UTM Version 9.352-6 and 9.318-5 released (Do not install!!)

DO NOT INSTALL - THE UPDATES ARE FAULTY (Read this thread through!)

News

· Security Update
Remarks

· System will be rebooted
Bugfixes

36115 WebAdmin reflective XSS Vulnerability
36126 OpenSSL security update 1.0.1q



  • I am so glad that I waited a few days and then checked the forum before I expected to upgrade. I too hope the problem is isolated and the fix sent out soon. If it isn't the actual patches then it could be in the application of the patches, I understand that. Sascha sure is taking a lot of crap over this, I'm sure it sucks at times being the face of Sophos when things take a crap like these updates.

    What I don't quite understand is, after reading this thread it sounds like there is a fix but you must get the fix from whoever sold you a device. I'm not sure I get the idea behind this unless Sophos is just trying to collect some more income, but maybe I misunderstand it. Either way I didn't upgrade and am waiting for the next patch to come out and hope it fixes the issues. I hope this new set of patches comes soon.

    -Joe

    Home Sophos System: Intel Core 2 Duo E8500 CPU | Gigabyte GA-P45T-ES3G | 8GB RAM | 500GB 2.5" Laptop drive
  • Soo - at work and debugging the update screwup on our HA pair, formerly 9.351 -> 9.352, that went bad.

    At shell level I can see that the following updates were installed:
    <M> fw1:/etc # rpm -qa --queryformat '%{installtime} (%{installtime:date}) %{name}\n'|grep Dec
    1450166813 (Tue 15 Dec 2015 09:06:53 AM CET) u2d-ohelp9
    1450374005 (Thu 17 Dec 2015 06:40:05 PM CET) libopenssl1_0_0
    1450374006 (Thu 17 Dec 2015 06:40:06 PM CET) ep-up2date-downloader
    1450374008 (Thu 17 Dec 2015 06:40:08 PM CET) ep-chroot-httpd
    1450625258 (Sun 20 Dec 2015 04:27:38 PM CET) u2d-savi
    1449901313 (Sat 12 Dec 2015 07:21:53 AM CET) u2d-geoip
    1450374005 (Thu 17 Dec 2015 06:40:05 PM CET) libopenssl1_0_0_httpproxy
    1450374006 (Thu 17 Dec 2015 06:40:06 PM CET) ep-up2date
    1450374006 (Thu 17 Dec 2015 06:40:06 PM CET) ep-up2date-pattern-install
    1450374008 (Thu 17 Dec 2015 06:40:08 PM CET) ep-webadmin
    1450374008 (Thu 17 Dec 2015 06:40:08 PM CET) ep-release
    1450374006 (Thu 17 Dec 2015 06:40:06 PM CET) openssl
    1450374006 (Thu 17 Dec 2015 06:40:06 PM CET) ep-up2date-system-install

    (Update was Thursday, 17.Dec at 18:40 local time)

    Irritating stuff, as OpenSSL should have been updated to 1.0.1j:

    <M> fw1:/etc # rpm -qi openssl
    Name : openssl Relocations: (not relocatable)
    Version : 1.0.1k Vendor: Astaro GmbH & Co. KG
    Release : 315.gd74c95a Build Date: Fri 04 Dec 2015 04:29:45 PM CET
    Install Date: Thu 17 Dec 2015 06:40:06 PM CET Build Host: axgbuild
    Group : Productivity/Networking/Security Source RPM: openssl-1.0.1k-315.gd74c95a.src.rpm
    Size : 561362 License: OpenSSL
    Signature : (none)
    Packager : Astaro GmbH & Co. KG
    URL : http://www.openssl.org/
    Summary : Secure Sockets and Transport Layer Security
    Description :
    The OpenSSL Project is a collaborative effort to develop a robust,


    => Why is there a 1.0.1k version installed? The announcement in the Sophos blog suggested 1.0.1j?


    So there were really only two major components updated, the rest is IMHO only normal stuff that gets updated with normal background pattern updates etc.
  • Update: The issue I described above seems to have occurred coincidentally following the reboot of the 2 HA nodes after the update - seems to be a nasty problem with HA and automatic updates where the UTM tries to automagically switch between the two nodes and update them both.
    I can see on the remaining active node (the other node has been disabled (a.k.a. power plug pulled) to maintain a definitive state) that some of the NICs show the virtual MAC as their own MAC, not the manufacturer's MAC.

    =>Not the fault of up2date 9.352 ;-)

    By the way: My Graphs are working fine...
  • OlafHoyer said:


    Question: Where can I have a look which components have changed in the 9.352-6 patch? I assumed that only some issues in the webinterface have been fixed, so I did not expect this drastic behaviour- which will cost me part of the weekend to fix...


    List of RPMs
    gatekeeper:/home/login # tar zxvf install-sys-9.352006.tgz
    u2d-ohelp9-9-118.i686.rpm
    ep-ha-aws-9.35-28.ge0bdd81.rb1.i686.rpm
    libopenssl1_0_0-1.0.1k-315.gd74c95a.i686.rpm
    libopenssl1_0_0_httpproxy-1.0.1k-315.gd74c95a.i686.rpm
    openssl-1.0.1k-315.gd74c95a.i686.rpm
    ep-up2date-9.35-10.g474a285.i686.rpm
    ep-up2date-downloader-9.35-10.g474a285.i686.rpm
    ep-up2date-pattern-install-9.35-10.g474a285.i686.rpm
    ep-up2date-system-install-9.35-10.g474a285.i686.rpm
    ep-webadmin-9.35-178.ge610088.i686.rpm
    ep-chroot-httpd-9.35-7.g983ba17.rb1.noarch.rpm
    ep-release-9.352-6.noarch.rpm

    OlafHoyer said:
    Irritating stuff, as OpenSSL should have been updated to 1.0.1j:

    They have been on 1.0.1k for a while www.astaro.org/.../58343-9-314013-ga-released.html . I guess as long as the current version is patched we are ok. Even in the release notes it says OpenSSL security update 1.0.1q. Don't know why they don't call it 1.0.1q.

  • > The corresponding images in the Executive Report are directly integrated in the Email (by cid) and are
    > therefore fully unrelated to the patches we released in this update.

    9.351-3 HTML-Source in the Executive Report looks/looked like:
    img src="cid:cpuusage_daily_01234567890abcdefgh...."
    img src="cid:memswap_daily_01234567890abcdefg...."

    9.352-6 HTML-Source in the Executive Report looks like:
    img src="/var/rrd-nodataimages/cpuusage_nodata.png
    img src="/var/rrd-nodataimages/memswap_nodata.png
  • Hi all:

    we just identified the root cause of the issue and a fix is currently in development.

    To those who do not have a support contract and want to fix their machines on their own, the following shell command will give you the images back:

    cd /var/chroot-httpd/var/webadmin/var
    sudo -u wwwrun ln -s ../../log/reporting/images rrd-images

    Cheers,
    Sascha

    Cheers,

    Sascha Rudolph
    Senior Software Engineer, NSG

  • This is very good news that the root cause was identified. Hopefully a new update will come out very shortly.
  • eremit said:

    To those who do not have a support contract and want to fix their machines on their own, the following shell command will give you the images back:

    cd /var/chroot-httpd/var/webadmin/var
    sudo -u wwwrun ln -s ../../log/reporting/images .

    That did not help. I did reboot after applying.

    The Exec Reports are still bad; Flow Monitor results in the "Backend connection failed" error.

  • This does not fix the flow monitor.

    Cheers,

    Sascha Rudolph
    Senior Software Engineer, NSG

  • Sorry, it's of course
    sudo -u wwwrun ln -s ../../log/reporting/images rrd-images

    Cheers,

    Sascha Rudolph
    Senior Software Engineer, NSG
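A check-and-repair wrapper around the corrected one-liner above, added here as an example and not something posted in the thread or shipped by Sophos. It reuses the paths Sascha gave (the WebAdmin chroot directory and the `../../log/reporting/images` target) and adds what an admin would want before touching a production box: it reports whether the `rrd-images` link is already correct, refuses to clobber anything else sitting at that path, and is safe to run twice. The function names and the optional `ROOT` argument (which lets the same code be exercised against a scratch directory tree instead of `/`) are assumptions of this example.

```shell
#!/bin/sh
# Example code (not from the thread): verify and restore the rrd-images symlink
# in the WebAdmin chroot that was missing after the 9.352-6 update.
# Usage: fix_rrd_images [ROOT]   ROOT defaults to / ; a scratch dir can be passed
# for a dry run. Paths and target come from Sascha's post; the ROOT parameter
# and function names are this example's own.

# check_rrd_images [ROOT]
# Returns 0 when the link exists with the expected relative target,
#         1 when nothing is at the path (fix needed),
#         2 when a file, directory or differently targeted link is in the way.
check_rrd_images() {
    root="${1:-/}"
    link="${root%/}/var/chroot-httpd/var/webadmin/var/rrd-images"
    expected="../../log/reporting/images"
    if [ -L "$link" ]; then
        actual=$(readlink "$link")
        [ "$actual" = "$expected" ] && return 0
        return 2
    fi
    [ -e "$link" ] && return 2
    return 1
}

# fix_rrd_images [ROOT]
# Creates the link only when it is missing. On the real appliance (root, ROOT=/)
# the link is created as wwwrun, as in the thread, so the chrooted httpd owns it;
# otherwise a plain ln is used so the example can run unprivileged.
fix_rrd_images() {
    root="${1:-/}"
    dir="${root%/}/var/chroot-httpd/var/webadmin/var"
    rc=0
    check_rrd_images "$root" || rc=$?
    case "$rc" in
        0) echo "rrd-images link already correct"; return 0 ;;
        2) echo "rrd-images exists but is not the expected symlink; leaving it alone" >&2; return 2 ;;
    esac
    if [ "$(id -u)" = 0 ] && [ "$root" = "/" ]; then
        (cd "$dir" && sudo -u wwwrun ln -s ../../log/reporting/images rrd-images)
    else
        (cd "$dir" && ln -s ../../log/reporting/images rrd-images)
    fi
    # Re-check so the caller gets 0 only if the link is now in place.
    check_rrd_images "$root"
}
```

Running `check_rrd_images` on its own first is the useful part: a return of 2 means something other than the missing link is going on (for instance a previous attempt that created the link with the wrong name or target), and that case should be looked at rather than papered over with another `ln`.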