apt documentation for APT::Default-Release is not clear regarding security updates

Bug #295448 reported by Yan Li
This bug affects 4 people
Affects: apt (Ubuntu)
Status: Confirmed
Importance: Low
Assigned to: Unassigned

Bug Description

Binary package hint: apt

This is related to all versions up to and including Hardy. I haven't tested this on Intrepid, so I'm not sure about the versions after Hardy.

According to the apt_preferences manpage, the target release can be set on the apt-get command line or in the APT configuration file /etc/apt/apt.conf, and "APT::Default-Release "stable";" is given as an example. This is a very common and popular practice in the Debian community for setting the default release and using apt pinning, but doing this in Ubuntu has a serious security impact with no obvious warning.

After setting APT::Default-Release to "hardy", which is the "Suite" name of the main hardy source, no security fixes or updates will be installed unless their priorities are also set explicitly in apt_preferences. This is because in Ubuntu's world, security fixes come from the "hardy-security" source and other updates from the "hardy-updates" source, which bear a different "Suite" from the main source. Setting APT::Default-Release raises the priority of packages from the main source to 990, but doesn't cover packages from hardy-security and hardy-updates, so the latter are ignored since their packages now have a lower priority (only 500) than the old ones in the main source (990).

I set APT::Default-Release to "hardy" in September this year and only found this problem today. After removing that setting I was surprised to find that I could install 46 accumulated security fixes and updates. It is pretty sad to learn that I haven't received security fixes for more than 2 months.

This is a radical deviation from the Debian practice. In Debian all security fixes and updates bear the same "Suite" (etch or lenny) so setting APT::Default-Release to "etch" covers all security fixes and updates.

I think it's unlikely that Ubuntu will change the organization of its sources, so at least a fix for this problem would be to patch the apt_preferences manpage, alerting people not to use APT::Default-Release the way they have used it in Debian, and explaining the reason and the resulting impact.

Version information of my apt from Hardy:
Architecture: i386
Version: 0.7.9ubuntu17.1

Thanks!

Alexandre Maciel (amaciel81) wrote :

Same here.

I have Kubuntu Hardy Heron, but I want to use the most recent version of KMyMoney. In Debian, I can do this just by setting the default version to Etch and pinning some packages from Lenny, but in Ubuntu, hardy, hardy-security, hardy-updates and hardy-backports are different distributions.

Thanks,
Alexandre

Gert Wollny (gert-die) wrote :

Same goes for pinning. Here one can work around this bug by pinning all the releases, e.g. to get package foo from jaunty and everything else from intrepid, your /etc/apt/preferences should look somewhat like this:

Package: foo
Pin: release a=jaunty
Pin-Priority: 991

Package: *
Pin: release a=intrepid
Pin-Priority: 990

Package: *
Pin: release a=intrepid-updates
Pin-Priority: 990

Package: *
Pin: release a=intrepid-security
Pin-Priority: 990

Package: *
Pin: release a=intrepid-backports
Pin-Priority: 990

Claude Brisson (claude-renegat) wrote :

This problem could be solved by changing the APT::Default-Release behaviour: it could consider only the first part of a package's suite name whenever it contains a dash.

helix84 (helix84)
Changed in apt (Ubuntu):
assignee: nobody → Ubuntu Security Team (ubuntu-security)
Jamie Strandboge (jdstrand) wrote :

Please don't assign the security team to bugs. If a bug is deemed a security issue, subscribe the team instead.

Changed in apt (Ubuntu):
assignee: Ubuntu Security Team (ubuntu-security) → nobody
Jamie Strandboge (jdstrand) wrote :

Just tested on Jaunty and confirmed the issue. However, I don't consider this a security bug because one can simply set the default release to 'hardy-security' as opposed to 'hardy'. This is at worst a documentation issue.

Changed in apt (Ubuntu):
importance: Undecided → Low
status: New → Confirmed
summary: - Setting APT::Default-Release blocks security fix and updates
+ apt documentation for APT::Default-Release is not clear regarding
+ security updates
Leonid Evdokimov (darkk) wrote :

As far as I see, karmic is not affected, right?

Julian Andres Klode (juliank) wrote :

In apt 0.8.X, you can just pin by regex or glob:

  Package: *
  Pin: release a=natty*
  Pin-Priority: 990

or
  Package: *
  Pin: release a=/natty.*/
  Pin-Priority: 990

Same goes for Default-Release:
  Apt::Default-Release "natty*";
or
  Apt::Default-Release "/natty.*/";

It's not documented, though.

Paul Donohue (s-launchpad-paulsd-com) wrote :

You can also set Apt::Default-Release to the Version instead of the Suite. In other words, 'Apt::Default-Release "16.04";' will match all of the package sources for xenial.
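The priority arithmetic behind this whole thread (the 990-versus-500 trap in the original report, the per-pocket pins suggested above, the glob and /regex/ forms of Default-Release, and matching on the release Version) is small enough to model. The following is an added example, not code from the bug report or from apt itself: it is a simplified reimplementation of APT's candidate selection, and the package versions, the pocket names and the 8.04 release version are constructed sample data. It deliberately ignores epochs, tilde ordering, package-specific pins and the installed-version rules, and it resolves overlapping general pins by letting the last match win.

```python
import fnmatch
import re

# Constructed sample data: one package offered by three pockets of the same
# Ubuntu release.  Every pocket's Release file carries the same "Version:"
# (8.04 for hardy) but a different "Suite:", which is the crux of the bug.
CANDIDATES = [
    {"suite": "hardy",          "release_version": "8.04", "version": "2.6.24-19.41"},
    {"suite": "hardy-security", "release_version": "8.04", "version": "2.6.24-24.55"},
    {"suite": "hardy-updates",  "release_version": "8.04", "version": "2.6.24-24.54"},
]

# General-form pins in the style of /etc/apt/preferences: (release pattern, priority).
# This mirrors the per-pocket workaround posted in the thread.
PER_POCKET_PINS = (
    ("hardy", 990),
    ("hardy-updates", 990),
    ("hardy-security", 990),
)


def release_matches(pattern, value):
    """Match a release field with the three spellings used in the thread:
    an exact name ("hardy"), a shell glob ("hardy*") or a /regex/ ("/hardy.*/")."""
    if len(pattern) > 2 and pattern.startswith("/") and pattern.endswith("/"):
        return re.fullmatch(pattern[1:-1], value) is not None
    return fnmatch.fnmatchcase(value, pattern)


def version_key(version):
    """Simplified dpkg-style ordering: split into digit and non-digit runs,
    compare digit runs numerically and everything else lexically.
    Sufficient for the constructed versions above; not a full dpkg comparison."""
    parts = re.findall(r"\d+|\D+", version)
    return tuple((0, int(p), "") if p.isdigit() else (1, 0, p) for p in parts)


def effective_priority(candidate, default_release=None, pins=()):
    """Priority assigned to one candidate version, modelled as:
    500 by default; 990 when APT::Default-Release matches the pocket's Suite
    or its Version field; an explicit general-form pin overrides either."""
    priority = 500
    if default_release is not None and (
        release_matches(default_release, candidate["suite"])
        or release_matches(default_release, candidate["release_version"])
    ):
        priority = 990
    for pattern, pin_priority in pins:
        if release_matches(pattern, candidate["suite"]):
            priority = pin_priority  # simplification: the last matching pin wins
    return priority


def candidate_version(candidates, default_release=None, pins=()):
    """Return the (suite, version) that would be installed: the highest
    priority wins, and the highest version wins among equal priorities."""
    best = max(
        candidates,
        key=lambda c: (effective_priority(c, default_release, pins),
                       version_key(c["version"])),
    )
    return best["suite"], best["version"]


if __name__ == "__main__":
    scenarios = {
        "no Default-Release":                 dict(),
        "Default-Release \"hardy\" (the bug)": dict(default_release="hardy"),
        "\"hardy\" + per-pocket pins":        dict(default_release="hardy", pins=PER_POCKET_PINS),
        "Default-Release \"hardy*\"":         dict(default_release="hardy*"),
        "Default-Release \"/hardy.*/\"":      dict(default_release="/hardy.*/"),
        "Default-Release \"8.04\"":           dict(default_release="8.04"),
    }
    for label, kwargs in scenarios.items():
        suite, version = candidate_version(CANDIDATES, **kwargs)
        print(f"{label:38} -> {suite} {version}")
```

Running it shows the report's symptom directly: with Default-Release "hardy" the stale 2.6.24-19.41 from the hardy pocket outranks the newer hardy-security build, while every other variant (no default release, per-pocket pins, a glob or regex default release, or the 8.04 version string) lets the hardy-security version through.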
