System_Patches Package & Recommended Patch
-
I recently installed the System_Patches package from the Package Manager on pfSense 22.05. When I went to System > Patches, I could see that there was a recommended system patch:
Fix for CRL expiration lifetime default and maximum values (Redmine #13424)
I applied this patch and restarted pfSense. When I went back to System > Patches, the following was noted -
I clicked on the Debug button and this was displayed:
I then clicked on "Patch does not apply cleanly (detail)" and this was displayed:
I then clicked on "Patch can revert cleanly (detail)" and this was displayed:
What should I do? Revert or not to Revert?
Thanks for any suggestions.
-
Since the patch is already applied, it will NOT apply cleanly if patched again.
The patch system expects (and compares) against an "unpatched source", and the "now already patched" source will not match the "unpatched source".
So the patch will not apply cleanly (to an already patched source) .... It will revert cleanly, as the "now patched source" can be reversed to the unpatched source, by doing the patch "backwards".
Note the Debug info : The patch is normal, and has already been applied.
Hope this helps understanding the patch/diff function.
/Bingo
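Added example, not part of the thread and not pfSense or System_Patches code: a simplified model of the forward and reverse tests described in the reply above, showing why an already patched file fails the "apply" check and passes the "revert" check. The file contents and values are constructed, and the matcher ignores the line offsets and fuzz a real patch tool allows.

```python
import difflib

# Constructed sample file contents (not pfSense source; values are made up).
UNPATCHED = ["[crl]", "default_lifetime = 9999", "max_lifetime = 9999", "digest = sha256"]
PATCHED = ["[crl]", "default_lifetime = 730", "max_lifetime = 730", "digest = sha256"]
DRIFTED = ["[crl]", "default_lifetime = 365", "max_lifetime = 365", "digest = sha256"]

# The "patch": a unified diff that turns UNPATCHED into PATCHED.
DIFF = "\n".join(difflib.unified_diff(UNPATCHED, PATCHED, "a/crl.conf", "b/crl.conf", lineterm=""))

def parse_hunks(diff_text):
    """Return [(old_lines, new_lines), ...], one pair per @@ hunk of a single-file diff."""
    hunks = []
    for line in diff_text.splitlines():
        if line.startswith("@@"):
            hunks.append(([], []))
        elif hunks:
            old, new = hunks[-1]
            if line.startswith("-"):
                old.append(line[1:])
            elif line.startswith("+"):
                new.append(line[1:])
            elif line.startswith(" "):      # context line: present on both sides
                old.append(line[1:])
                new.append(line[1:])
    return hunks

def contains(lines, block):
    """True if block occurs as a contiguous run inside lines."""
    n = len(block)
    return any(lines[i:i + n] == block for i in range(len(lines) - n + 1))

def patch_state(file_lines, diff_text):
    """Classify a file against a diff the way a forward and a reverse dry run would."""
    hunks = parse_hunks(diff_text)
    applies = all(contains(file_lines, old) for old, _ in hunks)   # forward test
    reverts = all(contains(file_lines, new) for _, new in hunks)   # reverse test
    if applies and not reverts:
        return "not applied: applies cleanly"
    if reverts and not applies:
        return "already applied: reverts cleanly, does not apply cleanly"
    if not applies and not reverts:
        return "mismatch: file differs from both the unpatched and patched source"
    return "ambiguous"

if __name__ == "__main__":
    for name, content in [("unpatched", UNPATCHED), ("patched", PATCHED), ("drifted", DRIFTED)]:
        print(f"{name:10s} {patch_state(content, DIFF)}")
```

The third case is the one worth investigating on a real system: a file that matches neither side has been changed by something other than this patch.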
-
@bingo600 Thank you for the reply as it makes sense. However, this leaves me with 2 questions -
- Should I Revert? If I Revert, will this cause any issues?
- Why would there be a recommended system patch, or even display of a patch, if the issue has already been patched or not an issue at all? It would seem that if the system was already patched, or not an issue, there would be no entry for this patch or it wouldn't allow you to try and patch it. [I hope that makes sense.]
-
@newuser2pfsense said in System_Patches Package & Recommended Patch:
I applied this patch and restarted pfSense.
1:
You wrote that you applied that patch, in the first post.
That's why it's already patched now ...
2:
It is always good to "seriously consider" applying any Recommended Patch suggested in the System_Patches. Usually they contain important fixes.
I.e. this one fixes a Certificate Expiration date rollover, and can if "Unpatched" make pfSense reject "Self generated" certificates with the default lifetime.
There have been several reports of newly generated OpenVPN certificates that were rejected when used ... I.e. a VPN user tried to connect to the OpenVPN Server on the pfSense.
After reading the above, do you still consider reverting the patch ??
/Bingo
-
@bingo600 So I must have this wrong then.
- In your initial post you state that, "Since the patch is already applied, it will NOT apply cleanly if patched again." So I applied a patch to my system that was already patched, unknowingly, doh! So should I "Revert", and if I "Revert", I'm wondering if there will be any issues with what was an already patched system? I'm just looking for an answer to if I should "Revert" or not.
- Why would the system allow you to patch itself when it's already patched? This should never happen.
-
Re 1:
It depends if you want to be affected by the Certificate rollover bug or not.
I would not revert. But it's your choice ....
2:
I can't even see how you could apply the patch twice.
On my system the apply disappears, when applied.
/Bingo
-
@bingo600 I've owned both, didn't like them, sold them. Love pfSense as it's much more friendly right out of the box. I'm staying with pfSense.
Here's what my System > Patches looks like now:
Originally when I installed the package from the Package Manager and then selected System > Patches, there was a button under the Apply column that I selected and it installed the patch; I don't remember the name of the button under the Apply column. After installing the patch, I selected the Debug button which displayed what I originally posted above.
Did I apply the patch to an already patched system?
-
1:
No .... Well Debug might try to apply again.
2:
If I press Debug I get the same messages as your "image"
Seems like Debug would try to apply the patch, with some extra output.
And since it is already patched, it will fail, without doing any harm/changes.
-
@bingo600 My biggest apprehension was applying a patch to an already patched system and what that could mean or for that matter do to my system.