in livepatch check state: check-failed

summary: - livepatch status is less user-friendly once kernel-upgrade-required
- "cannot send status to server: bad server status 403"
+ livepatch status is less user-friendly once it gets kernel-upgrade-
+ required "cannot send status to server: bad server status 403"
Nobuto Murata (nobuto) wrote :

$ canonical-livepatch status --verbose
client-version: 9.4.6
machine-id: b7a6c33062c9427ab25dd5a95c9353bf
machine-token: XYZ
architecture: x86_64
cpu-model: QEMU Virtual CPU version 2.5+
last-check: 2019-11-15T02:01:34Z
boot-time: 2019-11-15T01:47:14Z
uptime: 38m28s
status:
- kernel: 4.15.0-58.64-generic
  running: true
  livepatch:
    checkState: check-failed
    checkInfo: 'cannot send status to server: bad server status 403 (URL: https://livepatch.canonical.com/api/machine/b7a6c33062c9427ab25dd5a95c9353bf):
      {"error": "Not checking for new patches based on reported livepatch state. State:
      kernel-upgrade-required"}'
    patchState: kernel-upgrade-required
    version: "59.1"
    fixes: |-
      * CVE-2011-1079
        The bnep_sock_ioctl function in net/bluetooth/bnep/sock.c in the Linux
        kernel before 2.6.39 does not ensure that a certain device field ends
        with a '\0' character, which allows local users to obtain potentially
        sensitive information from kernel stack memory, or cause a denial of
        service (BUG and system crash), via a BNEPCONNADD command.
...

Nobuto Murata (nobuto) wrote :

$ snap info canonical-livepatch
name: canonical-livepatch
summary: Canonical Livepatch Client
publisher: Canonical✓
contact: <email address hidden>
license: unset
description: |
  Canonical Livepatch Client
commands:
  - canonical-livepatch
services:
  canonical-livepatch.canonical-livepatchd: simple, enabled, active
snap-id: b96UJ4vttpNhpbaCWctVzfduQcPwQ5wn
tracking: stable
refresh-date: today at 01:53 UTC
channels:
  stable: 9.4.6 2019-10-24 (88) 8MB -
  candidate: ↑
  beta: ↑
  edge: ↑
installed: 9.4.6 (88) 8MB -

information type: Proprietary → Public
Roger Hofmann (rogomat) wrote :

client-version: 9.4.6
architecture: x86_64
cpu-model: Intel(R) Core(TM) i7 CPU L 640 @ 2.13GHz
last-check: 2019-11-25T20:07:04+01:00
boot-time: 2019-11-25T20:04:21+01:00
uptime: 15m22s
status:
- kernel: 4.15.0-66.75-generic
  running: true
  livepatch:
    checkState: check-failed
    checkInfo: 'cannot send status to server: bad server status 403 (URL: https://livepatch.canonical.com/api/machine/8128e8c922e74bd6aecc4be576b5162c):
      {"error": "Not checking for new patches based on reported livepatch state. State:
      kernel-upgrade-required"}'
    patchState: kernel-upgrade-required
    version: "59.1"
    fixes: |-
      * CVE-2011-1079
      * CVE-2018-20976
      * CVE-2018-21008
      * CVE-2019-10126
      * CVE-2019-10207
      * CVE-2019-11477
      * CVE-2019-11478
      * CVE-2019-11815
      * CVE-2019-11833
      * CVE-2019-11884
      * CVE-2019-12614
      * CVE-2019-12818
      * CVE-2019-12819
      * CVE-2019-12984
      * CVE-2019-13233
      * CVE-2019-13272
      * CVE-2019-13648
      * CVE-2019-14283
      * CVE-2019-14284
      * CVE-2019-14814
      * CVE-2019-14821
      * CVE-2019-14835
      * CVE-2019-15030
      * CVE-2019-15031
      * CVE-2019-15098
      * CVE-2019-17666
      * CVE-2019-2101
      * CVE-2019-3846

Casey Marshall (cmars) wrote :

Log indicates that the kernel version cannot be patched and requires an upgrade.

Changed in canonical-livepatch-client:
status: New → Invalid
status: Invalid → Confirmed
importance: Undecided → Wishlist