o K&bR@s:ddlZddlZddlZddlZddlZddlmZddlmZddlm Z m Z m Z m Z m Z mZmZddlmZmZmZmZmZmZddlmZmZmZddlmZddlmZmZdd l m!Z!d Z"d Z#d Z$d Z%dZ&dZ'dZ(dZ)e dde*fdee+fdee+fde*fgZ,ej-Gdddej.Z/Gdddej0Z1GdddZ2GdddZ3Gdd d Z4d!e e+e e+e+fffd"d#Z5d$e e4d%e e+e*fd!e e+e e+e e+e+ffffd&d'Z6d(d)Z7d*ed+e+d!e/fd,d-Z8d.d/Z9d0d1Z:d2e4d3e e+e e+e+ffd!e e+e2ffd4d5Z;d6e3d3e e+e e+e+ffd!e e+e2ffd7d8Zd?Z>d@dAZ?dBe ee+e2fdCe@dDe@d!e+fdEdFZAdGe+d*efdHdIZBdGe+d*ed!e*fdJdKZCd*edLe e+e ee+e2ffdMe e+e e+fdCe@dDe@d!e,f dNdOZDde e+d!e+fdPdQZEd*ed+e+d9e e+e2fd3e e+e e+e+ffdRe e+e e+e e+e+fffd!e/f dSdTZFdldUdVZGd*edWe+d!e*fdXdYZHd*ed!e*fdZd[ZId*ed\e+d!e*fd]d^ZJdGe+d*ed!e*fd_d`ZKd*ed!e*fdadbZLd*ed!e*fdcddZMd*edee e+dGe+d!e*fdfdgZNdhe+die+d!e*fdjdkZOdS)mN) defaultdict)datetime)AnyDictList NamedTupleOptionalSetTuple)apt exceptionsmessages serviceclientstatusutil)CLOUD_TYPE_TO_TITLE PRO_CLOUDSget_cloud_type)UAConfig) BASE_UA_URLPRINT_WRAP_WIDTH)entitlement_factoryz=((CVE|cve)-\d{4}-\d{4,7}$|(USN|usn|LSN|lsn)-\d{1,5}-\d{1,2}$)z cves.jsonzcves/{cve}.jsonz notices.jsonznotices/{notice}.jsonzUbuntu standard updateszUA InfrazUA AppsReleasedPackagesInstallResult fix_status unfixed_pkgsinstalled_pkgsall_already_installedc@seZdZdZdZdZdZdS) FixStatuszD An enum to represent the system status after fix operation rN)__name__ __module__ __qualname____doc__SYSTEM_NON_VULNERABLESYSTEM_STILL_VULNERABLESYSTEM_VULNERABLE_UNTIL_REBOOTr'r'3/usr/lib/python3/dist-packages/uaclient/security.pyr-s rcs6eZdZdZdZejZdee e fdee e ffddZ e j ejgdd d#fd d Z d$d ee d ee dee deedeedee dee deee dedfddZde ddfddZ d%dee dee deedeedee dedf ddZd e ddfd!d"ZZS)&UASecurityClientZ security_url query_paramsreturncCs.|jjdidi}|r|||S|S)zD Update query params with data from feature config. Zfeaturesextra_security_params)cfggetupdate)selfr+r-r'r'r(_get_query_params>s z"UASecurityClient._get_query_params)r)Z retry_sleepsNcs ||}tj|||||dS)N)pathdataheadersmethodr+)r2super request_url)r1r5r6r7r8r+ __class__r'r(r:Ns zUASecurityClient.request_urlqueryprioritypackagelimitoffset componentversionrCVEc s:||||||||d} jt| d\} } fdd| DS)znQuery to match multiple-CVEs. @return: List of CVE instances based on the the JSON response. )qr>r?r@rArBrCrr+csg|]}t|dqS)clientresponse)rD).0Zcve_mdr1r'r( wsz-UASecurityClient.get_cves..)r: API_V1_CVES) r1r=r>r?r@rArBrCrr+Z cves_response_headersr'rKr(get_cves[s  zUASecurityClient.get_cvescve_idcC"|tj|d\}}t||dS)zkQuery to match single-CVE. @return: CVE instance for JSON response from the Security API. )cverG)r:API_V1_CVE_TMPLformatrD)r1rP cve_responserNr'r'r(get_cvey  zUASecurityClient.get_cvedetailsreleaseorderUSNc sJ||||d}jt|d\}}tfdd|dgDdddS) zuQuery to match multiple-USNs. @return: Sorted list of USN instances based on the the JSON response. )rXrYr@rArZrFcs0g|]}dus|dgvrt|dqS)Ncves_idsrG)r/r[)rJZusn_mdrXr1r'r(rLs z0UASecurityClient.get_notices..noticescS|jSNidxr'r'r(z.UASecurityClient.get_notices..key)r:API_V1_NOTICESsortedr/) r1rXrYr@rArZr+Z usns_responserNr'r]r( get_noticess    zUASecurityClient.get_notices notice_idcCrQ)zbQuery to match single-USN. @return: USN instance representing the