Unattended-upgrades failed to install exim4-daemon-heavy 4.89-2+deb9u4

Phil Endecott phil_ltdnf_endecott at chezphil.org
Tue Jun 11 21:02:38 BST 2019


Hi Andreas,

Andreas Metzler wrote:
> On 2019-06-06 Phil Endecott <phil_ltdnf_endecott at chezphil.org> wrote:
>> I have a system running exim4-daemon-heavy on Stretch 
>> with unattended-upgrades.  This morning I checked to see 
>> if the security upgrade to 4.89-2+deb9u4 had been 
>> installed and I found this:
>
>> $ dpkg -l '*exim*'
>> (edited output)
>> ii  exim4-base             4.89-2+deb9u4    amd64
>> ii  exim4-config           4.89-2+deb9u4    all
>> ii  exim4-daemon-heavy     4.89-2+deb9u3    amd64
>
>> Note the daemon-heavy package has not been upgraded.
[snip]

> I am no expert on unattended-upgrades, 
> unattended-upgrades at packages.debian.org might know better. However what
> I am actually wondering about is why it did not automatically upgrade
> libmariadbclient18 before? Did you limit unattended-upgrades to
> security, excluding main?

Yes, the default configuration for unattended-upgrades, at
least in the cloud images for Stretch, is security-upgrades only.
I have reported the issue to unattended-upgrades at packages.debian.org
and they say the issues, i.e. (a) the message saying everything was
installed when it wasn't, and (b) the fact that it doesn't install
non-security dependencies of security upgrades, have both been
resolved in newer versions of unattended-upgrades.  I have suggested
that they consider pushing these changes as security upgrades.

From my point of view as a user, this is a rare case - possibly the
first time - that a package that I have on an "internet-facing" system has
been vulnerable to such a serious remotely-exploitable bug - and the
system that I had expected to protect me failed, and then hid the fact
that it had failed!  I think anyone using Exim on systems using the
official Debian cloud images will be in the same situation.  I'm
wondering how many other important security upgrades have not been
installed and how I can audit that.  Anyway, that's not your problem,
rant over!

Thanks for your quick reply.


Regards, Phil.