freebsd-update not working in FreeBSD 10.3-RELEASE.
FreeBSD-SA-16:16.ntp installation failed on clean 10.3 release installation and on 10.3 after 10.2-->10.3 upgrade. Issue also reported by many people on forums.
    # freebsd-update fetch install
    Looking up update.FreeBSD.org mirrors... 4 mirrors found.
    Fetching metadata signature for 10.3-RELEASE from update5.freebsd.org... done.
    Fetching metadata index... done.
    The update metadata is correctly signed, but failed an integrity check.
    Cowardly refusing to proceed any further.
Same here. Problem lies in the sanity check files it seems:
    # P="[-+./:=,%@_[~[:alnum:]]"
    # M="[0-9]+\|[0-9]+\|[0-9]+\|[0-9]+"
    # H="[0-9a-f]{64}"
    # grep -E '^d' /var/db/freebsd-update/sanitycheck.tmp | grep -vE "^d\|${M}\|\|\$"
    d|0|0|0755|0|c093e4bf4a89d44d5259b6f6b288f1d50e5eed303b3ef0aef616c613e9a693fe|
Somehow there is a SHA checksum in the file that should not be there.
    # gunzip < /var/db/freebsd-update/files/9cf1e357208f9af6874aafbf98c4092d71d1d4f827e249c8ae61284accfd0809.gz | grep c093e4bf4a89d44d5259b6f6b288f1d50e5eed303b3ef0aef616c613e9a693fe
    src|src|/|d|0|0|0755|0|c093e4bf4a89d44d5259b6f6b288f1d50e5eed303b3ef0aef616c613e9a693fe|
Guess: Mayhaps this has become a link on the update-diff build host and handling of that is not correct yet?
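
Added example (not part of the original thread and not freebsd-update's own code): the directory-entry check from the comment above, applied to full metadata index lines so that the offending entry is printed together with its path. The `world|base` lines and the file hash are constructed sample data; the `src|src|/` line is the one quoted above.

```shell
#!/bin/sh
# M is the pattern quoted in the thread: the four numeric metadata fields.
M="[0-9]+\|[0-9]+\|[0-9]+\|[0-9]+"

# Constructed sample index: a valid directory entry, a file entry with a
# made-up hash, and the failing directory line quoted in the thread.
sample_index() {
    cat <<'EOF'
world|base|/bin|d|0|0|0755|0||
world|base|/bin/cat|f|0|0|0555|0|0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef|
src|src|/|d|0|0|0755|0|c093e4bf4a89d44d5259b6f6b288f1d50e5eed303b3ef0aef616c613e9a693fe|
EOF
}

# bad_dir_entries: read index lines (component|subcomponent|path|type|...)
# on stdin and print every directory line that fails the check.
bad_dir_entries() {
    while IFS= read -r line; do
        # sanitycheck.tmp holds the line without its first three fields.
        rest=$(printf '%s\n' "$line" | cut -f 4- -d '|')
        case $rest in
            d\|*) ;;            # directory entry: check it below
            *) continue ;;      # other entry types are not covered here
        esac
        # A directory entry must end in two empty fields (no hash, no link).
        if ! printf '%s\n' "$rest" | grep -qE "^d\|${M}\|\|\$"; then
            printf '%s\n' "$line"
        fi
    done
}

sample_index | bad_dir_entries
```

To inspect a fetched index instead of the sample, pipe the `gunzip` output of the file under `/var/db/freebsd-update/files/` into `bad_dir_entries`.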
I think the initial fix may have solved one issue, but now there is an issue with version(s) that is affecting people. After installing the patch, I verified that I was on 10.3 p1:
    root@www:~ # freebsd-version
    10.3-RELEASE-p1
However, when I re-run fetch:
    freebsd-update fetch
    Looking up update.FreeBSD.org mirrors... 4 mirrors found.
    Fetching metadata signature for 10.3-RELEASE from update5.freebsd.org... done.
    Fetching metadata index... done.
    Inspecting system... done.
    Preparing to download files... done.
    No updates needed to update system to 10.3-RELEASE-p0.
It is indicating 10.3 p0. See the later comments on this thread, https://forums.freebsd.org/threads/56060/
Slightly more serious issue for people that have built their own kernels.
(In reply to Nick Hibma from comment #1) There was an issue in the metadata. See https://lists.FreeBSD.org/pipermail/freebsd-security/2016-May/008923.html.
(In reply to Michael Lewis from comment #2) 10.3-RELEASE-p1 wasn't a kernel update so that is expected.
(In reply to Jason Unovitch from comment #4) I don't think so. freebsd-update can update both kernel and userland. I want to update to 10.3-RELEASE-p2 from 10.3-RELEASE-p1, but cannot update with freebsd-update.
    # freebsd-version -ku
    10.3-RELEASE
    10.3-RELEASE-p1
    # freebsd-update fetch
    Looking up update.FreeBSD.org mirrors... 4 mirrors found.
    Fetching metadata signature for 10.3-RELEASE from update6.freebsd.org... done.
    Fetching metadata index... done.
    Inspecting system... done.
    Preparing to download files... done.
    No updates needed to update system to 10.3-RELEASE-p0.
(In reply to Masachika ISHIZUKA from comment #5) Jason, Masachika is correct. The update servers are serving p2 for i386, but have been stuck at p0 ever since 10.3-RELEASE. You can verify this with
    for arch in i386 amd64; do \
        URLBASE="http://update.freebsd.org/10.3-RELEASE/$arch"; \
        fetch -qo- $URLBASE/latest.ssl \
        | openssl rsautl -pubin -inkey \
        =( fetch -qo- $URLBASE/pub.ssl ) -verify; \
    done
    freebsd-update|i386|10.3-RELEASE|2|9292852427c7151fbe106b93c4e67be5fcfafc009c4e17ca0cbfca037c8a6b97|1525132800
    freebsd-update|amd64|10.3-RELEASE|0|8797efb5915e47a0a9bbcd69e1389d010a8041f8f1ca2c0dcfc0c4e4eca3fa8c|1525132800
So, for whatever reason, the i386 updates are being built and published, but the amd64 updates haven't been yet.
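
Added example (not part of the original thread): once each architecture's tag line has been signature-verified as in the comment above, this flags architectures whose advertised patch level trails the highest level seen for the same release. The field positions are inferred from the two lines quoted above, and fields 5 and 6 are only shape-checked, which is an assumption of this sketch.

```shell
#!/bin/sh
# Sample input: the two verified tag lines quoted in the thread.
sample_tags() {
    cat <<'EOF'
freebsd-update|i386|10.3-RELEASE|2|9292852427c7151fbe106b93c4e67be5fcfafc009c4e17ca0cbfca037c8a6b97|1525132800
freebsd-update|amd64|10.3-RELEASE|0|8797efb5915e47a0a9bbcd69e1389d010a8041f8f1ca2c0dcfc0c4e4eca3fa8c|1525132800
EOF
}

# lagging_archs: read verified tag lines on stdin and print
# "arch release have want" for every architecture whose patch level is
# below the highest level advertised for the same release.
# A malformed line is reported on stderr and makes the function fail.
lagging_archs() {
    awk -F'|' '
        # Reject anything that is not a six-field tag with a 64-hex field 5.
        !/^freebsd-update\|[0-9a-z]+\|[0-9]+\.[0-9]+-[A-Z0-9]+\|[0-9]+\|[0-9a-f]+\|[0-9]+$/ || length($5) != 64 {
            print "malformed tag: " $0 > "/dev/stderr"
            bad = 1
            next
        }
        {
            # Field 2 = architecture, 3 = release, 4 = patch level.
            level[$2 SUBSEP $3] = $4 + 0
            if (!($3 in max) || $4 + 0 > max[$3]) max[$3] = $4 + 0
        }
        END {
            for (key in level) {
                split(key, part, SUBSEP)
                if (level[key] < max[part[2]])
                    print part[1], part[2], "p" level[key], "p" max[part[2]]
            }
            exit bad
        }
    '
}

sample_tags | lagging_archs
```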
Recent updates released on 2016-05-04 are not available for 10.3-RELEASE amd64
    # freebsd-version -ku
    10.3-RELEASE
    10.3-RELEASE-p1
    # freebsd-update fetch install
    Looking up update.FreeBSD.org mirrors... 4 mirrors found.
    Fetching metadata signature for 10.3-RELEASE from update6.freebsd.org... done.
    Fetching metadata index... done.
    Inspecting system... done.
    Preparing to download files... done.
    No updates needed to update system to 10.3-RELEASE-p0.
    No updates are available to install.
    Run '/usr/sbin/freebsd-update fetch' first.
Apart from the headline, this seems not only to affect 10.3. With the recent SA 16:17-openssl announcing 10.3-RELEASE-p16, I am experiencing this:
    # freebsd-version -ku
    10.2-RELEASE-p14
    10.2-RELEASE-p15
    # freebsd-update fetch
    Looking up update.FreeBSD.org mirrors... 4 mirrors found.
    Fetching metadata signature for 10.2-RELEASE from update5.freebsd.org... done.
    Fetching metadata index... done.
    Inspecting system... done.
    Preparing to download files... done.
    No updates needed to update system to 10.2-RELEASE-p15.
Might be unrelated, but similar to 10.2 and 10.3, there appears to be no 10.1-RELEASE-p33 on the update servers.
    root@mx001:~ # freebsd-version
    10.3-RELEASE-p1
    root@mx001:~ # freebsd-update fetch
    src component not installed, skipped
    Looking up update.FreeBSD.org mirrors... 4 mirrors found.
    Fetching metadata signature for 10.3-RELEASE from update4.freebsd.org... done.
    Fetching metadata index... done.
    Inspecting system... done.
    Preparing to download files... done.
    No updates needed to update system to 10.3-RELEASE-p0.
(In reply to gkontos from comment #10) Yes. Folks, you can stop pasting in your error message, everyone gets the same error. See https://docs.freebsd.org/cgi/getmsg.cgi?fetch=45930+0+current/freebsd-security for confirmation. There is clearly a problem with amd64 updates not being built. The solution will come from a combination of the security team and the server admin team. I guarantee you both teams are aware of the problem.
(In reply to Adam Weinberger from comment #11)
> (In reply to gkontos from comment #10)
>
> Yes. Folks, you can stop pasting in your error message, everyone gets the
> same error.
>
> See
> https://docs.freebsd.org/cgi/getmsg.cgi?fetch=45930+0+current/freebsd-security
> for confirmation.
>
> There is clearly a problem with amd64 updates not being built. The solution
> will come from a combination of the security team and the server admin team.
> I guarantee you both teams are aware of the problem.
Yet those in the know, felt they couldn't afford to squander the 120 seconds required to inform the FreeBSD Community -- those who use, and depend on FreeBSD. About their concerns -- especially in light of the recent SA? It's been better than 2 days, after all. :(
(In reply to Chris Hutchinson from comment #12) When it relates to a security issue (all updates to a -RELEASE branch are under the control of the SO), there's no external statement until they're ready to make one. I wish I had a better answer, Chris, but I'm waiting for those binary updates same as you are.
https://docs.freebsd.org/cgi/getmsg.cgi?fetch=79566+0+current/freebsd-security
The updates are on the server now. Closing this PR.