Thursday Nov 27, 2014

New Solaris 11 CPU package to install and track CVE security fixes

I'm delighted to report that my hard-working colleagues, Darren Moffat and Pete Dennis, have released the Solaris 11 Critical Patch Update package to make it easier for you to install and track fixes for Critical Vulnerabilities and Exposures (CVE).

Once you've installed the package (pkg install solaris-11-cpu), applying all available Solaris fixes for CVE is now as simple as:

    # pkg update solaris-11-cpu

See Darren's blog and MOS doc 1948847.1 for details.

Now that's a nice Thanksgiving present!

Since this is security related, this post will self-destruct in 5 seconds.

Best Wishes,

Gerry.

Friday Sep 26, 2014

Solaris SRUs, patches, and IDRs available on MOS for bash vulnerabilities CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187

SRUs, Patches, and IDRs (Interim Diagnostics & Relief) are available from My Oracle Support, support.oracle.com for all supported Solaris releases to address the recent critical bash vulnerabilities, CVE-2014-6271, CVE-2014-7169.

Newer IDR revisions are available on MOS which additionally address the less critical "mop up" vulnerabilities, CVE-2014-7186, CVE-2014-7187.  Patches and SRUs will follow for these too.

See MOS Doc ID 1930090.1 for details.

Many thanks to the folks around the globe who have been working tirelessly over the last 48 hours to code, test, and release these SRUs, patches, and IDRs - from Australia to India to the Czech Republic to Ireland and the US.

I sincerely apologise for the delay in proactively communicating these fixes to you.   That was outside of my control.

Best Wishes,

Gerry.

Friday Aug 01, 2014

Solaris 11.2 released with security and other enhancements

Solaris 11.2 is released!

There's a huge amount of new and improved features in Solaris 11.2 as well as thousands of bug fixes.  In short, it's our best Solaris ever!

For security conscious customers, Solaris 11.2 delivers significant compliance enhancements (see the docs) and provides the new "solaris-minimal-server" Install group, which is an excellent basis for installing secure, minimized (hardened) systems.

Hardening (minimizing) a system in Solaris 10 and earlier was as much an art form as a science.  It was hard to be sure that the system was as minimized as possible.

In Solaris 11.2, the "solaris-minimal-server" Install group dramatically simplifies the process.  It's a new install option in addition to the existing "solaris-small-server", "solaris-large-server", and "solaris-desktop" install groups.

"solaris-minimal-server" does exactly what it says.  It provides the minimal set of packages to provision a minimal supported command-line Oracle Solaris environment.  You will typically need to add packages to this minimal set which are required to support your applications.

For example, install a test domain with "solaris-minimal-server", your application, and any additional packages which you know your application requires - for example JRE7 and the application installer.  Test it, and add in any additional packages which you discover your application requires - for example, for its user GUI/BUI.  That's the minimum install footprint for your application.  Repeat as desired for other applications.

By reducing the install footprint, you reduce the "attack surface", ensuring your system is exposed to the minimum number of vulnerabilities.  This in turn reduces the need to patch for security compliance, further reducing your TCO.

Since installing an Oracle Database would be a common scenario, Solaris 11.2 also provides an additional group package for the database:

    group/prerequisite/oracle/oracle-rdbms-server-12-1-preinstall

So, if you want to install the Oracle Database (single instance), you can simply add the above package to your solaris-minimal-server and you will have the required packages to install the database.

It's just one of many new features in Solaris 11.2 which I think you'll like.  Please take a few minutes to browse the "What's New" and other documentation released with 11.2.

As with any Solaris Update release, expect a number of important bug fixes in the first few Solaris 11.2 SRUs which didn't make the Solaris 11.2 release.

More details on "solaris-minimal-server":

    $ pkg contents -mr -g ./s11u2 group/system/solaris-minimal-server
    set name=pkg.fmri value=pkg://solaris/group/system/solaris-minimal-server@0.5.11,5.11-0.175.2.0.0.42.0:20140623T214938Z
    set name=pkg.summary value="Oracle Solaris Minimal Server"
    set name=pkg.description value="Provides the minimal, supported command-line Oracle Solaris environment"
    set name=info.classification value="org.opensolaris.category.2008:Meta Packages/Group Packages"
    set name=org.opensolaris.consolidation value=solaris_re
    set name=variant.arch value=i386 value=sparc
    set name=variant.opensolaris.zone value=global value=nonglobal
    depend fmri=network/ping type=group
    depend fmri=service/network/ssh type=group
    depend fmri=shell/tcsh type=group
    depend fmri=shell/zsh type=group
    depend fmri=system/network type=group
    depend fmri=developer/debug/mdb type=require
    depend fmri=editor/vim/vim-core type=require
    depend fmri=group/system/solaris-core-platform type=require
    depend fmri=package/pkg type=require
    depend fmri=release/name type=require
    depend fmri=release/notices type=require
    depend fmri=shell/bash type=require
    depend fmri=shell/ksh93 type=require
    depend fmri=system/core-os type=require
    depend fmri=system/library/platform type=require

The packages with group dependencies in the list above can be removed to further minimize the system.  For example, if you don't want 'ssh', you don't have to install it.
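An added example, not part of the original post: a shell sketch that reads `pkg contents -mr` manifest text and separates the `type=group` dependencies (the removable ones) from the `type=require` ones, then reports which optional packages are present on a system. The function names, the embedded sample (an excerpt of the listing above) and the installed-package list file are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: classify the dependencies of an IPS group package manifest.
# Input is manifest text as printed by `pkg contents -mr <group package>`.

# Constructed sample: an excerpt of the solaris-minimal-server listing above.
sample_manifest() {
cat <<'EOF'
set name=pkg.summary value="Oracle Solaris Minimal Server"
depend fmri=network/ping type=group
depend fmri=service/network/ssh type=group
depend fmri=shell/tcsh type=group
depend fmri=developer/debug/mdb type=require
depend fmri=shell/bash type=require
depend fmri=system/core-os type=require
EOF
}

# deps_of_type TYPE: print the fmri of every depend action of that type.
# Attributes are matched by name, so their order on the line does not matter.
deps_of_type() {
  awk -v want="$1" '
    $1 == "depend" {
      fmri = ""; type = ""
      for (i = 2; i <= NF; i++) {
        if ($i ~ /^fmri=/) fmri = substr($i, 6)
        if ($i ~ /^type=/) type = substr($i, 6)
      }
      if (type == want && fmri != "") print fmri
    }'
}

# optional_installed FILE: read a manifest on stdin and print the group
# (optional) dependencies that also appear in FILE, a hypothetical list of
# installed package names, one per line. These are the candidates to review
# for removal when minimizing the system.
optional_installed() {
  deps_of_type group |
    awk 'NR == FNR { installed[$0] = 1; next } ($0 in installed)' "$1" -
}

# Stand-alone run: list the optional dependencies in the sample.
sample_manifest | deps_of_type group
```

On a live system, pipe the real `pkg contents -mr` output into `deps_of_type` in place of `sample_manifest`.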

More details on group package with Oracle Database 12.1 install pre-requisites:

    $ pkg contents -mr -g ./s11u2 group/prerequisite/oracle/oracle-rdbms-server-12-1-preinstall
    set name=pkg.fmri value=pkg://solaris/group/prerequisite/oracle/oracle-rdbms-server-12-1-preinstall@0.5.11,5.11-0.175.2.0.0.42.0:20140623T214934Z
    set name=pkg.summary value="Prerequisite package for Oracle Database 12.1"
    set name=pkg.description value="Provides the set of Oracle Solaris packages required for installation and operation of Oracle Database 12."
    set name=info.classification value="org.opensolaris.category.2008:Meta Packages/Group Packages"
    set name=org.opensolaris.consolidation value=solaris_re
    set name=variant.arch value=i386 value=sparc
    depend fmri=x11/diagnostic/x11-info-clients type=group
    depend fmri=x11/library/libxi type=group
    depend fmri=x11/library/libxtst type=group
    depend fmri=x11/session/xauth type=group
    depend fmri=compress/unzip type=require
    depend fmri=developer/assembler type=require
    depend fmri=developer/build/make type=require

The benefits of SuperCluster to other Solaris 11.x users

As you may know, my team and I have been heavily focused on SuperCluster Engineered Systems for the last few years.

The intense work we've done for SuperCluster - especially on expediting fixes for scalability and availability issues - has a significant trickle down benefit for all Solaris customers.  All of these critical fixes are in Solaris 11.2 SRU1.

Did you know that 97% of all customer SuperCluster domains / zones run Solaris 11.x?  Only 3% run Solaris 10.  The reason for this massive adoption of Solaris 11.x is due to its compelling features, excellent quality, and superb stability.  It really is time to move to Solaris 11.x.  It's like going from horses to motor cars.  It is that big a difference.

Even if you are not in a position to adopt Solaris 11.2 immediately, please do consider using a recent Solaris 11.1 SRU, such as Solaris 11.1 SRU19.6 or later.  This includes fixes for 110 critical issues encountered on SuperCluster and which are also relevant for other T4/T5/M5/M6/M10 users.  This is our current recommended version for SuperCluster and our experience with it to date has been excellent. 

We'll be moving up to Solaris 11.2 shortly to leverage more of the exciting features it provides.

Best Wishes,

Gerry.

About

This blog is to inform customers about Solaris 11 maintenance best practice, feature enhancements, and key issues. The views expressed on this blog are my own and do not necessarily reflect the views of Oracle. The Documents contained within this site may include statements about Oracle's product development plans. Many factors can materially affect these plans and the nature and timing of future product releases. Accordingly, this Information is provided to you solely for information only, is not a commitment to deliver any material code, or functionality, and SHOULD NOT BE RELIED UPON IN MAKING PURCHASING DECISIONS. The development, release, and timing of any features or functionality described remains at the sole discretion of Oracle. THIS INFORMATION MAY NOT BE INCORPORATED INTO ANY CONTRACTUAL AGREEMENT WITH ORACLE OR ITS SUBSIDIARIES OR AFFILIATES. ORACLE SPECIFICALLY DISCLAIMS ANY LIABILITY WITH RESPECT TO THIS INFORMATION. Gerry Haskins, Director, Software Lifecycle Engineering
