Updates to errata on ULN and public-yum.oracle.com

The Unbreakable Linux Network (ULN) team have been hard at work updating the errata metadata that is delivered on ULN and public-yum.oracle.com. The changes provide more information about all errata, including security patches, bug fixes and feature enhancements. In addition, security fixes are listed by priority (important, moderate, low). This will allow Oracle Linux customers more flexibility when working with 3rd party Linux management tools like Spacewalk or SUSE Manager.

You can see some of the changes we've implemented using the yum-security plugin that's available as part of Oracle Linux:

First, install the yum-security plugin:

# yum install yum-plugin-security

You can read all about the options available once you have the yum-security plugin installed by reading the man page:

# man yum-security 

Let's take it for a spin. First, let's list all the errata that are available for your system:

# yum updateinfo list
Loaded plugins: rhnplugin, security
ELBA-2012-1399 bug            device-mapper-libs-1.02.74-10.el6_3.2.x86_64
ELEA-2012-1574 enhancement    device-mapper-libs-1.02.74-10.el6_3.3.x86_64
ELSA-2012-1141 Moderate/Sec.  dhclient-12:4.1.1-31.P1.0.1.el6_3.1.x86_64
ELSA-2013-0504 Low/Sec.       dhclient-12:4.1.1-34.P1.0.1.el6.x86_64
ELSA-2012-1141 Moderate/Sec.  dhcp-common-12:4.1.1-31.P1.0.1.el6_3.1.x86_64
ELSA-2013-0504 Low/Sec.       dhcp-common-12:4.1.1-34.P1.0.1.el6.x86_64
...

This command lists all the errata that are available for your system by errata ID. It also specifies whether it's a security patch (Moderate/Sec.), bugfix (bug) or feature enhancement (enhancement).  

You could also narrow your search to just the CVEs, i.e. security patches:

# yum updateinfo list cves
CVE-2012-3954 Moderate/Sec.  dhclient-12:4.1.1-31.P1.0.1.el6_3.1.x86_64
CVE-2012-3571 Moderate/Sec.  dhclient-12:4.1.1-31.P1.0.1.el6_3.1.x86_64
CVE-2012-3955 Low/Sec.       dhclient-12:4.1.1-34.P1.0.1.el6.x86_64 

This lists the CVE ID instead of the errata ID. To correlate a published CVE with a particular erratum, pass the CVE ID with --cve:

# yum updateinfo list --cve CVE-2012-3954
Loaded plugins: rhnplugin, security
ELSA-2012-1141 Moderate/Sec. dhclient-12:4.1.1-31.P1.0.1.el6_3.1.x86_64
ELSA-2012-1141 Moderate/Sec. dhcp-common-12:4.1.1-31.P1.0.1.el6_3.1.x86_64

Or see additional information about that particular errata or CVE:

# yum updateinfo info --cve CVE-2012-3954
Loaded plugins: rhnplugin, security
===============================================================================
   dhcp security update
===============================================================================
  Update ID : ELSA-2012-1141
    Release : Oracle Linux 6
       Type : security
     Status : final
     Issued : 2012-08-02
       CVEs : CVE-2012-3954
            : CVE-2012-3571
Description : [12:4.1.1-31.P1.0.1.el6_3.1]
            : - Added oracle-errwarn-message.patch
            :
            : [12:4.1.1-31.P1.1]
            : - An error in the handling of malformed client
            :   identifiers can cause a denial-of-service
            :   condition in affected servers. (CVE-2012-3571,
            :   #843120)
            : - Memory Leaks Found In ISC DHCP (CVE-2012-3954,
            :   #843120)
   Severity : Moderate
updateinfo info done

For more information on using the yum tool, see the Oracle Linux 6 Administration Guide.
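When you need a patch report rather than one lookup at a time, the two listings above can be parsed and joined. The following is an added example, not part of the original post or of yum: it groups security errata by severity and maps each CVE to its errata ID by matching on the package string. The function names are hypothetical and the sample input is constructed from the output rows shown above.

```python
import re
from collections import defaultdict

# Constructed sample input: the rows shown in this post's command output.
LIST_OUTPUT = """\
Loaded plugins: rhnplugin, security
ELBA-2012-1399 bug            device-mapper-libs-1.02.74-10.el6_3.2.x86_64
ELEA-2012-1574 enhancement    device-mapper-libs-1.02.74-10.el6_3.3.x86_64
ELSA-2012-1141 Moderate/Sec.  dhclient-12:4.1.1-31.P1.0.1.el6_3.1.x86_64
ELSA-2013-0504 Low/Sec.       dhclient-12:4.1.1-34.P1.0.1.el6.x86_64
ELSA-2012-1141 Moderate/Sec.  dhcp-common-12:4.1.1-31.P1.0.1.el6_3.1.x86_64
ELSA-2013-0504 Low/Sec.       dhcp-common-12:4.1.1-34.P1.0.1.el6.x86_64
...
"""
CVE_OUTPUT = """\
CVE-2012-3954 Moderate/Sec.  dhclient-12:4.1.1-31.P1.0.1.el6_3.1.x86_64
CVE-2012-3571 Moderate/Sec.  dhclient-12:4.1.1-31.P1.0.1.el6_3.1.x86_64
CVE-2012-3955 Low/Sec.       dhclient-12:4.1.1-34.P1.0.1.el6.x86_64
"""

# One row: <errata or CVE ID> <type or severity> <package NEVRA>
ROW = re.compile(r"^((?:EL[SBE]A|CVE)-\d{4}-\d+)\s+(\S+)\s+(\S+)\s*$")

def parse_rows(text):
    """Yield (id, kind, package); plugin banners and '...' lines are skipped."""
    for line in text.splitlines():
        match = ROW.match(line)
        if match:
            yield match.groups()

def security_by_severity(list_output):
    """Return {severity: {advisory: [packages]}} for security errata only."""
    report = defaultdict(lambda: defaultdict(list))
    for advisory, kind, package in parse_rows(list_output):
        if kind.endswith("/Sec."):
            report[kind.split("/")[0]][advisory].append(package)
    return {sev: dict(advs) for sev, advs in report.items()}

def cve_to_advisories(list_output, cve_output):
    """Join both listings on the package string to map CVE -> advisory IDs."""
    by_package = defaultdict(set)
    for advisory, kind, package in parse_rows(list_output):
        if kind.endswith("/Sec."):
            by_package[package].add(advisory)
    mapping = defaultdict(set)
    for cve, _kind, package in parse_rows(cve_output):
        mapping[cve] |= by_package.get(package, set())
    return {cve: sorted(advs) for cve, advs in mapping.items()}

if __name__ == "__main__":
    print(security_by_severity(LIST_OUTPUT))
    print(cve_to_advisories(LIST_OUTPUT, CVE_OUTPUT))
```

A CVE whose package has no pending security erratum in the first listing maps to an empty list, which is worth flagging in a report rather than dropping.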

Updating Oracle Linux by Errata or CVE

The yum-security plugin also lets you restrict yum to applying only security fixes. Instead of running a generic update command, you can leverage the additional errata metadata and tell yum to only apply security patches:

# yum --security update

Alternatively, you can target a specific errata or CVE:

# yum update --cve CVE-2012-3954 

Or

# yum update --advisory ELSA-2012-1141

3rd-Party Linux management tools

Oracle Enterprise Manager 12c Cloud Control has always been able to extract and display errata information for Oracle Linux.  

Now, tools like Red Hat Satellite, Spacewalk, Katello/Pulp and SUSE Manager are all able to ingest the errata information and provide that information via their UI tools. 

For example, here's a snippet from Spacewalk showing the Oracle Linux 6 (i386) Latest channel from public-yum.oracle.com:

[Screenshot: Spacewalk errata list]

If you click on a particular advisory, you can see information for that advisory:

You can also see the packages affected by an advisory:

Stay tuned for a future blog post that goes through how to set up Spacewalk to mirror the public-yum.oracle.com repositories.

Comments:

Great work everyone! I was really looking forward to it.

Anyway why are bug fixes listed under product enhancement and not under bug fix? ;)

Posted by guest on May 02, 2013 at 02:09 AM PDT #

Which bug fixes are listed as an enhancement? Can you raise an SR or log it on http://bugzilla.oracle.com if you don't have Oracle Linux support? The errata are created automatically, so we need to work out why something is being mis-flagged.

Posted by Avi Miller on May 02, 2013 at 02:13 AM PDT #

Hi Avi.

Just have a look at your screenshots. The errata is flagged as bug fix (ELBA) but it is listed under "Product Enhancement" category :)

Posted by Daniel Schindler on May 02, 2013 at 02:20 AM PDT #

Is it correct that not all ULN channels carry the new updateinfo metadata? I'm currently mirroring several OEL5/6 channels via the official uln-yum-proxy script and I see that, for example, OEL 6U2 and prior OEL5U6/7 channels don't have updateinfo information. Is it due to lifecycle/support commodities that these older channels don't have this information?

Posted by Daniel Schindler on May 20, 2013 at 11:19 PM PDT #

Correct -- the errata information is only published in the latest channel for each release (OL5 and OL6). We won't be backporting errata to old patch channels, but we may add it to the current patch channel of each release sometime in the future.

Posted by Avi Miller on May 21, 2013 at 02:36 PM PDT #

Avi,

I've created an enhancement-request on bugzilla.oracle.com (https://bugzilla.oracle.com/bugzilla/show_bug.cgi?id=13979) for inclusion of the <reboot_suggested>-tag in the Errata. But I don't think anyone is looking at that system. Is there another way to somehow get the enhancement included?

Thanks!

Posted by Andreas Dijkman on June 05, 2013 at 06:39 AM PDT #

Hey Andreas -- we do look at bugzilla.oracle.com, but that was labelled as a yum-utils issue so it wasn't sent to the ULN/public-yum.oracle.com team. I've emailed them to let them know about it and to add it to the TODO list for future updates to updateinfo.xml.

I've also started the process of seeing if I can get a specific public-yum.oracle.com product on bugzilla.oracle.com so that future bug reports don't have to be assigned to Oracle Linux 6. :)

Posted by Avi Miller on June 05, 2013 at 03:31 PM PDT #

What repos will have this update information on public-yum.oracle.com?
OL6 x86_64 seems up to date, but OL5 i386 doesn't have information more recent than January, and x86_64 around April.

Is this going to be offered for only OEL 6?

Posted by Ryan Brosz on June 26, 2013 at 10:44 AM PDT #

Hey Ryan -- both the OL5 and OL6 latest repos have errata information for both x86_64 and i386. I've just checked my local OL5 x86_64 test machine and it's reporting an errata from 2013-06-11:

# yum info-security ELBA-2013-2526
Loaded plugins: security

===============================================================================
pciutils bug fix update
===============================================================================
Update ID : ELBA-2013-2526
Release : Oracle Linux 5
Type : bugfix
Status : final
Issued : 2013-06-11
Description : [3.1.7-5.0.1]
: - Add Gen3 PCIe speed (8GT/s) to lspci (Mike
: Miller) [orabug 16857013]
Solution : This update is available via the Unbreakable Linux Network (ULN)
: and the Oracle Public Yum Server. Details on how
: to use ULN or http://public-yum.oracle.com to
: apply this update are available at
: http://linux.oracle.com/applying_updates.html.
Rights : Copyright 2013 Oracle, Inc.
info-security done

Note that the yum-security plugin for OL5 is slightly different to the updated one in OL6 in that it'll only report on errata that are applicable to the system upon which it's running. I had to find an errata that was released for an RPM that I had installed, but not updated yet.

Posted by Avi Miller on June 26, 2013 at 03:07 PM PDT #

Hey Ryan, just finished the test on OL5 i386 and that same errata from 2013-06-11 is visible there as well:

# yum info-security ELBA-2013-2526
Loaded plugins: rhnplugin, security
This system is not registered with ULN.
You can use up2date --register to register.
ULN support will be disabled.
el5_latest | 1.4 kB 00:00
el5_latest/primary | 13 MB 01:13
el5_latest 9742/9742
ol5_UEK_latest | 1.2 kB 00:00
ol5_UEK_latest/primary | 7.9 MB 00:36
ol5_UEK_latest 182/182
el5_latest/updateinfo | 467 kB 00:02
ol5_UEK_latest/updateinfo | 60 kB 00:00

===============================================================================
pciutils bug fix update
===============================================================================
Update ID : ELBA-2013-2526
Release : Oracle Linux 5
Type : bugfix
Status : final
Issued : 2013-06-11
Description : [3.1.7-5.0.1]
: - Add Gen3 PCIe speed (8GT/s) to lspci (Mike
: Miller) [orabug 16857013]
Solution : This update is available via the Unbreakable Linux Network (ULN)
: and the Oracle Public Yum Server. Details on how
: to use ULN or http://public-yum.oracle.com to
: apply this update are available at
: http://linux.oracle.com/applying_updates.html.
Rights : Copyright 2013 Oracle, Inc.
info-security done

Posted by Avi Miller on June 26, 2013 at 03:50 PM PDT #
