# How to feed patches on internal Update Server



## awenger (Apr 11, 2014)

Dear forum,

I built a FreeBSD 10.0 image on an internal FreeBSD Update Server using the latest available ISO image dated January 16th (ftp://ftp.freebsd.org/pub/FreeBSD/relea ... -disc1.iso)

When updating a client using our own Update Server, I get not the same results as when using update.FreeBSD.org. What am I doing wrong, where can I retrieve those patches installed by update.FreeBSD.org?


----------



## SirDice (Apr 14, 2014)

awenger said:
			
		

> What am I doing wrong,


Maybe if you showed us what's actually happening and what you were expecting? We can't guess what you're seeing.


----------



## awenger (Apr 15, 2014)

*My issue is related to openssl-heartbleed*.

In the Security Advisory (http://www.freebsd.org/security/advisories/FreeBSD-SA-14:06.openssl.asc),
there are 3 methods listed to update a vulnerable system.

The method I am interested in is via the freebsd-update utility.

Unfortunately when updating a client using "freebsd-update, I did not get the new binary file:


```
# freebsd-update -v debug fetch
Looking up update.FreeBSD.org mirrors... 5 mirrors found.
pub.ssl                                       100% of  800  B 3929 kBps 00m00s
done.
Fetching metadata signature for 10.0-RELEASE from [b]update5.freebsd.org[/b]...
latest.ssl                                    100% of  512  B 2807 kBps 00m00s
done.
Fetching metadata index...
9fe7f4171c7c209febe2a8e57f4c972a997fd7676d2cd0100% of  225  B  309 kBps 00m00s
done.
Fetching 2 metadata patches...
/usr/libexec/phttpget update5.freebsd.org 10.0-RELEASE/amd64/tp/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855-5bba5f7bc5c4b169a272bacc8abc186adce346ba605a25c76d1ac0d09f202a8e.gz 10.0-RELEASE/amd64/tp/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855-0ba78d2ec09505d952755a878f6e802f9fbd7b8d2d2ae29112b5f3065ef82a26.gz
http://update5.freebsd.org/10.0-RELEASE/amd64/tp/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855-5bba5f7bc5c4b169a272bacc8abc186adce346ba605a25c76d1ac0d09f202a8e.gz: 200 OK
http://update5.freebsd.org/10.0-RELEASE/amd64/tp/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855-0ba78d2ec09505d952755a878f6e802f9fbd7b8d2d2ae29112b5f3065ef82a26.gz: 200 OK
 done.
Applying metadata patches... done.
Inspecting system... done.
Preparing to download files... done.
Fetching 10 patches...
