
vuln jails stuck on old releases #1009

Closed
dlangille opened this issue Aug 1, 2019 · 25 comments

Comments

@dlangille
Contributor

commented Aug 1, 2019

I have multiple vuln jails stuck on old releases. They cannot be upgraded.

see #892

The advice in the original issue:

  • Bump in iocage conf version
  • Apply next update with iocage when it's available

My queries asking when the above might occur have gone unanswered. Now that the jails contain vulns, this block has become more pressing than before.

Help please.

[dan@r710-01:~] $ iocage --version
Version 1.2 RC

Which is really a check out of master from 2019-06-16:

[dan@r710-01:~] $ pkg info -x iocage
py36-iocage-devel-1.0.0.20190616,1
[dan@r710-01:~] $ 

Command issued:

[dan@r710-01:~] $ uname -a
FreeBSD r710-01.int.unixathome.org 12.0-RELEASE-p8 FreeBSD 12.0-RELEASE-p8 GENERIC  amd64


[dan@r710-01:~] $ sudo iocage update pg02
Snapshot: tank_fast/iocage/jails/pg02.int.unixathome.org@ioc_update_12.0-RELEASE_2019-08-01 12:04:55.145394 created.
Updating jail...

* Updating pg02.int.unixathome.org to the latest patch level... 
src component not installed, skipped
You have a partially completed upgrade pending
Run '/tmp/tmptaueh43_ install' first.
Run '/tmp/tmptaueh43_ fetch -F' to proceed anyway.

[dan@r710-01:~] $ /tmp/tmptaueh43_ install
src component not installed, skipped
You must be root to run this.
[dan@r710-01:~] $ sudo /tmp/tmptaueh43_ install
src component not installed, skipped
No updates are available to install.
Run '/tmp/tmptaueh43_ fetch' first.
[dan@r710-01:~] $ sudo /tmp/tmptaueh43_ fetch
src component not installed, skipped
Looking up update.FreeBSD.org mirrors... 3 mirrors found.
Fetching metadata signature for 12.0-RELEASE from update1.freebsd.org... done.
Fetching metadata index... done.
Inspecting system... done.
Preparing to download files... done.

No updates needed to update system to 12.0-RELEASE-p8.

This jail is not on -p8 as shown here:

[dan@r710-01:/iocage/jails] $ pg02.int.unixathome.org/root/bin/freebsd-version -u
12.0-RELEASE-p5

FYI:

[dan@r710-01:/iocage/jails] $ grep -i release pg02.int.unixathome.org/config.json 
    "cloned_release": "12.0-RELEASE-p3",
    "release": "12.0-RELEASE",

A jail which does not have this problem:

[dan@r710-01:/iocage/jails] $ grep -i release pg03.int.unixathome.org/config.json 
    "cloned_release": "12.0-RELEASE-p3",
    "release": "12.0-RELEASE-p8",

Why do I want to upgrade these jails?

jail: ioc-pg02_int_unixathome_org
Database fetched: Tue Jul 30 18:20:02 UTC 2019
FreeBSD-12.0_5 is vulnerable:
FreeBSD -- telnet(1) client multiple vulnerabilities
CVE: CVE-2019-0053
WWW: https://vuxml.FreeBSD.org/freebsd/39f6cbff-b30a-11e9-a87f-a4badb2f4699.html

FreeBSD-12.0_5 is vulnerable:
FreeBSD -- iconv buffer overflow
CVE: CVE-2019-5600
WWW: https://vuxml.FreeBSD.org/freebsd/f62bba56-b309-11e9-a87f-a4badb2f4699.html

@sonicaj sonicaj self-assigned this Aug 1, 2019

@sonicaj

Member

commented Aug 1, 2019

@dlangille can you please update your iocage to the latest version? There have been 2 conf bumps I believe from your version date. Also it seems your jails are already up to date, iocage is just not showing the correct release version for them because they weren't updated via iocage (when it happened successfully) - though I believe this might now need a new intuitive way as I see another potential issue with how it is done right now for base jails (different use case from yours though).

@sonicaj

Member

commented Aug 1, 2019

Also if I am correct about you being on the latest patch level, then be assured that there is no security threat ;)

@sonicaj

Member

commented Aug 1, 2019

@dlangille I think those commands should be run inside the jail, not outside (the /tmp ones). I'll get back to you in a few hours on this after confirming, though if you have time, please have a go at it inside; you can use iocage console jailname to be in the jail console.

@dlangille

Contributor Author

commented Aug 1, 2019

> @dlangille can you please update your iocage to the latest version?

To be clear, do you mean the latest master in git?

The latest version at https://github.com/iocage/iocage/releases is 1.1 from Jan.

https://www.freshports.org/sysutils/iocage-devel/ says 1.0.0.20190308,1 from Mar.

> There have been 2 conf bumps I believe from your version date.

> Also it seems your jails are already up to date, iocage is just not showing the correct release version for them because they weren't updated via iocage (when it happened successfully) - though I believe this might now need a new intuitive way as I see another potential issue with how it is done right now for base jails (different use case from yours though).

That conclusion seems to conflict with freebsd-version -u pasted above. Please elaborate.

@dlangille

Contributor Author

commented Aug 1, 2019

> Also if I am correct about you being on the latest patch level, then be assured that there is no security threat ;)

I believe you are wrong about the patch levels as shown above.

@sonicaj

Member

commented Aug 1, 2019

Yes, latest master. We are close to a release but we are fixing some minor bugs (potential regressions) from changes introduced during this time period, but I suspect we are almost done now. I think you'll have to build it directly, not sure if you would like to do that? If yes, I can help walk you through the process of achieving this.

@sonicaj

Member

commented Aug 1, 2019

> > @dlangille I think those commands should be run inside the jail, not outside (the /tmp ones). I'll get back to you in a few hours on this after confirming, though if you have time, please have a go at it inside; you can use iocage console jailname to be in the jail console.
>
> They work inside and outside the jail. iocage code does the same thing. For your interest, here it is inside the jail:
>
> [dan@pg02:~] $ freebsd-version -u
> 12.0-RELEASE-p5
> [dan@pg02:~] $

The /tmp ones, not freebsd-version. So you can try iocage update again. Once done with that, it will show you to run those /tmp commands; then run those inside the jail.

@sonicaj

Member

commented Aug 1, 2019

> > Also if I am correct about you being on the latest patch level, then be assured that there is no security threat ;)
>
> I believe you are wrong about the patch levels as shown above.

Yes I am, you edited your answer later and showed the patch levels ;)

@dlangille

Contributor Author

commented Aug 1, 2019

> @dlangille I think those commands should be run inside the jail, not outside (the /tmp ones). I'll get back to you in a few hours on this after confirming, though if you have time, please have a go at it inside; you can use iocage console jailname to be in the jail console.

Those commands do not work inside the jail:

[root@pg02 ~]# /tmp/tmptaueh43_ install
bash: /tmp/tmptaueh43_: No such file or directory
[root@pg02 ~]#

@dlangille

Contributor Author

commented Aug 1, 2019

> > > Also if I am correct about you being on the latest patch level, then be assured that there is no security threat ;)
>
> > I believe you are wrong about the patch levels as shown above.
>
> Yes I am, you edited your answer later and showed the patch levels ;)

This is because the original comment was incomplete. I did not see any of your posts before replying.

@sonicaj

Member

commented Aug 1, 2019

Ah yes, they wouldn't because they were never run inside the jail. Sorry. So I think in this case you can update the jail with freebsd-update while being in the jail. Else when you run the /tmp commands, it checks the host system and finds it at the latest patch level, so says no update required.

@sonicaj

Member

commented Aug 1, 2019

> > > > Also if I am correct about you being on the latest patch level, then be assured that there is no security threat ;)
>
> > > I believe you are wrong about the patch levels as shown above.
>
> > Yes I am, you edited your answer later and showed the patch levels ;)
>
> This is because the original comment was incomplete. I did not see any of your posts before replying.

I think we sort of overlapped ;)

@dlangille

Contributor Author

commented Aug 1, 2019

I can build it. Thanks. Should be ready soon.

@dlangille

Contributor Author

commented Aug 1, 2019

Results of latest master:

[dan@r710-01:~] $ pkg info -x iocage
py36-iocage-devel-1.0.0.20190801,1

I believe this is expected:

[dan@r710-01:~] $ iocage list -l
You need to be root to convert the configurations to the new format!
You need to be root to convert the configurations to the new format!
You need to be root to convert the configurations to the new format!
You need to be root to convert the configurations to the new format!
You need to be root to convert the configurations to the new format!
You need to be root to convert the configurations to the new format!
You need to be root to convert the configurations to the new format!
You need to be root to convert the configurations to the new format!
You need to be root to convert the configurations to the new format!
You need to be root to convert the configurations to the new format!
You need to be root to convert the configurations to the new format!
You need to be root to convert the configurations to the new format!
You need to be root to convert the configurations to the new format!
You need to be root to convert the configurations to the new format!
You need to be root to convert the configurations to the new format!
You need to be root to convert the configurations to the new format!
You need to be root to convert the configurations to the new format!
You need to be root to convert the configurations to the new format!
You need to be root to convert the configurations to the new format!
You need to be root to convert the configurations to the new format!
You need to be root to convert the configurations to the new format!
You need to be root to convert the configurations to the new format!
You need to be root to convert the configurations to the new format!
You need to be root to convert the configurations to the new format!
You need to be root to convert the configurations to the new format!
You need to be root to convert the configurations to the new format!
You need to be root to convert the configurations to the new format!
You need to be root to convert the configurations to the new format!
You need to be root to convert the configurations to the new format!
You need to be root to convert the configurations to the new format!
You need to be root to convert the configurations to the new format!
You need to be root to convert the configurations to the new format!
You need to be root to convert the configurations to the new format!
+-----+---------------------------------+------+---------+------+---------+-----+-----+----------+----------+
| JID |              NAME               | BOOT |  STATE  | TYPE | RELEASE | IP4 | IP6 | TEMPLATE | BASEJAIL |
+=====+=================================+======+=========+======+=========+=====+=====+==========+==========+
| -   | bacula-sd-02.int.unixathome.org | off  | CORRUPT | N/A  | N/A     | N/A | N/A | -        | no       |
+-----+---------------------------------+------+---------+------+---------+-----+-----+----------+----------+
| -   | dev-pgeu                        | off  | CORRUPT | N/A  | N/A     | N/A | N/A | -        | no       |
+-----+---------------------------------+------+---------+------+---------+-----+-----+----------+----------+
| -   | mqtt01                          | off  | CORRUPT | N/A  | N/A     | N/A | N/A | -        | no       |
+-----+---------------------------------+------+---------+------+---------+-----+-----+----------+----------+
| -   | pg02.int.unixathome.org         | off  | CORRUPT | N/A  | N/A     | N/A | N/A | -        | no       |
+-----+---------------------------------+------+---------+------+---------+-----+-----+----------+----------+
| -   | pg03.int.unixathome.org         | off  | CORRUPT | N/A  | N/A     | N/A | N/A | -        | no       |
+-----+---------------------------------+------+---------+------+---------+-----+-----+----------+----------+

Once again, as root:

[dan@r710-01:~] $ sudo iocage list -l
+------+---------------------------------+------+-------+------+-----------------+----------------------------+-----+----------+----------+
| JID  |              NAME               | BOOT | STATE | TYPE |     RELEASE     |            IP4             | IP6 | TEMPLATE | BASEJAIL |
+======+=================================+======+=======+======+=================+============================+=====+==========+==========+
| 3    | bacula-sd-02.int.unixathome.org | on   | up    | jail | 12.0-RELEASE-p8 | ix0|10.55.0.33             | -   | -        | no       |
+------+---------------------------------+------+-------+------+-----------------+----------------------------+-----+----------+----------+
| -    | dev-pgeu                        | off  | down  | jail | 12.0-RELEASE-p8 | ix0|10.55.0.35             | -   | -        | no       |
+------+---------------------------------+------+-------+------+-----------------+----------------------------+-----+----------+----------+
| 1057 | mqtt01                          | on   | up    | jail | 12.0-RELEASE-p5 | 127.1.0.201,ix0|10.55.0.10 | -   | -        | no       |
+------+---------------------------------+------+-------+------+-----------------+----------------------------+-----+----------+----------+
| 4    | pg02.int.unixathome.org         | on   | up    | jail | 12.0-RELEASE-p5 | ix0|10.55.0.32             | -   | -        | no       |
+------+---------------------------------+------+-------+------+-----------------+----------------------------+-----+----------+----------+
| 1    | pg03.int.unixathome.org         | on   | up    | jail | 12.0-RELEASE-p8 | ix0|10.55.0.34             | -   | -        | no       |
+------+---------------------------------+------+-------+------+-----------------+----------------------------+-----+----------+----------+

For those following along at home, this was the original output. Note the lack of -p5 suffixes:

[dan@r710-01:~] $ iocage list -l
+------+---------------------------------+------+-------+------+-----------------+----------------------------+-----+----------+----------+
| JID  |              NAME               | BOOT | STATE | TYPE |     RELEASE     |            IP4             | IP6 | TEMPLATE | BASEJAIL |
+======+=================================+======+=======+======+=================+============================+=====+==========+==========+
| 3    | bacula-sd-02.int.unixathome.org | on   | up    | jail | 12.0-RELEASE-p8 | ix0|10.55.0.33             | -   | -        | no       |
+------+---------------------------------+------+-------+------+-----------------+----------------------------+-----+----------+----------+
| -    | dev-pgeu                        | off  | down  | jail | 12.0-RELEASE-p8 | ix0|10.55.0.35             | -   | -        | no       |
+------+---------------------------------+------+-------+------+-----------------+----------------------------+-----+----------+----------+
| 1057 | mqtt01                          | on   | up    | jail | 12.0-RELEASE    | 127.1.0.201,ix0|10.55.0.10 | -   | -        | no       |
+------+---------------------------------+------+-------+------+-----------------+----------------------------+-----+----------+----------+
| 4    | pg02.int.unixathome.org         | on   | up    | jail | 12.0-RELEASE    | ix0|10.55.0.32             | -   | -        | no       |
+------+---------------------------------+------+-------+------+-----------------+----------------------------+-----+----------+----------+
| 1    | pg03.int.unixathome.org         | on   | up    | jail | 12.0-RELEASE-p8 | ix0|10.55.0.34             | -   | -        | no       |
+------+---------------------------------+------+-------+------+-----------------+----------------------------+-----+----------+----------+

Good, it got the config updated correctly:

[dan@r710-01:/iocage/jails] $ grep -i release pg02.int.unixathome.org/config.json nfig.json 
    "cloned_release": "12.0-RELEASE",
    "release": "12.0-RELEASE-p5",

Confirmed.

Let's try upgrading this jail:

[dan@r710-01:~] $ sudo iocage update pg02
Snapshot: tank_fast/iocage/jails/pg02.int.unixathome.org@ioc_update_12.0-RELEASE-p5_2019-08-01_12-32-23 created.
Updating jail...

* Updating pg02.int.unixathome.org to the latest patch level... 
src component not installed, skipped
You have a partially completed upgrade pending
Run '/tmp/tmpehz8oap6 install' first.
Run '/tmp/tmpehz8oap6 fetch -F' to proceed anyway.

[dan@r710-01:~] $ sudo /tmp/tmpehz8oap6 install
src component not installed, skipped
No updates are available to install.
Run '/tmp/tmpehz8oap6 fetch' first.
[dan@r710-01:~] $ sudo /tmp/tmpehz8oap6 fetch -F
src component not installed, skipped
Looking up update.FreeBSD.org mirrors... 3 mirrors found.
Fetching metadata signature for 12.0-RELEASE from update4.freebsd.org... done.
Fetching metadata index... done.
Inspecting system... done.
Preparing to download files... done.

No updates needed to update system to 12.0-RELEASE-p8.

Let's confirm the above is not true:

[dan@r710-01:/iocage/jails] $ sudo iocage console pg02
Last login: Thu Aug  1 12:25:01 on pts/2
FreeBSD 12.0-RELEASE-p8 GENERIC 

Welcome to FreeBSD!

Release Notes, Errata: https://www.FreeBSD.org/releases/
Security Advisories:   https://www.FreeBSD.org/security/
FreeBSD Handbook:      https://www.FreeBSD.org/handbook/
FreeBSD FAQ:           https://www.FreeBSD.org/faq/
Questions List: https://lists.FreeBSD.org/mailman/listinfo/freebsd-questions/
FreeBSD Forums:        https://forums.FreeBSD.org/

Documents installed with the system are in the /usr/local/share/doc/freebsd/
directory, or can be installed later with:  pkg install en-freebsd-doc
For other languages, replace "en" with a language code like de or fr.

Show the version of FreeBSD installed:  freebsd-version ; uname -a
Please include that output and any error messages when posting questions.
Introduction to manual pages:  man man
FreeBSD directory layout:      man hier

Edit /etc/motd to change this login announcement.
root@pg02:~ # freebsd-version -u
12.0-RELEASE-p5
root@pg02:~ # 

And that file is not in the jail, it's in the host:

root@pg02:~ # ls -l /tmp/tmpehz8oap6
ls: /tmp/tmpehz8oap6: No such file or directory
root@pg02:~ # logout
[dan@r710-01:/iocage/jails] $ ls -l /tmp/tmpehz8oap6
-rwxr-xr-x  1 root  wheel  92522 Aug  1 12:32 /tmp/tmpehz8oap6
[dan@r710-01:/iocage/jails] $ 
@sonicaj

Member

commented Aug 1, 2019

@dlangille well it works as expected ;) Please update this jail by being inside the jail with freebsd-update as I advised above.

@sonicaj

Member

commented Aug 1, 2019

Though it will not show the correct patch version in iocage after this, and that is expected as well. That will only happen on a conf bump or when the jail is updated again via iocage successfully.

@dlangille

Contributor Author

commented Aug 1, 2019

> @dlangille well it works as expected ;) Please update this jail by being inside the jail with freebsd-update as I advised above.

Oops, do you happen to know how to fix this? I'm happy to look it up.

Updates cannot be installed when the system securelevel
is greater than zero.

@dlangille

Contributor Author

commented Aug 1, 2019

Let's try via console, not ssh.

@sonicaj

Member

commented Aug 1, 2019

Ah, yes that is also expected :P In the original issue you referenced, @skarekrow explained how to get around this.

@sonicaj

Member

commented Aug 1, 2019

> Let's try via console, not ssh.

Won't help ;)

@dlangille

Contributor Author

commented Aug 1, 2019

> Ah, yes that is also expected :P In the original issue you referenced, @skarekrow explained how to get around this.

securelevel is mentioned, but how to set it is not. I stumbled across:

[dan@r710-01:/iocage/jails] $ grep secure pg02.int.unixathome.org/config.json 
    "securelevel": "2",
[dan@r710-01:/iocage/jails] $ sudo iocage set securelevel=0 pg02
securelevel: 2 -> 0

After running freebsd-update in the jail, we have success:

[dan@r710-01:/iocage/jails] $ pg02.int.unixathome.org/root/bin/freebsd-version 
12.0-RELEASE-p8

Thank you.

@dlangille

Contributor Author

commented Aug 1, 2019

As for

> Though it will not show the correct patch version in iocage after this, and that is expected as well. That will only happen on a conf bump or when the jail is updated again via iocage successfully.

What can go wrong by manually amending release in config.json to the correct value?

i.e.

[dan@r710-01:/iocage/jails] $ grep -i release pg02.int.unixathome.org/config.json  mqtt01/config.json 
pg02.int.unixathome.org/config.json:    "cloned_release": "12.0-RELEASE",
pg02.int.unixathome.org/config.json:    "release": "12.0-RELEASE-p5",
mqtt01/config.json:    "cloned_release": "12.0-RELEASE",
mqtt01/config.json:    "release": "12.0-RELEASE-p5",
[dan@r710-01:/iocage/jails] $ 

@sonicaj

Member

commented Aug 1, 2019

You're welcome.

Closing this as the issue has been resolved. The potential base jails conflict is different from this, so does not relate to the issue.

@sonicaj sonicaj closed this Aug 1, 2019

@sonicaj

Member

commented Aug 1, 2019

> As for
>
> > Though it will not show the correct patch version in iocage after this, and that is expected as well. That will only happen on a conf bump or when the jail is updated again via iocage successfully.
>
> What can go wrong by manually amending release in config.json to the correct value?
>
> i.e.
>
> [dan@r710-01:/iocage/jails] $ grep -i release pg02.int.unixathome.org/config.json  mqtt01/config.json 
> pg02.int.unixathome.org/config.json:    "cloned_release": "12.0-RELEASE",
> pg02.int.unixathome.org/config.json:    "release": "12.0-RELEASE-p5",
> mqtt01/config.json:    "cloned_release": "12.0-RELEASE",
> mqtt01/config.json:    "release": "12.0-RELEASE-p5",
> [dan@r710-01:/iocage/jails] $ 

Nothing as far as I know, but it is not advised.

@sonicaj sonicaj added duplicate and removed investigating labels Aug 1, 2019

@dlangille

Contributor Author

commented Aug 1, 2019

To recap for those following, I think I should have done this:

  • on host: sudo iocage set securelevel=0 JAIL
  • in jail: freebsd-update fetch install
  • on host: sudo iocage set securelevel=2 JAIL
  • on host: install the last iocage from master
  • on host: sudo iocage list -l

Those steps would result in the correct patch version being shown in iocage list -l.

EDIT: confirmed this on another host.
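Added example (not iocage's own code, nor anything posted in this thread): a small host-side audit script that performs the check this thread boils down to. It compares the release iocage recorded in each jail's config.json with what freebsd-version -u reports from the jail's own userland, flags jails whose patch level is behind the host's, and flags the ones whose securelevel setting would make freebsd-update install fail inside the jail, as happened to pg02 above. The config.json contents, the per-jail freebsd-version output and the host version are constructed sample strings modelled on the thread; on a real host you would feed it the files under /iocage/jails/NAME/config.json and the output of /iocage/jails/NAME/root/bin/freebsd-version -u, as shown in the earlier comments.

```python
"""Audit iocage jails for patch-level drift (added example, not iocage code).

Inputs a practitioner would gather on the host:
  * each jail's config.json (the "release" and "securelevel" keys),
  * the output of `freebsd-version -u` run against each jail's userland,
  * the host's own `freebsd-version -u`.
Here all three are constructed sample strings so the script runs offline.
"""
import json
import re

# Constructed sample inputs modelled on the thread: pg02 and mqtt01 record a
# bare "12.0-RELEASE" while their userland is really -p5; pg03 is current.
SAMPLE_CONFIGS = {
    "pg02": '{"release": "12.0-RELEASE", "cloned_release": "12.0-RELEASE-p3", "securelevel": "2"}',
    "pg03": '{"release": "12.0-RELEASE-p8", "cloned_release": "12.0-RELEASE-p3", "securelevel": "2"}',
    "mqtt01": '{"release": "12.0-RELEASE", "cloned_release": "12.0-RELEASE-p3", "securelevel": "0"}',
}
SAMPLE_JAIL_USERLAND = {
    "pg02": "12.0-RELEASE-p5\n",
    "pg03": "12.0-RELEASE-p8\n",
    "mqtt01": "12.0-RELEASE-p5\n",
}
SAMPLE_HOST_USERLAND = "12.0-RELEASE-p8\n"

# "12.0-RELEASE-p5" -> ("12.0-RELEASE", 5); a bare "12.0-RELEASE" is patch level 0.
_VERSION_RE = re.compile(r"^(\d+\.\d+-[A-Z0-9]+)(?:-p(\d+))?$")


def parse_version(text):
    """Split a freebsd-version style string into (base release, patch level)."""
    match = _VERSION_RE.match(text.strip())
    if match is None:
        raise ValueError(f"unrecognised FreeBSD version string: {text!r}")
    return match.group(1), int(match.group(2) or 0)


def format_version(version):
    """Render (base, patch) the way freebsd-version prints it (no -p0 suffix)."""
    base, patch = version
    return base if patch == 0 else f"{base}-p{patch}"


def audit_jail(name, config_json, jail_userland, host_userland):
    """Compare what iocage recorded with what is really installed in the jail."""
    config = json.loads(config_json)
    recorded = parse_version(config["release"])
    actual = parse_version(jail_userland)
    host = parse_version(host_userland)

    # Only compare patch levels within the same base release; an 11.x jail on a
    # 12.x host has its own patch numbering and needs its own reference point.
    needs_update = actual[0] == host[0] and actual[1] < host[1]
    # iocage's "release" field is refreshed only by a successful `iocage update`
    # or a config-version bump, so it lags behind a jail patched by hand.
    stale_config = recorded != actual
    # freebsd-update refuses to install while securelevel > 0; the jail's
    # securelevel is set from the host (iocage set securelevel=0 JAIL) before patching.
    securelevel = int(config.get("securelevel", "0"))

    return {
        "jail": name,
        "recorded": format_version(recorded),
        "actual": format_version(actual),
        "needs_update": needs_update,
        "stale_config": stale_config,
        "update_blocked_by_securelevel": needs_update and securelevel > 0,
    }


def audit_all(configs, jail_userlands, host_userland):
    """Audit every jail and return the findings sorted by jail name."""
    return [
        audit_jail(name, configs[name], jail_userlands[name], host_userland)
        for name in sorted(configs)
    ]


if __name__ == "__main__":
    flag_names = ("needs_update", "stale_config", "update_blocked_by_securelevel")
    for finding in audit_all(SAMPLE_CONFIGS, SAMPLE_JAIL_USERLAND, SAMPLE_HOST_USERLAND):
        flags = " ".join(k for k in flag_names if finding[k]) or "ok"
        print(f"{finding['jail']:<8} recorded={finding['recorded']:<16} "
              f"actual={finding['actual']:<16} {flags}")
```

The script deliberately reads the jail's own freebsd-version rather than trusting iocage's table or the freebsd-update helper iocage spawns in /tmp, since the thread shows both reporting the host's patch level for a jail that was still on -p5. On the sample data pg02 and mqtt01 are reported as behind the host with a stale config entry, and only pg02, with securelevel 2, is flagged as blocked from updating in place.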

@dlangille dlangille referenced this issue Aug 1, 2019