Debugging Ubuntu security updates
-
Just my debugging notes
Recently, I noticed that on my home machine, security updates are not getting applied. At least the motd says they're not being applied:
    207 updates can be applied immediately.
    100 of these updates are standard security updates.
    To see these additional updates run: apt list --upgradable

For example, the openssl package is not updated.

    # apt policy openssl
    openssl:
      Installed: 3.0.2-0ubuntu1.7
      Candidate: 3.0.2-0ubuntu1.8
      Version table:
         3.0.2-0ubuntu1.8 500
            500 http://de.archive.ubuntu.com/ubuntu jammy-updates/main amd64 Packages
            500 http://security.ubuntu.com/ubuntu jammy-security/main amd64 Packages
     *** 3.0.2-0ubuntu1.7 100
            100 /var/lib/dpkg/status
         3.0.2-0ubuntu1 500
            500 http://de.archive.ubuntu.com/ubuntu jammy/main amd64 Packages

Strangely:

    # unattended-upgrade -d -v
    System is on battery power, stopping

This is an Intel NUC. Looks like some detection goes wrong. But https://bugs.launchpad.net/ubuntu/+source/unattended-upgrades/+bug/1773033 is fixed.
-
This is the workaround:

    # cat > /etc/apt/apt.conf.d/51unattended-upgrades-on-battery
    Unattended-Upgrade::OnlyOnACPower "false";

Then, unattended-upgrade -d -v works. /var/log/unattended-upgrades/unattended-upgrades-dpkg.log has the info on what gets installed.
-
So, in another machine (DigitalOcean) which has 22.04.2 LTS:

    128 updates can be applied immediately.
    78 of these updates are standard security updates.
    To see these additional updates run: apt list --upgradable

However:

    $ apt list --upgradable | grep security
    <empty>

Looks like I have to debug this motd script - /etc/update-motd.d/90-updates-available
-
The /etc/update-motd.d/90-updates-available relies on /var/lib/update-notifier/updates-available which is created by /usr/lib/update-notifier/apt-check. But...

    # /usr/lib/update-notifier/apt-check
    E: Unknown Error: '<class 'KeyError'>' ("The cache has no package named 'python3-magic:amd64'")

Looks like some python3 package is missing! So apt install python3-magic and then apt update makes it "work". Now, on login, I see:

    32 updates can be applied immediately.
    To see these additional updates run: apt list --upgradable

-
tl;dr - If you have the above problem, apt install python3-magic. Then, run apt update. On another server, the unattended-upgrades package was missing as well (!) Not sure how, because Cloudron installs it at install time. So, install it and run unattended-upgrade -d.
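
The mismatch described above on the DigitalOcean machine (the motd reports 78 security updates while apt list shows none) can be checked mechanically. The following is an added example, not part of the original notes: the function names and sample inputs are constructed, and counting live security updates by matching the -security suite name is an assumption.

```shell
#!/bin/sh
# Compare the security-update count cached for the motd with a live count.
# On a real host: cached = contents of /var/lib/update-notifier/updates-available,
#                 live   = output of: apt list --upgradable 2>/dev/null

# Security-update count claimed by the cached motd text (0 if no such line).
motd_security_count() {
    n=$(printf '%s\n' "$1" | sed -n 's/^\([0-9][0-9]*\) of these updates .*security update.*/\1/p' | head -n 1)
    echo "${n:-0}"
}

# Count upgradable packages whose candidate is offered by a *-security suite.
# Line format: name/suite[,suite...] version arch [upgradable from: old]
# Assumption: the suite name is the only signal used; apt-check may count differently.
live_security_count() {
    printf '%s\n' "$1" | awk -F'[/ ]' 'NF > 2 && $2 ~ /-security(,|$)/ { n++ } END { print n + 0 }'
}

# Report whether the cached motd figure agrees with the live package list.
check_motd() {
    cached=$(motd_security_count "$1")
    live=$(live_security_count "$2")
    if [ "$cached" -eq "$live" ]; then
        echo "OK cached=$cached live=$live"
    else
        echo "MISMATCH cached=$cached live=$live"
    fi
}

# Constructed sample inputs (not captured from a real host).
SAMPLE_MOTD='128 updates can be applied immediately.
78 of these updates are standard security updates.
To see these additional updates run: apt list --upgradable'

SAMPLE_APT='Listing... Done
examplepkg-a/jammy-updates 1.0-2 amd64 [upgradable from: 1.0-1]
examplepkg-b/jammy-updates 2.4-7 amd64 [upgradable from: 2.4-5]'

SAMPLE_APT_SEC='openssl/jammy-updates,jammy-security 3.0.2-0ubuntu1.8 amd64 [upgradable from: 3.0.2-0ubuntu1.7]'

check_motd "$SAMPLE_MOTD" "$SAMPLE_APT"
```

A large gap such as 78 against 0 is a prompt to run /usr/lib/update-notifier/apt-check by hand and read its error output, as in the notes above; small differences can come from the two counts being computed differently.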