/usr/libexec/phttpget update5.freebsd.org 10.0-RELEASE/amd64/bp/8d9d85c2c6d24a47cadc45dc1074d5c09ac1bfbda719598e28e84c20c4e3ffaf-e61999a51d27ca86918c8072c5f0990c76cbf156ecc0adc74e0e819974d65764 10.0-RELEASE/amd64/bp/8b3435ccd930442eb77f5e95353b7126dc3419c6136f299ee70570b2b9a3abdc-f46f74940c43c95ec0a205509995a017914848f0dc6ecb653440870e2039d997 10.0-RELEASE/amd64/bp/ea94fb04754c472cef0a8d15b20ee13b81348327c800545ed6578f6bb59963a9-66206205de7040e9bd14ac0ba06738c66d77bde4900db2620e6bad74c5c0cbcf 10.0-RELEASE/amd64/bp/c6b481893634e3c9ce4a31e792dde265adc0a118131d5197d0a498603ec14f81-9f0b37b926f8c52250e5a556dae0a9dab667333e39f4c78ce2070a9c206e4e7a 10.0-RELEASE/amd64/bp/d3f4491a9468caf35b5b1f6908e9139f4117079ea388d4679cf5c46e2df7e28e-d7e5d8e51a7a39e22017e727d1dd225bf03c3908e6b351bbd684b42e26be32a9 10.0-RELEASE/amd64/bp/fa59dbb4a273a612fbbe663bf393182cbc0f6020a3e6069aed6fe6d51dad6a6e-20d9f95c6cbd2e23f17dccd33b392157e0bf41147fee55d51da31df50b95e4ad 10.0-RELEASE/amd64/bp/adc294225808ea448fa142e86cf3f7fc194da7f33e66526c52628d25d699a7a6-76b44c467b392cd43e47c3ac72e2b84942d06f0164fe6702f39f5735eac16774 10.0-RELEASE/amd64/bp/e475d730a7e435789f67e599b2496061af3a68e2acb21aa3be6328e6404a1d2b-8d8714dfebbef0143da73b5294250eae42391739c37247a9d09cbf9c658a1d17 10.0-RELEASE/amd64/bp/b08a32201c27540df54fde5df6a54533ec952a57f40e15a29acfbc3d7555530a-fa17a892b40d754bf440b3ca95330f1932cbfdcdb950bc0ec5ec72111de9f3cc 10.0-RELEASE/amd64/bp/4b795f976e43041e15913d382d8449ce5f0942d49336c944384b7d140bfa828a-713b3cf1b1cef8109ddf41f98724265e73d926c4192f68c95b98025ee8a8c673
http://update5.freebsd.org/10.0-RELEASE/amd64/bp/8d9d85c2c6d24a47cadc45dc1074d5c09ac1bfbda719598e28e84c20c4e3ffaf-e61999a51d27ca86918c8072c5f0990c76cbf156ecc0adc74e0e819974d65764: 200 OK
http://update5.freebsd.org/10.0-RELEASE/amd64/bp/8b3435ccd930442eb77f5e95353b7126dc3419c6136f299ee70570b2b9a3abdc-f46f74940c43c95ec0a205509995a017914848f0dc6ecb653440870e2039d997: 200 OK
http://update5.freebsd.org/10.0-RELEASE/amd64/bp/ea94fb04754c472cef0a8d15b20ee13b81348327c800545ed6578f6bb59963a9-66206205de7040e9bd14ac0ba06738c66d77bde4900db2620e6bad74c5c0cbcf: 200 OK
http://update5.freebsd.org/10.0-RELEASE/amd64/bp/c6b481893634e3c9ce4a31e792dde265adc0a118131d5197d0a498603ec14f81-9f0b37b926f8c52250e5a556dae0a9dab667333e39f4c78ce2070a9c206e4e7a: 200 OK
http://update5.freebsd.org/10.0-RELEASE/amd64/bp/d3f4491a9468caf35b5b1f6908e9139f4117079ea388d4679cf5c46e2df7e28e-d7e5d8e51a7a39e22017e727d1dd225bf03c3908e6b351bbd684b42e26be32a9: 200 OK
http://update5.freebsd.org/10.0-RELEASE/amd64/bp/fa59dbb4a273a612fbbe663bf393182cbc0f6020a3e6069aed6fe6d51dad6a6e-20d9f95c6cbd2e23f17dccd33b392157e0bf41147fee55d51da31df50b95e4ad: 200 OK
http://update5.freebsd.org/10.0-RELEASE/amd64/bp/adc294225808ea448fa142e86cf3f7fc194da7f33e66526c52628d25d699a7a6-76b44c467b392cd43e47c3ac72e2b84942d06f0164fe6702f39f5735eac16774: 200 OK
http://update5.freebsd.org/10.0-RELEASE/amd64/bp/e475d730a7e435789f67e599b2496061af3a68e2acb21aa3be6328e6404a1d2b-8d8714dfebbef0143da73b5294250eae42391739c37247a9d09cbf9c658a1d17: 200 OK
