1794644 – dnf upgrade --security does not install all available security updates

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1794644 - dnf upgrade --security does not install all available security updates

Summary: dnf upgrade --security does not install all available security updates

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 8
Classification:	Red Hat
Component:	dnf
Sub Component:
Version:	8.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	high
Severity:	high
Target Milestone:	rc
Target Release:	8.0
Assignee:	Marek Blaha
QA Contact:	Eva Mrakova
Docs Contact:
URL:
Whiteboard:
Depends On:	1770125
Blocks:
TreeView+	depends on / blocked

Reported:	2020-01-24 08:19 UTC by Jaroslav Mracek
Modified:	2023-02-12 20:54 UTC (History)
CC List:	13 users (show)
Fixed In Version:	libdnf-0.39.1-5.el8
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:	1770125
Environment:
Last Closed:	2020-04-28 16:49:13 UTC
Type:	Bug
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Issue Tracker	RHELPLAN-37148	0	None	None	None	2023-02-12 20:54:06 UTC
Red Hat Product Errata	RHBA-2020:1823	0	None	None	None	2020-04-28 16:49:22 UTC

Description Jaroslav Mracek 2020-01-24 08:19:59 UTC

+++ This bug was initially created as a clone of Bug #1770125 +++

Description of problem:

$ dnf updateinfo --security
Last metadata expiration check: 0:00:22 ago on Fri 08 Nov 2019 18:27:27 AEST.
Updates Information Summary: available
    1 Security notice(s)
        1 Moderate Security notice(s)

$ sudo dnf upgrade --security 
Last metadata expiration check: 0:09:42 ago on Fri 08 Nov 2019 18:18:27 AEST.
No security updates needed, but 225 updates available
Dependencies resolved.
Nothing to do.
Complete!

Version-Release number of selected component (if applicable):
$ rpm -q dnf
dnf-4.2.11-2.fc30.noarch

How reproducible:
always

Steps to Reproduce:
1. install F30
2. dnf upgrade --security
3. dnf updateinfo --security
4. dnf upgrade --security

Actual results:
some security updates are not applied

Expected results:
all security updates are applied

Additional info:
same story for bugfix updates

--- Additional comment from Marek Blaha on 2019-11-11 13:41:47 UTC ---

This could occur due to non installability of given security update.
You can check details about security updates found using command `dnf updateinfo list --security`

Then please add --best option to the upgrade command (`dnf upgrade --security --best`) to enforce using only the latest versions of packages. Then you could see that some updates cannot be installed and error message with more details why the package is not installable - usually some conflict is the cause.

There is also possibility, that security advisory is not installable because the package with update is not available in any of enabled repositories. This is usually the case for *-debuginfo or *-debugsource packages. In this case you need to enable *-debuginfo repositories (e.g. by adding --enablerepo=*-debuginfo switch: `dnf upgrade --security --best --enablerepo=*-debuginfo`).

--- Additional comment from  on 2019-11-11 17:00:52 UTC ---

You are correct. The security package that does not install is kernel-5.3.6, which I understand has been problematic, though the kernel currently installed is kernel-5.0.9. Manual updating of the kernel works.

I still have some bugfix updates that are not picked up by dnf upgrade --bugfix. They can be manually installed, with the exception of tracker, the version of which listed on updateinfo list --bugfix being the version currently installed.

$ dnf updateinfo list -q --security
FEDORA-2019-ab7d22a466 Moderate/Sec. gd-2.2.5-9.fc30.x86_64
FEDORA-2019-057d691fd4 Moderate/Sec. kernel-5.3.6-200.fc30.x86_64
FEDORA-2019-057d691fd4 Moderate/Sec. kernel-core-5.3.6-200.fc30.x86_64
FEDORA-2019-057d691fd4 Moderate/Sec. kernel-modules-5.3.6-200.fc30.x86_64
FEDORA-2019-057d691fd4 Moderate/Sec. kernel-modules-extra-5.3.6-200.fc30.x86_64
FEDORA-2019-e99b716a92 Moderate/Sec. python3-unbound-1.9.4-1.fc30.x86_64
FEDORA-2019-e99b716a92 Moderate/Sec. unbound-libs-1.9.4-1.fc30.x86_64

$ sudo dnf upgrade --security --best
Last metadata expiration check: 0:30:37 ago on Tue 12 Nov 2019 01:47:52 AEST.
Dependencies resolved.
================================================================================
 Package                Architecture  Version              Repository      Size
================================================================================
Upgrading:
 gd                     x86_64        2.2.5-9.fc30         updates        131 k
 python3-unbound        x86_64        1.9.4-1.fc30         updates        104 k
 unbound-libs           x86_64        1.9.4-1.fc30         updates        498 k

Transaction Summary
================================================================================
Upgrade  3 Packages

Total download size: 734 k
Is this ok [y/N]: 
Operation aborted.

