Bug 1794644 - dnf upgrade --security does not install all available security updates
Summary: dnf upgrade --security does not install all available security updates
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: dnf
Version: 8.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
: 8.0
Assignee: Marek Blaha
QA Contact: Eva Mrakova
Depends On: 1770125
TreeView+ depends on / blocked
Reported: 2020-01-24 08:19 UTC by Jaroslav Mracek
Modified: 2020-04-28 16:49 UTC (History)
13 users (show)

Fixed In Version: libdnf-0.39.1-5.el8
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1770125
Last Closed: 2020-04-28 16:49:13 UTC
Type: Bug
Target Upstream Version:

Attachments (Terms of Use)

System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2020:1823 None None None 2020-04-28 16:49:22 UTC

Description Jaroslav Mracek 2020-01-24 08:19:59 UTC
+++ This bug was initially created as a clone of Bug #1770125 +++

Description of problem:

$ dnf updateinfo --security
Last metadata expiration check: 0:00:22 ago on Fri 08 Nov 2019 18:27:27 AEST.
Updates Information Summary: available
    1 Security notice(s)
        1 Moderate Security notice(s)

$ sudo dnf upgrade --security 
Last metadata expiration check: 0:09:42 ago on Fri 08 Nov 2019 18:18:27 AEST.
No security updates needed, but 225 updates available
Dependencies resolved.
Nothing to do.

Version-Release number of selected component (if applicable):
$ rpm -q dnf

How reproducible:

Steps to Reproduce:
1. install F30
2. dnf upgrade --security
3. dnf updateinfo --security
4. dnf upgrade --security

Actual results:
some security updates are not applied

Expected results:
all security updates are applied

Additional info:
same story for bugfix updates

--- Additional comment from Marek Blaha on 2019-11-11 13:41:47 UTC ---

This could occur due to non installability of given security update.
You can check details about security updates found using command `dnf updateinfo list --security`

Then please add --best option to the upgrade command (`dnf upgrade --security --best`) to enforce using only the latest versions of packages. Then you could see that some updates cannot be installed and error message with more details why the package is not installable - usually some conflict is the cause.

There is also possibility, that security advisory is not installable because the package with update is not available in any of enabled repositories. This is usually the case for *-debuginfo or *-debugsource packages. In this case you need to enable *-debuginfo repositories (e.g. by adding --enablerepo=*-debuginfo switch: `dnf upgrade --security --best --enablerepo=*-debuginfo`).

--- Additional comment from  on 2019-11-11 17:00:52 UTC ---

You are correct. The security package that does not install is kernel-5.3.6, which I understand has been problematic, though the kernel currently installed is kernel-5.0.9. Manual updating of the kernel works.

I still have some bugfix updates that are not picked up by dnf upgrade --bugfix. They can be manually installed, with the exception of tracker, the version of which listed on updateinfo list --bugfix being the version currently installed.

$ dnf updateinfo list -q --security
FEDORA-2019-ab7d22a466 Moderate/Sec. gd-2.2.5-9.fc30.x86_64
FEDORA-2019-057d691fd4 Moderate/Sec. kernel-5.3.6-200.fc30.x86_64
FEDORA-2019-057d691fd4 Moderate/Sec. kernel-core-5.3.6-200.fc30.x86_64
FEDORA-2019-057d691fd4 Moderate/Sec. kernel-modules-5.3.6-200.fc30.x86_64
FEDORA-2019-057d691fd4 Moderate/Sec. kernel-modules-extra-5.3.6-200.fc30.x86_64
FEDORA-2019-e99b716a92 Moderate/Sec. python3-unbound-1.9.4-1.fc30.x86_64
FEDORA-2019-e99b716a92 Moderate/Sec. unbound-libs-1.9.4-1.fc30.x86_64

$ sudo dnf upgrade --security --best
Last metadata expiration check: 0:30:37 ago on Tue 12 Nov 2019 01:47:52 AEST.
Dependencies resolved.
 Package                Architecture  Version              Repository      Size
 gd                     x86_64        2.2.5-9.fc30         updates        131 k
 python3-unbound        x86_64        1.9.4-1.fc30         updates        104 k
 unbound-libs           x86_64        1.9.4-1.fc30         updates        498 k

Transaction Summary
Upgrade  3 Packages

Total download size: 734 k
Is this ok [y/N]: 
Operation aborted.