http://update5.freebsd.org/10.0-RELEASE/amd64/bp/b08a32201c27540df54fde5df6a54533ec952a57f40e15a29acfbc3d7555530a-fa17a892b40d754bf440b3ca95330f1932cbfdcdb950bc0ec5ec72111de9f3cc: 200 OK
http://update5.freebsd.org/10.0-RELEASE/amd64/bp/4b795f976e43041e15913d382d8449ce5f0942d49336c944384b7d140bfa828a-713b3cf1b1cef8109ddf41f98724265e73d926c4192f68c95b98025ee8a8c673: 200 OK
 done.
Applying patches... done.
Fetching 9 files...
/usr/libexec/phttpget update5.freebsd.org 10.0-RELEASE/amd64/f/4a93b66d47c1d158bdf7bba7e90c64d71c25ff6c0f1a3e7972b85e677d54a418.gz 10.0-RELEASE/amd64/f/541a6941ba14879435ff188022142a34d89c599ce639251a5ca07a117307e54a.gz 10.0-RELEASE/amd64/f/9414a491b2bba6290f6dfe44b6c61e3dea6bc4a85804c1f16a995182a2750bcf.gz 10.0-RELEASE/amd64/f/9f9825d18de971a460b5e667f62c77236b59559da3a7a149b5c199fdc50f2dd3.gz 10.0-RELEASE/amd64/f/c6c647eb7f0938ae46db0aa4023d0472e65bbb93af32ab2b6a99d285be7a80ed.gz 10.0-RELEASE/amd64/f/ca3bfbce3d2ad2b3d08c83fabf483188cd0b606eca1eaccfc808792a8012df46.gz 10.0-RELEASE/amd64/f/d68389cdc58e5ea9dfa2b6c16407427c643ae1a2f560a7b2e312d1cf7ce9e9e8.gz 10.0-RELEASE/amd64/f/dbe1ced5f9c95ab2e724b685c3960cdb3e1510ea692aaac2571009885e40723b.gz 10.0-RELEASE/amd64/f/e39d6815843a74535eed2cc61399fe0672cab0c844b9293d4413c136674ffbe4.gz
http://update5.freebsd.org/10.0-RELEASE/amd64/f/4a93b66d47c1d158bdf7bba7e90c64d71c25ff6c0f1a3e7972b85e677d54a418.gz: 200 OK
http://update5.freebsd.org/10.0-RELEASE/amd64/f/541a6941ba14879435ff188022142a34d89c599ce639251a5ca07a117307e54a.gz: 200 OK
http://update5.freebsd.org/10.0-RELEASE/amd64/f/9414a491b2bba6290f6dfe44b6c61e3dea6bc4a85804c1f16a995182a2750bcf.gz: 200 OK
http://update5.freebsd.org/10.0-RELEASE/amd64/f/9f9825d18de971a460b5e667f62c77236b59559da3a7a149b5c199fdc50f2dd3.gz: 200 OK
http://update5.freebsd.org/10.0-RELEASE/amd64/f/c6c647eb7f0938ae46db0aa4023d0472e65bbb93af32ab2b6a99d285be7a80ed.gz: 200 OK
http://update5.freebsd.org/10.0-RELEASE/amd64/f/ca3bfbce3d2ad2b3d08c83fabf483188cd0b606eca1eaccfc808792a8012df46.gz: 200 OK
http://update5.freebsd.org/10.0-RELEASE/amd64/f/d68389cdc58e5ea9dfa2b6c16407427c643ae1a2f560a7b2e312d1cf7ce9e9e8.gz: 200 OK
http://update5.freebsd.org/10.0-RELEASE/amd64/f/dbe1ced5f9c95ab2e724b685c3960cdb3e1510ea692aaac2571009885e40723b.gz: 200 OK
http://update5.freebsd.org/10.0-RELEASE/amd64/f/e39d6815843a74535eed2cc61399fe0672cab0c844b9293d4413c136674ffbe4.gz: 200 OK
done.

The following files will be updated as part of updating to 10.0-RELEASE-p1:
...
/usr/include/openssl/bn.h
/usr/lib/libcrypto.a
/usr/lib/libcrypto_p.a
/usr/lib/libssl.a
/usr/lib/libssl.so.7
/usr/lib/libssl_p.a
/usr/lib32/libcrypto.a
/usr/lib32/libcrypto.so.7
/usr/lib32/libcrypto_p.a
/usr/lib32/libssl.a
/usr/lib32/libssl.so.7
/usr/lib32/libssl_p.a
```