$ dnf updateinfo list -q --bugfix
FEDORA-2019-f4eb34cf4c bugfix gjs-1.56.2-1.fc30.x86_64
FEDORA-2019-57b5902ed1 bugfix gjs-1.56.2-6.fc30.x86_64
FEDORA-2019-f4eb34cf4c bugfix glib-networking-2.60.2-1.fc30.x86_64
FEDORA-2019-00d46ae95b bugfix glib-networking-2.60.3-1.fc30.x86_64
FEDORA-2019-f4eb34cf4c bugfix gnome-calendar-3.32.1-1.fc30.x86_64
FEDORA-2019-ff0223e2ca bugfix gnome-calendar-3.32.2-5.fc30.x86_64
FEDORA-2019-f4eb34cf4c bugfix gnome-maps-3.32.2-1.fc30.x86_64
FEDORA-2019-f753065e96 bugfix gnome-maps-3.32.2.1-1.fc30.x86_64
FEDORA-2019-f4eb34cf4c bugfix gnome-software-3.32.2-1.fc30.x86_64
FEDORA-2019-48c225e982 bugfix gnome-software-3.32.4-3.fc30.x86_64
FEDORA-2019-f4eb34cf4c bugfix libdazzle-3.32.2-1.fc30.x86_64
FEDORA-2019-e5389b8e30 bugfix libdazzle-3.32.3-1.fc30.x86_64
FEDORA-2019-f7675395b8 bugfix libgee-0.20.1-5.fc30.x86_64
FEDORA-2019-3341c2ef96 bugfix libgee-0.20.2-1.fc30.x86_64
FEDORA-2019-f4eb34cf4c bugfix nautilus-3.32.1-1.fc30.x86_64
FEDORA-2019-2537cde88a bugfix nautilus-3.32.3-1.fc30.x86_64
FEDORA-2019-f4eb34cf4c bugfix nautilus-extensions-3.32.1-1.fc30.x86_64
FEDORA-2019-2537cde88a bugfix nautilus-extensions-3.32.3-1.fc30.x86_64
FEDORA-2019-b934acd8ae bugfix tracker-2.2.2-1.fc30.x86_64

$ sudo dnf upgrade --bugfix --best
Last metadata expiration check: 0:22:49 ago on Tue 12 Nov 2019 01:47:52 AEST.
No security updates needed, but 227 updates available
Dependencies resolved.
Nothing to do.
Complete!

$ sudo dnf upgrade --best $(dnf updateinfo list -q --bugfix | cut -d' ' -f3)
Last metadata expiration check: 0:28:19 ago on Tue 12 Nov 2019 01:47:52 AEST.
No match for argument: gjs-1.56.2-1.fc30.x86_64
No match for argument: glib-networking-2.60.2-1.fc30.x86_64
No match for argument: gnome-calendar-3.32.1-1.fc30.x86_64
No match for argument: gnome-maps-3.32.2-1.fc30.x86_64
No match for argument: gnome-software-3.32.2-1.fc30.x86_64
No match for argument: libdazzle-3.32.2-1.fc30.x86_64
No match for argument: libgee-0.20.1-5.fc30.x86_64
No match for argument: nautilus-3.32.1-1.fc30.x86_64
No match for argument: nautilus-extensions-3.32.1-1.fc30.x86_64
No match for argument: tracker-2.2.2-1.fc30.x86_64
Dependencies resolved.
================================================================================
 Package                  Arch        Version                Repository    Size
================================================================================
Upgrading:
 gjs                      x86_64      1.56.2-6.fc30          updates      418 k
 glib-networking          x86_64      2.60.3-1.fc30          updates      141 k
 gnome-calendar           x86_64      3.32.2-5.fc30          updates      561 k
 gnome-maps               x86_64      3.32.2.1-1.fc30        updates      636 k
 gnome-software           x86_64      3.32.4-3.fc30          updates       15 M
 libdazzle                x86_64      3.32.3-1.fc30          updates      395 k
 libgee                   x86_64      0.20.2-1.fc30          updates      254 k
 nautilus                 x86_64      3.32.3-1.fc30          updates      2.6 M
 nautilus-extensions      x86_64      3.32.3-1.fc30          updates       33 k

Transaction Summary
================================================================================
Upgrade  9 Packages

Total download size: 20 M
Is this ok [y/N]: 
Operation aborted.

$ rpm -q tracker
tracker-2.2.1-1.fc30.x86_64

--- Additional comment from Marek Blaha on 2019-11-12 06:40:00 UTC ---

Kernel is sort of specific - updateinfo used to print advisories for all installed kernels but this has changed recently and only advisories for the newest installed version of the kernel plus advisories for the running  kernel are printed. So you will receive security advisories until you reboot with the latest kernel.

As far as bugfixes are concerned - partly that is the nature of fedora-updates repository. You have only the latest update available in the repo. But on the other hand installing of gjs-1.56.2-6.fc30.x86_64 will resolve also advisories for older version (FEDORA-2019-f4eb34cf4c bugfix gjs-1.56.2-1.fc30.x86_64).

What does need closer look is why `sudo dnf upgrade --bugfix --best` does not want to install any packages although there are upgrades available. Can you please provide the currently installed versions of those packages (rpm -q gjs glib-networking gnome-calendar...) so I could try to reproduce the issue and hopefully resolve it.

--- Additional comment from  on 2019-11-12 06:57:52 UTC ---

The versions are just those that ship with F30. I'm running in Boxes and haven't updated these (and a bunch of other) packages yet.

$ rpm -q gjs glib-networking gnome-calendar gnome-maps gnome-software libdazzle libgee nautilus nautilus-extensions tracker
gjs-1.56.1-1.fc30.x86_64
glib-networking-2.60.1-2.fc30.x86_64
gnome-calendar-3.32.0-1.fc30.x86_64
gnome-maps-3.32.1-2.fc30.x86_64
gnome-software-3.32.1-2.fc30.x86_64
libdazzle-3.32.1-2.fc30.x86_64
libgee-0.20.1-4.fc30.x86_64
nautilus-3.32.0-1.fc30.x86_64
nautilus-extensions-3.32.0-1.fc30.x86_64
tracker-2.2.1-1.fc30.x86_64

--- Additional comment from Marek Blaha on 2019-11-12 07:11:21 UTC ---

Thanks! I'll look into it.

--- Additional comment from Marek Blaha on 2020-01-21 10:38:44 UTC ---

PR https://github.com/rpm-software-management/libdnf/pull/883 fixes upgrading packages using security advisories.

Comment 12 errata-xmlrpc 2020-04-28 16:49:13 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:1823

Note You need to log in before you can comment on or make changes to this bug.