Solved Daily Security Run Output

Looking through my Daily Security Run Output, and trying to make sense of it all...

The parts that are troubling me are 2 fold.
First, when it checks for package vulnerabilities:
Code:
Checking for packages with security vulnerabilities:
libxml2-2.9.4
phpbb3-3.2.1
mysql56-server-5.6.38

Not really sure what to do about these, or if these are even worth fussing over?
I know what phpbb3 and mysql56 are, but I'm not sure what libxml2 is or even if it was installed as a dependency like mysql56 was when I installed nextcloud. I'm not keen on updating any of these seeing as how I'm new to dumping and importing databases and last time I hose my installs...

But these next ones are what really bothering me, as I am totally lost as to what caused them or what to do about it. A little insight would really help me.

Code:
Checking for packages with mismatched checksums:
nextcloud-12.0.2: /usr/local/www/nextcloud/.htaccess
nextcloud-12.0.2: /usr/local/www/nextcloud/.user.ini
opencart-2.3.0.2: /usr/local/www/opencart/admin/config.php
opencart-2.3.0.2: /usr/local/www/opencart/config.php
opencart-2.3.0.2: missing file /usr/local/www/opencart/install/cli_install.php
opencart-2.3.0.2: missing file /usr/local/www/opencart/install/controller/3rd_party/extension.php
opencart-2.3.0.2: missing file /usr/local/www/opencart/install/controller/3rd_party/maxmind.php
...
...

These go on for about 3000 or so lines comprising of all manner of files in packages nextcloud, opencart, but MOSTLY phpbb3.

I imagine that installing the 12 or so extensions in phpbb3 might have something to do with those, but I just don't know enough about what I'm being told to say with any confidence.
I understand (sorta) what an MD5 checksum is and how it's used. But, as far as I know they are used to ensure that a file you transferred remained intact during the transmission. So what does that have to do with anything once you've actually installed the package?! And further more, how do I stop receiving Tom Clancy novels in my emails every morning telling me about how the checksums don't match?
 
No... Just installed it to check it out... That's the thing, It is EXACTLY as it was the moment I installed the package... I changed nothing...
 
I was worried you were doing business and that pop'ed up...
New install I dunno what to tell you. Are you running /quarterly or /latest for packages?
 
To be honest, I was under the impression by issuing the command pkg install opencart I was getting the latest and greatest so to speak.
Am I completely wrong about that?
 
Code:
    pkg check -r or pkg check --recompute recalculates    and sets the checksums
    of    installed packages.  This command should only be used when the admin-
    istrator has made modifications that invalidate a package checksum.
    Spontaneous checksum problems can indicate    data or    security problems.

Could this be the answer to my problems, or is this just going to make things worse?
Seems like since everything is working just fine (and it is), that this could make the checksums pass?
Input?
 
OK. I have run pkg delete opencart to fix those problems... Not even worth it right now.
And I have figured out the problem with phpbb3.
Code:
Checking all packages.....
phpbb3-3.2.1: missing file /usr/local/www/phpBB3/.htaccess
phpbb3-3.2.1: missing file /usr/local/www/phpBB3/adm/images/alert_close.png
phpbb3-3.2.1: missing file /usr/local/www/phpBB3/adm/images/arrow_down.gif
phpbb3-3.2.1: missing file /usr/local/www/phpBB3/adm/images/arrow_left.gif

All of those file actually exist. However, they are in "/usr/local/www/phpbb3".
Notice the lack of capital B"s. So there is not really a problem there. All is well.
I would like to disable the check that is doing that or at least stop it from doing it
to that particular pkg, seeing as it is fine... Any clues on how to do that?
I am looking into how to edit a /etc/periodic/periodic.conf file to get it done, but nothing yet.

Also, I think I have narrowed the mismatched checksums to my user of py27-certbot.
as I am seeing this in the .htaccess file:
Code:
<IfModule mod_rewrite.c>
  RewriteEngine on
  RewriteCond %{HTTP_USER_AGENT}  DavClnt
  RewriteRule ^$         /remote.php/webdav/          [L,R=302]
  RewriteRule .* - [env=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
  RewriteRule ^\.well-known/host-meta /public.php?service=host-meta [QSA,L]
  RewriteRule ^\.well-known/host-meta\.json /public.php?service=host-meta-json [QSA,L]
  RewriteRule ^\.well-known/carddav /remote.php/dav/ [R=301,L]
  RewriteRule ^\.well-known/caldav /remote.php/dav/ [R=301,L]
  RewriteRule ^remote/(.*) remote.php [QSA,L]
  RewriteRule ^(?:build|tests|config|lib|3rdparty|templates)/.* - [R=404,L]
  RewriteCond %{REQUEST_URI} !^/.well-known/acme-challenge/.*
  RewriteRule ^(?:\.|autotest|occ|issue|indie|db_|console).* - [R=404,L]
</IfModule>

I know that to be the dir structure that certbot installs in order to remotely check that
I am who I say I am...

So, as far as I can tell I am structurally sound. But, I am still looking into pkg check --recompute
will fix the checksum issues for me... I'm really tentative about running that without a full understanding of
what EXACTLY it will do, seeing as my entire network uses that for backup purposes.

Any insight would be helpful!
 
Back
Top