Hi,

We believe this is because phttpget (the pipelined HTTP client that
freebsd-update and portsnap use) was unable to get the right file(s)
from the server; sometimes the client would get the wrong file from the
server, and it's not reproducible when requesting again.  We were then
able to develop a test case to reliably provoke this on update2.FreeBSD.org.

Thanks to Peter's help, we have narrowed down the problem to a specific
version (1.4.36) of lighttpd (*), which update2.FreeBSD.org is using,
and the problem should have been resolved at this time after the web
server is replaced with nginx.

Please let us (security-officer@, clusteradm@) know if the problem still
persists.

Cheers,

(*) We are not yet certain if it was a bug with lighttpd itself, or a
bug with phttpget that made newer versions of lighttpd unhappy.  It's
worth finding out, and the maintainer is cc'ed.
