From owner-freebsd-questions@freebsd.org Wed Sep 2 14:09:53 2015 Return-Path: Delivered-To: freebsd-questions@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id CE3BA9C8FC1 for ; Wed, 2 Sep 2015 14:09:53 +0000 (UTC) (envelope-from matthew@FreeBSD.org) Received: from smtp.infracaninophile.co.uk (smtp.infracaninophile.co.uk [IPv6:2001:8b0:151:1:3cd3:cd67:fafa:3d78]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.infracaninophile.co.uk", Issuer "infracaninophile.co.uk" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 6F467669 for ; Wed, 2 Sep 2015 14:09:53 +0000 (UTC) (envelope-from matthew@FreeBSD.org) Received: from host-4-75.office.adestra.com (vpn-1.adestra.com [46.236.37.122]) (authenticated bits=0) by smtp.infracaninophile.co.uk (8.15.2/8.15.2) with ESMTPSA id t82E9aoK037634 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO) for ; Wed, 2 Sep 2015 15:09:42 +0100 (BST) (envelope-from matthew@FreeBSD.org) Authentication-Results: smtp.infracaninophile.co.uk; dmarc=none header.from=FreeBSD.org DKIM-Filter: OpenDKIM Filter v2.10.3 smtp.infracaninophile.co.uk t82E9aoK037634 Authentication-Results: smtp.infracaninophile.co.uk/t82E9aoK037634; dkim=none; dkim-atps=neutral X-Authentication-Warning: lucid-nonsense.infracaninophile.co.uk: Host vpn-1.adestra.com [46.236.37.122] claimed to be host-4-75.office.adestra.com Subject: Re: fail to fetch vulnxml file each night, as seen in daily security, run output. To: freebsd-questions@freebsd.org References: <55E700C9.4080000@gmail.com> From: Matthew Seaman X-Enigmail-Draft-Status: N1110 Message-ID: <55E70319.7060604@FreeBSD.org> Date: Wed, 2 Sep 2015 15:09:29 +0100 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:38.0) Gecko/20100101 Thunderbird/38.2.0 MIME-Version: 1.0 In-Reply-To: <55E700C9.4080000@gmail.com> Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="FrV7k4qjWixt56sWLSvtVXg56C8TU2gfm" X-Virus-Scanned: clamav-milter 0.98.7 at lucid-nonsense.infracaninophile.co.uk X-Virus-Status: Clean X-Spam-Status: No, score=-2.1 required=5.0 tests=ALL_TRUSTED,AWL,BAYES_00, SUBJ_AS_SEEN autolearn=no autolearn_force=no version=3.4.1 X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on lucid-nonsense.infracaninophile.co.uk X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 02 Sep 2015 14:09:53 -0000 This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --FrV7k4qjWixt56sWLSvtVXg56C8TU2gfm Content-Type: text/plain; charset=windows-1252 Content-Transfer-Encoding: quoted-printable On 2015/09/02 14:59, Ernie Luzar wrote: > I get the following message in the daily security run output on both my= > 10.1 and 10.2 systems. Both which were installed from scratch using a > cdisc1.iso file. >=20 > Checking for packages with security vulnerabilities: > pkg:=20 : No route to host > pkg: cannot fetch vulnxml file Well? Did you verify if you could fetch the audit file manually? Try: # pkg audit -F If that doesn't work, start investigating why your jails can't connect properly. vuxml.freebsd.org is on a GeoIP load balancer, so you should get directed to a nearby mirror. Try this -- you should see similar output, but probably to a different IP number: # curl -v -o /dev/null http://vuxml.freebsd.org/freebsd/vuln.xml.bz2 % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* Trying 2001:41c8:112:8300::50:5... * Connected to vuxml.freebsd.org (2001:41c8:112:8300::50:5) port 80 (#0) > GET /freebsd/vuln.xml.bz2 HTTP/1.1 > Host: vuxml.freebsd.org > User-Agent: curl/7.43.0 > Accept: */* > < HTTP/1.1 200 OK < Date: Wed, 02 Sep 2015 14:05:36 GMT < Content-Type: application/x-bzip < Content-Length: 538363 < Last-Modified: Wed, 02 Sep 2015 00:35:15 GMT < Connection: keep-alive < ETag: "55e64443-836fb" < Server: ToTheCloud/v0.01beta < Accept-Ranges: bytes < { [11164 bytes data] 100 525k 100 525k 0 0 4511k 0 --:--:-- --:--:-- --:--:-- 4571k * Connection #0 to host vuxml.freebsd.org left intact If it doesn't work, it should at least give you some clues as to what is going wrong. If it does work, then see if the daily cron job has mysteriously started working again, in which case you can put the problem down to something temporary; outside your network and beyond your control. > -- End of security output -- >=20 >=20 > Is this normal by design? Why would we publish a script that intentionally doesn't work? No, it isn't normal and neither is it by design. Cheers, Matthew --FrV7k4qjWixt56sWLSvtVXg56C8TU2gfm Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- Comment: GPGTools - https://gpgtools.org iQJ8BAEBCgBmBQJV5wMfXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQxOUYxNTRFQ0JGMTEyRTUwNTQ0RTNGMzAw MDUxM0YxMEUwQTlFNEU3AAoJEABRPxDgqeTnLT0P/1Ux8IdSJBpA/K4dsdW2Q5LT G8w4IdNByAl5ct9RAjjDUCNtOVaCjmZQi78iiEytDBKPOFVM1HrwnqmAy4JB3Tu4 RxJl/ce1A/ZJINj0qKVptxiTZCq+wbrQeBx9OBiiCCiIubNxUmYb0m/5qVBDwucr No/kX3e6fz9CixJDudD2HCMnxxO7TV86MhwfD59UZg6KaQLcLXZfswKIps8g/w1L yB9y8ZP8fMlgvtoMbidqPor94HzHqN6U7dar3ddi32O+VQMopPJxFX+EYs3DNdvp 48NV/BGzQZFcBENT5IZdIyiTN2S62l4ZyQ2h8EvVbezhyrx1pgixM/D9kHc5+tON Pr9cce5htJx5HO6GFZxJtddI802QGC8AkD/mqGqFlsmiLHVtMi3uXI4+s1fXr3YI QUTFbGwJw3q2HMp9jtAr/NHxeMyOj81JBGNTcMpr7Mm7tV1OQqmtqiWH6eZvdpQw rijlfRMVyKlx1r1PoGlxGwEWtFk37Pr9eVBpGVcZKchkuB9XbST3Xj6JW2xAthol hu9D3LQ8u4GWwdGNV52oPnsa6Gwm8tIcUkvFOaJwk6wYmFavifsKKUkVhAP9kkhx 4nYf7/KB3fNp3zOlu+xrnZsiUAYO6nhUVZng3c7KtXOdtSUw97JC9kJ0FD/HsDCb vx/2vcbZhyitn8ntQft1 =fnZI -----END PGP SIGNATURE----- --FrV7k4qjWixt56sWLSvtVXg56C8TU2gfm--