$ dnf updateinfo list -q --bugfix
FEDORA-2019-f4eb34cf4c bugfix gjs-1.56.2-1.fc30.x86_64
FEDORA-2019-57b5902ed1 bugfix gjs-1.56.2-6.fc30.x86_64
FEDORA-2019-f4eb34cf4c bugfix glib-networking-2.60.2-1.fc30.x86_64
FEDORA-2019-00d46ae95b bugfix glib-networking-2.60.3-1.fc30.x86_64
FEDORA-2019-f4eb34cf4c bugfix gnome-calendar-3.32.1-1.fc30.x86_64
FEDORA-2019-ff0223e2ca bugfix gnome-calendar-3.32.2-5.fc30.x86_64
FEDORA-2019-f4eb34cf4c bugfix gnome-maps-3.32.2-1.fc30.x86_64
FEDORA-2019-f753065e96 bugfix gnome-maps-
FEDORA-2019-f4eb34cf4c bugfix gnome-software-3.32.2-1.fc30.x86_64
FEDORA-2019-48c225e982 bugfix gnome-software-3.32.4-3.fc30.x86_64
FEDORA-2019-f4eb34cf4c bugfix libdazzle-3.32.2-1.fc30.x86_64
FEDORA-2019-e5389b8e30 bugfix libdazzle-3.32.3-1.fc30.x86_64
FEDORA-2019-f7675395b8 bugfix libgee-0.20.1-5.fc30.x86_64
FEDORA-2019-3341c2ef96 bugfix libgee-0.20.2-1.fc30.x86_64
FEDORA-2019-f4eb34cf4c bugfix nautilus-3.32.1-1.fc30.x86_64
FEDORA-2019-2537cde88a bugfix nautilus-3.32.3-1.fc30.x86_64
FEDORA-2019-f4eb34cf4c bugfix nautilus-extensions-3.32.1-1.fc30.x86_64
FEDORA-2019-2537cde88a bugfix nautilus-extensions-3.32.3-1.fc30.x86_64
FEDORA-2019-b934acd8ae bugfix tracker-2.2.2-1.fc30.x86_64

$ sudo dnf upgrade --bugfix --best
Last metadata expiration check: 0:22:49 ago on Tue 12 Nov 2019 01:47:52 AEST.
No security updates needed, but 227 updates available
Dependencies resolved.
Nothing to do.

$ sudo dnf upgrade --best $(dnf updateinfo list -q --bugfix | cut -d' ' -f3)
Last metadata expiration check: 0:28:19 ago on Tue 12 Nov 2019 01:47:52 AEST.
No match for argument: gjs-1.56.2-1.fc30.x86_64
No match for argument: glib-networking-2.60.2-1.fc30.x86_64
No match for argument: gnome-calendar-3.32.1-1.fc30.x86_64
No match for argument: gnome-maps-3.32.2-1.fc30.x86_64
No match for argument: gnome-software-3.32.2-1.fc30.x86_64
No match for argument: libdazzle-3.32.2-1.fc30.x86_64
No match for argument: libgee-0.20.1-5.fc30.x86_64
No match for argument: nautilus-3.32.1-1.fc30.x86_64
No match for argument: nautilus-extensions-3.32.1-1.fc30.x86_64
No match for argument: tracker-2.2.2-1.fc30.x86_64
Dependencies resolved.
 Package                  Arch        Version                Repository    Size
 gjs                      x86_64      1.56.2-6.fc30          updates      418 k
 glib-networking          x86_64      2.60.3-1.fc30          updates      141 k
 gnome-calendar           x86_64      3.32.2-5.fc30          updates      561 k
 gnome-maps               x86_64        updates      636 k
 gnome-software           x86_64      3.32.4-3.fc30          updates       15 M
 libdazzle                x86_64      3.32.3-1.fc30          updates      395 k
 libgee                   x86_64      0.20.2-1.fc30          updates      254 k
 nautilus                 x86_64      3.32.3-1.fc30          updates      2.6 M
 nautilus-extensions      x86_64      3.32.3-1.fc30          updates       33 k

Transaction Summary
Upgrade  9 Packages

Total download size: 20 M
Is this ok [y/N]: 
Operation aborted.

$ rpm -q tracker

--- Additional comment from Marek Blaha on 2019-11-12 06:40:00 UTC ---

Kernel is sort of specific - updateinfo used to print advisories for all installed kernels but this has changed recently and only advisories for the newest installed version of the kernel plus advisories for the running  kernel are printed. So you will receive security advisories until you reboot with the latest kernel.

As far as bugfixes are concerned - partly that is the nature of fedora-updates repository. You have only the latest update available in the repo. But on the other hand installing of gjs-1.56.2-6.fc30.x86_64 will resolve also advisories for older version (FEDORA-2019-f4eb34cf4c bugfix gjs-1.56.2-1.fc30.x86_64).

What does need closer look is why `sudo dnf upgrade --bugfix --best` does not want to install any packages although there are upgrades available. Can you please provide the currently installed versions of those packages (rpm -q gjs glib-networking gnome-calendar...) so I could try to reproduce the issue and hopefully resolve it.

--- Additional comment from  on 2019-11-12 06:57:52 UTC ---

The versions are just those that ship with F30. I'm running in Boxes and haven't updated these (and a bunch of other) packages yet.

$ rpm -q gjs glib-networking gnome-calendar gnome-maps gnome-software libdazzle libgee nautilus nautilus-extensions tracker

--- Additional comment from Marek Blaha on 2019-11-12 07:11:21 UTC ---

Thanks! I'll look into it.

--- Additional comment from Marek Blaha on 2020-01-21 10:38:44 UTC ---

PR https://github.com/rpm-software-management/libdnf/pull/883 fixes upgrading packages using security advisories.

Comment 12 errata-xmlrpc 2020-04-28 16:49:13 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.