SOLVED: Packages not updating (heartbleed)

[laddhouse]

Sorry if this has been addressed elsewhere. When I connected to my server via SSH to update the OpenSSL package (which is vulnerable to the heartbleed exploit) yum told me that 59 packages and 111 dependent packages had updates available. Is this normal or should some of these be updating automatically? I saw OpenSSL in the list.

I understand this page states that OS updates are not automatic but shouldn't the OpenSSL update be considered a "major security update"?

Thanks!

[bigfoot65]

Does not matter, OS updates are disabled by default. Amahi has operated this way for quite some time at the request of the user community.

Users want control of what updates they install on their HDA. Only way to do this is disable automatic updates. The category of update does not matter, disabled means none.

I recommend users install all updates. Most fix bugs or are for security as is this case.

[laddhouse]

But the page says, "Amahi updates are automatic. Major security updates from the base distribution will also be made available for automatic updates." Wouldn't the heartbleed patch be a major security update?

[bigfoot65]

No., you mistunderstand the statement.

Amahi updates are to the platform and greyhole. OS updates are OpenSSL and all other packages native to Fedora.

EDIT: Another way to think of it is Amahi updates are only those that come from the Amahi repo. All others are OS specific, like OpenSSL, httpd, etc.

[laddhouse]

Okay, thanks. Just kind of scary that all of these Amahi boxes could be running unpatched with VPN ports open but I guess that's the nature of the beast.

[bigfoot65]

Yes, but not likely we need to worry about getting hacked. Most vulnerabilities are exploited on a larger scale environment. home users are not worth chasing in most cases.

This is a good reason for users to always get OS updates. I typically have mine set to once daily, but have been doing manual lately. That way I know what is being installed in case something breaks.

I think folks make too much of these vulnerabilities. If it's not financial, government or healthcare related, not a big concern in my opinion.

[iluciv]

Hey There I've got an Amahi 6 box and went to yum update and it appears the Fedora Repos are unavailable?

Code: Select all

## yum clean all && yum update -y Loaded plugins: fastestmirror, langpacks, presto, refresh-packagekit Adding en_US to language list Cleaning repos: amahi fedora rpmfusion-free rpmfusion-free-updates : rpmfusion-nonfree rpmfusion-nonfree-updates updates Cleaning up Everything Cleaning up list of fastest mirrors 0 delta-package files removed, by presto Loaded plugins: fastestmirror, langpacks, presto, refresh-packagekit Adding en_US to language list Determining fastest mirrors Error: Cannot retrieve metalink for repository: fedora. Please verify its path and try again

If I do a URL debug then it steams out all the grab checks and at the bottom is the following

Code: Select all

#URLGRABBER_DEBUG=1 yum check-update 2014-04-12 09:25:23,296 attempt 1/10: https://mirrors.fedoraproject.org/metalink?repo=fedora-14&arch=x86_64 INFO:urlgrabber:attempt 1/10: https://mirrors.fedoraproject.org/metalink?repo=fedora-14&arch=x86_64 2014-04-12 09:25:23,297 opening local file "/var/cache/yum/x86_64/14/fedora/metalink.xml.tmp" with mode wb INFO:urlgrabber:opening local file "/var/cache/yum/x86_64/14/fedora/metalink.xml.tmp" with mode wb * Could not resolve host: mirrors.fedoraproject.org; Connection refused * Closing connection #0 * Couldn't resolve host name 2014-04-12 09:25:23,298 exception: [Errno 14] PYCURL ERROR 6 - "" INFO:urlgrabber:exception: [Errno 14] PYCURL ERROR 6 - "" 2014-04-12 09:25:23,298 retrycode (14) not in list [-1, 2, 4, 5, 6, 7], re-raising INFO:urlgrabber:retrycode (14) not in list [-1, 2, 4, 5, 6, 7], re-raising Error: Cannot retrieve metalink for repository: fedora. Please verify its path and try again

I can go to the url in a browser though and grab the xml file.

I tried to reinstall the repo certificates and I get the same type of error also. I've changed nothing on the box as I'm backing up the data atm (only reason its on) as I move to my new amahi 7 vm server.

Anyone got any other tips I can try seems like the repos are up and reachable but my box is being refused conneciton. Perhaps it has something to do with the vulnrabilty this week and I need to do something to the box before it's seen as trustworthy to access the repo?

Any assistance greatly appreciated.

[bigfoot65]

Hard to say. I am surprised the repos would be still operations since Fedora 14 reached end of life years ago.

Have you checked out the Fedora forums or consider asking for assistance in the IRC channel.

[PatrickDickey]

No., you mistunderstand the statement.

Amahi updates are to the platform and greyhole. OS updates are OpenSSL and all other packages native to Fedora.

EDIT: Another way to think of it is Amahi updates are only those that come from the Amahi repo. All others are OS specific, like OpenSSL, httpd, etc.

I know in Ubuntu, you can set it to download and install security updates automatically. If that feature is available in Fedora also, wouldn't it be prudent for Amahi to leave that enabled? I totally understand users not wanting every single update, but I can't imagine anyone in their right minds not wanting security updates. (Just my opinion, of course).

Also, I would have interpreted the updates page the same way that the original poster did too. "Major security updates will be available for automatic install" means that if it's a security update, it will get installed. At least that's how I read that. Of course, a quick search of the wiki doesn't find that page or text.

Have a great day.
Patrick.

[bigfoot65]

Don't know if Fedora has that capability or not. Since many users requested no automatic updates, we obliged by turning them off.

I mentioned changing the web page as it can be misleading. We do have capability to force an update of a specific package I believe, but would have to check.

I agree about updates. I cannot understand why a user would not want security and/or all updates. They are there to correct bugs and vulnerabilities. I personally check for updates daily and install them myself. I typically install all so my system stays current.

This has been the policy for years, so maybe it's time to take another look. I would not be opposed to having security updates enabled (if possible). As a matter a fact, I would encourage it as I think it's common sense.