OPNsense Forum
English Forums => 23.7 Legacy Series => Topic started by: gerald_martin on October 08, 2023, 02:13:03 am
-
Hello all,
I'm unable to complete an update to one of my servers.
Usually it appears to download the package, and says reboot - but reboot brings back up the current 23.1.11 version.
Today I get this:
***GOT REQUEST TO UPGRADE***
Currently running OPNsense 23.1.11_2 at Sat Oct 7 18:12:39 CDT 2023
Fetching packages-23.7-amd64.tar: ...
Would appreciate ideas! Could there be a conflicting package? Is there more I can try short of upgrading from a new system image?
Gerald
-
Actually, since that attempt seemed to hang, I rebooted and re-downloaded update. This is the result.
***GOT REQUEST TO UPGRADE***
Currently running OPNsense 23.1.11_2 at Sat Oct 7 19:28:20 CDT 2023
Fetching packages-23.7-amd64.tar: .......................................... done
Extracting packages-23.7-amd64.tar... done
Please reboot.
>>> Invoking upgrade script 'unbound-duckdb.py'
Unbound DNS database export not required.
***DONE***
PS: I rebooted. No change, still 23.1.11_2 version
-
Do you have a specific mirror set? What happens if you change it?
Have you run any of the audits?
Worst cause you can export your config and do a full reinstall.
-
Have used multiple mirrors, no apparent change.
But this is WEIRD - do I have an update partially completed?
***GOT REQUEST TO AUDIT HEALTH***
Currently running OPNsense 23.1.11_2 at Mon Oct 9 21:06:28 CDT 2023
>>> Check installed kernel version
Version 23.7 is correct.
>>> Check for missing or altered kernel files
No problems detected.
>>> Check installed base version
Version 23.7 is correct.
>>> Check for missing or altered base files
No problems detected.
>>> Check installed repositories
OPNsense
>>> Check installed plugins
os-nextcloud-backup 1.0_1
os-upnp 1.5_3
os-wireguard 1.13_5
>>> Check locked packages
No locks found.
>>> Check for missing package dependencies
Checking all packages: .......... done
>>> Check for missing or altered package files
Checking all packages: .......... done
>>> Check for core packages consistency
Core package "opnsense" has 67 dependencies to check.
Checking packages: ..
ca_root_nss-3.91 version mismatch, expected 3.89.1
Checking packages: ........................
opnsense-update-23.7 version mismatch, expected 23.1.11
Checking packages: .......................
py39-dnspython-2.4.0,1 version mismatch, expected 2.3.0,1
Checking packages: .
py39-duckdb-0.8.1 version mismatch, expected 0.6.1
Checking packages: ..
py39-numpy-1.25.0,1 version mismatch, expected 1.24.1_4,1
Checking packages: .
py39-pandas-2.0.3,1 version mismatch, expected 2.0.2,1
Checking packages: ....
py39-vici-5.9.11 version mismatch, expected 5.9.10
Checking packages: ......
sudo-1.9.14p3 version mismatch, expected 1.9.13p3
Checking packages: .
suricata-6.0.13_1 version mismatch, expected 6.0.13
Checking packages: ..
unbound-1.17.1_3 version mismatch, expected 1.17.1_2
Checking packages: .. done
***DONE***
***GOT REQUEST TO AUDIT CONNECTIVITY***
Currently running OPNsense 23.1.11_2 at Mon Oct 9 21:08:28 CDT 2023
Checking connectivity for host: mirrors.nycbug.org -> 66.111.2.15
PING 66.111.2.15 (66.111.2.15): 1500 data bytes
1508 bytes from 66.111.2.15: icmp_seq=0 ttl=56 time=33.917 ms
1508 bytes from 66.111.2.15: icmp_seq=1 ttl=56 time=33.892 ms
1508 bytes from 66.111.2.15: icmp_seq=2 ttl=56 time=33.918 ms
1508 bytes from 66.111.2.15: icmp_seq=3 ttl=56 time=33.869 ms
--- 66.111.2.15 ping statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 33.869/33.899/33.918/0.020 ms
Checking connectivity for repository (IPv4): http://mirrors.nycbug.org/pub/opnsense/FreeBSD:13:amd64/23.1
Updating OPNsense repository catalogue...
