This bug was fixed in the package apt - 2.8.3
---------------
apt (2.8.3) noble; urgency=medium

  * Revert increased key size requirements from 2.8.0-2.8.2 (LP: #2073126)
    - Revert "Only install 00-temporary-rsa1024 for >=2.7.6 and improve comment"
    - Revert "Only warn about <rsa2048 when upgrading from 2.7.x to 2.8.x"
    - Revert rsa1024 to warnings again
    This leaves the mechanisms in place and no longer warns about NIST curves.
  * Fix keeping back removals of obsolete packages; and return an error if
    ResolveByKeep() is unsuccessful (LP: #2078720)
  * Fix buffer overflow, stack overflow, exponential complexity in
    apt-ftparchive Contents generation (LP: #2083697)
    - ftparchive: Mystrdup: Add safety check and bump buffer size
    - ftparchive: contents: Avoid exponential complexity and overflows
    - test framework: Improve valgrind support
    - test: Check that apt-ftparchive handles deep paths
    - Workaround valgrind "invalid read" in ExtractTar::Go by moving large
      buffer from stack to heap. The large buffer triggered some bugs in
      valgrind stack clash protection handling.

apt (2.8.2) noble; urgency=medium

  * Only install 00-temporary-rsa1024 for >=2.7.6 and improve comment
    (follow-up for LP: #2073126)

apt (2.8.1) noble; urgency=medium

  * Only revoke weak RSA keys for now, add 'next' and 'future' levels
    (backported from 2.9.7)
    Note that the changes to warn about keys not matching the future level
    in the --audit level are not fully included, as the --audit feature
    has not yet been backported. (LP: #2073126)
  * Introduce further mitigation on upgrades from 2.7.x to allow these
    systems to continue using rsa1024 repositories with warnings
    until the 24.04.2 point release (LP: #2073126)

apt (2.8.0) noble; urgency=medium

  [ Julian Andres Klode ]
  * Revert "Temporarily downgrade key assertions to "soon worthless""
    We temporarily downgraded the errors to warnings to give the
    launchpad PPAs time to be fixed, but warnings are not safe:
    Untrusted keys could be hiding on your system, but just not
    used at the moment. Hence revert this so we get the errors we
    want. (LP: #2060721)
  * Branch off the stable 2.8.y branch for noble:
    - CI: Test in ubuntu:noble images for 2.8.y
    - debian/gbp.conf: Point at the 2.8.y branch

  [ David Kalnischkies ]
  * Test suite fixes:
    - Avoid subshell hiding failure report from testfilestats
    - Ignore umask of leftover diff_Index in failed pdiff test
  * Documentation translation fixes:
    - Fix and unfuzzy previous VCG/Graphviz URI change

 -- Julian Andres Klode <[email protected]>  Tue, 22 Oct 2024 15:02:22 +0200

** Changed in: apt (Ubuntu Noble)
Status: Fix Committed => Fix Released
--
https://bugs.launchpad.net/bugs/2078720

Title:
  Upgrading from jammy to noble results in a linux-headers package being
  in a broken state

Status in apt package in Ubuntu:
  Fix Released
Status in linux-aws package in Ubuntu:
  Confirmed
Status in linux-gcp package in Ubuntu:
  Confirmed
Status in ubuntu-release-upgrader package in Ubuntu:
  Fix Released
Status in apt source package in Jammy:
  Fix Released
Status in linux-aws source package in Jammy:
  New
Status in linux-gcp source package in Jammy:
  New
Status in apt source package in Noble:
  Fix Released
Status in linux-aws source package in Noble:
  New
Status in linux-gcp source package in Noble:
  New
Status in ubuntu-release-upgrader source package in Noble:
  Fix Released

Bug description:
(For APT SRU versioning, see https://wiki.ubuntu.com/AptUpdates)
[Impact]
Obsolete packages can be removed despite still having reverse dependencies
installed, for example:
Now that 24.04.1 has been released, 22.04 users are encouraged to upgrade to
24.04 via the `do-release-upgrade` command. This issue was seen whilst testing
this upgrade path.
Upgrading and later rebooting a jammy GCP instance results in
`linux-headers-6.5.0-1025-gcp` being in a broken state.
```
$ sudo apt install
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
You might want to run 'apt --fix-broken install' to correct these.
The following packages have unmet dependencies:
linux-headers-6.5.0-1025-gcp : Depends: linux-gcp-6.5-headers-6.5.0-1025 but
it is not installable
E: Unmet dependencies. Try 'apt --fix-broken install' with no packages (or
specify a solution).
```
`linux-gcp-6.5-headers-6.5.0-1025` is a dependency of
`linux-image-6.5.0-1025-gcp` which is also not removed during the upgrade.
```
$ apt-cache rdepends linux-headers-6.5.0-1025-gcp
linux-headers-6.5.0-1025-gcp
Reverse Depends:
linux-image-6.5.0-1025-gcp
$ apt-cache rdepends linux-image-6.5.0-1025-gcp
linux-image-6.5.0-1025-gcp
Reverse Depends:
```
Running `apt --fix-broken install` resolves the error.
```
$ sudo apt --fix-broken install
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Correcting dependencies... Done
The following packages will be REMOVED:
linux-headers-6.5.0-1025-gcp
0 upgraded, 0 newly installed, 1 to remove and 0 not upgraded.
After this operation, 27.9 MB disk space will be freed.
Do you want to continue? [Y/n] y
(Reading database ... 83770 files and directories currently installed.)
Removing linux-headers-6.5.0-1025-gcp (6.5.0-1025.27~22.04.1) ...
$ sudo apt install
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
```
This issue was also observed after upgrading a jammy AWS instance to
noble.
```
$ sudo apt install
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
You might want to run 'apt --fix-broken install' to correct these.
The following packages have unmet dependencies:
linux-headers-6.5.0-1024-aws : Depends: linux-aws-6.5-headers-6.5.0-1024 but
it is not installable
E: Unmet dependencies. Try 'apt --fix-broken install' with no packages (or
specify a solution).
```
[Test plan]

## Jammy APT verification

To prepare the VMs, follow the following scheme:

```
$ lxc launch ubuntu:jammy jammy-to-noble --vm
```

If using lxc shell or exec to connect to it, also perform the step
below:

```
$ lxc exec jammy-to-noble apt-mark lxd-agent-launcher # otherwise it resets
```

On this jammy VM, edit /etc/update-manager/release-upgrades and set
Prompt to "normal" (since release upgrades to noble via the lts prompt
are temporarily blocked due to this bug)

If this test run is meant to test the fix, then at this point you
should install apt from jammy proposed. Otherwise, continue directly
with the release upgrade.

Then to continue with the test, proceed to the release upgrade:

```
$ sudo do-release-upgrade
```

Check that currently booted linux-headers- are *not* removed as
obsolete.

After the reboot at the end, in the rebooted system, issue:

```
$ sudo apt upgrade
```

With the bug present, you will get an error like this:

```
$ sudo apt upgrade
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
You might want to run 'apt --fix-broken install' to correct these.
The following packages have unmet dependencies:
linux-headers-5.15.0-1065-kvm : Depends: linux-kvm-headers-5.15.0-1065 but it is not installable
E: Unmet dependencies. Try 'apt --fix-broken install' with no packages (or specify a solution).
```

## Noble APT verification

To validate the APT change on noble, we must rely on the test suite as
we won't have a noble->oracular upgrade bug causing it, most likely.

To validate an ubuntu-release-upgrader change, instead run:

```
ubuntu@jammy-to-noble$ do-release-upgrade -p
ubuntu@mantic-to-noble$ do-release-upgrade -p
```

[Where problems could occur: APT SRU]
For the APT change, the function in question is used in a small number
of places:
In APT library:
- In the `upgrade` command and library function. Removals are already undone
there before calling it so we never reach the new code path.
- In the phased update implementation, during dist-upgrade. I expect a
failure is lurking there that is fixed by this, but I haven't been able to
write a reproducer to trigger it just yet.
In aptitude:
- The function is wrapped, but the wrapper is never called
In QApt:
- QApt seems to rely on it for upgrading and doesn't seem to have any error
checking of the return value. I expect it will read the error
[Where problems could occur: u-r-u SRU]
Upgrades will now result in a consistent state, but may spend hours searching
for obsolete software again.
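
A name-level check for the inconsistent state described under [Impact], where an installed package still depends on a package that was removed as obsolete. This is an added example, not part of the bug report and not APT's own code. Assumptions: the input is in dpkg status format, the sample stanzas are constructed, the function names are hypothetical, and version constraints and architecture qualifiers are ignored.

```python
import re

# Constructed dpkg-status sample (not from a real system): dependency removed, dependant kept.
SAMPLE_STATUS = """\
Package: linux-headers-6.5.0-1025-gcp
Status: install ok installed
Depends: linux-gcp-6.5-headers-6.5.0-1025, libelf1 | libelf1t64

Package: linux-gcp-6.5-headers-6.5.0-1025
Status: deinstall ok config-files

Package: libelf1t64
Status: install ok installed
Provides: libelf1 (= 0.190-1.1build4)
"""

def parse_stanzas(text):
    """Yield one dict per stanza, folding continuation lines into their field."""
    for block in re.split(r"\n\s*\n", text.strip()):
        fields, key = {}, None
        for line in block.splitlines():
            if line[:1] in (" ", "\t") and key:
                fields[key] += " " + line.strip()
            elif ":" in line:
                key, value = line.split(":", 1)
                fields[key] = value.strip()
        yield fields

def bare_name(term):
    """'libc6:any (>= 2.34)' -> 'libc6'; version and arch qualifiers are ignored."""
    return re.split(r"[\s(:]", term.strip(), maxsplit=1)[0]

def unmet_dependencies(status_text):
    """Map each installed package to the dependency groups nothing installed satisfies."""
    installed = [s for s in parse_stanzas(status_text)
                 if s.get("Status", "").split()[-1:] == ["installed"]]
    available = {s["Package"] for s in installed}
    for s in installed:
        available.update(bare_name(p) for p in s.get("Provides", "").split(",") if p.strip())
    broken = {}
    for s in installed:
        for field in ("Pre-Depends", "Depends"):
            for group in s.get(field, "").split(","):
                alts = [bare_name(a) for a in group.split("|") if a.strip()]
                if alts and not any(a in available for a in alts):
                    broken.setdefault(s["Package"], []).append(" | ".join(alts))
    return broken

if __name__ == "__main__":
    print(unmet_dependencies(SAMPLE_STATUS))
```

On a live system the same function can be fed the contents of /var/lib/dpkg/status; `apt-get check` remains the authoritative test because it also evaluates version constraints.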