Uploaded image for project: 'Dev - Nexus Repo'
  1. Dev - Nexus Repo
  2. NEXUS-13921

yum proxy xml re-encoded and truncated

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.5.0
    • Fix Version/s: 3.6.0
    • Component/s: Yum
    • Labels:
      None
    • Environment:
      docker sonatype/nexus 3.5.0-02
    • Story Points:
      1

      Description

      .xml and .xml.gz files proxied and cached by the nexus Yum Proxy are being re-encoded. Additionally .xml.gz files are being truncated.

       

      $ curl -o -  http://nexus.docker:8081/repository/frYum6/repodata/ed2b2d4ac98d774d4cd3e91467e1532f7e8b0275cfc91a0d214b532dcaf1e979-primary.xml.gz | gzip -dc | tail 
      <arch>x86_64</arch>
      <version ver="2.0.22" rel="1.el6" epoch="0"></version>
      <checksum pkgid="YES" type="sha256">1d954bbccf77d20ca055665822f4665c2ab3e67764d0c83a52b12c414f330ba4</checksum>
      <summary>SELinux policy compiler</summary>
      <description>Security-enhanced Linux is a feature of the Linux? kernel and a number
      of utilities with enhanced security functionality designed to add
      mandatory access controls to Linux. The Security-enhanced Linux
      kernel contains new architectural components originally developed to
      improve the security of the Flask operating system. These
      architectural 
      (EOF)
      
      

       

      whereas downloading from the remote repository source directly:

       curl -o - http://centos.mirror.iweb.ca/6/os/x86_64/repodata/ed2b2d4ac98d774d4cd3e91467e1532f7e8b0275cfc91a0d214b532dcaf1e979-primary.xml.gz | gzip -dc | tail
      <rpm:provides>
      <rpm:entry name="emacs-git" flags="EQ" epoch="0" ver="1.7.1" rel="8.el6"/>
      </rpm:provides>
      <rpm:requires>
      <rpm:entry name="emacs(bin)" flags="GE" epoch="0" ver="23.1"/>
      <rpm:entry name="git" flags="EQ" epoch="0" ver="1.7.1" rel="8.el6"/>
      </rpm:requires>
      </format>
      </package>

       

      Using sha256sum on the two downloaded urls give me different checksums as well. Interestingly, the sha256sum of the file I download from the nexus3.5.0 container matches the asset checksum sha245 attribute of the file (via the browser). This leads me to believe that as the yum proxy attempts to fetch the file, it is saving it with an incorrect length.

       

      You can see more evidence of the munging if you expand and diff the two xml files:

      $ diff mirror.primary.xml nexus.primary.xml
      
      1,2c1
      < <?xml version="1.0" encoding="UTF-8"?>
      < <metadata xmlns="http://linux.duke.edu/metadata/common" xmlns:rpm="http://linux.duke.edu/metadata/rpm" packages="6706">
      ---
      > <?xml version="1.0"?><metadata xmlns="http://linux.duke.edu/metadata/common" xmlns:rpm="http://linux.duke.edu/metadata/rpm" packages="6706">
      6,7c5,6
      < <version epoch="0" ver="1.08" rel="26.el6"/>
      < <checksum type="sha256" pkgid="YES">575122051cdbe6a8d47211b84ce7f970160f80e71ad6868bfc060c490584a43f</checksum>
      ---
      > <version ver="1.08" rel="26.el6" epoch="0"></version>
      > <checksum pkgid="YES" type="sha256">575122051cdbe6a8d47211b84ce7f970160f80e71ad6868bfc060c490584a43f</checksum>
      

       

      to reproduce, setup a yum proxy repository with a name of frYum6 and a source of http://centos.mirror.iweb.ca/6.9/os/x86_64/

       

      Then compare the checksum of the downloaded file:

      $ curl -o nexus.primary.xml.gz http://your.nexus3.test.server/repository/frYum6/repodata/ed2b2d4ac98d774d4cd3e91467e1532f7e8b0275cfc91a0d214b532dcaf1e979-primary.xml.gz

       

      with the source:

      $ curl -o mirror.primary.xml.gz  http://centos.mirror.iweb.ca/6/os/x86_64/repodata/ed2b2d4ac98d774d4cd3e91467e1532f7e8b0275cfc91a0d214b532dcaf1e979-primary.xml.gz

      $ sha256sum *gz
      ed2b2d4ac98d774d4cd3e91467e1532f7e8b0275cfc91a0d214b532dcaf1e979 mirror.primary.xml.gz
      c24f8d887a2a374469ad5276d9c14f72b93abc7c3b6bd1437482aa832dd1d330 nexus.primary.xml.gz

       

        Attachments

          Issue Links

            Activity

              People

              Assignee:
              jtom Joe Tom
              Reporter:
              lamont Lamont Lucas
              Last Updated By:
              Peter Lynch
              Team:
              Nexus - Formats
              Votes:
              0 Vote for this issue
              Watchers:
              6 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved:
                Date of First Response:

                  tigCommentSecurity.panel-title