Fetching meta.conf: . done
Fetching packagesite.pkg: .......... done
Processing entries: .......... done
OPNsense repository update completed. 835 packages processed.
All repositories are up to date.
No IPv6 address could be found for host: mirrors.nycbug.org
***DONE***
***GOT REQUEST TO AUDIT SECURITY***
Currently running OPNsense 23.1.11_2 at Mon Oct 9 21:09:06 CDT 2023
vulnxml file up-to-date
openssl-1.1.1u,1 is vulnerable:
OpenSSL -- Excessive time spent checking DH q parameter value
CVE: CVE-2023-3817
WWW: https://vuxml.FreeBSD.org/freebsd/bad6588e-2fe0-11ee-a0d1-84a93843eb75.html
krb5-1.21.1 is vulnerable:
krb5 -- Double-free in KDC TGS processing
CVE: CVE-2023-39975
WWW: https://vuxml.FreeBSD.org/freebsd/a6986f0f-3ac0-11ee-9a88-206a8a720317.html
python39-3.9.17 is vulnerable:
Python -- multiple vulnerabilities
CVE: CVE-2023-40217
WWW: https://vuxml.FreeBSD.org/freebsd/a57472ba-4d84-11ee-bf05-000c29de725b.html
curl-8.1.2 is vulnerable:
curl -- HTTP headers eat all memory
CVE: CVE-2023-38039
WWW: https://vuxml.FreeBSD.org/freebsd/833b469b-5247-11ee-9667-080027f5fec9.html
4 problem(s) in 4 installed package(s) found.
***DONE***
-
Yes you're in between 23.7 and 23.1, but nothing stands out as a blocker so you should be able to check for updates and it should complete.
Please post here the full output if something doesn't work, and try doing the upgrade in the console
-
There should be an upgrade log in the audit options...
Cheers,
Franco
-
Hello Franco, I've looked but have not found it. Is this the correct place? Appreciate any help you can offer.
-
same here
***GOT REQUEST TO CHECK FOR UPDATES***
Currently running OPNsense 23.7.4 at Tue Oct 10 12:21:54 EDT 2023
Fetching changelog information, please wait... fetch: transfer timed out
Updating OPNsense repository catalogue...
pkg: https://pkg.opnsense.org/FreeBSD:13:amd64/23.7/latest/meta.txz: Unknown resolver error
repository OPNsense has no meta file, using default settings
pkg: https://pkg.opnsense.org/FreeBSD:13:amd64/23.7/latest/packagesite.pkg: Unknown resolver error
-
> same here
Not the same. Check your DNS or IPv6. (Unknown resolver error)
-
hi @gerald_martin,
ok very odd. Let's try to upgrade again then from the shell...
# opnsense-update -up
If it says reboot then:
# opnsense-shell reboot
After reboot is done there should be log in the location you've shown. Otherwise something really strange is going on, but I'm sure we can find the problem either way. :)
Cheers,
Franco
-
@franco Thank you, this solved it! Here's output from the upgrade audit, which is now there as expected:
The Lobby now says running 23.7.5
However - the check for updates now returns this (see image) Why would it be wanting to download 23.7.4 packages if we are now running 23.7.5?
Or maybe I'm not understanding something.
GM
-
Ok good :)
Looks like you attempted to upgrade a longer time ago and this is the former result of the partial upgrade (as expected only packages were bad). This situation can be normal. Just take these updates at your earliest convenience as well (they require another reboot).
Cheers,
Franco
-
franco
my issue was an orphaned adguard plugin. removing it resolved the issue. thanks
-
Ah ok, so adguard was defunct and not properly resolving it seems. Makes sense. :)
Cheers,
Franco