OPNsense Forum

English Forums => General Discussion => Topic started by: sToRmInG on March 09, 2023, 08:39:06 am

Title: DEC2750 firmware upgrade stuck (current firmware newer)
Post by: sToRmInG on March 09, 2023, 08:39:06 am

Hi all

I just wanted to update my DEC2750 with the latest firmware but didn't realize that the firmware on the board was newer than the one downloaded.

It seems that the firmware updater doesn't do anything. Is it safe to reboot?

*EDIT*
Nevermind, I just rebooted and everything is fine.

Out of curiosity: Why isn't this firmware version online available?
05.32.50.0014-A10.24

Title: Re: DEC2750 firmware upgrade stuck (current firmware newer)
Post by: Mbl on April 26, 2023, 03:55:18 pm

I do have (and had already many times) the same issue on my DEC3860.

https://forum.opnsense.org/index.php?topic=28664.msg141766#msg141766 (https://forum.opnsense.org/index.php?topic=28664.msg141766#msg141766)

Update started this morning and is still running.

Code: [Select]

***GOT REQUEST TO UPDATE***
Currently running OPNsense 22.10.2 (amd64/OpenSSL) at Wed Apr 26 11:02:44 CEST 2023
Updating OPNsense repository catalogue...
Fetching meta.conf: . done
Fetching packagesite.pkg: .......... done
Processing entries: .......... done
OPNsense repository update completed. 826 packages processed.
Updating SunnyValley repository catalogue...
SunnyValley repository is up to date.
All repositories are up to date.
Updating OPNsense repository catalogue...
Fetching meta.conf: . done
Fetching packagesite.pkg: .......... done
Processing entries: .......... done
OPNsense repository update completed. 826 packages processed.
Updating SunnyValley repository catalogue...
SunnyValley repository is up to date.
All repositories are up to date.
Checking for upgrades (6 candidates): ...... done
Processing candidates (6 candidates): .. done
The following 1 package(s) will be affected (of 0 checked):

Installed packages to be UPGRADED:
opnsense-business: 22.10.2 -> 22.10.2_1 [OPNsense]

Number of packages to be upgraded: 1

4 MiB to be downloaded.
[1/1] Fetching opnsense-business-22.10.2_1.pkg: .......... done
Checking integrity... done (0 conflicting)
[1/1] Upgrading opnsense-business from 22.10.2 to 22.10.2_1...
[1/1] Extracting opnsense-business-22.10.2_1: .......... done
Stopping configd...done
Resetting root shell
Updating /etc/shells
Unhooking from /etc/rc
Unhooking from /etc/rc.shutdown
Updating /etc/shells
Registering root shell
Hooking into /etc/rc
Hooking into /etc/rc.shutdown
Starting configd.
>>> Invoking update script 'refresh'

Title: Re: DEC2750 firmware upgrade stuck (current firmware newer)
Post by: Mbl on April 26, 2023, 04:25:57 pm

Since the update I also experiance this kind of reports:

Code: [Select]

2023-04-26T15:59:26 Error firewall There were error(s) loading the rules: /tmp/rules.debug:326: cannot load "/usr/local/etc/bogons": No such file or directory - The line in question reads [326]: table <bogons> persist file "/usr/local/etc/bogons"
2023-04-26T15:59:26 Error firewall /usr/local/etc/rc.filter_configure: The command '/sbin/pfctl -f /tmp/rules.debug.old' returned exit code '1', the output was '/tmp/rules.debug.old:326: cannot load "/usr/local/etc/bogons": No such file or directory pfctl: Syntax error in config file: pf rules not loaded'
2023-04-26T14:00:59 Error firewall There were error(s) loading the rules: /tmp/rules.debug:326: cannot load "/usr/local/etc/bogons": No such file or directory - The line in question reads [326]: table <bogons> persist file "/usr/local/etc/bogons"
2023-04-26T14:00:59 Error firewall /usr/local/etc/rc.filter_configure: The command '/sbin/pfctl -f /tmp/rules.debug.old' returned exit code '1', the output was '/tmp/rules.debug.old:326: cannot load "/usr/local/etc/bogons": No such file or directory pfctl: Syntax error in config file: pf rules not loaded'
2023-04-26T12:21:12 Error firewall There were error(s) loading the rules: /tmp/rules.debug:326: cannot load "/usr/local/etc/bogons": No such file or directory - The line in question reads [326]: table <bogons> persist file "/usr/local/etc/bogons"
2023-04-26T12:21:12 Error firewall /usr/local/etc/rc.filter_configure: The command '/sbin/pfctl -f /tmp/rules.debug.old' returned exit code '1', the output was '/tmp/rules.debug.old:326: cannot load "/usr/local/etc/bogons": No such file or directory pfctl: Syntax error in config file: pf rules not loaded'
2023-04-26T12:20:10 Error firewall There were error(s) loading the rules: /tmp/rules.debug:326: cannot load "/usr/local/etc/bogons": No such file or directory - The line in question reads [326]: table <bogons> persist file "/usr/local/etc/bogons"
2023-04-26T12:20:10 Error firewall /usr/local/etc/rc.filter_configure: The command '/sbin/pfctl -f /tmp/rules.debug.old' returned exit code '1', the output was '/tmp/rules.debug.old:326: cannot load "/usr/local/etc/bogons": No such file or directory pfctl: Syntax error in config file: pf rules not loaded'

