Bug 1091210

Summary: yast2-online-update-configuration 3.1.5 update script skips (security) patches!
Product: [openSUSE] openSUSE Distribution
Reporter: Forgotten User kUoNdAp-ej <forgotten_kUoNdAp-ej>
Component: Security
Assignee: YaST Team <yast-internal>
Status: RESOLVED FIXED
QA Contact: E-mail List <qa-bugs>
Severity: Major
Priority: P2 - High
CC: dgonzalez, forgotten_kUoNdAp-ej, jdsn, meissner
Version: Leap 42.3
Target Milestone: ---
Hardware: All
OS: openSUSE 42.3
URL: https://trello.com/c/bODZy5JH
See Also: https://bugzilla.suse.com/show_bug.cgi?id=1044018
Whiteboard:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Attachments: Patch to resolve the updating bug

Description Forgotten User kUoNdAp-ej 2018-04-27 11:10:03 UTC
Created attachment 768516
Patch to resolve the updating bug

Noticed that my system was missing security patches while Recommended, Packagemanager, and Security were all configured in Yast.

cron.daily was running yast-online-update successfully, but it was not patching everything -> manually running Yast usually often showed new security updates that were not auto-installed!

Traced the cause down to a one-liner in /usr/lib/YaST2/bin/online_update: seems resolved in Factory 4.0.0, but given the severity this should be pushed to all affected openSUSE versions.

This bug has existed since at least Nov 2017, judging from https://build.opensuse.org/package/revisions/openSUSE:Leap:42.3/yast2-online-update-configuration, maybe even for years, leaving systems such as mine vulnerable.
Comment 1 Marcus Meissner 2018-04-28 06:46:12 UTC
yes. please fix
Comment 2 J. Daniel Schmidt 2018-05-09 08:51:52 UTC
Assigning to maintainer.
Comment 3 David Diaz 2018-12-07 14:09:47 UTC
Already fixed.

See the MR at https://build.opensuse.org/request/show/656070
Comment 4 Swamp Workflow Management 2018-12-09 23:09:02 UTC
openSUSE-RU-2018:4058-1: An update that has two recommended fixes can now be installed.

Category: recommended (important)
Bug References: 1044018,1091210
CVE References: 
Sources used:
openSUSE Leap 42.3 (src):    yast2-online-update-configuration-3.1.6-9.4.1