Hello
So I have tried to update from 23.7.12 to 24.1.8 and OPNsense doesn't want to update past 23.7.12.
- webgui performs the update and shows 23.7.12 each time.
- via ssh and option 12 (Update all from console), I just get presented with a text of the update to 24.1.8 but it doesn't appear to do the actual update.
- via ssh option 8 (shell), I tried opnsense-update -up and get the message "No known packages set to fetch was specified."
Short of doing a complete install from scratch, what are my other options..? Or am I missing something major/obvious..?
update - For the solution go to my 14th reply.
Not sure what state you seem to be stuck in now. 23.7.12 doesn't present 24.1.8 directly.
Do you have the upgrade audit log?
Cheers,
Franco
Hi Franco
I don't know where to obtain that from, but see below for the System > Firmware audit outputs.
And I have attached a copy of the update popup I get when trying to do an update via the web GUI.
Connectivity:
***GOT REQUEST TO AUDIT CONNECTIVITY***
Currently running OPNsense 23.7 at Thu Jun 13 12:13:09 BST 2024
Checking connectivity for host: www.mirrorservice.org -> 212.219.56.184
PING 212.219.56.184 (212.219.56.184): 1500 data bytes
1508 bytes from 212.219.56.184: icmp_seq=1 ttl=53 time=10.464 ms
1508 bytes from 212.219.56.184: icmp_seq=2 ttl=53 time=8.980 ms
1508 bytes from 212.219.56.184: icmp_seq=3 ttl=53 time=9.976 ms
--- 212.219.56.184 ping statistics ---
4 packets transmitted, 3 packets received, 25.0% packet loss
round-trip min/avg/max/stddev = 8.980/9.807/10.464/0.617 ms
Checking connectivity for repository (IPv4): https://www.mirrorservice.org/sites/opnsense.org/FreeBSD:13:amd64/23.7
Updating OPNsense repository catalogue...
Fetching meta.conf: . done
Fetching packagesite.pkg: .......... done
Processing entries: .......... done
OPNsense repository update completed. 863 packages processed.
All repositories are up to date.
Checking connectivity for host: www.mirrorservice.org -> 2001:630:341:12::184
ping: UDP connect: No route to host
Checking connectivity for repository (IPv6): https://www.mirrorservice.org/sites/opnsense.org/FreeBSD:13:amd64/23.7
Updating OPNsense repository catalogue...
pkg: https://www.mirrorservice.org/sites/opnsense.org/FreeBSD:13:amd64/23.7/latest/meta.txz: Non-recoverable resolver failure
repository OPNsense has no meta file, using default settings
pkg: https://www.mirrorservice.org/sites/opnsense.org/FreeBSD:13:amd64/23.7/latest/packagesite.pkg: Non-recoverable resolver failure
pkg: https://www.mirrorservice.org/sites/opnsense.org/FreeBSD:13:amd64/23.7/latest/packagesite.txz: Non-recoverable resolver failure
Unable to update repository OPNsense
Error updating repositories!
***DONE***
Health:
***GOT REQUEST TO AUDIT HEALTH***
Currently running OPNsense 23.7 at Thu Jun 13 12:20:00 BST 2024
>>> Check installed kernel version
Version 23.7 is correct.
>>> Check for missing or altered kernel files
No problems detected.
>>> Check installed base version
Version 23.7 is correct.
>>> Check for missing or altered base files
No problems detected.
>>> Check installed repositories
OPNsense
>>> Check installed plugins
No plugins found.
>>> Check locked packages
No locks found.
>>> Check for missing package dependencies
Checking all packages: .......... done
>>> Check for missing or altered package files
Checking all packages: .......... done
>>> Check for core packages consistency
Core package "opnsense" has 67 dependencies to check.
Checking packages: .
beep-1.0_1 version mismatch, expected 1.0_2
Checking packages: .
ca_root_nss-3.91 version mismatch, expected 3.93
Checking packages: .
choparp-20150613 version mismatch, expected 20150613_1
Checking packages: ......
filterlog-0.7 version mismatch, expected 0.7_1
Checking packages: ...
hostapd-2.10_5 version mismatch, expected 2.10_8
Checking packages: .....
lighttpd-1.4.71 version mismatch, expected 1.4.73
Checking packages: ..
mpd5-5.9_16 version mismatch, expected 5.9_17
Checking packages: .
ntp-4.2.8p17 version mismatch, expected 4.2.8p17_1
Checking packages: .
openssh-portable-9.3.p2,1 version mismatch, expected 9.6.p1_1,1
Checking packages: .
openvpn-2.6.5 version mismatch, expected 2.6.8_1
Checking packages: .
opnsense-23.7 version mismatch, expected 23.7.12_5
Checking packages: .
opnsense-installer-23.1 version mismatch, expected 24.1
Checking packages: .
opnsense-lang-22.7.3 version mismatch, expected 23.7.11
Checking packages: .
opnsense-update-23.7 version mismatch, expected 23.7.10_1
Checking packages: ..
pftop-0.8_4 version mismatch, expected 0.10
Checking packages: .
php82-ctype-8.2.8 version mismatch, expected 8.2.14
Checking packages: .
php82-curl-8.2.8 version mismatch, expected 8.2.14
Checking packages: .
php82-dom-8.2.8 version mismatch, expected 8.2.14
Checking packages: .
php82-filter-8.2.8 version mismatch, expected 8.2.14
Checking packages: .
php82-gettext-8.2.8 version mismatch, expected 8.2.14
Checking packages: ..
php82-ldap-8.2.8 version mismatch, expected 8.2.14
Checking packages: .
php82-pdo-8.2.8 version mismatch, expected 8.2.14
Checking packages: ...
php82-phalcon-5.2.3 version mismatch, expected 5.3.1
Checking packages: .
php82-phpseclib-3.0.19 version mismatch, expected 3.0.34
Checking packages: .
php82-session-8.2.8 version mismatch, expected 8.2.14
Checking packages: .
php82-simplexml-8.2.8 version mismatch, expected 8.2.14
Checking packages: .
php82-sockets-8.2.8 version mismatch, expected 8.2.14
Checking packages: .
php82-sqlite3-8.2.8 version mismatch, expected 8.2.14
Checking packages: .
php82-xml-8.2.8 version mismatch, expected 8.2.14
Checking packages: .
php82-zlib-8.2.8 version mismatch, expected 8.2.14
Checking packages: ...
py39-dnspython-2.4.0,1 version mismatch, expected 2.4.2,1
Checking packages: ..
py39-netaddr-0.8.0 version mismatch, expected 0.10.1
Checking packages: .
py39-numpy-1.25.0,1 version mismatch, expected 1.25.0_4,1
Checking packages: ...
py39-sqlite3-3.9.17_7 version mismatch, expected 3.9.18_7
Checking packages: .
py39-ujson-5.8.0 version mismatch, expected 5.9.0
Checking packages: ...
rrdtool-1.8.0_2 version mismatch, expected 1.8.0_3
Checking packages: ..
squid-5.9 version mismatch, expected 6.6
Checking packages: .
strongswan-5.9.10_2 version mismatch, expected 5.9.13
Checking packages: .
sudo-1.9.14p3 version mismatch, expected 1.9.15p5
Checking packages: .
suricata-6.0.13_1 version mismatch, expected 6.0.15
Checking packages: .
syslog-ng-4.2.0 version mismatch, expected 4.4.0
Checking packages: .
unbound-1.17.1_3 version mismatch, expected 1.19.0
Checking packages: .
wpa_supplicant-2.10_6 version mismatch, expected 2.10_10
Checking packages: . done
***DONE***
Security:
***GOT REQUEST TO AUDIT SECURITY***
Currently running OPNsense 23.7 at Thu Jun 13 12:23:41 BST 2024
Fetching vuln.xml.xz: .......... done
unbound-1.17.1_3 is vulnerable:
DNSSEC validators -- denial-of-service/CPU exhaustion from KeyTrap and NSEC3 vulnerabilities
CVE: CVE-2023-50868
CVE: CVE-2023-50387
WWW: https://vuxml.FreeBSD.org/freebsd/21a854cc-cac1-11ee-b7a7-353f1e043d9a.html
openssl-1.1.1u,1 is vulnerable:
OpenSSL -- Multiple vulnerabilities
CVE: CVE-2023-6237
CVE: CVE-2024-0727
WWW: https://vuxml.FreeBSD.org/freebsd/10dee731-c069-11ee-9190-84a93843eb75.html
OpenSSL -- Vector register corruption on PowerPC
CVE: CVE-2023-6129
WWW: https://vuxml.FreeBSD.org/freebsd/8337251b-b07b-11ee-b0d7-84a93843eb75.html
OpenSSL -- Denial of Service vulnerability
CVE: CVE-2024-4603
WWW: https://vuxml.FreeBSD.org/freebsd/b88aa380-1442-11ef-a490-84a93843eb75.html
OpenSSL -- Excessive time spent checking DH q parameter value
CVE: CVE-2023-3817
WWW: https://vuxml.FreeBSD.org/freebsd/bad6588e-2fe0-11ee-a0d1-84a93843eb75.html
OpenSSL -- Use after free vulnerability
CVE: CVE-2024-4741
WWW: https://vuxml.FreeBSD.org/freebsd/73a697d7-1d0f-11ef-a490-84a93843eb75.html
OpenSSL -- DoS in DH generation
CVE: CVE-2023-5678
WWW: https://vuxml.FreeBSD.org/freebsd/a5956603-7e4f-11ee-9df6-84a93843eb75.html
OpenSSL -- potential loss of confidentiality
CVE: CVE-2023-5363
WWW: https://vuxml.FreeBSD.org/freebsd/4a4712ae-7299-11ee-85eb-84a93843eb75.html
OpenSSL -- Unbounded memory growth with session handling in TLSv1.3
CVE: CVE-2024-2511
WWW: https://vuxml.FreeBSD.org/freebsd/7c217849-f7d7-11ee-a490-84a93843eb75.html
openvpn-2.6.5 is vulnerable:
openvpn -- 2.6.0...2.6.6 --fragment option division by zero crash, and TLS data leak
CVE: CVE-2023-46850
CVE: CVE-2023-46849
WWW: https://vuxml.FreeBSD.org/freebsd/2fe004f5-83fd-11ee-9f5d-31909fb2f495.html
krb5-1.21.1 is vulnerable:
krb5 -- Double-free in KDC TGS processing
CVE: CVE-2023-39975
WWW: https://vuxml.FreeBSD.org/freebsd/a6986f0f-3ac0-11ee-9a88-206a8a720317.html
python39-3.9.17 is vulnerable:
Python -- multiple vulnerabilities
CVE: CVE-2023-40217
WWW: https://vuxml.FreeBSD.org/freebsd/a57472ba-4d84-11ee-bf05-000c29de725b.html
php82-8.2.8 is vulnerable:
php -- Multiple vulnerabilities
CVE: CVE-2024-2757
CVE: CVE-2024-3096
CVE: CVE-2024-2756
CVE: CVE-2024-1874
WWW: https://vuxml.FreeBSD.org/freebsd/6d82c5e9-fc24-11ee-a689-04421a1baf97.html
curl-8.1.2 is vulnerable:
curl -- HTTP headers eat all memory
CVE: CVE-2023-38039
WWW: https://vuxml.FreeBSD.org/freebsd/833b469b-5247-11ee-9667-080027f5fec9.html
curl -- SOCKS5 heap buffer overflow
CVE: CVE-2023-38545
WWW: https://vuxml.FreeBSD.org/freebsd/d6c19e8c-6806-11ee-9464-b42e991fc52e.html
curl -- OCSP verification bypass with TLS session reuse
CVE: CVE-2024-0853
WWW: https://vuxml.FreeBSD.org/freebsd/02e33cd1-c655-11ee-8613-08002784c58d.html
suricata-6.0.13_1 is vulnerable:
suricata -- multiple vulnerabilities
CVE: CVE-2024-23837
CVE: CVE-2024-24568
CVE: CVE-2024-23835
CVE: CVE-2024-23836
CVE: CVE-2024-23839
WWW: https://vuxml.FreeBSD.org/freebsd/979dc373-d27d-11ee-8b84-b42e991fc52e.html
squid-5.9 is vulnerable:
squid -- Multiple vulnerabilities
WWW: https://vuxml.FreeBSD.org/freebsd/a8fb8e3a-730d-11ee-ab61-b42e991fc52e.html
strongswan-5.9.10_2 is vulnerable:
strongSwan -- vulnerability in charon-tkm
CVE: CVE-2023-41913
WWW: https://vuxml.FreeBSD.org/freebsd/a62c0c50-8aa0-11ee-ac0d-00e0670f2660.html
19 problem(s) in 10 installed package(s) found.
***DONE***
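Added example, not part of any post in this thread: a short Python script that cross-references the two audits above, pairing each package the security audit flags with the version the health audit says the repository expects. The sample lines are excerpted from the output above; the function names are made up for this example, and a pending newer build is not proof that it fixes every listed CVE.

```python
import re

# Lines excerpted from the health and security audit output posted above.
HEALTH = """\
openvpn-2.6.5 version mismatch, expected 2.6.8_1
Checking packages: .
unbound-1.17.1_3 version mismatch, expected 1.19.0
"""
SECURITY = """\
unbound-1.17.1_3 is vulnerable:
DNSSEC validators -- denial-of-service/CPU exhaustion from KeyTrap and NSEC3 vulnerabilities
CVE: CVE-2023-50868
CVE: CVE-2023-50387
openssl-1.1.1u,1 is vulnerable:
OpenSSL -- Denial of Service vulnerability
CVE: CVE-2024-4603
openvpn-2.6.5 is vulnerable:
CVE: CVE-2023-46850
"""
MISMATCH = re.compile(r"^(\S+) version mismatch, expected (\S+)$")
VULN = re.compile(r"^(\S+) is vulnerable:$")
CVE = re.compile(r"^CVE: (CVE-\d{4}-\d+)$")

def pkg_name(full):
    # pkg versions contain no hyphen, so the name ends at the last one
    return full.rpartition("-")[0]

def parse_health(text):
    """Map package name -> version the repository expects."""
    hits = (MISMATCH.match(l.strip()) for l in text.splitlines())
    return {pkg_name(m.group(1)): m.group(2) for m in hits if m}

def parse_security(text):
    """Map package name -> list of CVE ids reported against it."""
    vulns, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if m := VULN.match(line):
            current = pkg_name(m.group(1))
            vulns.setdefault(current, [])
        elif current and (m := CVE.match(line)):
            vulns[current].append(m.group(1))
    return vulns

def triage(health, security):
    """Split vulnerable packages by whether the health audit lists a newer build."""
    pending, vulns = parse_health(health), parse_security(security)
    fixable = {n: (pending[n], c) for n, c in vulns.items() if n in pending}
    unlisted = sorted(n for n in vulns if n not in pending)
    return fixable, unlisted

if __name__ == "__main__":
    fixable, unlisted = triage(HEALTH, SECURITY)
    for name, (target, cves) in sorted(fixable.items()):
        print(f"{name}: update to {target} pending, {len(cves)} CVE(s)")
    print("no newer build listed in health audit:", ", ".join(unlisted))
```

Packages that end up in the second list (openssl in this excerpt) are flagged as vulnerable but do not appear among the version mismatches, so they are the ones to re-check after the update has gone through.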
What's configured under Firmware: Settings and what does Firmware: Status page say?
What I find odd is that you don't have an upgrade log.
Cheers,
Franco
Atm it's default>community, but I get the same issue if I specify a local mirror. Checking my post above, it looks like one of the errors is "Error updating repositories!" and it's trying to connect via IPv6 only. Why isn't it trying to also update via IPv4, or is that a red herring..?
That, and why isn't it connecting to what looks like the repo for the version on my box (https://www.mirrorservice.org/sites/opnsense.org/FreeBSD:13:amd64/23.7), why isn't it looking to update to a later version..?
There might be an upgrade log, but I've not been able to find it. Where 'exactly' is it supposed to be located? As I'm not seeing anything with the keyword 'upgrade' in the section "System: Log Files: Audit", for example.
You posted all the audit output. It should have been there. Still can't see the reason your install is stuck (or where it is at with individual components).
PS: Not sure why your health audit claims everything is on 23.7, but in this case going to 23.7.12 should be trivial?
Quote from: franco on June 13, 2024, 06:24:39 PM
PS: Not sure why your health audit claims everything is on 23.7, but in this case going to 23.7.12 should be trivial?
How would I do this if both attempting via the web GUI and manually via SSH and the console fail..?
And when doing so via ssh and the console, I mean it displays a readme/txt output, but I don't know how to continue from that point. Pressing escape, space or enter does nothing.
Press "Q"
Hah, bloody surmised it might be something simple like that.. bah!
Well between my reply above and now I did a search "trying to do update from console stuck on readable opnsense" which then led me to the following post -
- https://forum.opnsense.org/index.php?topic=30836.0
This then made me aware that "opnsense-update" was changed to "opnsense-update -bkp", and I obviously wasn't aware of this. So am doing an update via the CLI as I type this...
Will be back with the result.
So that worked, but I had to manually reboot via ssh despite being asked to and rebooting after doing the upgrade. So now I am on 23.7.13_5.
But I'm having to type this reply from my phone, because I am getting access denied on the desktop, wtf? It's like I've been IP blocked for some reason, if so why?
If something is blocking you, moving the desktop to the next available IP in the network should suffice.
You still need to do the 24.1 upgrade and then apply the patches to 24.1.8, either with option 12 in the shell or GUI.
So upgrading with the Webgui never seems to actually do an upgrade/update. I have had to do every update/upgrade via the console via SSH.
I'm now running 24.1.5_3 and am trying to update to 24.1.8...
If I recall, the landing is now on 24.1.5 and then you go to 24.1.8.
So I am now running 24.1.8 and the 3 things I learned were -
- use SSH/console for updating/upgrading, as doing this through the webGUI is unreliable or won't work at all.
- pressing Q (not esc, space, enter) will quit the text file when attempting an update via the console.
- even though progress would appear to have hung when doing the update via the console via SSH, clicking into and pressing enter will refresh the window.
So thank you everyone that helped and gave advice (Franco, Patrick and Newsense), that helped me to help myself. The issue can be marked as resolved :-)
You can actually edit the thread title and mark it [Solved].
Quote from: b1k3rdude on June 15, 2024, 11:17:54 PM
So I am now running 24.1.8 and the 3 things I learned were -
- use SSH/console for updating/upgrading, as doing this through the webGUI is unreliable or won't work at all.
- pressing Q (not esc, space, enter) will quit the text file when attempting an update via the console.
- even though progress would appear to have hung when doing the update via the console via SSH, clicking into and pressing enter will refresh the window.
So thank you everyone that helped and gave advice (Franco, Patrick and Newsense), that helped me to help myself. The issue can be marked as resolved :-)
Just an update to first point. I just noticed that on the update tab on the webGUI, I had NOT been scrolling all the way to the bottom. So all this time when checking for updates I thought it was failing, you live and learn. Just updated to 24.1.9_3, doh!
No worries. The placement on the bottom was a deliberate choice to make people aware of all the things that are going to be changed during the update process.
Cheers,
Franco
Quote from: franco on June 20, 2024, 01:05:53 PM
No worries. The placement on the bottom was a deliberate choice to make people aware of all the things that are going to be changed during the update process.
Cheers,
Franco
...bought, but the scroll bar could be slightly more obvious for beginners...
That's just a theme tweak I think. Suggestions welcome.
Cheers,
Franco