Security updates are not marked as security
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
aptitude (Debian) | Confirmed | Unknown | |
aptitude (Ubuntu) | Confirmed | Undecided | Unassigned |
muon (Ubuntu) | Confirmed | Undecided | Unassigned |
Bug Description
I have two machines, both on Kubuntu 14.04 amd64, one on the German package server, one on the central one.
/etc/apt/
/etc/apt/
Both have the same version of openjdk-7-jre installed according to aptitude (7u65-2.
Both show an update to 7u65-2.5.2-3~14.04 in aptitude.
However, the one with the German server shows it as a security update according to aptitude, while the central server shows it as a regular update. The package list was updated on both in the same interval of a few seconds.
Why?
[Notice that this might affect other packages, I am seeing more differing updates, only bothering to check the versions for this one.]
Notice that this was preceded by weeks of aptitude telling me about bad signature / bad checksum when updating the package list (which made me switch the server to central server on one machine), and your recent update of apt which seemed to fix security issues in apt according to the changelog. This is very suspicious to me. Are you hacked? Am I being hacked? I work on a high value target software (Internet anonymization), so this scares me.
Please reply soon if you need further information about the state of my apt; I can only postpone the security updates for a short time, and afterwards the state of apt might have changed in a way which makes it impossible to debug.
information type: Private Security → Public Security
Changed in ubuntu:
status: New → Invalid
summary:
- Central and German package servers ship different state of the same package marked as the same version
+ Security updates are not marked as security
Changed in aptitude (Debian):
status: Unknown → Confirmed
# Machine with German package servers
$ apt-cache policy openjdk-7-jre
openjdk-7-jre:
Installed: 7u65-2.5.1-4ubuntu1~0.14.04.2
Candidate: 7u65-2.5.2-3~14.04
Version table:
7u65-2.5.2-3~14.04 0
500 http://de.archive.ubuntu.com/ubuntu/ trusty-updates/main amd64 Packages
500 http://security.ubuntu.com/ubuntu/ trusty-security/main amd64 Packages
*** 7u65-2.5.1-4ubuntu1~0.14.04.2 0
100 /var/lib/dpkg/status
7u51-2.4.6-1ubuntu4 0
500 http://de.archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages
# Machine with central package servers
$ apt-cache policy openjdk-7-jre
openjdk-7-jre:
Installed: 7u65-2.5.1-4ubuntu1~0.14.04.2
Candidate: 7u65-2.5.2-3~14.04
Version table:
7u65-2.5.2-3~14.04 0
500 http://archive.ubuntu.com/ubuntu/ trusty-updates/main amd64 Packages
500 http://archive.ubuntu.com/ubuntu/ trusty-security/main amd64 Packages
*** 7u65-2.5.1-4ubuntu1~0.14.04.2 0
100 /var/lib/dpkg/status
7u51-2.4.6-1ubuntu4 0
500 http://archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages
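A mirror-independent check for the two `apt-cache policy` outputs above, as an added example that is not part of the original report or of aptitude: it reads the suite (pocket) name of every source offering the candidate version and reports the serving host separately. The sample text is reassembled from the outputs on this page, and the function names are hypothetical.

```python
from urllib.parse import urlsplit

# Sample input reassembled from the `apt-cache policy` output on this page.
GERMAN = """\
openjdk-7-jre:
  Installed: 7u65-2.5.1-4ubuntu1~0.14.04.2
  Candidate: 7u65-2.5.2-3~14.04
  Version table:
     7u65-2.5.2-3~14.04 0
        500 http://de.archive.ubuntu.com/ubuntu/ trusty-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu/ trusty-security/main amd64 Packages
 *** 7u65-2.5.1-4ubuntu1~0.14.04.2 0
        100 /var/lib/dpkg/status
     7u51-2.4.6-1ubuntu4 0
        500 http://de.archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages
"""
# The central-server machine differs only in the host names of its sources.
CENTRAL = GERMAN.replace("de.archive.", "archive.").replace("//security.", "//archive.")

def candidate_sources(policy_text):
    """Return (candidate_version, [(host, suite), ...]) for the candidate's sources."""
    candidate, current, sources = None, None, []
    for line in policy_text.splitlines():
        tokens = line.replace("***", "").split()
        if not tokens:
            continue
        if tokens[0] == "Candidate:":
            candidate = tokens[1]
        elif len(tokens) == 2 and tokens[1].isdigit() and not tokens[0].isdigit():
            current = tokens[0]  # version header line: "<version> <pin>"
        elif candidate and current == candidate and len(tokens) >= 3 and "://" in tokens[1]:
            # source line: "<priority> <url> <suite>/<component> <arch> Packages"
            sources.append((urlsplit(tokens[1]).hostname, tokens[2].split("/")[0]))
    return candidate, sources

def security_pocket_hosts(policy_text):
    """Hosts that offer the candidate version from a '*-security' suite."""
    _, sources = candidate_sources(policy_text)
    return [host for host, suite in sources if suite.endswith("-security")]

def is_security_update(policy_text):
    """True when the candidate is published in a '*-security' suite on any host."""
    return bool(security_pocket_hosts(policy_text))

if __name__ == "__main__":
    for name, text in (("German", GERMAN), ("central", CENTRAL)):
        print(name, candidate_sources(text)[0], is_security_update(text),
              security_pocket_hosts(text))
```

On both machines the candidate is published in `trusty-security`; only the host serving that pocket differs.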