System Patches package version 2.2.5

jimp · Aug 16, 2023, 3:38 PM

A new version of the System Patches package is up, version 2.2.5.

This version adds several recommended patches for pfSense Plus software version 23.05.1 and pfSense CE software version 2.7.0.

If you added a patch entry manually that is the same as a recommended patch, you can remove the manual entry after updating the package.

mcury · Aug 16, 2023, 3:45 PM

@jimp Thanks Jimp and Netgate team.
Applied successfully in a SG-4100 and already rebooted the firewall. Everything is working fine.

emikaadeo · Aug 16, 2023, 4:20 PM

For me this patch doesn't apply cleanly:
login-to-view
pfSense+ 23.05.1 (amd64)
No custom/manual patches.
Debug:
login-to-view

/usr/bin/patch --directory='/' -t  --strip '2' -i '/usr/local/pkg/patches/892de1ecdaa23b164f6b2a2251d7538eee2199ea.patch' --check --forward --ignore-whitespace

Hmm...  Looks like a unified diff to me...
The text leading up to this was:
--------------------------
|commit 892de1ecdaa23b164f6b2a2251d7538eee2199ea
|Author: jim-p <jimp@netgate.com>
|Date:   Wed Jun 28 08:50:07 2023 -0400
|
|    Fix invalid log rotation setup test. Fixes #14517
|
|diff --git a/src/etc/inc/syslog.inc b/src/etc/inc/syslog.inc
|index 013de691ac..64551bfed2 100644
|--- a/src/etc/inc/syslog.inc
|+++ b/src/etc/inc/syslog.inc
--------------------------
Patching file etc/inc/syslog.inc using Plan A...
Hunk #1 failed at 517.
1 out of 1 hunks failed while patching etc/inc/syslog.inc
done

jimp · Aug 16, 2023, 4:21 PM

It's already applied.

You can't revert it because the patch below it affected that code as well so you have to revert the other one, then it can be reverted.

emikaadeo · Aug 16, 2023, 4:24 PM

@jimp
Ok, got it.

SteveITS · Aug 16, 2023, 4:26 PM

@jimp "Fix per-log settings for file size and retenation count not being respected"

*retention

Love the patches package.

JonathanLee · Sep 8, 2023, 4:12 AM

I was able to do a pkg update and install a new patch update for certificates issues. I was wondering if anyone else has this yet as it did not show up as a full update form package manage as of 8/7/23

Bob.Dig · Sep 8, 2023, 6:31 AM

@JonathanLee Here it was.

Gertjan · Sep 8, 2023, 6:45 AM

@JonathanLee said in System Patches package version 2.2.5:

I was wondering if anyone else has this yet

Can't miss it.

If a package gets available, I'll get a Phone popup right away :

Notifications in this message: 1
================================
07:01:06 The following updates are available and can be installed using System > Package Manager:

System_Patches: 2.2.5 ==> 2.2.6

Some packages are part of the base system and will not show up in Package Manager. If any such updates are listed below, run `pkg upgrade` from the shell to install them:

pfSense-pkg-System_Patches: 2.2.5 -> 2.2.6 [pfSense]

edit : Even non-pfSense-GUI packages, the classic FreeBSD packages for pfSense get notified this way.

Bob.Dig · Sep 8, 2023, 8:21 AM

@Gertjan said in System Patches package version 2.2.5:

If a package gets available, I'll get a Phone popup right away :

Interesting, this is not in the pfSense-GUI.

Gertjan · Sep 8, 2023, 9:20 AM

@Bob-Dig said in System Patches package version 2.2.5:

this is not in the pfSense-GUI.

Well ... it is.

This list :

login-to-view

is updates ones in while - several times a day.
But you have to visit the GUI to be aware of it.

There is a small shell (PHP) script somewhere in this part of the forum that executes 'when ever you want' (cron task) that mails you if there are candidates...

Bob.Dig · Sep 8, 2023, 9:22 AM

@Gertjan said in System Patches package version 2.2.5:

There is a small shell (PHP) script somewhere in this part of the forum that executes 'when ever you want' (cron task) that mails you if there are candidates...

That is the part I meant.

