Tuesday Jun 23, 2015

The Solaris 10 Recommended patchset really does contain ALL available OS security fixes!

Hi Folks,

Apologies for the rather exasperated tone of this post, but if I had $1 for every time a 3rd party security scanning tool falsely reported that we're missing a security fix in the Solaris 10 Recommended patchset...

Let me assure you, the Solaris 10 Recommended patchset really does contain all available security fixes for the Solaris OS*.

* In deference to Murphy's Law, I'd better insert a disclaimer that I'm sure there'll be a security fix at some future point in time which is toxic and we may hold off including it until we mitigate its toxicity, but I can't think of a single case where that's occurred in the last 16 years, so let's call that a very rare corner case.

As explained in a previous post, we include the minimum patch revision required to address a security vulnerability. 

If there are later patch revisions which contain unrelated bug fixes, we don't bloat the recommended patchset with them.  They don't make the system any more secure.

Unfortunately, most 3rd party security scanning tools seem to work on the premise that latest is greatest, looking for just the latest available patch revision, and repeatedly alerting customers that we're missing security fixes from the Recommended patchset when we are not.

As they are our patches, and since the 3rd party tools have no other patch metadata source than the metadata we supply, customers can be assured that we're best placed to get our own patch recommendations correct. The only way a scanner could legitimately disagree with us is if our patch metadata got out of sync with our patches, which is highly unlikely since they come from the same system.

Another issue which some 3rd party security scanning tools seem to fail to handle is optionally installed packages - for example, JavaSE 5 or JavaSE 6.

If the packages are not installed, you are not vulnerable to security issues in them.  Period.  Please check before filing Service Requests.

Remember, the Recommended patchset covers the Solaris OS only, so there may be some value in such scanners for ancillary software such as Solaris Cluster, etc. 

Alternatively, just read the latest available Oracle security CPU (Critical Patch Update) PAD (Product Advisory Doc).  See also Doc 1272947.1 on MOS.

BTW: The latest Solaris 11 SRU also contains all available OS security fixes.

Best Wishes,

Gerry.

Monday Aug 29, 2011

Using smpatch to apply Solaris Cluster patches and other enhancements

It is now possible again to use the in-built Solaris 10 patch automation utility, 'smpatch' / Update Manager, to download patches for products such as Oracle Solaris Cluster and Oracle Solaris Studio, as well as Oracle Solaris Operating System patches. 

It is now also possible again to use 'smpatch' / Update Manager on 3rd party hardware. 

To utilize these capabilities, the system must be registered or re-registered as outlined in https://support.oracle.com/CSP/main/article?cmd=show&type=NOT&id=1347266.1

These steps effectively switch 'smpatch' / Update Manager from using hardware serial number based access entitlement to User based access entitlement, similar to the access entitlement mechanism used when downloading patches via 'wget' or manually via My Oracle Support (MOS).

The following patches are required to provide this functionality:

SPARC
121118-19  SunOS 5.10: Update Connection System Client 1.0.19
123893-25  SunOS 5.10: Cacao Patch
123005-09  SunOS 5.10: Basic Registration Update
124171-08  SunOS 5.10: SCN Base cacao module patch
123630-04  SunOS 5.10: HTTP proxy settings patch

x86
121119-19  SunOS 5.10_x86: Update Connection System Client 1.0.19
123896-25  SunOS 5.10_x86: Cacao Patch
123006-09  SunOS 5.10_x86: Basic Registration Update
124187-08  SunOS 5.10_x86: SCN Base cacao module patch
123631-04  SunOS 5.10_x86: HTTP proxy settings patch

'smpatch' / Update Manager patch 12111[89]-19 introduces other significant changes due to the migration to Oracle back-end infrastructure.  The download server and security certs have changed.  As My Oracle Support supports ".zip" file download only, this patch mandatorily migrates 'smpatch' / Update Manager from using ".jar" downloads to using ".zip" downloads.

Caveat: There is currently an issue affecting LPS (Local Proxy Server) functionality following the migration to the Oracle back-end infrastructure.  This issue is currently being worked on.

About

This blog is to inform customers about patching best practice, feature enhancements, and key issues. The views expressed on this blog are my own and do not necessarily reflect the views of Oracle.

Gerry Haskins, Director, Software Lifecycle Engineer
