Bug 160968 - rhn_applet wrongly shows no updates needed
Status: CLOSED WONTFIX
Product: Fedora
Classification: Fedora
Component: rhn-applet
Version: 4
Hardware: x86_64 Linux
Priority: medium
Severity: medium
Assigned To: Robin Norwood
QA Contact: Beth Nackashi
Keywords: Security
Reported: 2005-06-19 07:16 EDT by Andrew Gormanly
Modified: 2007-11-30 17:11 EST
Doc Type: Bug Fix
Last Closed: 2006-11-05 11:33:45 EST


Description Andrew Gormanly 2005-06-19 07:16:18 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.7.8) Gecko/20050524 Fedora/1.0.4-4 Firefox/1.0.4

Description of problem:
rhn-applet shows the system as fully up-to-date when it is not.

Version-Release number of selected component (if applicable):
rhn-applet-2.1.17-3

How reproducible:
Always

Steps to Reproduce:
1. Look at rhn-applet
2. Run yum update

Actual Results:  On a clean install of FC4-x86_64, rhn-applet shows the system as fully up to date, with a nice, reassuring blue tick.

yum shows 53 packages out of date, some with security issues (remote DoS)

Expected Results:  rhn-applet does its job, and shows the user when updates are available.

Additional info:

This is a security issue: most users of FC rely on this applet to let them know when updates are available.

If users are given the impression (by the big, safe, blue tick!) that there are no updates which need to be applied they will be put at risk.  This needs to be fixed before there's something really nasty like a big hole in firefox.

There's already one remote DoS in spamassassin and 2 in gaim being hidden from users by this false reassurance, the latter of which I suspect will go largely unnoticed until this rhn_applet bug is fixed.  Most people don't subscribe to the -announce list...
Comment 1 Paul Howarth 2005-06-20 08:47:41 EDT
This appears to be a dupe of bug #160921, which is probably a result of bug #160873.
Comment 2 Andrew Gormanly 2005-06-20 10:12:32 EDT
You're right, but this is definitely a security bug - something which the other
2 reports don't address.  (Think how many users look at the rhn-applet
tick/exclamation point as their sole vector for security info...)
Comment 3 Hans de Goede 2005-06-29 07:46:04 EDT
This is definitely a dup of bug 160873, resolve as such please.
Comment 4 David A. Cafaro 2005-09-02 11:17:37 EDT
I have also seen this problem with all four Fedora Core 4 installs I've done.
The first two were upgrades from FC2 so I thought it was something just hosed
because of that.  The second two installs were new installs on bare machines and
both are showing the same symptom.  The network alert applet fails to see any
updates.  I have verified that they are registered (at least according to the gui
tools) and I've manually run check for updates with no change.  Running yum
update shows that there are over 100 updates waiting to be downloaded and
installed, yet all I see is the nice little blue check icon saying all clear.
Comment 5 John Thacker 2006-10-29 17:37:32 EST
rhn-applet was replaced by pirut and pup (package pirut) as of FC5.  Only FC5
and FC6 are currently fully supported; FC3 and FC4 are supported for security
fixes only.  If this bug occurs in FC3 or FC4 and is a security bug, please
change the product to Fedora Extras and the version to match.  If you can verify
that the bug exists in RHEL as well, please change the product and version
appropriately.

The codebase for pirut and pup is quite different, but if a similar bug exists
in pirut and pup in FC5 or FC6, please change the product to pirut and the
version appropriately and update the bug report.

We apologize that the bug was not fixed before now.  The status will be changed
to NEEDINFO, and if the bug is not updated with evidence that it is a security
bug or a bug that affects RHEL, it will be closed.

Note that rhn-applet may still be present on upgraded systems, and in general
will not function correctly on such systems.  That is not a bug; anaconda does
not generally erase removed packages upon upgrades.
Comment 6 John Thacker 2006-11-05 11:33:45 EST
Closing per previous comment.
