Issue:
The latest Linux Security 64 update 2024-03-18 fails to install
Resolution:
The following error is visible in the update.log file:
Update /aquarius/1710768883 installed successfully.
>>> Installing /hydra/1710775746 (Tue Mar 19 15:15:24 EET 2024) >>>
Update /hydra/1710775746 installed successfully.
>>> Installing /linuxsecurity/1710768478 (Tue Mar 19 15:15:28 EET 2024) >>>
Installing pinned certificates
2024-03-19 15:15:34 fsguts2.c:1636[6] empty updates section
2024-03-19 15:15:34 fsguts2.c:1150[6] channel 'pinned-certificates-unix' not found
2024-03-19 15:15:34 src/guts2download.c:203[7] downloading the channel failed, error 207 (item not found)
2024-03-19 15:15:34 src/guts2download.c:88[7] downloading the channel content from http://pms.local:80/guts2 failed, error 207 (item not found)
2024-03-19 15:15:59 net/fsaddrinfo.c:423[7] getaddrinfo() returned error -2 (EAI_NONAME; name does not resolve)
2024-03-19 15:15:59 net/fssocket.c:2395[7] name resolution failed, error 210 (unable to resolve host)
2024-03-19 15:15:59 net/fssocket.c:370[7] fs_socket_tcp_connect_next() returned 210 (unable to resolve host)
2024-03-19 15:15:59 net/fshandle_tcp.c:282[7] failed to connect guts2.sp.f-secure.com tcp port 80, error 210 (unable to resolve host)
2024-03-19 15:15:59 fshttps.c:686[7] connection failed, error 210 (unable to resolve host)
2024-03-19 15:15:59 fsguts2.c:3047[7] unable to perform the HTTP operation, error 210 (unable to resolve host)
2024-03-19 15:15:59 fsguts2.c:1027[7] unable to fetch update information from the server, error 210 (unable to resolve host)
2024-03-19 15:15:59 src/guts2download.c:164[7] unable to fetch the list of updates, error 210 (unable to resolve host)
2024-03-19 15:15:59 src/guts2download.c:88[7] downloading the channel content from http://guts2.sp.f-secure.com failed, error 210 (unable to resolve host)
setup: failed to install pinned certificates (exit status 2)
/opt/f-secure/baseguard/bin/update: Failed to install /linuxsecurity/1710768478
Also, the following alert is visible in Policy Manager Console.
Could not install the following update: linuxsecurity 2024-03-18 (fsbg-pmd).
The alert reproduces with both Policy Manager 15.xx and 16.xx installations that are isolated that is, they do not have internet connectivity.
The latest version of Linux Security 64 introduces a new dependency on the pinned-certificates-unix channel. If you have a high security installation of Policy Manager, without connectivity to the internet and rely on archives to update the policy manager, a minor modification is needed.
The process for using archives to update the Policy Manager Server is described here:
- https://community.withsecure.com/en/kb/articles/5638-using-archives-to-update-malware-definitions
To fix this particular issue, add the missing 'pinned-certificates-unix' channel to the tool configuration by editing the channels.json file available in the conf-folder.
Once the change is in place, rerun the tool and import the new databases to the Policy Manager Server.
Ref: How to add new channel to "channels.json" in conf-folder.
[
<other channels>
"atlant-100-linux-x86_64",
"swup-win",
"swup-win-db",
"hydra-macos",
"pinned-certificates-win"
"pinned-certificates-unix"
]
The issue with the missing channel pinned-certificates-unix channel will be resolved in the upcoming Service Release of WithSecure Policy Manager (16.02).
To verify if pinned-certificates-unix has been installed on the Linux Security 64 host, you may refer to the update.log which contains:
Update /pinned-certificates/1667822601 installed successfully.
and
Update /linuxsecurity/1712740227 installed successfully.
Article no: 000044202