Package: software-properties-gtk
Version: 0.60.debian-1.1
Severity: grave
Tags: security
Justification: user security hole

software-properties-gtk uses the wrong URL for the Debian security updates. It does not recognize security.debian.org in the /etc/apt/sources.list. It also adds an incorrect security repository address to sources.list.

Steps how to reproduce this bug:

1) I have these lines in my /etc/apt/sources.list:

    deb http://security.debian.org/ lenny/updates main non-free contrib
    deb-src http://security.debian.org/ lenny/updates main non-free contrib

2) I start software-properties-gtk

3) I go to Updates tab: The Security updates checkbox is shown as unselected. It should be selected.

4) I go to Third-Party Software tab: security.debian.org repository is listed here as a 3rd-party repository.

5) I go back to Updates tab

6) I select the Security updates checkbox

7) I click close button

8) I click reload button to reload package database: I get errors like these:

    Could not download all repository indexes
    http://ftp.fi.debian.org/debian/dists/lenny/updates/non-free/binary-i386/Packages.gz: 404 Not Found [IP: 130.230.54.99 80]
    http://ftp.fi.debian.org/debian/dists/lenny/updates/contrib/binary-i386/Packages.gz: 404 Not Found [IP: 130.230.54.99 80]
    http://ftp.fi.debian.org/debian/dists/lenny/updates/main/binary-i386/Packages.gz: 404 Not Found [IP: 130.230.54.99 80]
    http://ftp.fi.debian.org/debian/dists/lenny/updates/non-free/source/Sources.gz: 404 Not Found [IP: 130.230.54.99 80]
    http://ftp.fi.debian.org/debian/dists/lenny/updates/contrib/source/Sources.gz: 404 Not Found [IP: 130.230.54.99 80]
    http://ftp.fi.debian.org/debian/dists/lenny/updates/main/source/Sources.gz: 404 Not Found [IP: 130.230.54.99 80]

9) I open /etc/apt/sources.list from the commandline: software-properties-gtk did add these lines:

    deb http://ftp.fi.debian.org/debian/ lenny/updates non-free contrib main
    deb-src http://ftp.fi.debian.org/debian/ lenny/updates non-free contrib main

But lenny/updates is not available at that mirror address.

10) I start software-properties-gtk again.

11) I go to Updates tab

12) I unselect the Security updates checkbox

13) I click close button.

14) I start software-properties-gtk again and go to updates tab again: the Security updates checkbox is still selected. I unselected it last time but it's again selected.

No matter how many times I repeat steps 10-14, the Security updates checkbox is always selected. Software-properties-gtk also does not remove or disable those incorrect lines it added from the /etc/apt/sources.list. I have to manually remove those lines from the sources.list.

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-1-686 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages software-properties-gtk depends on:
ii  gksu                     2.0.0-5          graphical frontend to su
ii  python                   2.5.2-2          An interactive high-level object-o
ii  python-glade2            2.12.1-6         GTK+ bindings: Glade support
ii  python-gtk2              2.12.1-6         Python bindings for the GTK + widge
ii  python-software-properti 0.60.debian-1.1  manage the repositories that you i
ii  python-support           0.8.4            automated rebuilding support for P
ii  synaptic                 0.62.1           Graphical package manager

software-properties-gtk recommends no packages.

software-properties-gtk suggests no packages.

-- no debconf information
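
An added example, not part of the original report and not software-properties code: a small audit of one-line-style sources.list text that flags the condition described in steps 8 and 9, a "<release>/updates" security suite pointed at a host other than security.debian.org. The sample input is constructed from the lines quoted in the report; the function names and the rule that a suite ending in "/updates" denotes the security suite are assumptions of this sketch.

```python
from urllib.parse import urlparse

SECURITY_HOST = "security.debian.org"  # archive host named in the report

# Constructed sample: the reporter's own lines followed by the lines the tool added.
SAMPLE = """\
deb http://security.debian.org/ lenny/updates main non-free contrib
deb-src http://security.debian.org/ lenny/updates main non-free contrib
deb http://ftp.fi.debian.org/debian/ lenny/updates non-free contrib main
deb-src http://ftp.fi.debian.org/debian/ lenny/updates non-free contrib main
# deb http://ftp.fi.debian.org/debian/ lenny main
"""

def parse_entries(text):
    """Yield (lineno, type, uri, suite) for each active one-line-style entry."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if not fields or fields[0] not in ("deb", "deb-src"):
            continue
        rest = fields[1:]
        if rest and rest[0].startswith("["):  # skip an optional [options] block
            while rest and not rest[0].endswith("]"):
                rest = rest[1:]
            rest = rest[1:]
        if len(rest) >= 2:
            yield lineno, fields[0], rest[0], rest[1]

def audit(text):
    """Split "<release>/updates" entries into (good, misplaced) by archive host.

    Assumption: a suite ending in "/updates" is meant as the security suite,
    as in the "lenny/updates" lines quoted in the report.
    """
    good, misplaced = [], []
    for lineno, kind, uri, suite in parse_entries(text):
        if not suite.endswith("/updates"):
            continue
        host = urlparse(uri).hostname or ""
        (good if host == SECURITY_HOST else misplaced).append((lineno, kind, uri))
    return good, misplaced

if __name__ == "__main__":
    good, misplaced = audit(SAMPLE)
    for lineno, kind, uri in misplaced:
        print(f"line {lineno}: {kind} security suite served from {uri}")
    if not good:
        print("no working security.debian.org entry: security updates are NOT being fetched")
```

An empty "good" list is the case that matters most: the Updates tab shows security updates as enabled while apt only receives 404s for the security suite.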