fail to fetch vulnxml file each night, as seen in daily security, run output.

Matthew Seaman matthew at FreeBSD.org
Wed Sep 2 14:09:53 UTC 2015


On 2015/09/02 14:59, Ernie Luzar wrote:
> I get the following message in the daily security run output on both my
> 10.1 and 10.2 systems, both of which were installed from scratch using a
> cdisc1.iso file.
> 
> Checking for packages with security vulnerabilities:
> pkg: : No route to host
> pkg: cannot fetch vulnxml file

Well? Did you verify if you could fetch the audit file manually?  Try:

# pkg audit -F

If that doesn't work, start investigating why your jails can't connect
properly.  vuxml.freebsd.org is on a GeoIP load balancer, so you should
get directed to a nearby mirror.

Try this -- you should see similar output, but probably to a different
IP number:

# curl -v -o /dev/null http://vuxml.freebsd.org/freebsd/vuln.xml.bz2
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
*   Trying 2001:41c8:112:8300::50:5...
* Connected to vuxml.freebsd.org (2001:41c8:112:8300::50:5) port 80 (#0)
> GET /freebsd/vuln.xml.bz2 HTTP/1.1
> Host: vuxml.freebsd.org
> User-Agent: curl/7.43.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Wed, 02 Sep 2015 14:05:36 GMT
< Content-Type: application/x-bzip
< Content-Length: 538363
< Last-Modified: Wed, 02 Sep 2015 00:35:15 GMT
< Connection: keep-alive
< ETag: "55e64443-836fb"
< Server: ToTheCloud/v0.01beta
< Accept-Ranges: bytes
<
{ [11164 bytes data]
100  525k  100  525k    0     0  4511k      0 --:--:-- --:--:-- --:--:-- 4571k
* Connection #0 to host vuxml.freebsd.org left intact

If it doesn't work, it should at least give you some clues as to what is
going wrong.  If it does work, then see if the daily cron job has
mysteriously started working again, in which case you can put the
problem down to something temporary, outside your network and beyond
your control.

> -- End of security output --
> 
> 
> Is this normal by design?

Why would we publish a script that intentionally doesn't work?  No, it
isn't normal and neither is it by design.

	Cheers,

	Matthew
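
The manual fetch suggested in the message above, extended into a small
diagnostic (an added example, not part of the original post or of pkg).
It goes beyond the single curl command by probing IPv4 and IPv6
separately, on the assumption that a "No route to host" may affect only
one address family; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: probe the VuXML download per address family.
# URL is the one from the message above; function names are hypothetical.
VULN_URL="http://vuxml.freebsd.org/freebsd/vuln.xml.bz2"

# explain_rc CODE: name the curl exit codes relevant to a failed fetch
explain_rc() {
    case "$1" in
        0)  echo "ok" ;;
        6)  echo "dns-failure" ;;       # could not resolve host
        7)  echo "connect-failure" ;;   # e.g. no route to host, refused
        28) echo "timeout" ;;
        *)  echo "other-error($1)" ;;
    esac
}

# probe_family 4|6: fetch over one address family, return curl's exit code
probe_family() {
    rc=0
    curl -sS "-$1" --connect-timeout 10 -o /dev/null "$VULN_URL" \
        2>/dev/null || rc=$?
    echo "ipv$1: $(explain_rc "$rc")"
    return "$rc"
}

# diagnose: one-line verdict combining both probes
diagnose() {
    v4=0; v6=0
    probe_family 4 >/dev/null || v4=$?
    probe_family 6 >/dev/null || v6=$?
    if [ "$v4" -eq 0 ] && [ "$v6" -eq 0 ]; then
        echo "both families work: failure was likely transient"
    elif [ "$v4" -eq 0 ]; then
        echo "IPv6 broken ($(explain_rc "$v6")), IPv4 works"
    elif [ "$v6" -eq 0 ]; then
        echo "IPv4 broken ($(explain_rc "$v4")), IPv6 works"
    else
        echo "no connectivity: ipv4=$(explain_rc "$v4"), ipv6=$(explain_rc "$v6")"
    fi
}

# Run the check only when invoked as: sh thisfile run
if [ "${1:-}" = "run" ]; then
    diagnose
fi
```

Run it inside the jail that produces the failing security mail, since the
jail's addresses and routes may differ from the host's.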


More information about the freebsd-questions mailing list