
Why are some security errata ignored? #13

Closed
dsumsky opened this issue Mar 10, 2017 · 5 comments

Comments

@dsumsky

dsumsky commented Mar 10, 2017

I successfully use the script to generate security errata metadata and to update the updateinfo.xml file with it in my local CentOS6 repositories (with CLI args -t all -s all). All repositories are up-to-date (as of today, 2017/03/10). Unfortunately, I noticed a small inconsistency in what is going to be updated when you run the yum update --security command.

How to reproduce the issue (tested on CentOS 6.8, x86_64, but IMO, previous/newer versions suffer from the same issue):

1. first, let's clean everything to start with a clean table
yum clean all
2. let's see what security updates are available (the system is not up-to-date)
yum check-update --security

...
56 package(s) needed for security, out of 28 available

kernel.x86_64                                 2.6.32-642.15.1.el6                         local-centos-6-x86_64-updates
kernel-devel.x86_64                           2.6.32-642.15.1.el6                         local-centos-6-x86_64-updates
kernel-firmware.noarch                        2.6.32-642.15.1.el6                         local-centos-6-x86_64-updates
kernel-headers.x86_64                         2.6.32-642.15.1.el6                         local-centos-6-x86_64-updates
libtiff.x86_64                                3.9.4-21.el6_8                              local-centos-6-x86_64-updates
openssl.x86_64                                1.0.1e-48.el6_8.4                           local-centos-6-x86_64-updates
sudo.x86_64                                   1.8.6p3-25.el6_8                            local-centos-6-x86_64-updates
3. now, let's install e.g. the squid package
yum install -y squid 

...
Resolving Dependencies
--> Running transaction check
---> Package squid.x86_64 7:3.1.23-16.el6_8.6 will be installed
--> Finished Dependency Resolution
 
Dependencies Resolved
 
====================================================================================================================
 Package           Arch               Version                          Repository                              Size
====================================================================================================================
Installing:
 squid             x86_64             7:3.1.23-16.el6_8.6              lp-centos-6-x86_64-updates             1.8 M
 
Transaction Summary
====================================================================================================================
Install       1 Package(s)
 
Total download size: 1.8 M
Installed size: 6.3 M
Downloading Packages:
squid-3.1.23-16.el6_8.6.x86_64.rpm                                                           | 1.8 MB     00:00
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Warning: RPMDB altered outside of yum.
  Installing : 7:squid-3.1.23-16.el6_8.6.x86_64                                                                 1/1
  Verifying  : 7:squid-3.1.23-16.el6_8.6.x86_64                                                                 1/1
 
Installed:
  squid.x86_64 7:3.1.23-16.el6_8.6
 
Complete!
4. I would like to test an update of the package, so let's try to downgrade it first
yum downgrade -y squid

...
Resolving Dependencies
--> Running transaction check
---> Package squid.x86_64 7:3.1.23-16.el6_8.5 will be a downgrade
---> Package squid.x86_64 7:3.1.23-16.el6_8.6 will be erased
--> Finished Dependency Resolution
 
Dependencies Resolved
 
====================================================================================================================
 Package           Arch               Version                          Repository                              Size
====================================================================================================================
Downgrading:
 squid             x86_64             7:3.1.23-16.el6_8.5              lp-centos-6-x86_64-updates             1.8 M
 
Transaction Summary
====================================================================================================================
Downgrade     1 Package(s)
 
Total download size: 1.8 M
Downloading Packages:
squid-3.1.23-16.el6_8.5.x86_64.rpm                                                           | 1.8 MB     00:00
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing : 7:squid-3.1.23-16.el6_8.5.x86_64                                                                 1/2
  Cleanup    : 7:squid-3.1.23-16.el6_8.6.x86_64                                                                 2/2
  Verifying  : 7:squid-3.1.23-16.el6_8.5.x86_64                                                                 1/2
  Verifying  : 7:squid-3.1.23-16.el6_8.6.x86_64                                                                 2/2
 
Removed:
  squid.x86_64 7:3.1.23-16.el6_8.6
 
Installed:
  squid.x86_64 7:3.1.23-16.el6_8.5
 
Complete!
5. let's double-check what is actually installed
rpm -qa | grep -i squid

squid-3.1.23-16.el6_8.5.x86_64
6. at this moment, I would expect that when I check security updates again, the squid package should be newly listed, but it isn't
yum check-update --security

...
56 package(s) needed for security, out of 28 available
 
kernel.x86_64                                 2.6.32-642.15.1.el6                         local-centos-6-x86_64-updates
kernel-devel.x86_64                           2.6.32-642.15.1.el6                         local-centos-6-x86_64-updates
kernel-firmware.noarch                        2.6.32-642.15.1.el6                         local-centos-6-x86_64-updates
kernel-headers.x86_64                         2.6.32-642.15.1.el6                         local-centos-6-x86_64-updates
libtiff.x86_64                                3.9.4-21.el6_8                              local-centos-6-x86_64-updates
openssl.x86_64                                1.0.1e-48.el6_8.4                           local-centos-6-x86_64-updates
sudo.x86_64                                   1.8.6p3-25.el6_8                            local-centos-6-x86_64-updates

7. let's see which squid errata are installed on the system. This is somewhat weird. From the above, I can see that squid was downgraded to squid-3.1.23-16.el6_8.5.x86_64 (CEBA_2016__1412 bugfix), but squid-3.1.23-16.el6_8.6.x86_64 (CESA_2016__1573) seems to be still marked as installed
yum updateinfo list all | grep squid-3

i CESA_2011__1791 Moderate/Sec.  squid-3.1.10-1.el6_2.1.x86_64
i CEBA_2012__0122 bugfix         squid-3.1.10-1.el6_2.2.x86_64
i CEBA_2012__0470 bugfix         squid-3.1.10-1.el6_2.3.x86_64
i CEBA_2012__0557 bugfix         squid-3.1.10-1.el6_2.4.x86_64
i CEBA_2012__1290 bugfix         squid-3.1.10-9.el6_3.x86_64
i CESA_2013__0505 Moderate/Sec.  squid-3.1.10-16.el6.x86_64
i CEBA_2013__0985 bugfix         squid-3.1.10-18.el6_4.x86_64
i CEBA_2013__1396 bugfix         squid-3.1.10-19.el6_4.x86_64
i CEBA_2014__0048 bugfix         squid-3.1.10-20.el6_5.x86_64
i CESA_2014__0597 Moderate/Sec.  squid-3.1.10-20.el6_5.3.x86_64
i CESA_2014__1148 Important/Sec. squid-3.1.10-22.el6_5.x86_64
i CEBA_2014__1446 bugfix         squid-3.1.10-29.el6.x86_64
i CEBA_2015__1314 bugfix         squid-3.1.23-9.el6.x86_64
i CEBA_2016__0896 bugfix         squid-3.1.23-16.el6.x86_64
i CESA_2016__1138 Moderate/Sec.  squid-3.1.23-16.el6_8.4.x86_64
i CEBA_2016__1412 bugfix         squid-3.1.23-16.el6_8.5.x86_64
i CESA_2016__1573 Moderate/Sec.  squid-3.1.23-16.el6_8.6.x86_64
8. When I try to get information for that erratum, there's nothing
yum updateinfo info CESA_2016__1573

--- NOTHING NOTHING NOTHING ---
9. When I list all errata and grep for that one, I can get it
yum updateinfo info all | grep CESA_2016__1573 -B3 -A8

===============================================================================
  Moderate CentOS squid Security Update
===============================================================================
  Update ID : CESA_2016__1573
    Release : CentOS 6
       Type : security
     Status : stable
     Issued : 2016-08-04 12:51:39
Description : Moderate CentOS squid Security Update
   Severity : Moderate
  Installed : true

I would like to point out that I tested this scenario (downgrade/upgrade) on RHEL6 and it worked. I also tried to install an old version of the squid package directly to avoid the downgrade/upgrade sequence, but the result was the same. And the issue is not related to the squid package only. Basically, I can reproduce the issue with any package.

Any idea what could be wrong?!? Why is it marked as installed when it actually is not?!? When testing on RHEL6, I can see that it is not installed and then it is included in the list of packages to be updated.

Thanks.

@Dan0maN
Contributor

Dan0maN commented Mar 11, 2017

It appears that the generate_updateinfo script is working as expected, as the errata is parsed from the CEFS xml and the metadata file created and injected into the repository shows the relevant errata.

I'm not exactly sure what would be causing this without digging into the guts of yum. Perhaps the yum cache still thinks that errata is installed? Have you tried to clean the cache after downgrading the package then checking for errata?

@dsumsky
Author

dsumsky commented Mar 13, 2017

Yes, I tried to clean the yum cache with the yum clean all command. The result is the same. In the end, the issue is pretty marginal. But in the case where somebody downgrades a package intentionally and later wants to apply the latest security updates, expecting them to be applied, it may be a bit confusing ...

@dsumsky
Author

dsumsky commented Mar 27, 2017

Does anybody else have any suggestion as to what could cause the described issue?

@stevemeier

I ran into the same problem and just spent a few hours fixing it (at least for me).

Each RPM package has three attributes: Epoch, Version and Release (EVR). For most packages (around 70-80%), Epoch is set to "0". For some other packages (I discovered libpng and squid), the Epoch value is set to a numeric value greater than 0.

The generate_updateinfo script always sets Epoch to "0" which is why the errata are not matched up for packages where Epoch is not in fact 0, but higher.

The problem with this is that unlike Version and Release, the Epoch is not included in the filename. The only option to get it is to parse the sqlite database contained in the CentOS repositories. There is no way to fix this inside generate_updateinfo easily.

If you are interested, I have created a ready-made repository which you can find here:
https://updateinfo.cefs.steve-meier.de/
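The two comments above describe the symptom (an erratum shows as installed after a downgrade) and the cause (generate_updateinfo writes epoch="0" for packages whose real epoch is higher). The following is an added example, not code from this project or from either commenter. It assumes yum's rule that a notice counts as installed once an installed package of that name has an EVR greater than or equal to the notice's EVR, re-implements rpm's version comparison in simplified form (a stand-in for rpmvercmp, not rpm's own code), and assumes the column names of createrepo's primary_db `packages` table (name, arch, version, epoch, release). The in-memory sqlite database and the updateinfo.xml fragment are constructed sample data, modelled on the squid versions in the thread.

```python
"""Why epoch="0" in updateinfo.xml makes errata look installed, and how to
repair the epoch from the repository's primary sqlite database."""
import re
import sqlite3
import xml.etree.ElementTree as ET

# Simplified re-implementation of rpm's version-segment comparison (assumption:
# good enough for CentOS 6 NVRs; it does not model the '~' tilde rule).
_SEG = re.compile(r"(\d+|[a-zA-Z]+)")


def rpmvercmp(a, b):
    """Compare two version or release strings segment by segment: -1, 0 or 1."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)              # numeric segments compare as integers
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1    # a numeric segment beats an alpha one
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def evr_cmp(evr_a, evr_b):
    """Compare (epoch, version, release) tuples; epoch dominates everything else."""
    (ea, va, ra), (eb, vb, rb) = evr_a, evr_b
    if int(ea) != int(eb):
        return 1 if int(ea) > int(eb) else -1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def erratum_looks_installed(installed_evr, notice_evr):
    """Assumed yum rule: a notice is 'installed' once installed EVR >= notice EVR."""
    return evr_cmp(installed_evr, notice_evr) >= 0


# Assumed subset of the createrepo primary_db schema (only the columns used here).
PRIMARY_SCHEMA = ("CREATE TABLE packages (pkgKey INTEGER PRIMARY KEY, name TEXT, "
                  "arch TEXT, version TEXT, epoch TEXT, release TEXT)")


def build_sample_primary_db():
    """Constructed in-memory stand-in for <repo>/repodata/*-primary.sqlite."""
    db = sqlite3.connect(":memory:")
    db.execute(PRIMARY_SCHEMA)
    db.executemany(
        "INSERT INTO packages (name, arch, version, epoch, release) VALUES (?,?,?,?,?)",
        [("squid", "x86_64", "3.1.23", "7", "16.el6_8.5"),   # squid really has epoch 7
         ("squid", "x86_64", "3.1.23", "7", "16.el6_8.6"),
         ("sudo", "x86_64", "1.8.6p3", "0", "25.el6_8")])   # most packages have epoch 0
    return db


def lookup_epoch(db, name, version, release, arch):
    """Return the epoch the repository records for an exact NVR.A, or None if absent."""
    row = db.execute("SELECT epoch FROM packages WHERE name=? AND version=? "
                     "AND release=? AND arch=?", (name, version, release, arch)).fetchone()
    return row[0] if row else None


# Constructed updateinfo.xml fragment with the epoch="0" defect from the thread.
SAMPLE_UPDATEINFO = """<updates>
  <update from="centos" status="stable" type="security" version="1.4">
    <id>CESA_2016__1573</id>
    <title>Moderate CentOS squid Security Update</title>
    <pkglist><collection short="EL-6">
      <package name="squid" version="3.1.23" release="16.el6_8.6" epoch="0" arch="x86_64">
        <filename>squid-3.1.23-16.el6_8.6.x86_64.rpm</filename>
      </package>
    </collection></pkglist>
  </update>
</updates>"""


def fix_epochs(updateinfo_xml, db):
    """Rewrite each <package> epoch from the primary db; returns (xml, number fixed)."""
    root = ET.fromstring(updateinfo_xml)
    fixed = 0
    for pkg in root.iter("package"):
        real = lookup_epoch(db, pkg.get("name"), pkg.get("version"),
                            pkg.get("release"), pkg.get("arch"))
        if real is not None and real != pkg.get("epoch", "0"):
            pkg.set("epoch", real)
            fixed += 1
    return ET.tostring(root, encoding="unicode"), fixed


if __name__ == "__main__":
    installed = ("7", "3.1.23", "16.el6_8.5")      # after the downgrade in the thread
    print("epoch 0 in notice -> installed?",
          erratum_looks_installed(installed, ("0", "3.1.23", "16.el6_8.6")))
    print("epoch 7 in notice -> installed?",
          erratum_looks_installed(installed, ("7", "3.1.23", "16.el6_8.6")))
    xml, n = fix_epochs(SAMPLE_UPDATEINFO, build_sample_primary_db())
    print(n, "package element(s) repaired")
    print(xml)
```

With epoch 0 recorded in the notice, the installed 7:3.1.23-16.el6_8.5 compares greater than the notice's 0:3.1.23-16.el6_8.6, so every squid erratum is treated as already applied and yum check-update --security never lists the package; once the epoch is taken from the repository's primary database, the same comparison correctly reports the erratum as outstanding.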

@kostecky
Member

@stevemeier This is great news! Thank you for creating these repos.

@github-actions github-actions bot mentioned this issue May 7, 2023