Patches for Ubuntu 2204 - Issues

JoeG 2023-10-23 17:41:45 UTC #1

Has anyone experienced issues with Site - Patching for Ubuntu 2204? Or another question would be, is anyone successfully using patches from that site in a baseline? There are over 100 packages applicable to our VM’s from that site, but we can’t seem to get them patched using BigFix. I can successfully patch our VM’s manually.

While compiling the patches in a baseline and pushing them to a VM, they’ll never complete. The baseline action status will be stuck on pending downloads for days. Or even while deploying some single Fixlet actions we experience issues with them showing error or failed. Some patches will complete while others show completed in the action info. but their status shows failed. There’s no consistency with these patches.

I believe our VM templates for Ubuntu are in order, but maybe not. We’ve never had this type of issue with Windows or CentOS. Our BigFix server has the sites below added to the whitelist.txt. What are we missing for these patches to go through?

http://archive.ubuntu.com/ubuntu/.*
http://security.ubuntu.com/ubuntu/.*

I’ve had a case open with support for over 6 weeks, but we haven’t been able to get to the bottom of it.

Thanks in advance!

orbiton 2023-10-23 19:07:02 UTC #2

Just to make sure - https://help.hcltechsw.com/bigfix/10.0/patch/Patch/Patch_Ubuntu/c_site_subscription_ubuntu.html

Before you can deploy Ubuntu Fixlets, the BigFix server must be subscribed to the Patching Support site. After gathering the site, select the below task based on your deployment and run the task.

Task ID: 65 Setup Download Whitelist for Ubuntu (Windows Server)
This task is applicable to Windows servers.
Task ID: 66 Setup Download Whitelist for Ubuntu (Linux Server)
This task is applicable to Linux servers.

You must run the task, otherwise, you might encounter the following error: “The requested URL does not pass this deployment’s download whitelist.”

Ubuntu uses dynamic download while fetching the packages. As a security measure, the server blocks every dynamic download request except the ones with URLs that match the patterns in the white list file. Aside from the endpoints, ensure that the BigFix relay server is subscribed.

Please remember that the Patches will be downloaded from the BigFix Server itself.

If you want to retain the Log files - go through this document - https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0084943

And if you can please share Logs from -

BigFix Client Log (Blacklist all of private information)
EDRDeployment Logs

JoeG 2023-10-23 21:13:43 UTC #3

Hi Orbiton, thanks for responding.

We are subscribed to the Patches for Ubuntu 2204 site. See attached screenshot.
PatchesforUbuntu2204Site

Also, we do have both URL’s in our whitelist.txt file. See attached screenshot of the completed action to "Setup Download Whitelist for Ubuntu (Windows Server). I’ve verified both URL’s are in our whitelist.
WhitelistforUbuntu

Our BigFix server and Relays are Windows so I’m not sure subscribing our relays to the site would work since the site is looking for Linux Ubuntu 22.04.

I’m going to revert these test VM’s to their original state to start from scratch. I’ll push a small baseline of only 13 updates\components in it. It’ll take a while, so I’ll gather the logs once there’s some status changes and post them here.

Thanks again,

orbiton 2023-10-23 21:26:21 UTC #4

The relays should be subscribed to the Patching Support external site not the Ubuntu Patching external site.

Start with One patch because the retain log procedure is only a change in the ActionScript of a specific Fixlet.

JoeG 2023-10-23 21:51:13 UTC #5

Yes, “All Computers” are subscribed to the “Patching support” External site which includes all of our relays. We’re not having issues across the board, only with patches from site “Patches for Ubuntu 2204”.

JoeG 2023-11-08 17:25:15 UTC #6

So there were a few things going on with those patches. I’ll just post some notes here.

Patch	Issue	Resolution
Unspecified - Libwbclient0 - Ubuntu 22.04 (amd64)	Crashed our VM sending them into an SSSD boot loop.	The October 11th release of this patch must have fixed any issues as it’s working fine now.
Unspecified - Linux-Generic - Ubuntu 22.04 (amd64)	Failed status - The package (linux-generic_5.15.0.87.84) it’s looking for is not availabe from http://archive.ubuntu.com/ubuntu/pool/main/l/linux-meta/	Exclude it and wait for the new package (linux-generic_5.15.0.88.85) to be available in BigFix
Unspecified - Linux-Headers-Generic - Ubuntu 22.04 (amd64)	Failed status - The package (linux-libc-dev_5.15.0-87.97) it’s looking for is not availabe from http://archive.ubuntu.com/ubuntu/pool/main/l/linux-meta/	Exclude it and wait for the new package (linux-generic_5.15.0.88.85) to be available in BigFix
Unspecified - Linux-Libc-Dev - Ubuntu 22.04 (amd64)	Failed status - The package (open-vm-tools=2:12.1.5-3~ubuntu0.22.04.3) it’s looking for is not availabe from http://archive.ubuntu.com/ubuntu/pool/main/l/linux-meta/	Exclude it and wait for the new package (linux-libc-dev_5.15.0-88.98) to be available in BigFix
USN-6365-1 - Open Vm Tools Vulnerability - Ubuntu 22.04 (amd64)	Failed status - The package (linux-generic_5.15.0.87.84) it’s looking for is not availabe from http://archive.ubuntu.com/ubuntu/pool/main/l/linux-meta/	Exclude it and wait for the updated package to be available in BigFix.
Unspecified - Libpam-Cap - Ubuntu 22.04 (amd64)	This package was hanging our systems causing them to go into a bad state. There’s an interactive question (screenshot below) when installing manually which I believe was causing this. The common command plus -Y or -N in it would not work for this. After attempting this patch via BigFix, the VM’s would not be patchable, not even manually using the “apt-get install” commands.	First you have to get rid of the “cache lock” ( Waiting for cache lock: Could not get lock /var/lib/dpkg/lock-frontend. It is held by process 38695 (apt-get)) either by killing the process removing the files or rebooting. Then you’d have to reinstall the Libpam-Cap package and run “sudo dpkg --configure -a’” in order to get the VM back to a healthy state and patchable. We’re going to leave the Libpam-Cap package out of the baselines for now. But I did find a “DEBIAN_FRONTEND” command that I believe will work in a Custom Action to install this update. I’ll do some further testing to ensure our “/etc/pam.d/common-auth” files aren’t overwritten.
USN-6365-1 - Open Vm Tools Vulnerability - Ubuntu 22.04 (amd64)	Failed status - This package (vm-tools_2:12.1.5-3~ubuntu0.22.04.3) it’s looking for is not availabe from http://archive.ubuntu.com/ubuntu/pool/main/l/linux-meta/	Exclude it and wait for the updated package to be available in BigFix.