Over the last 3 months my organization has upgraded to a more recent version of a government WAN. Now, systems are required (for example) to have a government-issued root cert in order for a Cisco WSA cluster to do stuff like URL content filtering, threat prevention via reputation etc.
On my production SME 10 box things went well regarding the cert. But some days ago I ran into the following problem: one of the update files is impossible to download:
# yum update
Loaded plugins: fastestmirror, post-transaction-actions, priorities, smeserver
Loading mirror speeds from cached hostfile
* base: repo.boun.edu.tr
* smeaddons: ftp.nluug.nl
* smeextras: ftp.nluug.nl
* smeos: ftp.nluug.nl
* smeupdates: ftp.nluug.nl
* updates: mirror.radoreservers.com
Resolving Dependencies
--> Running transaction check
---> Package kernel.x86_64 0:3.10.0-1160.108.1.el7 will be installed
---> Package kernel-headers.x86_64 0:3.10.0-1160.105.1.el7 will be updated
---> Package kernel-headers.x86_64 0:3.10.0-1160.108.1.el7 will be an update
---> Package net-snmp.x86_64 1:5.7.2-49.el7_9.3 will be updated
---> Package net-snmp.x86_64 1:5.7.2-49.el7_9.4 will be an update
---> Package net-snmp-agent-libs.x86_64 1:5.7.2-49.el7_9.3 will be updated
---> Package net-snmp-agent-libs.x86_64 1:5.7.2-49.el7_9.4 will be an update
---> Package net-snmp-libs.x86_64 1:5.7.2-49.el7_9.3 will be updated
---> Package net-snmp-libs.x86_64 1:5.7.2-49.el7_9.4 will be an update
---> Package smeserver-dovecot.noarch 0:1.6.0-19.el7.sme will be updated
---> Package smeserver-dovecot.noarch 0:1.6.0-21.el7.sme will be an update
---> Package smeserver-mysql.noarch 0:2.7.0-17.el7.sme will be updated
---> Package smeserver-mysql.noarch 0:2.7.0-18.el7.sme will be an update
---> Package smeserver-php.x86_64 0:3.0.0-46.el7.sme will be updated
---> Package smeserver-php.x86_64 0:3.0.0-47.el7.sme will be an update
--> Processing Dependency: php83-php-xmlrpc for package: smeserver-php-3.0.0-47.el7.sme.x86_64
--> Processing Dependency: php83-php-xml for package: smeserver-php-3.0.0-47.el7.sme.x86_64
--> Processing Dependency: php83-php-tidy for package: smeserver-php-3.0.0-47.el7.sme.x86_64
--> Processing Dependency: php83-php-soap for package: smeserver-php-3.0.0-47.el7.sme.x86_64
--> Processing Dependency: php83-php-snmp for package: smeserver-php-3.0.0-47.el7.sme.x86_64
--> Processing Dependency: php83-php-process for package: smeserver-php-3.0.0-47.el7.sme.x86_64
--> Processing Dependency: php83-php-pecl-zip for package: smeserver-php-3.0.0-47.el7.sme.x86_64
--> Processing Dependency: php83-php-pear for package: smeserver-php-3.0.0-47.el7.sme.x86_64
--> Processing Dependency: php83-php-pdo for package: smeserver-php-3.0.0-47.el7.sme.x86_64
--> Processing Dependency: php83-php-opcache for package: smeserver-php-3.0.0-47.el7.sme.x86_64
--> Processing Dependency: php83-php-mysqlnd for package: smeserver-php-3.0.0-47.el7.sme.x86_64
--> Processing Dependency: php83-php-mbstring for package: smeserver-php-3.0.0-47.el7.sme.x86_64
--> Processing Dependency: php83-php-ldap for package: smeserver-php-3.0.0-47.el7.sme.x86_64
--> Processing Dependency: php83-php-json for package: smeserver-php-3.0.0-47.el7.sme.x86_64
--> Processing Dependency: php83-php-intl for package: smeserver-php-3.0.0-47.el7.sme.x86_64
--> Processing Dependency: php83-php-imap for package: smeserver-php-3.0.0-47.el7.sme.x86_64
--> Processing Dependency: php83-php-gd for package: smeserver-php-3.0.0-47.el7.sme.x86_64
--> Processing Dependency: php83-php-fpm for package: smeserver-php-3.0.0-47.el7.sme.x86_64
--> Processing Dependency: php83-php-enchant for package: smeserver-php-3.0.0-47.el7.sme.x86_64
--> Processing Dependency: php83-php-cli for package: smeserver-php-3.0.0-47.el7.sme.x86_64
--> Processing Dependency: php83-php-bcmath for package: smeserver-php-3.0.0-47.el7.sme.x86_64
--> Processing Dependency: php83-php for package: smeserver-php-3.0.0-47.el7.sme.x86_64
--> Running transaction check
---> Package php83-php.x86_64 0:8.3.2-1.el7.remi will be installed
--> Processing Dependency: php83-php-sodium(x86-64) = 8.3.2-1.el7.remi for package: php83-php-8.3.2-1.el7.remi.x86_64
---> Package php83-php-bcmath.x86_64 0:8.3.2-1.el7.remi will be installed
---> Package php83-php-cli.x86_64 0:8.3.2-1.el7.remi will be installed
---> Package php83-php-common.x86_64 0:8.3.2-1.el7.remi will be installed
--> Processing Dependency: php83-runtime for package: php83-php-common-8.3.2-1.el7.remi.x86_64
---> Package php83-php-enchant.x86_64 0:8.3.2-1.el7.remi will be installed
---> Package php83-php-fpm.x86_64 0:8.3.2-1.el7.remi will be installed
---> Package php83-php-gd.x86_64 0:8.3.2-1.el7.remi will be installed
---> Package php83-php-imap.x86_64 0:8.3.2-1.el7.remi will be installed
---> Package php83-php-intl.x86_64 0:8.3.2-1.el7.remi will be installed
---> Package php83-php-ldap.x86_64 0:8.3.2-1.el7.remi will be installed
---> Package php83-php-mbstring.x86_64 0:8.3.2-1.el7.remi will be installed
---> Package php83-php-mysqlnd.x86_64 0:8.3.2-1.el7.remi will be installed
---> Package php83-php-opcache.x86_64 0:8.3.2-1.el7.remi will be installed
--> Processing Dependency: libcapstone.so.4()(64bit) for package: php83-php-opcache-8.3.2-1.el7.remi.x86_64
---> Package php83-php-pdo.x86_64 0:8.3.2-1.el7.remi will be installed
---> Package php83-php-pear.noarch 1:1.10.14-1.el7.remi will be installed
---> Package php83-php-pecl-xmlrpc.x86_64 0:1.0.0~rc3-3.el7.remi will be installed
---> Package php83-php-pecl-zip.x86_64 0:1.22.3-1.el7.remi will be installed
---> Package php83-php-process.x86_64 0:8.3.2-1.el7.remi will be installed
---> Package php83-php-snmp.x86_64 0:8.3.2-1.el7.remi will be installed
---> Package php83-php-soap.x86_64 0:8.3.2-1.el7.remi will be installed
---> Package php83-php-tidy.x86_64 0:8.3.2-1.el7.remi will be installed
---> Package php83-php-xml.x86_64 0:8.3.2-1.el7.remi will be installed
--> Running transaction check
---> Package capstone.x86_64 0:4.0.2-5.el7 will be installed
---> Package php83-php-sodium.x86_64 0:8.3.2-1.el7.remi will be installed
---> Package php83-runtime.x86_64 0:8.3-1.el7.remi will be installed
--> Finished Dependency Resolution
--> Running transaction check
---> Package kernel.x86_64 0:3.10.0-1160.99.1.el7 will be erased
--> Finished Dependency Resolution
Dependencies Resolved
=============================================================================================================================================================================================================================================
Package Arch Version Repository Size
=============================================================================================================================================================================================================================================
Installing:
kernel x86_64 3.10.0-1160.108.1.el7 smeupdates 52 M
Updating:
kernel-headers x86_64 3.10.0-1160.108.1.el7 smeupdates 9.1 M
net-snmp x86_64 1:5.7.2-49.el7_9.4 smeupdates 325 k
net-snmp-agent-libs x86_64 1:5.7.2-49.el7_9.4 smeupdates 707 k
net-snmp-libs x86_64 1:5.7.2-49.el7_9.4 smeupdates 752 k
smeserver-dovecot noarch 1.6.0-21.el7.sme smeupdates 38 k
smeserver-mysql noarch 2.7.0-18.el7.sme smeupdates 58 k
smeserver-php x86_64 3.0.0-47.el7.sme smeupdates 223 k
Removing:
kernel x86_64 3.10.0-1160.99.1.el7 @updates 66 M
Installing for dependencies:
capstone x86_64 4.0.2-5.el7 smeupdates 1.1 M
php83-php x86_64 8.3.2-1.el7.remi remi-safe 2.1 M
php83-php-bcmath x86_64 8.3.2-1.el7.remi remi-safe 93 k
php83-php-cli x86_64 8.3.2-1.el7.remi remi-safe 4.2 M
php83-php-common x86_64 8.3.2-1.el7.remi remi-safe 732 k
php83-php-enchant x86_64 8.3.2-1.el7.remi remi-safe 77 k
php83-php-fpm x86_64 8.3.2-1.el7.remi remi-safe 2.2 M
php83-php-gd x86_64 8.3.2-1.el7.remi remi-safe 99 k
php83-php-imap x86_64 8.3.2-1.el7.remi remi-safe 103 k
php83-php-intl x86_64 8.3.2-1.el7.remi remi-safe 220 k
php83-php-ldap x86_64 8.3.2-1.el7.remi remi-safe 100 k
php83-php-mbstring x86_64 8.3.2-1.el7.remi remi-safe 538 k
php83-php-mysqlnd x86_64 8.3.2-1.el7.remi remi-safe 198 k
php83-php-opcache x86_64 8.3.2-1.el7.remi remi-safe 406 k
php83-php-pdo x86_64 8.3.2-1.el7.remi remi-safe 142 k
php83-php-pear noarch 1:1.10.14-1.el7.remi remi-safe 365 k
php83-php-pecl-xmlrpc x86_64 1.0.0~rc3-3.el7.remi remi-safe 48 k
php83-php-pecl-zip x86_64 1.22.3-1.el7.remi remi-safe 60 k
php83-php-process x86_64 8.3.2-1.el7.remi remi-safe 98 k
php83-php-snmp x86_64 8.3.2-1.el7.remi remi-safe 90 k
php83-php-soap x86_64 8.3.2-1.el7.remi remi-safe 198 k
php83-php-sodium x86_64 8.3.2-1.el7.remi remi-safe 96 k
php83-php-tidy x86_64 8.3.2-1.el7.remi remi-safe 88 k
php83-php-xml x86_64 8.3.2-1.el7.remi remi-safe 202 k
php83-runtime x86_64 8.3-1.el7.remi remi-safe 1.1 M
Transaction Summary
=============================================================================================================================================================================================================================================
Install 1 Package (+25 Dependent packages)
Upgrade 7 Packages
Remove 1 Package
Total size: 77 M
Total download size: 60 k
Is this ok [y/d/N]:
Downloading packages:
php83-php-pecl-zip-1.22.3-1.el FAILED
http://rpms.famillecollet.com/enterprise/7/safe/x86_64/php83-php-pecl-zip-1.22.3-1.el7.remi.x86_64.rpm: [Errno 14] HTTP Error 403 - Forbidden ] 0.0 B/s | 0 B --:--:-- ETA
Trying other mirror.
To address this issue please refer to the below wiki article
https://wiki.centos.org/yum-errors
If above article doesn't help to resolve this issue please use https://bugs.centos.org/.
Error downloading packages:
php83-php-pecl-zip-1.22.3-1.el7.remi.x86_64: [Errno 256] No more mirrors to try.
If I try to get http://rpms.famillecollet.com/enterprise/7/safe/x86_64/php83-php-pecl-zip-1.22.3-1.el7.remi.x86_64.rpm via a browser, I'm blocked with the following notification:
This Page Cannot Be Displayed
Based on your organization's access policies, this web site ( http://rpms.remirepo.net/enterprise/7/safe/x86_64/php83-php-pecl-zip-1.22.3-1.el7.remi.x86_64.rpm ) has been blocked because it has been determined to be a security threat to your computer or the organization's network. Malware in the category Unscannable has been found on this site.
If you have questions, please contact your organization's network administrator and provide the codes shown below.
Date: Tue, 30 Jan 2024 07:41:14 EET
Username:
Source IP: <my client IP>
URL: GET http://rpms.remirepo.net/enterprise/7/safe/x86_64/php83-php-pecl-zip-1.22.3-1.el7.remi.x86_64.rpm
Category: Software Updates
Reason: BLOCK-MALWARE
Notification: MALWARE_SPECIFIC
Note that the link redirects to the rpms.remirepo.net site, from where I can download other RPMs with no issues.
After raising a ticket with the central gov IT I got the following response (translated from Greek):
Following the engineers' update we received information that the file being blocked by the proxy ( http://rpms.remirepo.net/enterprise/7/safe/x86_64/php83-php-pecl-zip-1.22.3-1.el7.remi.x86_64.rpm ) has no reputation on Cisco and the file is identified as malware.
In order to allow this traffic you will either (a) have to use another repository, (b) change the reputation on Cisco itself (on your part) or (c) pass a proxy bypass for this site as it violates the current security policy.
Option (b) means to submit a reputation dispute at Cisco Talos (possibly at https://support.talosintelligence.com/docs/submit-ticket/ ). Not certain here on what I should select.
In the meantime I'll go with option (c), meaning I'll have to submit an exception request for the URL. Can't really describe how painful that is, but that's one I know how to do...
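For option (c), the yum error and the block page name different hosts for the same file, because of the redirect noted above. This is an added example, not part of the original post: it matches the two outputs by RPM file name and lists both hosts together with the block codes. The function names and the result layout are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Sample input: lines excerpted from the yum output and block page quoted in the post.
YUM_OUTPUT = """\
http://rpms.famillecollet.com/enterprise/7/safe/x86_64/php83-php-pecl-zip-1.22.3-1.el7.remi.x86_64.rpm: [Errno 14] HTTP Error 403 - Forbidden
php83-php-pecl-zip-1.22.3-1.el7.remi.x86_64: [Errno 256] No more mirrors to try.
"""
BLOCK_PAGE = """\
URL: GET http://rpms.remirepo.net/enterprise/7/safe/x86_64/php83-php-pecl-zip-1.22.3-1.el7.remi.x86_64.rpm
Category: Software Updates
Reason: BLOCK-MALWARE
Notification: MALWARE_SPECIFIC
"""

YUM_HTTP_ERR = re.compile(r"^(https?://\S+): \[Errno 14\] HTTP Error (\d{3})", re.M)
FIELD = re.compile(r"^(URL|Category|Reason|Notification):[ \t]*(.*)$", re.M)

def failed_downloads(yum_output):
    """Return (url, http_status) for every download yum reported as an HTTP error."""
    return [(url, int(status)) for url, status in YUM_HTTP_ERR.findall(yum_output)]

def block_fields(page_text):
    """Parse the 'Key: value' codes from the proxy block notification."""
    fields = {key: value.strip() for key, value in FIELD.findall(page_text)}
    if "URL" in fields:  # the value is "<method> <url>"; keep only the URL
        fields["URL"] = fields["URL"].split()[-1]
    return fields

def exception_request(yum_output, page_text):
    """Correlate yum failures with the block page by RPM file name."""
    block = block_fields(page_text)
    blocked = urlsplit(block.get("URL", ""))
    items = []
    for url, status in failed_downloads(yum_output):
        req = urlsplit(url)
        rpm = req.path.rsplit("/", 1)[-1]
        if rpm != blocked.path.rsplit("/", 1)[-1]:
            continue  # the block page is about a different file
        items.append({
            "rpm": rpm, "http_status": status,
            # yum names the configured host, the proxy names the redirect target
            "hosts": sorted({req.hostname, blocked.hostname}),
            "reason": block.get("Reason"), "notification": block.get("Notification"),
            "category": block.get("Category"),
        })
    return items

if __name__ == "__main__":
    print(exception_request(YUM_OUTPUT, BLOCK_PAGE))
```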