Title: Re: DEC2750 firmware upgrade stuck (current firmware newer)
Post by: franco on April 27, 2023, 08:52:50 am

I'd propose a health audit. This doesn't look normal...


Cheers,
Franco

Title: Re: DEC2750 firmware upgrade stuck (current firmware newer)
Post by: Mbl on April 29, 2023, 12:51:34 pm

Thanks Franco.

I have rebooted the firewall and updated to 23.4 and ran health audit with the following output.

Code: [Select]

***GOT REQUEST TO AUDIT HEALTH***
Currently running OPNsense 23.4 at Sat Apr 29 12:45:41 CEST 2023
>>> Check installed kernel version
Version 23.1.5 is correct.
>>> Check for missing or altered kernel files
No problems detected.
>>> Check installed base version
Version 23.1.5 is correct.
>>> Check for missing or altered base files
No problems detected.
>>> Check installed repositories
OPNsense
SunnyValley
>>> Check installed plugins
os-OPNBEcore 1.1
os-acme-client 3.16
os-etpro-telemetry 1.6_1
os-net-snmp 1.5_2
os-nut 1.8.1_2
os-sensei 1.12.4
os-sensei-updater 1.12
os-sunnyvalley 1.2_3
>>> Check locked packages
No locks found.
>>> Check for missing package dependencies
Checking all packages: .......... done
>>> Check for missing or altered package files
Checking all packages: .....
openldap26-client-2.6.4: checksum mismatch for /usr/local/bin/ldapvc
Checking all packages........ done
>>> Check for core packages consistency
Core package "opnsense-business" has 67 dependencies to check.
Checking packages: .................................................................... done
***DONE***

Security audit looks like the following (after 23.4 update  :o )

Code: [Select]

***GOT REQUEST TO AUDIT SECURITY***
Currently running OPNsense 23.4 at Sat Apr 29 12:51:00 CEST 2023
vulnxml file up-to-date
libxml2-2.10.3_1 is vulnerable:
  libxml2 -- multiple vulnerabilities
  CVE: CVE-2023-29469
  CVE: CVE-2023-28484
  WWW: https://vuxml.FreeBSD.org/freebsd/0bd7f07b-dc22-11ed-bf28-589cfc0f81b0.html

curl-7.88.1 is vulnerable:
  curl -- multiple vulnerabilities
  CVE: CVE-2023-27538
  CVE: CVE-2023-27537
  CVE: CVE-2023-27536
  CVE: CVE-2023-27535
  CVE: CVE-2023-27534
  CVE: CVE-2023-27533
  WWW: https://vuxml.FreeBSD.org/freebsd/0d7d104c-c6fb-11ed-8a4b-080027f5fec9.html

py39-setuptools-63.1.0 is vulnerable:
  py39-setuptools -- denial of service vulnerability
  CVE: CVE-2022-40897
  WWW: https://vuxml.FreeBSD.org/freebsd/1b38aec4-4149-4c7d-851c-3c4de3a1fbd0.html

3 problem(s) in 3 installed package(s) found.
***DONE***

Title: Re: DEC2750 firmware upgrade stuck (current firmware newer)
Post by: Mbl on April 29, 2023, 01:00:27 pm

After reinstalling the package openldap26, health check was successful again. So problem seams to be solved for now.

Never the less I had this issue with stuck updates already view times and I'm not an user who is altering core files or configurations... So the question still resists - why does this come up again and again?