The command "openssl version" still reports:
*OpenSSL 1.0.1e-freebsd 11 Feb 2013*


Same thing when building the patch on our own Update Server. The fetch on a client reports:


```
# freebsd-update -v debug fetch
Looking up [b]UpdateServer.vm.dom[/b] mirrors... none found.
pub.ssl                                       100% of  800  B   47 kBps 00m00s
done.
Fetching metadata signature for 10.0-RELEASE from UpdateServer.vm.dom...
latest.ssl                                    100% of  512  B 1195 kBps 00m00s
done.
Fetching metadata index...
8758d960142b50eda10371a3b437786696320cc08e33f6100% of  225  B  528 kBps 00m00s
done.
Fetching 2 metadata patches...
/usr/libexec/phttpget UpdateServer.vm.dom 10.0-RELEASE/amd64/tp/5bba5f7bc5c4b169a272bacc8abc186adce346ba605a25c76d1ac0d09f202a8e-f742a9b591cf37a090683166b44df74ba139f4aee1dd2380034ff1c5dfad1148.gz 10.0-RELEASE/amd64/tp/0ba78d2ec09505d952755a878f6e802f9fbd7b8d2d2ae29112b5f3065ef82a26-76d061fc53bb78482ff197df6ebbf88a20d83433112ea1cdbfb86f2e08392b34.gz
http://UpdateServer.vm.dom/10.0-RELEASE/amd64/tp/5bba5f7bc5c4b169a272bacc8abc186adce346ba605a25c76d1ac0d09f202a8e-f742a9b591cf37a090683166b44df74ba139f4aee1dd2380034ff1c5dfad1148.gz: 404 Error (ignored)
http://UpdateServer.vm.dom/10.0-RELEASE/amd64/tp/0ba78d2ec09505d952755a878f6e802f9fbd7b8d2d2ae29112b5f3065ef82a26-76d061fc53bb78482ff197df6ebbf88a20d83433112ea1cdbfb86f2e08392b34.gz: 404 Error (ignored)
 done.
Applying metadata patches... done.
Fetching 2 metadata files...
/usr/libexec/phttpget UpdateServer.vm.dom 10.0-RELEASE/amd64/m/76d061fc53bb78482ff197df6ebbf88a20d83433112ea1cdbfb86f2e08392b34.gz 10.0-RELEASE/amd64/m/f742a9b591cf37a090683166b44df74ba139f4aee1dd2380034ff1c5dfad1148.gz
http://UpdateServer.vm.dom/10.0-RELEASE/amd64/m/76d061fc53bb78482ff197df6ebbf88a20d83433112ea1cdbfb86f2e08392b34.gz: 200 OK
http://UpdateServer.vm.dom/10.0-RELEASE/amd64/m/f742a9b591cf37a090683166b44df74ba139f4aee1dd2380034ff1c5dfad1148.gz: 200 OK
done.
Inspecting system... done.
Preparing to download files... done.
Fetching 10 files...
/usr/libexec/phttpget UpdateServer.vm.dom 10.0-RELEASE/amd64/f/0935a6499722b75011e4b7b38c6a1fcbd67d90689bc1cb0bea5730368ae86ca6.gz 10.0-RELEASE/amd64/f/2dbfb52e74750dd08a214cf60c5e01af26e899868c770b1908c4e78e8e8432f5.gz 10.0-RELEASE/amd64/f/31727b7cf39cbedcbd6e12bc0d1933cf0c99bc4a089fbfc9e7afc330e37723ac.gz 10.0-RELEASE/amd64/f/3437402ee85ef63440bae1c20c82f07d3aa22f6ff838c86fb762e4a881d8560a.gz 10.0-RELEASE/amd64/f/4755de082d9eaff460e7d0151a899f58f33d8a3dda27f74be92cec481877cfc2.gz 10.0-RELEASE/amd64/f/a08dc30c37bbebb0f8d007665bd5069addf2e4be164122dd7d14cc65ab92a806.gz 10.0-RELEASE/amd64/f/ac62d0868934f4d679f4cd856269b1e52a79bd07f8b0c21dff3236896a500b5c.gz 10.0-RELEASE/amd64/f/c16a60a6ec72f4b2132615ad765f53b8857d94495acfd595840911ba234adfde.gz 10.0-RELEASE/amd64/f/ea8aa4720f6cf60d3c158e5d43921e903a901ba4a2eaf7b86fea56946df9cf8e.gz 10.0-RELEASE/amd64/f/ead38b5f32849ea7e9bbb495f2fa6ee3c0b07a025667d4b215499fea365a8409.gz
