The Unbreakable Linux Network (ULN) team have been hard at work updating the errata metadata that is delivered on ULN and the Oracle Linux yum server. The changes provide more information about all errata, including security patches, bug fixes and feature enhancements. In addition, security fixes are listed by priority (important, moderate, low). This will allow Oracle Linux customers more flexibility when working with 3rd party Linux management tools like Spacewalk or SUSE Manager.
You can see some of the changes we've implemented using the yum-security plugin that's available as part of Oracle Linux:
First, install the yum-security plugin:
# yum install yum-plugin-security
You can read all about the options available once you have the yum-security plugin installed by reading the man page:
# man yum-security
Let's take it for a spin. First, let's list all the errata that are available for your system:
# yum updateinfo list
Loaded plugins: rhnplugin, security
ELBA-2012-1399 bug device-mapper-libs-1.02.74-10.el6_3.2.x86_64
ELEA-2012-1574 enhancement device-mapper-libs-1.02.74-10.el6_3.3.x86_64
ELSA-2012-1141 Moderate/Sec. dhclient-12:4.1.1-31.P1.0.1.el6_3.1.x86_64
ELSA-2013-0504 Low/Sec. dhclient-12:4.1.1-34.P1.0.1.el6.x86_64
ELSA-2012-1141 Moderate/Sec. dhcp-common-12:4.1.1-31.P1.0.1.el6_3.1.x86_64
ELSA-2013-0504 Low/Sec. dhcp-common-12:4.1.1-34.P1.0.1.el6.x86_64
...
This command lists all the errata that are available for your system by errata ID. It also specifies whether it's a security patch (Moderate/Sec.), bugfix (bug) or feature enhancement (enhancement).
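As an added example (not part of the original post or of Oracle's tooling), these shell functions parse the listing format shown above: they count advisories and packages per type, and gate on pending security errata at or above a chosen severity. SAMPLE is constructed from the rows printed above; the function names and the "Critical" level are assumptions.

```shell
#!/bin/bash
# Added example: triage `yum updateinfo list` output.
# SAMPLE is constructed from the rows printed in the post; on a real host use
#   yum -q updateinfo list | security_at_least Moderate
SAMPLE='Loaded plugins: rhnplugin, security
ELBA-2012-1399 bug           device-mapper-libs-1.02.74-10.el6_3.2.x86_64
ELEA-2012-1574 enhancement   device-mapper-libs-1.02.74-10.el6_3.3.x86_64
ELSA-2012-1141 Moderate/Sec. dhclient-12:4.1.1-31.P1.0.1.el6_3.1.x86_64
ELSA-2013-0504 Low/Sec.      dhclient-12:4.1.1-34.P1.0.1.el6.x86_64
ELSA-2012-1141 Moderate/Sec. dhcp-common-12:4.1.1-31.P1.0.1.el6_3.1.x86_64
ELSA-2013-0504 Low/Sec.      dhcp-common-12:4.1.1-34.P1.0.1.el6.x86_64'

# errata_summary: stdin = list output; prints "TYPE ADVISORIES PACKAGES" per type.
# One advisory usually covers several packages, so both counts are reported.
errata_summary() {
  awk '
    $1 ~ /^EL[SBE]A-[0-9]+-[0-9]+$/ && NF == 3 {
      pkgs[$2]++
      if (!seen[$2 SUBSEP $1]++) adv[$2]++
    }
    END { for (t in pkgs) printf "%s %d %d\n", t, adv[t], pkgs[t] }
  ' | LC_ALL=C sort
}

# security_at_least MIN: prints each ELSA id once if its severity is >= MIN.
# "Critical" is an assumed fourth level; the post names important/moderate/low.
security_at_least() {
  awk -v min="$1" '
    BEGIN {
      rank["Low"] = 1; rank["Moderate"] = 2; rank["Important"] = 3; rank["Critical"] = 4
      if (!(min in rank)) { print "unknown severity: " min > "/dev/stderr"; exit 2 }
    }
    $1 ~ /^ELSA-/ && $2 ~ /\/Sec\.$/ {
      sev = $2; sub(/\/Sec\.$/, "", sev)
      if (rank[sev] >= rank[min] && !seen[$1]++) print $1
    }
  '
}

# patch_gate MIN: exit 0 when nothing at or above MIN is pending, 1 when
# something is, 2 on a bad MIN (so a typo cannot pass the gate silently).
patch_gate() {
  local pending
  pending=$(security_at_least "$1") || return 2
  [ -z "$pending" ]
}
```

With the sample rows, `patch_gate Important` succeeds and `patch_gate Moderate` fails because ELSA-2012-1141 is still pending.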
You could also narrow your search to just the CVEs, i.e. security patches:
# yum updateinfo list cves
CVE-2012-3954 Moderate/Sec. dhclient-12:4.1.1-31.P1.0.1.el6_3.1.x86_64
CVE-2012-3571 Moderate/Sec. dhclient-12:4.1.1-31.P1.0.1.el6_3.1.x86_64
CVE-2012-3955 Low/Sec. dhclient-12:4.1.1-34.P1.0.1.el6.x86_64
This provides the CVE ID instead of the errata ID so that you can correlate a published CVE with a particular errata:
# yum updateinfo list --cve CVE-2012-3954
Loaded plugins: rhnplugin, security
ELSA-2012-1141 Moderate/Sec. dhclient-12:4.1.1-31.P1.0.1.el6_3.1.x86_64
ELSA-2012-1141 Moderate/Sec. dhcp-common-12:4.1.1-31.P1.0.1.el6_3.1.x86_64
Or see additional information about that particular errata or CVE:
# yum updateinfo info --cve CVE-2012-3954
Loaded plugins: rhnplugin, security
===============================================================================
dhcp security update
===============================================================================
Update ID : ELSA-2012-1141
Release : Oracle Linux 6
Type : security
Status : final
Issued : 2012-08-02
CVEs : CVE-2012-3954
: CVE-2012-3571
For more information on using the yum tool, see the Oracle Linux 6 Administration Guide.
The yum-security plugin also allows you to narrow the yum tool to only update security fixes. Instead of running a generic update command, you can leverage the additional errata metadata and tell yum to only apply security patches:
# yum --security update
Alternatively, you can target a specific errata or CVE:
# yum update --cve CVE-2012-3954
Or
# yum update --advisory ELSA-2012-1141
Oracle Enterprise Manager 12c Cloud Control has always been able to extract and display errata information for Oracle Linux.
Now, tools like Red Hat Satellite, Spacewalk, Katello/Pulp and SUSE Manager are all able to ingest the errata information and provide that information via their UI tools.
For example, here's a snippet from Spacewalk showing the Oracle Linux 6 (i386) Latest channel from yum.oracle.com:
If you click on a particular advisory, you can see information for that advisory:
You can also see the packages affected by an advisory:
Stay tuned for a future blog post that goes through how to set up Spacewalk to mirror the Oracle Linux yum server repositories.
Great work everyone! I was really looking forward to it.
Anyway why are bug fixes listed under product enhancement and not under bug fix? ;)
Which bug fixes are listed as an enhancement? Can you raise an SR or log it on http://bugzilla.oracle.com if you don't have Oracle Linux support? The errata are created automatically, so we need to work out why something is being mis-flagged.
Hi Avi.
Just have a look at your screenshots. The errata is flagged as bug fix (ELBA) but it is listed under "Product Enhancement" category :)
Is it correct that not all ULN channels carry the new updateinfo meta data? I'm currently mirroring several OEL5/6 channels via the official uln-yum-proxy script and I see that for example OEL 6U2 and prior OEL5U6/7 channels don't have updateinfo information. Is it due to lifecycle/support commodities that these older channels don't have this information???
Correct -- the errata information is only published in the latest channel for each release (OL5 and OL6). We won't be backporting errata to old patch channels, but we may add it to the current patch channel of each release sometime in the future.
Avi,
I've created an enhancement-request on bugzilla.oracle.com (https://bugzilla.oracle.com/bugzilla/show_bug.cgi?id=13979) for inclusion of the <reboot_suggested>-tag in the Errata. But I don't think anyone is looking at that system. Is there another way to somehow get the enhancement included?
Thanks!
Hey Andreas -- we do look at bugzilla.oracle.com, but that was labelled as a yum-utils issue so it wasn't sent to the ULN/public-yum.oracle.com team. I've emailed them to let them know about it and to add it to the TODO list for future updates to updateinfo.xml.
I've also started the process of seeing if I can get a specific public-yum.oracle.com product on bugzilla.oracle.com so that future bug reports don't have to be assigned to Oracle Linux 6. :)
What repos will have this update information on public-yum.oracle.com?
OL6 x86_64 seems up to date, but OL5 i386 doesn't have information more recent than January, and x86_64 around April.
Is this going to be offered for only OEL 6?
Hey Ryan -- both the OL5 and OL6 latest repos have errata information for both x86_64 and i386. I've just checked my local OL5 x86_64 test machine and it's reporting an errata from 2013-06-11:
# yum info-security ELBA-2013-2526
Loaded plugins: security
===============================================================================
pciutils bug fix update
===============================================================================
Update ID : ELBA-2013-2526
Release : Oracle Linux 5
Type : bugfix
Status : final
Issued : 2013-06-11
Description : [3.1.7-5.0.1]
: - Add Gen3 PCIe speed (8GT/s) to lspci (Mike
: Miller) [orabug 16857013]
Solution : This update is available via the Unbreakable Linux Network (ULN)
: and the Oracle Public Yum Server. Details on how
: to use ULN or http://public-yum.oracle.com to
: apply this update are available at
: http://linux.oracle.com/applying_updates.html.
Rights : Copyright 2013 Oracle, Inc.
info-security done
Note that the yum-security plugin for OL5 is slightly different to the updated one in OL6 in that it'll only report on errata that are applicable to the system upon which it's running. I had to find an errata that was released for an RPM that I had installed, but not updated yet.
Hey Ryan, just finished the test on OL5 i386 and that same errata from 2013-06-11 is visible there as well:
# yum info-security ELBA-2013-2526
Loaded plugins: rhnplugin, security
This system is not registered with ULN.
You can use up2date --register to register.
ULN support will be disabled.
el5_latest | 1.4 kB 00:00
el5_latest/primary | 13 MB 01:13
el5_latest 9742/9742
ol5_UEK_latest | 1.2 kB 00:00
ol5_UEK_latest/primary | 7.9 MB 00:36
ol5_UEK_latest 182/182
el5_latest/updateinfo | 467 kB 00:02
ol5_UEK_latest/updateinfo | 60 kB 00:00
===============================================================================
pciutils bug fix update
===============================================================================
Update ID : ELBA-2013-2526
Release : Oracle Linux 5
Type : bugfix
Status : final
Issued : 2013-06-11
Description : [3.1.7-5.0.1]
: - Add Gen3 PCIe speed (8GT/s) to lspci (Mike
: Miller) [orabug 16857013]
Solution : This update is available via the Unbreakable Linux Network (ULN)
: and the Oracle Public Yum Server. Details on how
: to use ULN or http://public-yum.oracle.com to
: apply this update are available at
: http://linux.oracle.com/applying_updates.html.
Rights : Copyright 2013 Oracle, Inc.
info-security done