JSON response. )noticerG)r:API_V1_NOTICE_TMPLrTr[)r1rlZnotice_responserNr'r'r( get_noticerWzUASecurityClient.get_notice)NNNN)NNNNNNNN)NNNNN)r r!r"Z url_timeoutZcfg_url_base_attrr SecurityAPIErrorZ api_error_clsrstrrr2rZretrysocketZtimeoutr:rintrrOrVrkro __classcell__r'r'r;r(r)8sv       r)c@seZdZdZdeeeffddZeddZ eddZ ed d Z ed d Z ed dZ eddZedefddZeddZdS)CVEPackageStatuszAClass representing specific CVE PackageStatus on an Ubuntu seriesrUcCs ||_dSr`rI)r1rUr'r'r(__init__s zCVEPackageStatus.__init__cC |jdSN descriptionrvrKr'r'r(rz zCVEPackageStatus.descriptioncCr_r`)rzrKr'r'r( fixed_versionszCVEPackageStatus.fixed_versioncCrx)NpocketrvrKr'r'r(r}r{zCVEPackageStatus.pocketcCrx)Nrelease_codenamervrKr'r'r(r~r{z!CVEPackageStatus.release_codenamecCrx)NrrvrKr'r'r(rr{zCVEPackageStatus.statuscCsz|jdkrdS|jdkrdS|jdkrdS|jdvrdS|jd kr#d S|jd kr*d S|jd kr7tjj|jdSd|jS)NZneededzSorry, no fix is available yet.z needs-triagez7Ubuntu security engineers are investigating this issue.Zpendingz)A fix is coming soon. Try again tomorrow.)ignoreddeferredzSorry, no fix is available.ZDNEz.Source package does not exist on this release. not-affectedz/Source package is not affected on this release.released)Z fix_streamz UNKNOWN: {})rr ZSECURITY_FIX_RELEASE_STREAMrT pocket_sourcerKr'r'r(status_messages"        zCVEPackageStatus.status_messager,cCst|jtkS)z>Return True if the package requires an active UA subscription.)boolrUBUNTU_STANDARD_UPDATES_POCKETrKr'r'r( requires_uazCVEPackageStatus.requires_uacCsP|jdkr t}|S|jdkrt}|S|jdvrt}|Sd|jvr$t}|St}|S)z>Human-readable string representing where the fix is published. esm-infraesm-apps)ZupdatesZsecurityZesm)r}UA_INFRA_POCKETUA_APPS_POCKETrr|)r1Z fix_sourcer'r'r(rs    zCVEPackageStatus.pocket_sourceN)r r!r"r#rrqrrwpropertyrzr|r}r~rrrrrr'r'r'r(rus&      ruc@seZdZdZdedeeeffddZde fddZ e d d Z d d Z e deefd dZe dedfddZe ddZe deeeffddZdS)rDz7Class representing CVE response from the SecurityClientrHrIcC||_||_dSr`rIrHr1rHrIr'r'r(rw z CVE.__init__r,cCt|tsdS|j|jkSNF) isinstancerDrIr1otherr'r'r(__eq__  z CVE.__eq__cC|jddS)NrbZUNKNOWN_CVE_IDrIr/upperrKr'r'r(rbzCVE.idcCs>|j}|jD]}|j}dj|j|dd|jg}d|S)z2Return a string representing the URL for this cve.{issue}: {title}issuetitlehttps://ubuntu.com/security/{} )rzr^rrTrbjoin)r1rrmlinesr'r'r(get_url_headers   zCVE.get_url_headercC|jdgS)N notices_idsrIr/rKr'r'r(rszCVE.notices_idsr[c<tdstfddjdgDdddd_jS) zReturn a list of USN instances from API response 'notices'. Cache the value to avoid extra work on multiple calls. _noticescg|]}tj|qSr')r[rH)rJrmrKr'r(rL zCVE.notices..r^cSr_r`ranr'r'r(re rfzCVE.notices..Trhreverse)hasattrrjrIr/rrKr'rKr(r^   z CVE.noticescC |jdSryrrKr'r'r(rz% zCVE.descriptioncCsdt|dr|jSi|_td}|jdD]}|dD]}|d|kr-t||j|d<qq|jS)zDict of package status dicts for the current Ubuntu series. Top-level keys are source packages names and each value is a CVEPackageStatus object _packages_statusseriesZpackagesZstatusesr~name)rrrget_platform_inforIru)r1rr? pkg_statusr'r'r(packages_status)s    zCVE.packages_statusN)r r!r"r#r)rrqrrwrrrrbrrrr^rzrurr'r'r'r(rDs   rDc @seZdZdZdedeeeffddZde fddZ e defd d Z e de efd d Ze de efd dZe ddZe ddZddZe deeeeeeeffffddZdS)r[z7Class representing USN response from the SecurityClientrHrIcCrr`rrr'r'r(rw@rz USN.__init__r,cCrr)rr[rIrr'r'r(rDrz USN.__eq__cCr)NrbZUNKNOWN_USN_IDrrKr'r'r(rbIrzUSN.idcCr)z$List of CVE IDs related to this USN.r\rrKr'r'r(r\Mrz USN.cves_idscr) zList of CVE instances based on API response 'cves' key. Cache the values to avoid extra work for multiple call-sites. _cvescrr')rDrH)rJrRrKr'r(rLZrzUSN.cves..cvescSr_r`rarr'r'r(re^rfzUSN.cves..Tr)rrjrIr/rrKr'rKr(rRrzUSN.cvescCr)NrrrKr'r'r(rcrz USN.titlecCr)N referencesrrKr'r'r(rgrzUSN.referencescCsrdj|j|jdg}|jr!|d|jD] }|d|qn|jr4|d|jD]}||q,d|S)z5Return a string representing the URL for this notice.rrz Found CVEs:rzFound Launchpad bugs:r)rTrbrr\appendrr)r1rrRZ referencer'r'r(rks      zUSN.get_url_headercCsJt|dr|jStd}i|_|jdi|gD]}|drW|d|jvrMd|j|dvrCtjdj|j |dd|j d ||j|dd<qd|i|j|d<q|d sltjd j|j |dd |j d d |d vrtjdj|j |d|d d|j d |d  d d}||jvri|j|<||j||d<q|jS)aWBinary package information available for this release. Reformat the USN.release_packages response to key it based on source package name and related binary package names. :return: Dict keyed by source package name. The second-level key will be binary package names generated from that source package and the values will be the dict response from USN.release_packages for that binary package. The binary metadata contains the following keys: name, version. Optional additional keys: pocket and component. _release_packagesrrelease_packagesZ is_sourcersourcez6{usn} metadata defines duplicate source packages {pkg})usnpkgissue_idZ source_linkzL{issue} metadata does not define release_packages source_link for {bin_pkg}.)rbin_pkg/zX{issue} metadata has unexpected release_packages source_link value for {bin_pkg}: {link})rrlink) rrrrrIr/r SecurityAPIMetadataErrorrTrbsplit)r1rrsource_pkg_namer'r'r(rzsN         zUSN.release_packagesN)r r!r"r#r)rrqrrwrrrrbrr\rDrrrrrr'r'r'r(r[=s"  ,r[r,c Cstd}|dkr d}nd}tdd|ddg\}}i}|D]%}|d \}}}} |s2|}d | vr7q#||vrB||||<q#||i||<q#|S) zReturn a dict of all source packages installed on the system. The dict keys will be source package name: "krb5". The value will be a dict with keys binary_pkg and version. rZtrustyz ${Status}z${db:Status-Status}z dpkg-queryz#-f=${Package},${Source},${Version},rz-W,Z installed)rrsubp splitlinesr) rZ status_fieldoutZ_errinstalled_packagesZpkg_linepkg_namerZ pkg_versionrr'r'r(#query_installed_source_pkg_versionss*   rusns beta_pocketsc si}|D]O}|jD]G\}}fdd|D}||vr%|r%|||<q ||vrR||}|D] \}} ||vr>| ||<q1||d} | d} t| | sQ| ||<q1q q|S)aWalk related USNs, merging the released binary package versions. For each USN, iterate over release_packages to collect released binary package names and required fix version. If multiple related USNs require different version fixes to the same binary package, track the maximum version required across all USNs. :param usns: List of USN response instances from which to calculate merge. :param beta_pockets: Dict keyed on service name: esm-infra, esm-apps the values of which will be true of USN response instances from which to calculate merge. :return: Dict keyed by source package name. Under each source package will be a dict with binary package name as keys and binary package metadata as the value. c s.i|]\}}d|dddur||qS)Fr}Noner/)rJZ bin_pkg_nameZ bin_pkg_mdrr'r( sz>merge_usn_released_binary_package_versions..rC)ritemsversion_cmp_le) rrZusn_pkg_versionsrsrc_pkgZbinary_pkg_versionsZpublic_bin_pkg_versionsZ usn_src_pkgrZ binary_pkg_mdZ prev_versionZcurrent_versionr'rr(*merge_usn_released_binary_package_versionss(      rcCsX|js|gSi}|jD]}|jD]}||vr|j|d||<qq tt|dddS)zFor a give usn, get the related USNs for it. For each CVE associated with the given USN, we capture other USNs that are related to the CVE. We consider those USNs related to the original USN. rlcSr_r`rarcr'r'r(rerfz"get_related_usns..rg)rrrolistrjvalues)rrHZ related_usnsrRZrelated_usn_idr'r'r(get_related_usns s    rr.rc Csr|}t|d}t}tt|tt|d}d|vr_z|j|d}|j|d}Wn#tj yL}zt |}d| vrCt j j|d}t|d}~wwt||d} t|t||} nQz |j|d } t| |}Wn#tj y}zt |}d| vrt j j|d}t|d}~wwt| |d } t||} t| | jd stjd ||dt||| || d S)N)r.)rrrD)rP)rXz not foundr)rRrrrrrz.{} metadata defines no fixed package versions.)r.raffected_pkg_statusrusn_released_pkgs)rr)r_is_pocket_used_by_beta_servicerrrVrkr rprqlowerr ZSECURITY_FIX_NOT_FOUND_ISSUErTZUserFacingError'get_cve_affected_source_packages_statusprintrrror get_usn_affected_packages_statusrIrprompt_for_affected_packages) r.rrHrrrRremsgrrrr'r'r(fix_security_issue_id"sv          rcCsZi}|D]&}t||D]\}}||vr|||<q ||j}t||js)|||<q q|Sr`)rrr|r)rr affected_pkgsrRrrZ current_verr'r'r(get_affected_packages_from_cvescs     rcCsi}|jD]7\}}||vrqtt}d|d<dd|D}|s1d}tj||j|jd||d<t |d||<q|S) NrrcSs"h|] \}}|dr|dqS)r}r)rJ_Z pkg_bin_infor'r'r( ~s z1get_affected_packages_from_usn..zC{} metadata defines no pocket information for any release packages.rr})rU) rrrrqr rrTrbpopru)rrrrZpkg_inforUZ all_pocketsrr'r'r(get_affected_packages_from_usnts$ rrrcCs|jr t|j|St||S)zWalk CVEs related to a USN and return a dict of all affected packages. :return: Dict keyed on source package name, with active CVEPackageStatus for the current Ubuntu release. )rrrrr'r'r(rs  rrRcCs8i}|jD]\}}|jdkrq||vr|||<q|S)zGet a dict of any CVEPackageStatuses affecting this Ubuntu release. :return: Dict of active CVEPackageStatus keyed by source package names. r)rrr)rRrZaffected_pkg_versionsZ source_pkgZpackage_statusr'r'r(rs rrcCst|}|dkrttjjddddttjj|ddS|dkr&d }nd}tjj||dd d t|}tt j |t d d dS)a Print header strings describing affected packages related to a CVE/USN. :param issue_id: String of USN or CVE issue id. :param affected_pkg_status: Dict keyed on source package name, with active CVEPackageStatus for the current Ubuntu release. rZNozs are)count plural_str.rNrz isz: ,  widthsubsequent_indent) lenrr ZSECURITY_AFFECTED_PKGSrTZSECURITY_ISSUE_UNAFFECTEDrrjkeystextwrapfillr)rrrrrr'r'r(print_affected_packages_headers. rrusn_src_released_pkgscCsht|}|r2|dr2d|jd<|dd|jd<|D]\}}|d}|r1||jd<|Sq|S)aParse release status based on both pkg_status and USN.release_packages. Since some source packages in universe are not