Packages with security updates kept back

  • I have started getting emails from my server during unattended upgrade that say these packages are being held back (OMV 7):


    Seems dangerous to hold back updates to things like ssh-server. Is this an OMV thing or how can I find out what's causing it?

    • Official Post

    OMV only updates things in the security repo automatically. Any other updates, you are responsible for.

    omv 7.7.5-1 sandworm | 64 bit | 6.11 proxmox kernel

    plugins :: omvextrasorg 7.0.2 | kvm 7.1.2 | compose 7.4.5 | cputemp 7.0.2 | mergerfs 7.0.5 | scripts 7.1


    omv-extras.org plugins source code and issue tracker - github - changelogs


    Please try ctrl-shift-R and read this before posting a question.

    Please put your OMV system details in your signature.
    Please don't PM for support... Too many PMs!

    • Official Post

    These are packages from the security repo, if I am not mistaken.

    I didn't look at what packages were being held back but you are correct.


    If apt on the system has issues and/or the user has added changes, this could happen. I would just run omv-upgrade and see what the problem is.


  • Could it have something to do with the label? It says:

    Code
    Allowed origins are: origin=Debian,codename=bookworm,label=Debian-Security, origin=Debian,codename=bookworm-security,label=Debian-Security

    The packages in question have the label Debian stable-security somehow. Not bookworm-security.

    Code
    Packages with upgradable origin but kept back: Debian stable-security:

    The config file on my system (/etc/apt/apt.conf.d/95openmediavault-unattended-upgrades) says:

    Code
    Unattended-Upgrade::Origins-Pattern {
    "origin=Debian,codename=${distro_codename},label=Debian-Security";
    "origin=Debian,codename=${distro_codename}-security,label=Debian-Security";
    };

    and the allowed origins are the same in the messages from unattended-upgrades:

    Code
    origin=Debian,codename=bookworm,label=Debian, origin=Debian,codename=bookworm,label=Debian-Security, origin=Debian,codename=bookworm-security,label=Debian-Security, origin=Debian,codename=bookworm,label=Debian-Security, origin=Debian,codename=bookworm-security,label=Debian-Security


    Nowhere does it say stable-security. I am no expert in apt or in unattended-upgrades. But this called my attention. Could this have anything to do with the recent update to 7.3.1? ("Fixed a bug in unattended-upgrades that causes all new packages to be installed instead of just security updates.")

    • Official Post

    Indeed that looks strange, but OMV is configured more or less like the original unattended-upgrades default config, except that OMV does not install upgrades from the default version repo ("origin=Debian,codename=${distro_codename},label=Debian";). So, in this case unattended-upgrades has a faulty default configuration or Debian is doing something wrong and undocumented. If someone can point to official Debian documentation which points out how security repos in unattended-upgrades have to be configured correctly, I'm happy to adapt and fix that in OMV. Please open a GitHub feature request for that.


    References:

    - https://github.com/mvo5/unatte…ended-upgrades.Debian#L31

    - https://www.cyberciti.biz/faq/…ty-updates-automatically/

    • Official Post

    On my machine the openssh-client package is coming from bookworm-security.

    Bash
    root@omv7box:/home/vagrant# apt-cache policy openssh-client
    openssh-client:
      Installed: 1:9.2p1-2+deb12u3
      Candidate: 1:9.2p1-2+deb12u3
      Version table:
     *** 1:9.2p1-2+deb12u3 500
            500 http://security.debian.org/debian-security bookworm-security/main amd64 Packages
            100 /var/lib/dpkg/status
         1:9.2p1-2+deb12u2 500
            500 https://deb.debian.org/debian bookworm/main amd64 Packages
  • Indeed that looks strange, but OMV is configured more or less like the original unattended-upgrades default config, except that OMV does not install upgrades from the default version repo ("origin=Debian,codename=${distro_codename},label=Debian";). So, in this case unattended-upgrades has a faulty default configuration or Debian is doing something wrong and undocumented. If someone can point to official Debian documentation which points out how security repos in unattended-upgrades have to be configured correctly, I'm happy to adapt and fix that in OMV. Please open a GitHub feature request for that.


    References:

    - https://github.com/mvo5/unatte…ended-upgrades.Debian#L31

    - https://www.cyberciti.biz/faq/…ty-updates-automatically/

    After doing some reading I am probably wrong:


    stable-security is the "suite" while bookworm-security is the "codename". According to this page "In Debian repositories the indices are stored in a directory named after Suite or Codename (actually one is symlinked to the other)." So stable-security is probably linking to bookworm-security or the other way around. The unattended-upgrades default configuration you linked also shows the option to either use codename based matching or archive/suite based matching.


    Unless something very funny and undocumented has been happening on the Debian servers I don't believe this is the cause of the problem. Sorry for interfering.


    Edit:

    Could you please post the APT package list configuration that is configuring stable-security? Only <RELEASE_NAME>-security is configured by OMV. What Debian derivative are you using? Is it for an ARM device?


    The only page I found anything about stable-security is a German Debian Wiki, but I don't think you can declare this as official or it's outdated.

    Yeah. That page says more or less the same. If you configure stable and stable-security as your sources, you automatically get upgraded once a new stable version is released (and probably the symlinks are changed).


    If you use the codename you stay with whatever release you are using (and can even follow it from testing to oldstable).


    P.S.: I am not OP. I hope I didn't confuse anybody. :)

    • Official Post

    The only page I found anything about stable-security is a German Debian Wiki, but I don't think you can declare this as official or it's outdated.

    This is the best I know of - https://github.com/mvo5/unattended-upgrades


    • Official Post

    There is indeed a stable-security repo, but I don't think it is a wise decision to configure this in the APT source lists because stable can become oldstable after a new release and this will break your APT configuration. Using <RELEASE_NAME>-security is safer and mentioned in the official docs.


    References:

    - https://manpages.debian.org/bo…SRC_TYPES:_GENERAL_FORMAT

    - https://wiki.debian.org/SourcesList#Example_sources.list

    - https://wiki.debian.org/LTS/Using

    • Official Post

    Agreed. The link I posted confirms that you should use the lsb_release value.

    Variable substitution is supported for ${distro_id} that contains the output of lsb_release -i and ${distro_codename} that contains the output of lsb_release -c.

    Example:

    Code
    Unattended-Upgrade::Allowed-Origins {
        "${distro_id}:${distro_codename}-security";
    };


  • Could you please run

    Code
    # apt-cache policy openssh-client

    and post the output here.

    Mine looks similar to yours but slightly different:

    Code
    openssh-client:
      Installed: 1:9.2p1-2+deb12u2
      Candidate: 1:9.2p1-2+deb12u2
      Version table:
         1:9.2p1-2+deb12u3 500
            500 http://security.debian.org/debian-security bookworm-security/main amd64 Packages
     *** 1:9.2p1-2+deb12u2 990
            990 https://deb.debian.org/debian bookworm/main amd64 Packages
            100 /var/lib/dpkg/status
    Quote


    Could you please post the APT package list configuration that is configuring stable-security?

    Sorry, I'm not familiar. Where do I find that? I should mention that this install was first on OMV 5 then upgraded to OMV 6 then to OMV 7. Should I run something to try and reset my sources?

  • The config file on my system (/etc/apt/apt.conf.d/95openmediavault-unattended-upgrades) says:

    Code
    Unattended-Upgrade::Origins-Pattern {
    "origin=Debian,codename=${distro_codename},label=Debian-Security";
    "origin=Debian,codename=${distro_codename}-security,label=Debian-Security";
    };

    Mine reads the same as yours

    • Official Post

    Mine looks similar to yours but slightly different:

    Code
    openssh-client:
      Installed: 1:9.2p1-2+deb12u2
      Candidate: 1:9.2p1-2+deb12u2
      Version table:
         1:9.2p1-2+deb12u3 500
            500 http://security.debian.org/debian-security bookworm-security/main amd64 Packages
     *** 1:9.2p1-2+deb12u2 990
            990 https://deb.debian.org/debian bookworm/main amd64 Packages
            100 /var/lib/dpkg/status

    Sorry, I'm not familiar. Where do I find that? I should mention that this install was first on OMV 5 then upgraded to OMV 6 then to OMV 7. Should I run something to try and reset my sources?

    The package is held back because it has a lower priority (500) than the package that is coming from the main repo (990).
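
Added example, not part of the original posts: a small parser for `apt-cache policy <package>` output that reports when a version from a `-security` suite is listed but loses candidate selection to a version with a higher pin priority, as in the output quoted above. The function names are hypothetical, and the check assumes the version table is listed newest first.

```python
import re

# Constructed sample: the held-back `apt-cache policy openssh-client` output quoted in the thread.
HELD_BACK = """\
openssh-client:
  Installed: 1:9.2p1-2+deb12u2
  Candidate: 1:9.2p1-2+deb12u2
  Version table:
     1:9.2p1-2+deb12u3 500
        500 http://security.debian.org/debian-security bookworm-security/main amd64 Packages
 *** 1:9.2p1-2+deb12u2 990
        990 https://deb.debian.org/debian bookworm/main amd64 Packages
        100 /var/lib/dpkg/status
"""

def _is_int(token):
    return re.fullmatch(r"-?\d+", token) is not None

def parse_policy(text):
    """Parse one package's `apt-cache policy` output into header fields and a version table."""
    info = {"installed": None, "candidate": None, "versions": []}
    in_table = False
    for line in text.splitlines():
        tokens = [t for t in line.split() if t != "***"]  # drop the installed-version marker
        if not tokens:
            continue
        if not in_table:
            if tokens[0] in ("Installed:", "Candidate:") and len(tokens) > 1:
                info[tokens[0][:-1].lower()] = tokens[1]
            in_table = tokens[:2] == ["Version", "table:"]
        elif len(tokens) == 2 and _is_int(tokens[1]):      # "<version> <pin priority>"
            info["versions"].append({"version": tokens[0], "priority": int(tokens[1]), "suites": []})
        elif info["versions"] and _is_int(tokens[0]) and len(tokens) > 1:
            # "<priority> <uri> <suite/component> ..." or "<priority> /var/lib/dpkg/status"
            info["versions"][-1]["suites"].append(tokens[2] if len(tokens) > 2 else tokens[1])
    return info

def security_versions_not_selected(info):
    """List security-suite versions that sit above the candidate in the table (newer, not chosen)."""
    cand = next((v for v in info["versions"] if v["version"] == info["candidate"]), None)
    findings = []
    for v in info["versions"]:
        if cand is None or v is cand:
            break
        if any(s.split("/")[0].endswith("-security") for s in v["suites"]):
            findings.append((v["version"], v["priority"], cand["priority"]))
    return findings

if __name__ == "__main__":
    for version, prio, cand_prio in security_versions_not_selected(parse_policy(HELD_BACK)):
        print(f"security version {version} (priority {prio}) loses to candidate at priority {cand_prio}")
```

A non-empty result points at pin priorities rather than at the Origins-Pattern; apt assigns priority 990 to versions in the target release, so `APT::Default-Release` and the files under `/etc/apt/preferences.d/` are the places to check.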

  • What is the output of


    Bash
    # cat /etc/apt/preferences.d/*

    Here it is:

