misc/137514: freebsd-update doesn't update the system under some circumstances
Vedad KAJTAZ
vedad at kajtaz.net
Fri Aug 7 09:40:03 UTC 2009
>Number: 137514
>Category: misc
>Synopsis: freebsd-update doesn't update the system under some circumstances
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Fri Aug 07 09:40:02 UTC 2009
>Closed-Date:
>Last-Modified:
>Originator: Vedad KAJTAZ
>Release: 7.0-RELEASE-p7
>Organization:
>Environment:
FreeBSD ns1.osilex.net 7.0-RELEASE-p7 FreeBSD 7.0-RELEASE-p7 #0: Sun Dec 21 12:33:45 UTC 2008 root at i386-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC i386
>Description:
Hello,
freebsd-update is unable to update my system and my jails.
ns1.******.net is my name server jail. It is vulnerable to the bind DOS discovered in July 2009, but freebsd-update doesn't upgrade it:
[root at ns1 /]$ freebsd-update fetch
Looking up update.FreeBSD.org mirrors... 3 mirrors found.
Fetching metadata signature for 7.0-RELEASE from update5.FreeBSD.org... done.
Fetching metadata index... done.
Inspecting system... done.
Preparing to download files... done.
No updates needed to update system to 7.0-RELEASE-p12.
WARNING: FreeBSD 7.0-RELEASE-p7 HAS PASSED ITS END-OF-LIFE DATE.
Any security issues discovered after Fri May 1 02:00:00 CEST 2009
will not have been corrected.
BUT, when cloning the jail, freebsd-update works on the clone:
[root at kenny jails]$ /etc/rc.d/jail stop ns1
[root at kenny jails]$ rsync -a -A -X -x -P ns1/ ns1ghost
I then duplicated the jail's entry in the host's /etc/rc.conf, duplicated the fstab file and changed named's listen IP address, and finally started the clone:
[root at kenny jails]$ /etc/rc.d/jail start ns1ghost
[root at kenny jails]$ jexec 17 /usr/local/bin/bash -l
[root at ns1ghost /]$ freebsd-update fetch
Looking up update.FreeBSD.org mirrors... 3 mirrors found.
Fetching metadata signature for 7.0-RELEASE from update5.FreeBSD.org... done.
Fetching metadata index... done.
Inspecting system... done.
Preparing to download files... done.
The following files will be updated as part of updating to 7.0-RELEASE-p12:
/usr/sbin/named
/usr/sbin/named-compilezone
WARNING: FreeBSD 7.0-RELEASE-p7 HAS PASSED ITS END-OF-LIFE DATE.
Any security issues discovered after Fri May 1 02:00:00 CEST 2009
will not have been corrected.
I have no idea why this works on the clone and not the original jail.
diff -r shows totally identical systems.
Restarting the original jail doesn't help either.
Therefore I guess it is somehow related to file timestamps.
Thanks,
Best regards
>How-To-Repeat:
Always reproducible on my server. ns1 never patches, ns1ghost always patches.
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:
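Added example, not part of the original report: `diff -r` compares file contents only, so two trees it calls identical can still differ in metadata. This sketch lists per-file differences in mode, owner, mtime, link count and (where the platform has them) file flags; the function names and the sample trees are constructed, and nothing here assumes which of these fields freebsd-update examines.

```python
import os
import stat
import tempfile

# Metadata that `diff -r` never looks at. st_flags exists only on BSD/macOS.
FIELDS = ("st_mode", "st_uid", "st_gid", "st_mtime", "st_nlink", "st_flags")
T0 = 1000000000  # constructed timestamp for the sample trees

def meta(path):
    """Return the compared lstat fields of path as a dict."""
    st = os.lstat(path)
    info = {f: getattr(st, f) for f in FIELDS if hasattr(st, f)}
    if stat.S_ISDIR(st.st_mode):
        info.pop("st_nlink", None)  # directory link counts depend on the filesystem
    return info

def walk(root):
    """Yield every path under root, relative to root, without following symlinks."""
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            yield os.path.relpath(os.path.join(dirpath, name), root)

def compare_trees(a, b):
    """Return {relative path: {field: (value in a, value in b)}} for each mismatch."""
    report = {}
    in_a, in_b = set(walk(a)), set(walk(b))
    for rel in sorted(in_a ^ in_b):
        report[rel] = {"present": (rel in in_a, rel in in_b)}
    for rel in sorted(in_a & in_b):
        ma, mb = meta(os.path.join(a, rel)), meta(os.path.join(b, rel))
        delta = {f: (ma[f], mb[f]) for f in ma if f in mb and ma[f] != mb[f]}
        if delta:
            report[rel] = delta
    return report

def demo():
    """Constructed sample: two trees with identical contents, one mtime changed."""
    with tempfile.TemporaryDirectory() as top:
        for jail in ("ns1", "ns1ghost"):
            root = os.path.join(top, jail)
            os.makedirs(os.path.join(root, "usr", "sbin"))
            with open(os.path.join(root, "usr", "sbin", "named"), "w") as fh:
                fh.write("same bytes\n")
            for rel in list(walk(root)):  # pin every mtime so only one differs
                os.utime(os.path.join(root, rel), (T0, T0))
        os.utime(os.path.join(top, "ns1ghost", "usr", "sbin", "named"), (T0, T0 + 60))
        return compare_trees(os.path.join(top, "ns1"), os.path.join(top, "ns1ghost"))

if __name__ == "__main__":
    print(demo())
```

Run on the host with the two jail roots as arguments to `compare_trees`; an empty result means the trees match on every field listed in `FIELDS`.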