Thursday Apr 09, 2015

Getting fixes faster

Time is money.

I remember my first unplanned downtime as a Sys Admin on-site at a major Aluminum Mill in up-state New York.  The Operations Manager was literally poking me in the back of the neck asking me "Don't you know downtime costs us $250,000 per hour ?  How long will it take to get back up ?", to which I replied "It'll be faster if you stop poking me in the neck!".  I had the Systems back up in 20 minutes.

For Solaris and other Oracle Sun products, we try to release bug fixes as fast as possible, balancing the need for speed with the need for quality.

Since an Operating System performs many disparate functions for many disparate workloads, testing that a fix isn't toxic in any supported scenario is complex and takes time.

But we can and do provide faster relief to the customer(s) who raised the specific issue as it's easier to ensure the fix is correct for their specific environments. 

We do this by supplying Interim Diagnostics and Relief (an IDR).  As the name suggests, it provides relief for the issue until the final fix is available in a Support Repository Update (SRU) or Solaris Update release (for example, Solaris 11.3).  For hard to diagnose issues, an IDR may also provide additional diagnostic instrumentation to get to the root cause of an issue.

Like many things in Solaris 11, the IDR mechanism is far smoother thanks to the Image Packaging System (IPS) than it was in Solaris 10 and earlier releases.

SRUs for Solaris 11 and patches for Solaris 10 are released on a monthly cadence. These are tested as a unit to ensure quality.

In Solaris 11, IDRs are automatically superseded by later SRUs or Solaris Updates which include fixes for all the bugs the IDR addresses.  An IDR terminal package is included in the SRU Repo for superseded IDRs.  This tells IPS it's OK to overwrite the IDR on the target system.  Therefore, it is no longer necessary to manually remove such IDRs before updating to a later SRU or Solaris Update.

This automatic superseding typically saves customers the need for an additional reboot, since it's no longer necessary to remove an IDR, reboot, apply an SRU, reboot.  Instead, simply 'pkg update' to the desired SRU, reboot once to activate it, and you're done.

If the issues addressed by an IDR are not yet fixed in the later SRU or Solaris Update, IPS will warn the user and a Service Request (SR) should be filed requesting a new IDR at the later software version for the outstanding issues.

Normally, IDRs are provided to the specific customers who have filed Service Requests (SRs) for a specific bug. 

To accelerate the release of fixes for public security vulnerabilities, we intend to release Security IDRs to the SRU Repo and My Oracle Support (MOS) so that all customers can get relief from such vulnerabilities quicker.  Customers should continue to file Service Requests (SRs) for such bugs, so we know there's demand for a Security IDR.

These security fixes will be included into the next SRU to be released, which will automatically obsolete the Security IDRs, so customers need have no concern about installing such Security IDRs in advance of the SRU being available. The Security IDR simply provides a faster delivery mechanism.

As mentioned in a previous post, there's now a security Critical Patch Update (CPU) package which can be installed and updated on Solaris 11 systems to provide all available Criticial Vulnerabilities and Exposures (CVE) security fixes in the minimum amount of change to satisfy security compliance requirements.  This package automagically pulls in the security fixes via IPS dependencies.

There are also significant new security compliance features in Solaris 11.2.

Also in Solaris 11.2 is support for a new Package Group install option: solaris-minimal-server, which provides the minimum useful bootable environment.  Use this and install additional packages as required to support your applications.  This is useful for security compliance as if the vulnerable software isn't installed, you ain't vulnerable, and you don't need to expend unnecessary time and effort applying fixes. 

There's lots of other new stuff in Solaris 11.2 including Open Stack and the Oracle 12c Database Prerequisite Package.  Check it out!

Thursday Nov 27, 2014

New Solaris 11 CPU package to install and track CVE security fixes

I'm delighted to report that my hard working colleagues, Darren Moffat and Pete Dennis, have released the Solaris 11 Critical Patch Update package to make it easier for you to install and track fixes for Criticial Vulnerabilities and Exposures (CVE).

Once you've installed the package (pkg install solaris-11-cpu), applying all available Solaris fixes for CVE is now as simple as:

# pkg update solaris-11-cpu

See Darren's blog and MOS doc 1948847.1 for details.

Now that's a nice Thanksgiving present!

Since this is security related, this post will self-destruct in 5 seconds.

Best Wishes,


Friday Oct 19, 2012

October 2012 Security "Critical Patch Update" (CPU) information and downloads released

The October 2012 security "Critical Patch Update" information and downloads are now available from My Oracle Support (MOS).

See and in particular Document 1475188.1 on My Oracle Support (MOS),, which includes security CVE mappings for Oracle Sun products.

For Solaris 11, Doc 1475188.1 points to the relevant SRUs containing the fixes for each issue.  SRU12.4 was released on the CPU date and contains the current cumulative security fixes for the Solaris 11 OS.

For Solaris 10, we take a copy of the Recommended Solaris OS patchset containing the relevant security fixes and rename it as the October CPU patchset on MOS.  See link provided from Doc 1475188.1

Doc 1475188.1 also contains references for Firmware, etc., and links to other useful security documentation, including information on Userland/FOSS vulnerabilities and fixes in


This blog is to inform customers about Solaris 11 maintenance best practice, feature enhancements, and key issues. The views expressed on this blog are my own and do not necessarily reflect the views of Oracle. The Documents contained within this site may include statements about Oracle's product development plans. Many factors can materially affect these plans and the nature and timing of future product releases. Accordingly, this Information is provided to you solely for information only, is not a commitment to deliver any material code, or functionality, and SHOULD NOT BE RELIED UPON IN MAKING PURCHASING DECISIONS. The development, release, and timing of any features or functionality described remains at the sole discretion of Oracle. THIS INFORMATION MAY NOT BE INCORPORATED INTO ANY CONTRACTUAL AGREEMENT WITH ORACLE OR ITS SUBSIDIARIES OR AFFILIATES. ORACLE SPECIFICALLY DISCLAIMS ANY LIABILITY WITH RESPECT TO THIS INFORMATION. Gerry Haskins, Director, Software Lifecycle Engineering


« November 2015