http://UpdateServer.vm.dom/10.0-RELEASE/amd64/f/0935a6499722b75011e4b7b38c6a1fcbd67d90689bc1cb0bea5730368ae86ca6.gz: 200 OK
http://UpdateServer.vm.dom/10.0-RELEASE/amd64/f/2dbfb52e74750dd08a214cf60c5e01af26e899868c770b1908c4e78e8e8432f5.gz: 200 OK
http://UpdateServer.vm.dom/10.0-RELEASE/amd64/f/31727b7cf39cbedcbd6e12bc0d1933cf0c99bc4a089fbfc9e7afc330e37723ac.gz: 200 OK
http://UpdateServer.vm.dom/10.0-RELEASE/amd64/f/3437402ee85ef63440bae1c20c82f07d3aa22f6ff838c86fb762e4a881d8560a.gz: 200 OK
http://UpdateServer.vm.dom/10.0-RELEASE/amd64/f/4755de082d9eaff460e7d0151a899f58f33d8a3dda27f74be92cec481877cfc2.gz: 200 OK
http://UpdateServer.vm.dom/10.0-RELEASE/amd64/f/a08dc30c37bbebb0f8d007665bd5069addf2e4be164122dd7d14cc65ab92a806.gz: 200 OK
http://UpdateServer.vm.dom/10.0-RELEASE/amd64/f/ac62d0868934f4d679f4cd856269b1e52a79bd07f8b0c21dff3236896a500b5c.gz: 200 OK
http://UpdateServer.vm.dom/10.0-RELEASE/amd64/f/c16a60a6ec72f4b2132615ad765f53b8857d94495acfd595840911ba234adfde.gz: 200 OK
http://UpdateServer.vm.dom/10.0-RELEASE/amd64/f/ea8aa4720f6cf60d3c158e5d43921e903a901ba4a2eaf7b86fea56946df9cf8e.gz: 200 OK
http://UpdateServer.vm.dom/10.0-RELEASE/amd64/f/ead38b5f32849ea7e9bbb495f2fa6ee3c0b07a025667d4b215499fea365a8409.gz: 200 OK
done.

The following files will be updated as part of updating to 10.0-RELEASE-p10:
/bin/freebsd-version
/usr/lib/libcrypto.a
/usr/lib/libcrypto_p.a
/usr/lib/libssl.a
/usr/lib/libssl_p.a
/usr/lib32/libcrypto.a
/usr/lib32/libcrypto_p.a
/usr/lib32/libssl.a
/usr/lib32/libssl_p.a
/usr/src/sys/conf/newvers.sh
```


----------



## ljboiler (Apr 15, 2014)

The Heartbleed patch fixes the issue in the OpenSSL code, but did not update/change the "version" of OpenSSL.


----------



## kpa (Apr 15, 2014)

What you have is still OpenSSL version 1.0.1e that includes all the critical security fixes from the newer versions backported to the FreeBSD version. This question crops up now and then on the mailing list and the apparently there is no good solution to display the "patchlevel" in the OpenSSL version string. Other pieces of contributed sofware have the same problem, for example Sendmail. The obvious solution of using the SVN revision number of the source tree is not possible because it's not available during the build runs for the freebsd-update(8) files (according to des@), that would be a very good indicator of the version if it was but alas no.


----------



## awenger (Apr 15, 2014)

Thank you very much for your reply ljboiler and kapa.

I was getting crazy with this version issue!


----------

