Different pkg upgrade behavior on different machines
David Newman
dnewman at networktest.com
Wed Sep 7 23:15:19 UTC 2016
On 9/7/16 3:56 PM, Ben Woods wrote:
> On Thursday, 8 September 2016, David Newman <dnewman at networktest.com>
> wrote:
>
> > Greetings. How to get pkg to upgrade a package with a security
> > vulnerability?
> >
> > I have four identical virtual machines, all running 10.3-RELEASE and
> > bind910 installed using pkg and not ports. The 'pkg audit' command
> > reports a vulnerability in bind910-9.10.4P2.
> >
> > One of the four machines successfully upgrades to bind910-9.10.4P2_1
> > using the commands 'sudo pkg update && sudo pkg upgrade bind910'.
> >
> > The other three machines report all repositories and packages are up to
> > date.
> >
> > This behavior has existed for at least a couple of weeks, so I don't
> > think it's a repository sync issue.
> >
> > Thanks in advance for advice on getting the updated pkg on all four VMs.
> >
> > dn
>
> Strange behavior indeed!
>
> Can you provide the output of these commands for troubleshooting? Please
> provide for the box that works ok, and for one of the boxes that doesn't.
>
> cat /etc/pkg/FreeBSD.conf
> cat /usr/local/etc/pkg/repos/*
> cat /usr/local/etc/pkg.conf
> pkg info bind910
> pkg audit -F

Bingo. The boxes that won't update do not have a pkg/repos directory
under /usr/local/etc, so they also lack a FreeBSD.conf file. After
creating that directory and that file, 'pkg update' rebuilds the pkg
database, and then 'pkg upgrade' works as expected.

I've attached the output from the two boxes in case anyone else hits
this issue. I've no idea why that directory and config file were missing
but I'm good now.

Many thanks!

dn
-------------- next part --------------
BAD BOX:
# cat /etc/pkg/FreeBSD.conf
# $FreeBSD: releng/10.3/etc/pkg/FreeBSD.conf 296373 2016-03-04 01:27:38Z marius $
#
# To disable this repository, instead of modifying or removing this file,
# create a /usr/local/etc/pkg/repos/FreeBSD.conf file:
#
# mkdir -p /usr/local/etc/pkg/repos
# echo "FreeBSD: { enabled: no }" > /usr/local/etc/pkg/repos/FreeBSD.conf
#
FreeBSD: {
url: "pkg+http://pkg.FreeBSD.org/${ABI}/quarterly",
mirror_type: "srv",
signature_type: "fingerprints",
fingerprints: "/usr/share/keys/pkg",
enabled: yes
}
# cat /usr/local/etc/pkg/repos/*
cat: No match.
# cat /usr/local/etc/pkg.conf
# System-wide configuration file for pkg(8)
# For more information on the file format and
# options please refer to the pkg.conf(5) man page
# Note: you don't need to have a pkg.conf file. Many installations
# will work well with no pkg.conf at all or with an empty pkg.conf
# (other than comment lines). You can also override any of these
# settings from the environment.
# Configuration options -- default values.
#PKG_DBDIR = "/var/db/pkg";
#PKG_CACHEDIR = "/var/cache/pkg";
#PORTSDIR = "/usr/ports";
#INDEXDIR = "";
#INDEXFILE = "INDEX-10"; # Autogenerated
#HANDLE_RC_SCRIPTS = false;
#ASSUME_ALWAYS_YES = false;
#REPOS_DIR [
# "/etc/pkg/",
# "/usr/local/etc/pkg/repos/",
#]
#PLIST_KEYWORDS_DIR = "";
#SYSLOG = true;
#ABI = "freebsd:10:x86:64"; # Autogenerated
#DEVELOPER_MODE = false;
#VULNXML_SITE = "http://www.vuxml.org/freebsd/vuln.xml.bz2";
#FETCH_RETRY = 3;
#PKG_PLUGINS_DIR = "/usr/local/lib/pkg/";
#PKG_ENABLE_PLUGINS = true;
#PLUGINS [
#]
#DEBUG_SCRIPTS = false;
#PLUGINS_CONF_DIR = "/usr/local/etc/pkg/";
#PERMISSIVE = false;
#REPO_AUTOUPDATE = true;
#NAMESERVER = "";
#EVENT_PIPE = "";
#FETCH_TIMEOUT = 30;
#UNSET_TIMESTAMP = false;
#SSH_RESTRICT_DIR = "";
#PKG_ENV {
#}
#PKG_SSH_ARGS = "";
#DEBUG_LEVEL = 0;
#ALIAS {
#}
#CUDF_SOLVER = "";
#SAT_SOLVER = "";
#RUN_SCRIPTS = true;
#CASE_SENSITIVE_MATCH = false;
#IP_VERSION = 0
# Sample alias settings
ALIAS : {
all-depends: query %dn-%dv,
annotations: info -A,
build-depends: info -qd,
download: fetch,
iinfo: info -ix,
cinfo: info -Cx,
isearch: search -ix,
csearch: search -Cx,
leaf: query -e "%a == 0" "%n-%v",
list: info -ql,
origin: info -qo,
provided-depends: info -qb,
raw: info -R,
required-depends: info -qr,
shared-depends: info -qB,
show: info -f -k,
size: info -sq,
}
# pkg info bind910
bind910-9.10.4P2
Name : bind910
Version : 9.10.4P2
Installed on : Fri Aug 12 09:09:00 2016 PDT
Origin : dns/bind910
Architecture : freebsd:10:x86:64
Prefix : /usr/local
Categories : net dns ipv6
Licenses : ISCL
Maintainer : mat at FreeBSD.org
WWW : https://www.isc.org/software/bind
Comment : BIND DNS suite with updated DNSSEC and DNS64
Options :
DLZ_BDB : off
DLZ_FILESYSTEM : on
DLZ_LDAP : off
DLZ_MYSQL : off
DLZ_POSTGRESQL : off
DLZ_STUB : off
DOCS : on
FETCHLIMIT : off
FILTER_AAAA : off
FIXED_RRSET : off
GEOIP : off
GOST : off
GOST_ASN1 : off
GSSAPI_BASE : off
GSSAPI_HEIMDAL : off
GSSAPI_MIT : off
GSSAPI_NONE : on
IDN : on
IPV6 : on
LARGE_FILE : off
LINKS : off
MINCACHE : off
NATIVE_PKCS11 : off
NEWSTATS : off
PORTREVISION : off
PYTHON : off
QUERYTRACE : off
RPZ_NSDNAME : off
RPZ_NSIP : off
RRL : on
SIGCHASE : on
SSL : on
START_LATE : off
THREADS : on
Shared Libs required:
libedit.so.0
libidnkit.so.1
libxml2.so.2
Annotations :
cpe : cpe:2.3:a:isc:bind:9.10.4:p2::::freebsd10:x64
repo_type : binary
repository : FreeBSD
Flat size : 49.4MiB
Description :
BIND version 9 is a major rewrite of nearly all aspects of the underlying BIND
architecture. Some of the important features of BIND 9 are:
DNS Security: DNSSEC (signed zones), TSIG (signed DNS requests)
IP version 6: Answers DNS queries on IPv6 sockets, IPv6 resource records (AAAA)
Experimental IPv6 Resolver Library
DNS Protocol Enhancements: IXFR, DDNS, Notify, EDNS0
Improved standards conformance
Views: One server process can provide multiple "views" of the DNS namespace,
e.g. an "inside" view to certain clients, and an "outside" view to others.
Multiprocessor Support
See the CHANGES file for more information on new features.
WWW: https://www.isc.org/software/bind
# pkg audit -F
vulnxml file up-to-date
bind910-9.10.4P2 is vulnerable:
BIND,Knot,NSD,PowerDNS -- denial over service via oversized zone transfers
CVE: CVE-2016-6173
CVE: CVE-2016-6172
CVE: CVE-2016-6171
CVE: CVE-2016-6170
WWW: https://vuxml.FreeBSD.org/freebsd/7d08e608-5e95-11e6-b334-002590263bf5.html
1 problem(s) in the installed packages found.
-------------- next part --------------
GOOD BOX
# cat /etc/pkg/FreeBSD.conf
# $FreeBSD: releng/10.3/etc/pkg/FreeBSD.conf 296373 2016-03-04 01:27:38Z marius $
#
# To disable this repository, instead of modifying or removing this file,
# create a /usr/local/etc/pkg/repos/FreeBSD.conf file:
#
# mkdir -p /usr/local/etc/pkg/repos
# echo "FreeBSD: { enabled: no }" > /usr/local/etc/pkg/repos/FreeBSD.conf
#
FreeBSD: {
url: "pkg+http://pkg.FreeBSD.org/${ABI}/quarterly",
mirror_type: "srv",
signature_type: "fingerprints",
fingerprints: "/usr/share/keys/pkg",
enabled: yes
}
# cat /usr/local/etc/pkg/repos/*
FreeBSD: {
url: "pkg+http://pkg.FreeBSD.org/${ABI}/latest",
mirror_type: "srv",
signature_type: "fingerprints",
fingerprints: "/usr/share/keys/pkg",
enabled: yes
}
# cat /usr/local/etc/pkg.conf
# System-wide configuration file for pkg(8)
# For more information on the file format and
# options please refer to the pkg.conf(5) man page
# Note: you don't need to have a pkg.conf file. Many installations
# will work well with no pkg.conf at all or with an empty pkg.conf
# (other than comment lines). You can also override any of these
# settings from the environment.
# Configuration options -- default values.
#PKG_DBDIR = "/var/db/pkg";
#PKG_CACHEDIR = "/var/cache/pkg";
#PORTSDIR = "/usr/ports";
#INDEXDIR = "";
#INDEXFILE = "INDEX-10"; # Autogenerated
#HANDLE_RC_SCRIPTS = false;
#DEFAULT_ALWAYS_YES = false;
#ASSUME_ALWAYS_YES = false;
#REPOS_DIR [
# "/etc/pkg/",
# "/usr/local/etc/pkg/repos/",
#]
#PLIST_KEYWORDS_DIR = "";
#SYSLOG = true;
#ABI = "freebsd:10:x86:64"; # Autogenerated
#DEVELOPER_MODE = false;
#VULNXML_SITE = "http://vuxml.freebsd.org/freebsd/vuln.xml.bz2";
#FETCH_RETRY = 3;
#PKG_PLUGINS_DIR = "/usr/local/lib/pkg/";
#PKG_ENABLE_PLUGINS = true;
#PLUGINS [
#]
#DEBUG_SCRIPTS = false;
#PLUGINS_CONF_DIR = "/usr/local/etc/pkg/";
#PERMISSIVE = false;
#REPO_AUTOUPDATE = true;
#NAMESERVER = "";
#HTTP_USER_AGENT = "Custom_User_Manager";
#EVENT_PIPE = "";
#FETCH_TIMEOUT = 30;
#UNSET_TIMESTAMP = false;
#SSH_RESTRICT_DIR = "";
#PKG_ENV {
#}
#PKG_SSH_ARGS = "";
#DEBUG_LEVEL = 0;
#ALIAS {
#}
#CUDF_SOLVER = "";
#SAT_SOLVER = "";
#RUN_SCRIPTS = true;
#CASE_SENSITIVE_MATCH = false;
#IP_VERSION = 0
# Sample alias settings
ALIAS : {
all-depends: query %dn-%dv,
annotations: info -A,
build-depends: info -qd,
cinfo: info -Cx,
comment: query -i "%c",
csearch: search -Cx,
desc: query -i "%e",
download: fetch,
iinfo: info -ix,
isearch: search -ix,
prime-list: "query -e '%a = 0' '%n'",
leaf: "query -e '%#r == 0' '%n-%v'",
list: info -ql,
noauto = "query -e '%a == 0' '%n-%v'",
options: query -i "%n - %Ok: %Ov",
origin: info -qo,
provided-depends: info -qb,
raw: info -R,
required-depends: info -qr,
roptions: rquery -i "%n - %Ok: %Ov",
shared-depends: info -qB,
show: info -f -k,
size: info -sq,
}
# pkg info bind910
bind910-9.10.4P2_1
Name : bind910
Version : 9.10.4P2_1
Installed on : Thu Sep 1 11:04:03 2016 PDT
Origin : dns/bind910
Architecture : freebsd:10:x86:64
Prefix : /usr/local
Categories : net dns ipv6
Licenses : ISCL
Maintainer : mat at FreeBSD.org
WWW : https://www.isc.org/software/bind
Comment : BIND DNS suite with updated DNSSEC and DNS64
Options :
DLZ_BDB : off
DLZ_FILESYSTEM : on
DLZ_LDAP : off
DLZ_MYSQL : off
DLZ_POSTGRESQL : off
DLZ_STUB : off
DOCS : on
FETCHLIMIT : off
FILTER_AAAA : off
FIXED_RRSET : off
GEOIP : off
GOST : off
GOST_ASN1 : off
GSSAPI_BASE : off
GSSAPI_HEIMDAL : off
GSSAPI_MIT : off
GSSAPI_NONE : on
IDN : on
IPV6 : on
LARGE_FILE : off
LINKS : off
MINCACHE : off
NATIVE_PKCS11 : off
PORTREVISION : off
PYTHON : off
QUERYTRACE : off
RPZ_NSDNAME : on
RPZ_NSIP : on
SIGCHASE : on
SSL : on
START_LATE : off
THREADS : on
Shared Libs required:
libedit.so.0
libidnkit.so.1
libxml2.so.2
Annotations :
cpe : cpe:2.3:a:isc:bind:9.10.4:p2::::freebsd10:x64:1
repo_type : binary
repository : FreeBSD
Flat size : 49.4MiB
Description :
BIND version 9 is a major rewrite of nearly all aspects of the underlying BIND
architecture. Some of the important features of BIND 9 are:
DNS Security: DNSSEC (signed zones), TSIG (signed DNS requests)
IP version 6: Answers DNS queries on IPv6 sockets, IPv6 resource records (AAAA)
Experimental IPv6 Resolver Library
DNS Protocol Enhancements: IXFR, DDNS, Notify, EDNS0
Improved standards conformance
Views: One server process can provide multiple "views" of the DNS namespace,
e.g. an "inside" view to certain clients, and an "outside" view to others.
Multiprocessor Support
See the CHANGES file for more information on new features.
WWW: https://www.isc.org/software/bind
# pkg audit -F
Fetching vuln.xml.bz2: 100% 635 KiB 650.6kB/s 00:01
0 problem(s) in the installed packages found.
#
#
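
In the two attachments above, the bad box defines the FreeBSD repository only in /etc/pkg/FreeBSD.conf (quarterly), while the good box also has /usr/local/etc/pkg/repos/FreeBSD.conf pointing at latest. The script below is an added example, not part of the original post: it resolves which URL wins across those directories so hosts can be compared for drift. The function names, the simplified parser and the temporary sample trees are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): find which URL a pkg repo
# ends up with when several REPOS_DIR directories define the same name.
# Simplified parser for the 'name: { url: "..." }' layout; not full UCL.

# effective_url REPO DIR... -> last url: seen for REPO (later dirs win)
effective_url() {
    repo=$1; shift
    url=""
    for dir in "$@"; do
        for f in "$dir"/*.conf; do
            [ -f "$f" ] || continue
            found=$(awk -v repo="$repo" '
                $1 == (repo ":")          { inblk = 1 }
                inblk && $1 == "url:"     { gsub(/[",]/, "", $2); print $2 }
                inblk && index($0, "}")   { inblk = 0 }
            ' "$f" | tail -n 1)
            if [ -n "$found" ]; then url=$found; fi
        done
    done
    printf '%s\n' "$url"
}

# host_branch ROOT -> branch (last URL component) the host at ROOT tracks
host_branch() {
    u=$(effective_url FreeBSD "$1/etc/pkg" "$1/usr/local/etc/pkg/repos")
    printf '%s\n' "${u##*/}"
}

# Constructed sample trees mirroring the two boxes in the attachments.
write_conf() {  # write_conf FILE BRANCH
    mkdir -p "$(dirname "$1")"
    cat > "$1" <<EOF
FreeBSD: {
  url: "pkg+http://pkg.FreeBSD.org/\${ABI}/$2",
  signature_type: "fingerprints",
  fingerprints: "/usr/share/keys/pkg",
  enabled: yes
}
EOF
}
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
write_conf "$demo/bad/etc/pkg/FreeBSD.conf" quarterly
write_conf "$demo/good/etc/pkg/FreeBSD.conf" quarterly
write_conf "$demo/good/usr/local/etc/pkg/repos/FreeBSD.conf" latest

for h in bad good; do
    echo "$h box tracks: $(host_branch "$demo/$h")"
done
```

On a live host, 'pkg -vv' prints the merged repository definitions that pkg actually uses, which is the authoritative check.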