By Avi Miller-Oracle on Apr 29, 2013
The Unbreakable Linux Network (ULN) team have been hard at work updating the errata metadata that is delivered on ULN and public-yum.oracle.com. The changes provide more information about all errata, including security patches, bug fixes and feature enhancements. In addition, security fixes are listed by priority (important, moderate, low). This will allow Oracle Linux customers more flexibility when working with 3rd party Linux management tools like Spacewalk or SUSE Manager.
You can see some of the changes we've implemented using the yum-security plugin that's available as part of Oracle Linux:
First, install the yum-security plugin:
# yum install yum-plugin-security
You can read all about the options available once you have the yum-security plugin installed by reading the man page:
# man yum-security
Let's take it for a spin. First, let's list all the errata that are available for your system:
# yum updateinfo list
Loaded plugins: rhnplugin, security
ELBA-2012-1399 bug           device-mapper-libs-1.02.74-10.el6_3.2.x86_64
ELEA-2012-1574 enhancement   device-mapper-libs-1.02.74-10.el6_3.3.x86_64
ELSA-2012-1141 Moderate/Sec. dhclient-12:4.1.1-31.P1.0.1.el6_3.1.x86_64
ELSA-2013-0504 Low/Sec.      dhclient-12:4.1.1-34.P1.0.1.el6.x86_64
ELSA-2012-1141 Moderate/Sec. dhcp-common-12:4.1.1-31.P1.0.1.el6_3.1.x86_64
ELSA-2013-0504 Low/Sec.      dhcp-common-12:4.1.1-34.P1.0.1.el6.x86_64
...
This command lists all the errata that are available for your system by errata ID. It also specifies whether it's a security patch (Moderate/Sec.), bugfix (bug) or feature enhancement (enhancement).
You could also narrow your search to just the CVEs, i.e. security patches:
# yum updateinfo list cves
CVE-2012-3954 Moderate/Sec. dhclient-12:4.1.1-31.P1.0.1.el6_3.1.x86_64
CVE-2012-3571 Moderate/Sec. dhclient-12:4.1.1-31.P1.0.1.el6_3.1.x86_64
CVE-2012-3955 Low/Sec.      dhclient-12:4.1.1-34.P1.0.1.el6.x86_64
This provides the CVE ID instead of the errata ID so that you can correlate a published CVE with a particular errata:
# yum updateinfo list --cve CVE-2012-3954
Loaded plugins: rhnplugin, security
ELSA-2012-1141 Moderate/Sec. dhclient-12:4.1.1-31.P1.0.1.el6_3.1.x86_64
ELSA-2012-1141 Moderate/Sec. dhcp-common-12:4.1.1-31.P1.0.1.el6_3.1.x86_64
Or see additional information about that particular errata or CVE:
# yum updateinfo info --cve CVE-2012-3954
Loaded plugins: rhnplugin, security
===============================================================================
  dhcp security update
===============================================================================
  Update ID : ELSA-2012-1141
    Release : Oracle Linux 6
       Type : security
     Status : final
     Issued : 2012-08-02
       CVEs : CVE-2012-3954
            : CVE-2012-3571
Description : [12:4.1.1-31.P1.0.1.el6_3.1]
            : - Added oracle-errwarn-message.patch
            :
            : [12:4.1.1-31.P1.1]
            : - An error in the handling of malformed client
            :   identifiers can cause a denial-of-service
            :   condition in affected servers. (CVE-2012-3571,
            :   #843120)
            : - Memory Leaks Found In ISC DHCP (CVE-2012-3954,
            :   #843120)
   Severity : Moderate
updateinfo info done
For more information on using the yum tool, see the Oracle Linux 6 Administration Guide.
Updating Oracle Linux by Errata or CVE
The yum-security plugin also lets you restrict yum to applying only security fixes. Instead of running a generic update command, you can use the additional errata metadata to tell yum to apply only security patches:
# yum --security update
Alternatively, you can target a specific errata or CVE:
# yum update --cve CVE-2012-3954
# yum update --advisory ELSA-2012-1141
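As an added example (not part of the original post or of Oracle's tooling), the shell function below reads `yum updateinfo list` output and prints each unique security advisory at or above a chosen severity, with the number of affected packages. The function names are hypothetical, the sample rows are copied from the listing above, and the `Critical` level is an assumption, since the post names only important, moderate and low.

```shell
#!/bin/sh
# Sample rows taken from the `yum updateinfo list` output shown in the post
# (ID, type, package), embedded so the script runs without yum.
sample_updateinfo() {
cat <<'EOF'
Loaded plugins: rhnplugin, security
ELBA-2012-1399 bug           device-mapper-libs-1.02.74-10.el6_3.2.x86_64
ELEA-2012-1574 enhancement   device-mapper-libs-1.02.74-10.el6_3.3.x86_64
ELSA-2012-1141 Moderate/Sec. dhclient-12:4.1.1-31.P1.0.1.el6_3.1.x86_64
ELSA-2013-0504 Low/Sec.      dhclient-12:4.1.1-34.P1.0.1.el6.x86_64
ELSA-2012-1141 Moderate/Sec. dhcp-common-12:4.1.1-31.P1.0.1.el6_3.1.x86_64
ELSA-2013-0504 Low/Sec.      dhcp-common-12:4.1.1-34.P1.0.1.el6.x86_64
EOF
}

# security_advisories MIN_SEVERITY   (hypothetical helper)
# Reads `yum updateinfo list` output on stdin and prints, sorted by ID,
# one line per unique security advisory at or above MIN_SEVERITY:
#   <advisory id> <severity> <number of affected packages>
security_advisories() {
    awk -v min="$1" '
        BEGIN {
            # "critical" is assumed; the post lists important, moderate, low.
            rank["low"] = 1; rank["moderate"] = 2
            rank["important"] = 3; rank["critical"] = 4
            want = rank[tolower(min)]
            if (!want) want = 1      # unknown threshold: report everything
        }
        # Security rows carry "<Severity>/Sec." in column 2. Bug and
        # enhancement rows and the "Loaded plugins" banner do not match.
        NF == 3 && $2 ~ /\/Sec\.$/ {
            sev = tolower($2)
            sub(/\/sec\.$/, "", sev)
            # An unrecognised severity label is kept rather than dropped.
            r = (sev in rank) ? rank[sev] : 99
            if (r >= want) { count[$1]++; level[$1] = sev }
        }
        END { for (id in count) print id, level[id], count[id] }
    ' | sort
}

# Demo on the embedded sample; prints "ELSA-2012-1141 moderate 2".
sample_updateinfo | security_advisories moderate
```

On a live system, pipe `yum updateinfo list` into `security_advisories` and pass the resulting IDs to `yum update --advisory`.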
3rd-Party Linux management tools
Oracle Enterprise Manager 12c Cloud Control has always been able to extract and display errata information for Oracle Linux.
Now, tools like Red Hat Satellite, Spacewalk, Katello/Pulp and SUSE Manager are all able to ingest the errata information and provide that information via their UI tools.
For example, here's a snippet from Spacewalk showing the Oracle Linux 6 (i386) Latest channel from public-yum.oracle.com:
If you click on a particular advisory, you can see information for that advisory:
You can also see the packages affected by an advisory:
Stay tuned for a future blog post that goes through how to set up Spacewalk to mirror the public-yum.oracle.com repositories.