Gertjan · Sep 8, 2023, 9:32 AM

@Bob-Dig

Here :

<?php

  require_once("pkg-utils.inc");
  require_once("notices.inc");
  require_once("util.inc");

  $msg = null;
  $pmsg = null;
  $p = 0;

  // log_error("Starting update check");
  //echo "test";
  // pfSense base system check
  $system_version = get_system_pkg_version(false, true);
  if ($system_version === false) {
    printf("%s\n", 'Unable to check for updates');
    log_error("Unable to check for updates, exiting");
    exit;
  }

  if (!is_array($system_version) ||
    !isset($system_version['version']) ||
    !isset($system_version['installed_version'])) {
    printf("%s\n", 'Error in version information');
    log_error("Error in version information, exiting");
    exit;
  }

  switch ($system_version['pkg_version_compare']) {
    case '<':
      printf("%s%s%s\n", "pfSense version ", $system_version['version'], " is available");
      $msg = "An update to pfSense version " . $system_version['version'] . " is available\n\n";
      break;
    case '=':
      printf("%s%s%s\n", "pfSense version ", $system_version['version'], " (installed) is current");
      break;
    case '>':
      printf("%s%s%s\n", "pfSense version ", $system_version['installed_version'], " is NEWER than the latest available version ", $system_version['version']);
      $msg = "pfSense version " . $system_version['version'] . " is available (downgrade)\n\n";
      break;
    default:
      printf("%s\n", 'Error comparing installed with latest version available');
      log_error("Error comparing installed with latest version available");
      break;
  }

  // package check
  $package_list = get_pkg_info('all', true, true);
  $installed_packages = array_filter($package_list, function($v) {
    return (isset($v['installed']) && isset($v['name']));
  });

  if (empty($installed_packages)) {
    printf("%s\n", 'No packages installed');
    log_error("No packages installed, exiting");
    exit;
  }

  foreach ($installed_packages as $pkg) {
    if (isset($pkg['installed_version']) && isset($pkg['version'])) {
      //printf("%s%s%s\n", $pkg['shortname'], ': ', $pkg['installed_version']);
      $version_compare = pkg_version_compare($pkg['installed_version'], $pkg['version']);
      if ($version_compare != '=') {
        $p++;
        $pmsg .= "\n".$pkg['shortname'].': '.$pkg['installed_version'].' ==> '.$pkg['version'];
        if ($version_compare == '>') {
          $pmsg .= ' (downgrade)';
        }
        printf("%s%s%s%s%s\n", $pkg['shortname'], ': ', $pkg['installed_version'], ' ==> ', $pkg['version']);
      }
    }
  }

  if ($p > 0) {
    $msg = $msg . "The following updates are available and can be installed using System > Package Manager:\n" . $pmsg;
  }

  // check for updates to builtin packages
  exec("/usr/sbin/pkg upgrade -n | /usr/bin/sed -ne '/UPGRADED/,/^$/p'", $output, $retval);
  if (($retval == 0) && (count($output))) {
    $msg .= "\n\n" . "Some packages are part of the base system and will not show up in Package Manager. If any such updates are listed below, run `pkg upgrade` from the shell to install them:\n\n";
    array_shift($output);
    $msg .= implode("\n", array_map('ltrim', $output));
  }

  if (!empty($msg)) {
    log_error("Updates were found - sending email");
    echo $msg;
    notify_via_smtp($msg);
  }

//  log_error("Update check complete");

call it / chmod it :

-rwxr-xr-x  1 root  wheel  3325 Jan 20  2023 /root/pkg_check.php

Cron it :

login-to-view

About the last line in the scrip :

notify_via_smtp($msg);

That's because my notify system has been set up using smtp. Nothing else.

Type :

cat /etc/inc/notices.inc

and look at the end.
Pick whatever you prefer, or go "all out" with

notify_all_remote($msg)

DBMandrake · Sep 8, 2023, 10:49 AM

@jimp Does the patch for (Redmine #14545) also include the fix in the patch for (Redmine #14517) given that the two patches conflict and can't be applied at the same time ? Or do we have to choose one or the other ?

jimp · Sep 8, 2023, 12:59 PM

@JonathanLee said in System Patches package version 2.2.5:

I was able to do a pkg update and install a new patch update for certificates issues. I was wondering if anyone else has this yet as it did not show up as a full update form package manage as of 8/7/23

It shows up as a package update for me here. I checked Plus amd64 and arm instances of 23.05.1, and CE instance of 2.7.0, and they all show it:

login-to-view

EDIT: It's also worth noting that if you are running dev snapshots (Plus 23.09, CE 2.8.0) then the patches are unnecessary as they are a part of the dev builds, so they will come in when they get built overnight. No recommended patches entries will show for those versions either since they already have all the latest code.

jimp · Sep 8, 2023, 12:39 PM

@DBMandrake said in System Patches package version 2.2.5:

@jimp Does the patch for (Redmine #14545) also include the fix in the patch for (Redmine #14517) given that the two patches conflict and can't be applied at the same time ? Or do we have to choose one or the other ?

They do not conflict, one depends on the other.

Since they depend on each other, you have to apply them in the correct order (top down) or revert them in the correct order (bottom up) which is why they are placed how they are in the list.

jimp · Sep 8, 2023, 12:56 PM

Any further questions about the change in 2.2.6 should go over in the new thread:

https://forum.netgate.com/topic/182725/system-patches-package-version-2-2-6