We're running quite some machines with PKGNG in our server park (about 20 I think), and yesterday for the first time something went wrong.
The server was running perl-5.14.2_2, php53.5.3.19, apache2.2.23_2, and varnish-3.0.3_1. As a dependency, pcre-8.31_1 was installed.
When the Perl, PHP and the Apache packages became vulnerable ([cmd=]pkg audit[/cmd]), we had to upgrade those packages. I did:
[cmd=]# pkg update[/cmd] (we run our own repositories using poudriere)
[cmd=]# pkg install www/apache22 lang/php53 lang/perl5.14[/cmd]
Logs from pkg:
Code:
Mar 21 10:34:50 srv02 pkg: pkg upgraded: 1.0.7 -> 1.0.9_2
Mar 21 10:36:03 srv02 pkg: gettext-0.18.1.1 deinstalled
Mar 21 10:36:11 srv02 pkg: libiconv upgraded: 1.14 -> 1.14_1
Mar 21 10:36:18 srv02 pkg: gettext-0.18.1.1_1 installed
Mar 21 10:36:39 srv02 pkg: perl upgraded: 5.14.2_2 -> 5.14.2_3
Mar 21 10:36:39 srv02 pkg: pcre upgraded: 8.31_1 -> 8.32
Mar 21 10:36:41 srv02 pkg: apache22 upgraded: 2.2.23_2 -> 2.2.24
Mar 21 10:37:04 srv02 pkg: pkgconf upgraded: 0.8.9 -> 0.9.1_1
Mar 21 10:37:04 srv02 pkg: php53 upgraded: 5.3.19 -> 5.3.23
(The gettext/libiconv needed some manual work after reading /usr/ports/UPDATING.)
Then I ran some tests ([cmd=]php -v[/cmd], [cmd=]php -m[/cmd], [cmd=]httpd -V[/cmd], [cmd=]perl -v[/cmd]) .. all went well. I restarted Apache, and all sites were running fine. Maintenance done!
That night, probably due to log rotation or whatever, Varnish was restarted. And died. Because it was missing /usr/local/lib/libpcre.so.1 (after the upgrade that became /usr/local/lib/libpcre.so.3).
It was fixed easily by also upgrading Varnish, but I wonder how this could have been prevented.
Should I have done [cmd=]pkg install -Rf www/apache22 lang/php53 lang/perl5.14[/cmd] instead?
I'd guess that pkg would know about the libpcre dependencies for Varnish (and probably some other packages), and would suggest updating Varnish as well when PCRE was upgraded as a dependency of the new PHP version.
I found that by doing [cmd=]echo "SHLIBS: On" >> /usr/local/etc/pkg.conf[/cmd] and [cmd=]pkg check -B[/cmd] I can detect broken packages. Correct?
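One way to sweep a host for the kind of breakage described above (a binary still linked against a library soname that an upgrade removed, as Varnish was against libpcre.so.1), as an added example that is not part of the original post: it runs ldd over executable directories and reports every unresolved library, independent of what pkg recorded. The directory list and the sample ldd output are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post or from pkg itself.
# pkg check -B (with SHLIBS enabled) does this per package; this is a
# plain ldd(1) sweep that works regardless of how the binary was installed.

# Filter ldd output on stdin and print each library reported as unresolved.
# Both FreeBSD and glibc ldd print such lines as "libfoo.so.N => not found".
missing_from_ldd() {
    awk '$2 == "=>" && $3 == "not" && $4 == "found" { print $1 }'
}

# Constructed sample of what ldd would show for a Varnish binary still
# linked against the old pcre soname after the upgrade (address is made up).
sample_ldd() {
    printf '\tlibpcre.so.1 => not found (0)\n'
    printf '\tlibc.so.7 => /lib/libc.so.7 (0x800845000)\n'
}

# Check every regular executable directly under the given directories and
# print "path: library" for each unresolved dependency.
# Returns 1 if anything is missing, 0 if every executable resolves.
sweep_missing_libs() {
    found=0
    for dir in "$@"; do
        for f in "$dir"/*; do
            [ -f "$f" ] && [ -x "$f" ] || continue
            # ldd fails on scripts and other non-ELF files; ignore that noise.
            libs=$(ldd "$f" 2>/dev/null | missing_from_ldd)
            [ -n "$libs" ] || continue
            found=1
            for lib in $libs; do
                printf '%s: %s\n' "$f" "$lib"
            done
        done
    done
    return $found
}

# Typical use after a pkg upgrade on a FreeBSD host (assumed paths):
#   sweep_missing_libs /usr/local/bin /usr/local/sbin /usr/local/libexec
```

Run it right after the upgrade rather than waiting for the next restart: a daemon that is already running keeps its old, now-unlinked library mapped, so it only fails once it is restarted, exactly as Varnish did here.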