represented in CVEPackageStatus, rely on presence of such source packages in usn_src_released_pkgs to represent package as a "released" status. :param pkg_status: the CVEPackageStatus for this source package. :param usn_src_released_pkgs: The USN.release_packages representing only this source package. Normally, release_packages would have data on multiple source packages. :return: Tuple of: human-readable status message, boolean whether released, boolean whether the fix requires access to UA rrrrCrzr})copyZdeepcopyr/rIr)rrusn_pkg_statusrZusn_released_pkgr}r'r'r(#override_usn_release_package_statuss     rcCsdi}t|D]'\}}||i}t||}|jdd}||vr&g||<||||fq|S)Nrr)rjrr/rrreplacer)rrZ status_groupsrrusn_released_srcrZ status_groupr'r'r(group_by_usn_package_statuss rpkg_status_list pkg_indexnum_pkgscCs|sdSg}g}|D]\}}|d7}|d||||q tjddd|ddt|tdd }d ||jS) z;Format the packages and status to an user friendly message.rz{}/{}z{} {}:(r)rrz{} {})rrTrrrrjrr)r r r Z msg_indexZsrc_pkgsrrZ msg_headerr'r'r(_format_packages_messages   rr}cCs6d}|tkr d}n|tkrd}t|}|r||SdS)Nzno-service-neededrr)rrr)r}r.Zservice_to_checkZent_clsr'r'r(_get_service_for_pocketsrcCs6t||}|r|\}}|tjjkrdS|j SdS)zBCheck if the pocket where the fix is at belongs to a beta service.F)ruser_facing_statusrUserFacingStatusACTIVEZ valid_service)r}r.ent ent_statusrr'r'r(r(s   rsrc_pocket_pkgsbinary_pocket_pkgsc Csd}d}t}t}|rUtttfD]C} || } || } |rBt| ||d} | r4t| | s2ttjqd}|t| 7}|t || | M}|sO| dd| Dq| | qt ||||dS)a%Handle the packages that could be fixed and have a released status. :returns: Tuple of boolean whether all packages were successfully upgraded, list of strings containing the packages that were not upgraded, boolean whether all packages were already installed Tr r r FcSg|]\}}|qSr'r'rJrrr'r'r(rLlz2_handle_released_package_fixes..)rrrr) setrrrrrr ZSECURITY_UPDATE_INSTALLEDrupgrade_packages_and_attachr0r) r.rrr r rZupgrade_statusrrr}Z pkg_src_groupZ binary_pkgsrr'r'r(_handle_released_package_fixes8sH   rc CsFt|}tjd||dkrdnd|dkrdnddt|tdd S) zFormat the list of unfixed packages into an message. :returns: A string containing the message output for the unfixed packages. z"{} package{} {} still affected: {}rsr Zareisrrr)rrrrTrrjr)rZnum_pkgs_unfixedr'r'r(_format_unfixed_packages_msgxs r!rcCsBt|}t|||dkrtjStjj|d}tt}tt}d} t ||} g} t | D]\} } | dkrVtj j|d}t t| | |d| t| 7} | dd| D7} q.| D]T\}}||j||f|| D]?\}}||i}||vr| dd| D7} dj||d }|t| 7}t||||}|d }t||s||j|qlqXq.t|||| |d }| |j7} | rt t| |jr|jrt t|| rtjStjStj|jd rtjjd d}t || d|t ttj j|dtj!St t|| rtjStjSt ttj j|dtjS)aProcess security CVE dict returning a CVEStatus object. Since CVEs point to a USN if active, get_notice may be called to fill in CVE title details. :returns: An FixStatus enum value corresponding to the system state after processing the affected packages rrrrcSrr'r'rr'r'r(rLrz0prompt_for_affected_packages..cSrr'r'rr'r'r(rLsz5{issue} metadata defines no fixed version for {pkg}. )rrrC)r.rrr r )rz fix operation)Z operationr )"rrrr$r ZSECURITY_ISSUE_RESOLVEDrTrrrrjrZSECURITY_ISSUE_NOT_RESOLVEDrrrrr/r!r rrrrrrrZhandle_unicode_charactersr%Z