From cd8a74290b6f1259d21e294282ac83dc9aeddaa5 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Mon, 2 Oct 2023 10:36:17 -0400 Subject: [PATCH 01/12] hold openssl version --- salt/common/init.sls | 1 - salt/common/packages.sls | 11 ++++++++++- 2 files changed, 10 insertions(+), 2 deletions(-) diff --git a/salt/common/init.sls b/salt/common/init.sls index f50f0c61b..37ea4239d 100644 --- a/salt/common/init.sls +++ b/salt/common/init.sls @@ -91,7 +91,6 @@ vimconfig: alwaysupdated: pkg.latest: - pkgs: - - openssl - openssh-server - bash - skip_suggestions: True diff --git a/salt/common/packages.sls b/salt/common/packages.sls index 8b54bdbf5..f5707a377 100644 --- a/salt/common/packages.sls +++ b/salt/common/packages.sls @@ -46,6 +46,12 @@ python-rich: {% endif %} {% if GLOBALS.os_family == 'RedHat' %} + +holdversion_openssl: + pkg.held: + - name: - openssl + - version: 1:3.0.7-16.0.1.el9_2 + commonpkgs: pkg.installed: - skip_suggestions: True @@ -65,7 +71,7 @@ commonpkgs: - mariadb-devel - net-tools - nmap-ncat - - openssl + - openssl: 1:3.0.7-16.0.1.el9_2 - procps-ng - python3-dnf-plugin-versionlock - python3-docker @@ -79,4 +85,7 @@ commonpkgs: - unzip - wget - yum-utils + + + {% endif %} From 70a36bafa54b92e258f4e5a2942006c04dcd7b1e Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Mon, 2 Oct 2023 10:38:54 -0400 Subject: [PATCH 02/12] remove - --- salt/common/packages.sls | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/common/packages.sls b/salt/common/packages.sls index f5707a377..ae723fd94 100644 --- a/salt/common/packages.sls +++ b/salt/common/packages.sls @@ -49,7 +49,7 @@ python-rich: holdversion_openssl: pkg.held: - - name: - openssl + - name: openssl - version: 1:3.0.7-16.0.1.el9_2 commonpkgs: From dfe399291f9398435fd0520955bf19826400bb04 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Mon, 2 Oct 2023 10:54:41 -0400 Subject: [PATCH 03/12] hold openssl-libs --- salt/common/packages.sls | 5 +++++ 1 file changed, 5 insertions(+) 
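Review bot: In PATCH 01/12 the `holdversion_openssl` state and the `- openssl: 1:3.0.7-16.0.1.el9_2` entry in `commonpkgs` (salt/common/packages.sls) freeze OpenSSL at one build, so later OpenSSL security errata will not reach these hosts until someone edits this file. The comment added in PATCH 05/12 gives the reason but not the condition for lifting the hold; a line such as `# TODO: remove hold once mariadb-devel no longer requires this openssl build` next to the state would make the freeze reviewable. The hold sits inside `{% if GLOBALS.os_family == 'RedHat' %}`, while the same commit drops `- openssl` from `alwaysupdated` in salt/common/init.sls. If that state also applies to other OS families (its surrounding conditionals are outside the hunk), those hosts lose the forced `pkg.latest` for openssl without needing the hold.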
diff --git a/salt/common/packages.sls b/salt/common/packages.sls index ae723fd94..f7c8fd5dc 100644 --- a/salt/common/packages.sls +++ b/salt/common/packages.sls @@ -52,6 +52,11 @@ holdversion_openssl: - name: openssl - version: 1:3.0.7-16.0.1.el9_2 +holdversion_openssl-libs: + pkg.held: + - name: openssl-libs + - version: 1:3.0.7-16.0.1.el9_2 + commonpkgs: pkg.installed: - skip_suggestions: True From c1ab8952eb727c0cf0cea085c6b75aa468109b0e Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Mon, 2 Oct 2023 10:59:51 -0400 Subject: [PATCH 04/12] hold openssl-devel --- salt/common/packages.sls | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/salt/common/packages.sls b/salt/common/packages.sls index f7c8fd5dc..a4a32f15f 100644 --- a/salt/common/packages.sls +++ b/salt/common/packages.sls @@ -57,6 +57,11 @@ holdversion_openssl-libs: - name: openssl-libs - version: 1:3.0.7-16.0.1.el9_2 +holdversion_openssl-devel: + pkg.held: + - name: openssl-devel + - version: 1:3.0.7-16.0.1.el9_2 + commonpkgs: pkg.installed: - skip_suggestions: True From f85dd910a302bad9515390d99d7929fe8106fe3c Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Mon, 2 Oct 2023 11:13:08 -0400 Subject: [PATCH 05/12] hold openssl from update during setup --- salt/common/packages.sls | 2 ++ setup/so-functions | 3 ++- 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/salt/common/packages.sls b/salt/common/packages.sls index a4a32f15f..0bf8616be 100644 --- a/salt/common/packages.sls +++ b/salt/common/packages.sls @@ -47,6 +47,8 @@ python-rich: {% if GLOBALS.os_family == 'RedHat' %} +# holding these since openssl-devel-1:3.0.7-16.0.1.el9_2 seems to be a requirement for mariadb-devel-3:10.5.16-2.el9_0 +# https://github.com/Security-Onion-Solutions/securityonion/discussions/11443 holdversion_openssl: pkg.held: - name: openssl diff --git a/setup/so-functions b/setup/so-functions index 679142e2a..26e1b2dab 100755 --- a/setup/so-functions +++ b/setup/so-functions 
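Review bot: PATCH 03/12 and 04/12 add `holdversion_openssl-libs` and `holdversion_openssl-devel` as copies of `holdversion_openssl`, each repeating the literal `1:3.0.7-16.0.1.el9_2` that also appears in the `commonpkgs` list. A future bump has to touch every copy, and a missed one would leave openssl and openssl-libs pinned to different builds. Setting the version once at the top of the RedHat block, e.g. `{% set OPENSSL_VERSION = '1:3.0.7-16.0.1.el9_2' %}`, and writing `- version: {{ OPENSSL_VERSION }}` in each state keeps them in step.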
@@ -2443,7 +2443,8 @@ update_sudoers_for_testing() { update_packages() { if [[ $is_oracle ]]; then logCmd "dnf repolist" - logCmd "dnf -y update --allowerasing --exclude=salt*,docker*,containerd*" + # holding openssl https://github.com/Security-Onion-Solutions/securityonion/discussions/11443 + logCmd "dnf -y update --allowerasing --exclude=salt*,docker*,containerd*,openssl*" RMREPOFILES=("oracle-linux-ol9.repo" "uek-ol9.repo" "virt-ol9.repo") info "Removing repo files added by oracle-repos package update" for FILE in ${RMREPOFILES[@]}; do From 0f08d5d640a2e0e0fa6767ded9a7ec9d934c15ae Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Mon, 2 Oct 2023 11:43:03 -0400 Subject: [PATCH 06/12] install openssl version 1:3.0.7-16.0.1.el9_2 --- setup/so-functions | 1 + 1 file changed, 1 insertion(+) diff --git a/setup/so-functions b/setup/so-functions index 26e1b2dab..243e89c99 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -2444,6 +2444,7 @@ update_packages() { if [[ $is_oracle ]]; then logCmd "dnf repolist" # holding openssl https://github.com/Security-Onion-Solutions/securityonion/discussions/11443 + logCmd "dnf -y install openssl-1:3.0.7-16.0.1.el9_2 openssl-libs-1:3.0.7-16.0.1.el9_2 openssl-devel-1:3.0.7-16.0.1.el9_2" logCmd "dnf -y update --allowerasing --exclude=salt*,docker*,containerd*,openssl*" RMREPOFILES=("oracle-linux-ol9.repo" "uek-ol9.repo" "virt-ol9.repo") info "Removing repo files added by oracle-repos package update" From 3a5c6ee43aac37d2f385bd93091f89dd3dd84bc1 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Mon, 2 Oct 2023 12:09:13 -0400 Subject: [PATCH 07/12] install version lock before we try to hold pkgs --- salt/common/packages.sls | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/salt/common/packages.sls b/salt/common/packages.sls index 0bf8616be..827cc6bf0 100644 --- a/salt/common/packages.sls +++ b/salt/common/packages.sls 
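Review bot: The `openssl*` entry added to `--exclude=salt*,docker*,containerd*,openssl*` in PATCH 05/12 matches every package whose name starts with `openssl`, not only the ones being pinned, so all of them are skipped by the setup-time `dnf -y update`. It is also a second freeze mechanism, separate from the Salt holds, that has to be removed by hand later. I would extend the comment above it with `# remove openssl* from --exclude when the holds in salt/common/packages.sls are lifted`. The body of `update_packages` continues outside the hunk.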
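Review bot: The `dnf -y install openssl-1:3.0.7-16.0.1.el9_2 ...` line added in PATCH 06/12 depends on the enabled repos still carrying that exact build, and nothing in the hunk checks the result before `dnf -y update --allowerasing` runs. Whether `logCmd` propagates a failure is not visible here; if it does not, a missing build would let setup continue with whatever OpenSSL version is installed while the Salt states later expect the pinned one. Checking the exit status and stopping setup with a clear message would surface that early. The version string is also one more copy of the literal in salt/common/packages.sls; a shell variable holding it would at least keep the three package specs on this line consistent.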
@@ -47,6 +47,11 @@ python-rich: {% if GLOBALS.os_family == 'RedHat' %} +# install versionlock first so we can hold packages in the next states +install_versionlock: + pkg.installed: + - name: python3-dnf-plugin-versionlock + # holding these since openssl-devel-1:3.0.7-16.0.1.el9_2 seems to be a requirement for mariadb-devel-3:10.5.16-2.el9_0 # https://github.com/Security-Onion-Solutions/securityonion/discussions/11443 holdversion_openssl: @@ -85,7 +90,6 @@ commonpkgs: - nmap-ncat - openssl: 1:3.0.7-16.0.1.el9_2 - procps-ng - - python3-dnf-plugin-versionlock - python3-docker - python3-m2crypto - python3-packaging From 6547afe6c07cc064587a44c3ca13b723c92d7375 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Mon, 2 Oct 2023 13:35:00 -0400 Subject: [PATCH 08/12] dont hold openssl-devel --- salt/common/packages.sls | 9 +-------- 1 file changed, 1 insertion(+), 8 deletions(-) diff --git a/salt/common/packages.sls b/salt/common/packages.sls index 827cc6bf0..185bf536e 100644 --- a/salt/common/packages.sls +++ b/salt/common/packages.sls @@ -64,11 +64,6 @@ holdversion_openssl-libs: - name: openssl-libs - version: 1:3.0.7-16.0.1.el9_2 -holdversion_openssl-devel: - pkg.held: - - name: openssl-devel - - version: 1:3.0.7-16.0.1.el9_2 - commonpkgs: pkg.installed: - skip_suggestions: True @@ -85,10 +80,10 @@ commonpkgs: - httpd-tools - jq - lvm2 + - openssl: 1:3.0.7-16.0.1.el9_2 - mariadb-devel - net-tools - nmap-ncat - - openssl: 1:3.0.7-16.0.1.el9_2 - procps-ng - python3-docker - python3-m2crypto @@ -102,6 +97,4 @@ commonpkgs: - wget - yum-utils - - {% endif %} From 6b90961e87221dcb3e16a5702ff618b237274a28 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Mon, 2 Oct 2023 14:26:28 -0400 Subject: [PATCH 09/12] openssl-libs --- salt/common/packages.sls | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/common/packages.sls b/salt/common/packages.sls index 185bf536e..adef3828b 100644 --- a/salt/common/packages.sls +++ b/salt/common/packages.sls 
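Review bot: In PATCH 07/12 `install_versionlock` is placed above the hold states so that it runs first, but that ordering depends only on position in the file. Adding `- require:` with `- pkg: install_versionlock` to `holdversion_openssl` and `holdversion_openssl-libs` states the dependency explicitly, so the holds fail clearly if the plugin cannot be installed and the order survives later reshuffling of the file. Only the first lines of `holdversion_openssl` are inside this hunk.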
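Review bot: PATCH 08/12 removes `holdversion_openssl-devel`, but the comment above `holdversion_openssl` (visible in the PATCH 07/12 hunk) still begins `# holding these since openssl-devel-1:3.0.7-16.0.1.el9_2 seems to be a requirement for ...`, which no longer tells the reader which packages are held. I would reword its opening to `# holding openssl and openssl-libs (openssl-devel is no longer held) since ...` and keep the discussion link. That comment line lies outside this hunk.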
@@ -81,6 +81,7 @@ commonpkgs: - jq - lvm2 - openssl: 1:3.0.7-16.0.1.el9_2 + - openssl-libs: 1:3.0.7-16.0.1.el9_2 - mariadb-devel - net-tools - nmap-ncat From d7a14d9e00ab8b098a32c4487a09b22332980da2 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Mon, 2 Oct 2023 15:08:22 -0400 Subject: [PATCH 10/12] update holds --- salt/common/packages.sls | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/common/packages.sls b/salt/common/packages.sls index adef3828b..b002c62e9 100644 --- a/salt/common/packages.sls +++ b/salt/common/packages.sls @@ -67,6 +67,7 @@ holdversion_openssl-libs: commonpkgs: pkg.installed: - skip_suggestions: True + - update_holds: True - pkgs: - curl - device-mapper-persistent-data From 57e76232eca7076451d7075ad400d8156daae718 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Mon, 2 Oct 2023 15:48:53 -0400 Subject: [PATCH 11/12] openssl pkgs in own state --- salt/common/packages.sls | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/salt/common/packages.sls b/salt/common/packages.sls index b002c62e9..ca0326839 100644 --- a/salt/common/packages.sls +++ b/salt/common/packages.sls @@ -64,10 +64,18 @@ holdversion_openssl-libs: - name: openssl-libs - version: 1:3.0.7-16.0.1.el9_2 -commonpkgs: +openssl_pkgs: pkg.installed: - skip_suggestions: True - update_holds: True + - pkgs: + - openssl: 1:3.0.7-16.0.1.el9_2 + - openssl-libs: 1:3.0.7-16.0.1.el9_2 + - openssl-devel: 1:3.0.7-16.0.1.el9_2 + +commonpkgs: + pkg.installed: + - skip_suggestions: True - pkgs: - curl - device-mapper-persistent-data @@ -81,8 +89,6 @@ commonpkgs: - httpd-tools - jq - lvm2 - - openssl: 1:3.0.7-16.0.1.el9_2 - - openssl-libs: 1:3.0.7-16.0.1.el9_2 - mariadb-devel - net-tools - nmap-ncat From 8995752c2722116e2cf328d067a24371e68bcd33 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Mon, 2 Oct 2023 16:17:26 -0400 Subject: [PATCH 12/12] let openssl-devel be installed with mariadb --- salt/common/packages.sls | 1 - 1 file changed, 1 deletion(-) 
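Review bot: In PATCH 11/12 `openssl_pkgs` is declared after `holdversion_openssl` and `holdversion_openssl-libs`, so on a first run the holds are applied before the pinned build is installed, and `update_holds: True` is what lets `pkg.installed` change the held packages afterwards. That ordering reads backwards and is undocumented. Either move `openssl_pkgs` above the hold states or add a comment such as `# update_holds: allow this state to move the held openssl packages to the pinned build`. The hold states are context outside this hunk's added lines, so it is worth confirming what `pkg.held` locks when the installed version differs from its `version` argument.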
diff --git a/salt/common/packages.sls b/salt/common/packages.sls index ca0326839..b4e97a81d 100644 --- a/salt/common/packages.sls +++ b/salt/common/packages.sls @@ -71,7 +71,6 @@ openssl_pkgs: - pkgs: - openssl: 1:3.0.7-16.0.1.el9_2 - openssl-libs: 1:3.0.7-16.0.1.el9_2 - - openssl-devel: 1:3.0.7-16.0.1.el9_2 commonpkgs: pkg.installed: