
Like many security professionals, I use automation to watch for issues in the systems I maintain.

Recently (see "The following security updates require Ubuntu Pro with 'esm-apps' enabled: Learn more about Ubuntu Pro") I noticed that the automated security updates for Ubuntu were bricking HP laptops, so I started doing manual updates on a few of the affected models to try to understand what was going on. That's when I noticed messages from Canonical's "Ubuntu Pro" about security patches being held back. Let's look into this in more detail:

Let's look at Ubuntu "22.04.1 LTS (Jammy Jellyfish)".

Running sudo apt upgrade gets us (non-relevant output removed):

The following security updates require Ubuntu Pro with 'esm-apps' enabled:
 libopenexr25 libmagickcore-6.q16-6-extra libmagickwand-6.q16-6
 libmagickcore-6.q16-6 imagemagick-6-common
Learn more about Ubuntu Pro at https://ubuntu.com/pro

which was a surprise, because the packages that are held back:

  • do not appear in any of the logs in /var/log, and especially not in /var/log/apt/*.log
  • are not listed when one runs 'apt list --upgradable'
  • are not listed when one runs apt-get -u upgrade --assume-no
  • do not appear with apt-get upgrade
  • are not part of the upgrades logged by unattended-upgrades (/etc/apt/apt.conf.d/50unattended-upgrades)

So what's going on? Why are we no longer being notified about these security upgrades? And looking at the upgrades themselves, they seem serious, as they mention code injection via TIFF or PDF files.

The first thing we need to do is find out which security packages are held back. Since these don't appear in any of the logs and don't show up with the standard --upgradable listing, we need to parse them out of the apt command output.

# --assume-no answers apt's confirmation prompt with "no", so this is safe to run unattended;
# awk keeps the lines from the "require Ubuntu Pro" header to the "Learn more" footer, sed drops both
HELD_BACK_BY_PRO=$(sudo apt -q upgrade --assume-no | awk '/require Ubuntu Pro/,/Learn more/' | sed -e '/Ubuntu Pro/d')

This gets us the list of packages that are held back, and we can script something to let us know when that happens.
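As an added example (not code from the original post), here is a POSIX shell script that turns the parsing above into a check whose exit status a cron job or monitoring agent can alert on; the apt output it runs against is a constructed sample modelled on the message shown above.

```shell
#!/bin/sh
# Added example, not code from the original post: parse the "require Ubuntu Pro"
# block out of apt's output and turn it into a check that cron or a monitoring
# agent can alert on. The apt output used below is a constructed sample modelled
# on the message format shown in the post.

# Read apt output on stdin and print one held-back package name per line.
parse_pro_held_packages() {
    awk '
        /require Ubuntu Pro/          { inblock = 1; next }  # header line: block starts
        /Learn more about Ubuntu Pro/ { inblock = 0 }        # footer line: block ends
        inblock { for (i = 1; i <= NF; i++) print $i }       # names are space-separated
    '
}

# Print a notice and return 1 when anything is held back, 0 otherwise, so the
# exit status can drive an alert. Reads apt output on stdin.
report_pro_held() {
    held=$(parse_pro_held_packages)
    if [ -n "$held" ]; then
        printf 'WARNING: %s security update(s) held back behind Ubuntu Pro (esm-apps):\n' \
            "$(printf '%s\n' "$held" | wc -l | tr -d ' ')"
        printf '%s\n' "$held" | sed 's/^/  /'
        return 1
    fi
    echo "OK: no security updates held back by Ubuntu Pro"
    return 0
}

# Constructed sample of "apt -q upgrade --assume-no" output (not a real capture).
SAMPLE_APT_OUTPUT=$(cat <<'EOF'
Reading package lists...
Building dependency tree...
Reading state information...
Calculating upgrade...
The following security updates require Ubuntu Pro with 'esm-apps' enabled:
  libopenexr25 libmagickcore-6.q16-6-extra libmagickwand-6.q16-6
  libmagickcore-6.q16-6 imagemagick-6-common
Learn more about Ubuntu Pro at https://ubuntu.com/pro
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
EOF
)

# Real use: sudo apt -q upgrade --assume-no 2>/dev/null | report_pro_held
status=0
printf '%s\n' "$SAMPLE_APT_OUTPUT" | report_pro_held || status=$?
echo "exit status: $status"   # 1 here, because five packages are held back
```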