should_rebootrZENABLE_REBOOT_REQUIRED_TMPLZ add_noticer&)r.rrrrrZ fix_messagerrr Zpkg_status_groupsrZ status_valueZpkg_status_grouprrZ binary_pkgrCrrZ fixed_pkgr|Zreleased_pkgs_install_resultZ reboot_msgr'r'r(rs             rcCs4t\}}|tvrttjjt||ddSdS)z9Alert the user when running UA on cloud with PRO support.)rZcloudN)rrrr ZSECURITY_USE_PRO_TMPLrTrr/)Z cloud_typerr'r'r(*_inform_ubuntu_pro_existence_if_applicables  r"tokenc CsLddl}ddlm}ttdd|ggtd||j|dddd|kS) zkAttach to a UA subscription with a given token. :return: True if attach performed without errors. rNcliuaZattachTr%)r#Z auto_enablerTZ attach_config) argparseuaclientr%rrcolorize_commandsrZ action_attach Namespace)r.r#r'r%r'r'r(_run_ua_attachs r+cCsptttjtjdgdd}|dkrdS|dkr$ttjtd|dvr6ttj td }t ||Sd S) zZPrompt for attach to a subscription or token. :return: True if attach performed. zBChoose: [S]ubscribe at ubuntu.com [A]ttach existing token [C]ancel)racZ valid_choicesr-Frz*Hit [Enter] when subscription is complete.)r,r> T) r"rr Z*SECURITY_UPDATE_NOT_INSTALLED_SUBSCRIPTIONrprompt_choicesrZPROMPT_UA_SUBSCRIPTION_URLinputZPROMPT_ENTER_TOKENr+)r.choicer#r'r'r(_prompt_for_attach.s     r3servicec Csddl}ddlm}ttjj|dtjd|ddgd}|dkr?tt d d |ggt d| |j |gd d d |kSd S)zLPrompt for enable a ua service. :return: True if enable performed. rNr$r4zChoose: [E]nable {} [C]ancelrr-r.r&ZenableTF)r4 assume_yesZbeta)r'r(r%rr ZSECURITY_SERVICE_DISABLEDrTrr0rr)rZ action_enabler*)r.r4r'r%r2r'r'r(_prompt_for_enableGs(  r7cCst||}|r?|\}}|tjjkrdS|\}}|tjjkr5t||j r)dSt t j j |j ddSt t jj |j ddS)z?Verify if the ua subscription has the required service enabled.Tr5F)rrrrrapplicability_statusZApplicabilityStatusZ APPLICABLEr7rrr ZSECURITY_UA_SERVICE_NOT_ENABLEDrTZ SECURITY_UA_SERVICE_NOT_ENTITLED)r}r.rrrr8r'r'r((_check_subscription_for_required_servicees*       r9cCsddl}ddlm}tttjtjd t ddgd}|dkrDtt j t d}tt d d gg||jd d |t||Sd S)zdPrompt for attach a new subscription token to the user. :return: True if attach performed. rNr$z2Choose: [R]enew your subscription (at {}) [C]ancelrr-r.r/r&detachT)r6F)r'r(r%r"rr Z%SECURITY_UPDATE_NOT_INSTALLED_EXPIREDrr0rTrrZPROMPT_EXPIRED_ENTER_TOKENr1r)Z action_detachr*r+)r.r'r%r2r#r'r'r(_prompt_for_new_tokens"    r<cCs(|j}|j}|t|krt| SdS)znCheck if user UA subscription is expired. :returns: True if subscription is expired and not renewed. F)contract_expiry_datetimetzinforZnowr<)r.r=r>r'r'r(_check_subscription_is_expireds  r?upgrade_packagescCs|sdStdkrttjdS|tkr,|jst|sdSnt|r%dSt ||s,dStt gdgdt |gt jddgtjjdt jgd |tjjd d id dS) aUpgrade available packages to fix a CVE. Upgrade all packages in upgrades_packages and, if necessary, prompt regarding system attach prior to upgrading UA packages. :return: True if package upgrade completed or unneeded, False otherwise. TrF)r r0z&&)r install--only-upgrade-yapt-getr0)cmd error_msg)rDrArBrCZDEBIAN_FRONTENDZnoninteractive)rErFenv)osgetuidrr ZSECURITY_APT_NON_ROOTrZ is_attachedr3r?r9rr)rjr Zrun_apt_commandZAPT_UPDATE_FAILEDrZAPT_INSTALL_FAILED)r.r@r}r'r'r(rsB      rversion1version2cCs2z tdd|d|gWdStjyYdSw)zs  $       vEJ|!  /A      " #   @        2