Friday Oct 19, 2012

October 2012 Security "Critical Patch Update" (CPU) information and downloads released

The October 2012 security "Critical Patch Update" information and downloads are now available from My Oracle Support (MOS).

See http://www.oracle.com/technetwork/topics/security/alerts-086861.html and in particular Document 1475188.1 on My Oracle Support (MOS), http://support.oracle.com, which includes security CVE mappings for Oracle Sun products.

For Solaris 11, Doc 1475188.1 points to the relevant SRUs containing the fixes for each issue.  SRU12.4 was released on the CPU date and contains the current cumulative security fixes for the Solaris 11 OS.

For Solaris 10, we take a copy of the Recommended Solaris OS patchset containing the relevant security fixes and rename it as the October CPU patchset on MOS.  See the link provided from Doc 1475188.1.

Doc 1475188.1 also contains references for Firmware, etc., and links to other useful security documentation, including information on Userland/FOSS vulnerabilities and fixes in https://blogs.oracle.com/sunsecurity/

Friday Jan 29, 2010

Important new features in latest PatchFinder release

Firstly, please allow me to get something off my chest:

HALLELUJAH!!!

It's been a long wait and we're finally there!

I, for one, am tickled pink.

There are likely to be a lot of changes for all of us in the coming months, some good, some maybe controversial to some folk, but I passionately believe that Oracle will bring much needed commercial sense which will ensure that Solaris and Sun-Oracle hardware continues to innovate like hell to provide the solutions you, our customers, need.  So strap yourselves in, the fun is about to begin!

But much more than the red Oracle logo has changed on PatchFinder today.

I want to let you know about two key new features which I believe significantly improve our customers' patch searching experience:

Search for Patches which deliver New Security Fixes 

The PatchFinder "Security Filter" now differentiates between patches which introduce a new security fix (shown by the "NS" symbol in search returns) and patches which simply deliver any security fix, either new or pre-existing (shown by the "S" symbol in search returns). 

Up until now only the latter was available, which made it difficult for customers to differentiate between patch revisions which deliver new security fixes and patch revisions which simply re-deliver old security fixes.

The "New Security Fix" search option under "Security Filter" should typically be used in combination with the "Show Obsolete" option so that you can see all patch revisions delivering new security fixes.  Otherwise you'll just see the subset of patches which contain new security fixes and are not obsoleted.

Solaris OS Patches which deliver (or redeliver) security fixes will continue to be added to the "Recommended" Patch Clusters as before, along with OS patches which deliver (or redeliver) Data Corruption or System Availability fixes, the latest patch utility patches, and any other patches required by the above.

Solaris OS Patches which deliver new security fixes will continue to be added to the Sun Alert Patch Clusters as before, along with OS patches which deliver new Data Corruption or System Availability fixes, the latest patch utility patches, and any other patches required by the above.

But with this New Security Fix option in PatchFinder, you can now find all (6-2 digit PatchID) patches for all products which deliver new security fixes, not just Solaris OS patches.

BTW: This "New Security Fix" feature has actually been in PatchFinder since the last release in December, but this is the first opportunity I've had to blog about it.

Search for patches by the objects they deliver

You can now search for patches by the objects they deliver. 

For example, type "/usr/bin/vi" into the "File Included" search box, filter the search using the other search options if desired (e.g. select "Solaris 10" under "OS Release"), and PatchFinder will return the patches which deliver "/usr/bin/vi".

This is useful if you are having problems with a particular utility or object and want to find if any patches are available for it.  Then reading the CR synopses listed in the README for the appropriate patches returned may help you figure out if the patch is likely to address the problem you are experiencing.

Try searching for "zoneadmd", or "genunix", for example.

Remember, if you enter something like "vi" or "ls" in the "File Included" search box, you'll get all objects which contain those strings in their pathnames, so a well qualified search such as "/usr/bin/vi" or "/usr/bin/ls" may be more useful.

Watch out for symlinks, e.g. on Solaris 10:

$ whence patchadd
/usr/sbin/patchadd
$ ls -l /usr/sbin/patchadd
lrwxrwxrwx   1 root     root          16 May 15  2009 /usr/sbin/patchadd -> ../lib/patch/pdo*

So on Solaris 10, search for "/usr/lib/patch" rather than "/usr/sbin/patchadd" to find patch utility patches.  FYI, 'pdo' is the preprocessor to 'patchadd' on Solaris 10 and both are contained in /usr/lib/patch.  Alternatively, just search for "patchadd".
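The symlink caveat above is easy to automate before you type anything into the "File Included" box. The following is an added example, not code from the original post or from PatchFinder: it follows a symlink chain hop by hop (resolving relative targets against the link's own directory, the way the shell does), detects loops, and reports the final delivered object and its directory as the terms to search for. The /usr/sbin/patchadd -> ../lib/patch/pdo layout is rebuilt in a throwaway temporary directory as a constructed stand-in for a real Solaris 10 system.

```python
import os
import tempfile


def symlink_chain(path):
    """Return [path, hop1, ..., final_target], following every symlink hop.

    Relative link targets (such as ../lib/patch/pdo) are resolved against the
    directory that holds the link, which is what the kernel does on lookup.
    A loop raises RuntimeError instead of spinning forever.
    """
    chain = [path]
    seen = {os.path.normpath(path)}
    while os.path.islink(path):
        target = os.readlink(path)
        if not os.path.isabs(target):
            target = os.path.join(os.path.dirname(path), target)
        path = os.path.normpath(target)
        if path in seen:
            raise RuntimeError("symlink loop at %s" % path)
        seen.add(path)
        chain.append(path)
    return chain


def search_terms(path):
    """Return (final object, its directory): the strings worth searching for."""
    final = symlink_chain(path)[-1]
    return final, os.path.dirname(final)


def make_fixture():
    """Constructed stand-in for the Solaris 10 layout quoted in the post.

    Builds <tmp>/usr/sbin/patchadd -> ../lib/patch/pdo in a fresh temp dir;
    nothing here touches the real /usr tree.
    """
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "usr", "sbin"))
    os.makedirs(os.path.join(root, "usr", "lib", "patch"))
    open(os.path.join(root, "usr", "lib", "patch", "pdo"), "w").close()
    os.symlink("../lib/patch/pdo", os.path.join(root, "usr", "sbin", "patchadd"))
    return root


def demo():
    """Resolve the fixture's patchadd link; return hops relative to the root."""
    root = make_fixture()
    chain = symlink_chain(os.path.join(root, "usr", "sbin", "patchadd"))
    return [os.path.relpath(p, root) for p in chain]


def loop_demo():
    """Build a -> b -> a in a temp dir and confirm the loop is detected."""
    root = tempfile.mkdtemp()
    os.symlink("b", os.path.join(root, "a"))
    os.symlink("a", os.path.join(root, "b"))
    try:
        symlink_chain(os.path.join(root, "a"))
    except RuntimeError:
        return True
    return False


if __name__ == "__main__":
    for hop in demo():
        print(hop)
    final, directory = search_terms(os.path.join(make_fixture(), "usr", "sbin", "patchadd"))
    print("search for:", os.path.basename(final), "or", directory.split("usr", 1)[1])
```

On a real Solaris 10 box the same function called on /usr/sbin/patchadd yields /usr/lib/patch/pdo, so the directory part, /usr/lib/patch, is the well qualified search term the post recommends.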

I hope you find these new PatchFinder features useful.   A lot of work went in behind the scenes, especially on ensuring the accuracy of the "New Security Fix" flag.  I'd like to thank my colleagues, Brian, Julien, Slim, Mark, Don, and the rest of the team for making these enhancements a reality.  Nice work guys!

Monday Sep 07, 2009

IBM's X-Force Report Praises Sun for Fast Fixes

Internetnews.com has an interesting article on IBM's X-Force Report which praises Sun for fast fixes and being best for patching the highest percentage of reported security vulnerabilities:  http://www.internetnews.com/security/article.php/3836436/IBMs+XForce+Report+Praises+Sun+for+Fast+Fixes.htm

Wednesday May 27, 2009

New PatchFinder tool now available

The new PatchFinder tool is now available on http://sunsolve.sun.com/patchfinder/

It's linked off the main SunSolve Patch page, http://sunsolve.sun.com/show.do?target=patchpage.  Look for the following link immediately under the old PatchFinder search box:

The PatchFinder

Why a new PatchFinder tool ?

The old PatchFinder tool was a pet peeve of mine.  You needed to know at least the 6 digit base PatchID of the patch you were trying to find in order to find it.   Rather self defeating IMHO.

The new PatchFinder tool directly leverages Sun's internal Patch Metadata Web Services to provide a much richer search experience.

Features of the new PatchFinder tool

You can still search by PatchID if you want.  This will override all other search options.

But you can also search for all Recommended or Security patches, and restrict that search, for example, to Solaris 10 SPARC.

By the way, "Recommended" means it's part of the Solaris Recommended Patch Cluster, which contains the latest revision of all Solaris OS patches which fix Security, Data Corruption, or System Availability issues.  See the cluster inclusion criteria definitions by clicking the appropriate heading on the Patch Clusters & Patch Bundles download page, http://sunsolve.sun.com/show.do?target=patch-access.

"Security" includes all patches which address Security issues, including Solaris OS patches and application and middleware patches for other products.

If you click the "OS Patches Only" box, the search results can be restricted to patches for the Solaris OS only, which will exclude application and middleware patches which are not bundled as part of the Solaris OS.  

Advanced Search Capabilities

Click on "Show Advanced Search" for more options.

This gives you options such as searching by CR (Change Request, a.k.a. BugID) number, so if you suspect you've hit a particular bug, you can check whether a patch for that CR is available yet.

Or you can search for patches with particular words in the patch synopsis or keywords fields - e.g. ldap, "patch util", "package util", "pkg util", etc.  These options have limited value as it's difficult to guess the values.

The "Released Before" option is handy if your company has a policy of waiting for patches to "age" a specified number of days after release before you consider applying them.

The "Released After" option is useful to restrict the search to patches released since the last time you checked for patches.

The "README Modified After" option is subtly different from the "Released After" field.  It is a superset of the "Released After" results in that it also shows patches whose README or patchinfo metadata files have been updated since the patch was initially released.  For example, Special Install Instructions may have been added to the README to specify workarounds for issues found post-release which do not warrant the patch being withdrawn from SunSolve (i.e. the patch still does more good than harm for the majority of customers).

You can combine these filters to see only those patches whose README file has been modified since you last downloaded patches.  For example, if you downloaded patches 30 days ago, the combination "Released Before" == 30 && "README Modified After" == 30 returns the patches which were released 30 or more days ago and have had their READMEs modified since then.

In all of these time related fields, you can specify actual dates instead of a specified number of days.

The "Patch Property" field enables you to search for things like "Interactive" patches which require manual intervention during installation, "NonStandard" which means they aren't applied using the standard 'patchadd' utility (e.g. firmware patches), or patches which require downtime (Single User Mode, Reboot*) if applied to the live boot environment.  (Remember, Live Upgrade can be used to minimize the downtime and risk associated with applying patches by applying the patches to an inactive boot environment, thereby avoiding such downtime requirements during or immediately after patch installation.  You can reboot to set the inactive boot environment live at a time that suits you.)

By default, only patches which are currently available for download (i.e. patches which haven't been withdrawn due to issues) are returned in the search results.    You can select "Withdrawn" patches instead to get a list of patches which have been withdrawn from SunSolve due to serious issues.   This is useful to ensure you don't have any withdrawn patches installed on your systems.  I recommend you also select "Show Obsoletes" along with "Withdrawn" so withdrawn patches which have been superseded by replacement good patches aren't masked.  (Note, a Sun Alert is issued whenever a patch is withdrawn, so if you keep abreast of Sun Alert notifications as is advisable, this step is simply a check and balance.)
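Two of the searches described above, the "Released Before" == 30 && "README Modified After" == 30 combination and the "Withdrawn" + "Show Obsoletes" check against what is installed, are worth seeing as logic rather than as form fields, because the obsoletes nuance is easy to get wrong. The block below is an added example and is not PatchFinder's code or its Web Services API; it runs the same filters over a small, constructed catalogue whose PatchIDs, dates and states are made up for the purpose, with "now" pinned to a fixed date so the results are reproducible. Day counts and absolute dates are both accepted, as the post says the tool does.

```python
from datetime import date, timedelta

# Fixed "now" so the example is reproducible (constructed, not the real run date).
TODAY = date(2009, 6, 1)

# Constructed catalogue modelled on the fields PatchFinder exposes.  None of
# these PatchIDs or dates refer to real patches.
CATALOG = [
    {"id": "100001-01", "released": date(2009, 3, 1), "readme_modified": date(2009, 3, 1),
     "state": "current", "obsoleted_by": None},
    {"id": "100002-03", "released": date(2009, 4, 1), "readme_modified": date(2009, 5, 20),
     "state": "current", "obsoleted_by": None},          # README updated after release
    {"id": "100003-01", "released": date(2009, 5, 25), "readme_modified": date(2009, 5, 25),
     "state": "current", "obsoleted_by": None},          # too young for a 30-day ageing policy
    {"id": "100004-01", "released": date(2009, 2, 1), "readme_modified": date(2009, 5, 10),
     "state": "withdrawn", "obsoleted_by": "100004-02"},  # withdrawn, then superseded
    {"id": "100004-02", "released": date(2009, 5, 12), "readme_modified": date(2009, 5, 12),
     "state": "current", "obsoleted_by": None},
]


def as_date(value, today=TODAY):
    """A time field is either a number of days ago or an absolute date."""
    if isinstance(value, date):
        return value
    return today - timedelta(days=int(value))


def find_patches(catalog, released_before=None, released_after=None,
                 readme_modified_after=None, state="current",
                 show_obsoletes=False, today=TODAY):
    """Apply the PatchFinder-style filters and return matching PatchIDs in catalogue order.

    released_before N      -> released N or more days ago (released <= cutoff)
    released_after N       -> released within the last N days (released > cutoff)
    readme_modified_after N-> README/patchinfo touched within the last N days
    state                  -> "current" (default, downloadable) or "withdrawn"
    show_obsoletes         -> False hides patches superseded by a later revision,
                              which is exactly what masks withdrawn-then-replaced patches
    """
    out = []
    for p in catalog:
        if p["state"] != state:
            continue
        if not show_obsoletes and p["obsoleted_by"]:
            continue
        if released_before is not None and p["released"] > as_date(released_before, today):
            continue
        if released_after is not None and p["released"] <= as_date(released_after, today):
            continue
        if readme_modified_after is not None and \
                p["readme_modified"] <= as_date(readme_modified_after, today):
            continue
        out.append(p["id"])
    return out


def withdrawn_installed(installed_ids, catalog):
    """PatchIDs from an installed list that are withdrawn, obsoletes included.

    installed_ids is a constructed list standing in for the patch inventory
    of a system; the real source would be your patch reporting tool of choice.
    """
    withdrawn = set(find_patches(catalog, state="withdrawn", show_obsoletes=True))
    return [pid for pid in installed_ids if pid in withdrawn]


if __name__ == "__main__":
    print("README changed since my download 30 days ago:",
          find_patches(CATALOG, released_before=30, readme_modified_after=30))
    print("withdrawn, obsoletes hidden:", find_patches(CATALOG, state="withdrawn"))
    print("withdrawn, obsoletes shown: ",
          find_patches(CATALOG, state="withdrawn", show_obsoletes=True))
    print("withdrawn but installed:",
          withdrawn_installed(["100001-01", "100004-01"], CATALOG))
```

The second and third lines of output differ only in show_obsoletes, which is the point of the "Show Obsoletes" advice: a withdrawn revision that has since been replaced by a good one drops out of the default view, yet it is still the revision sitting on a system that has not been re-patched.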

Fields such as "OS Release", "State", etc., allow multiple options to be selected concurrently from the drop down menu.

Patch Metrics Gathering 

The new PatchFinder tool is also useful for helping you to calculate patch metrics - e.g. the number of Solaris 10 SPARC OS patches released in the last year.

Display and Bookmarking Options

You can also select the number of patches to display in each page of search results returned (default 20), hide the search form so that only the results are displayed (the option is in the top right hand corner of the tool), and order the results by PatchID, Released date, or Synopsis, in either ascending or descending order (by clicking on the appropriate column heading of the results returned).

You can click on a PatchID in the search results returned to display the Patch README.

You can also bookmark the search results returned for future reference.  This is handy if you wish to run the same query regularly. 

Help! 

There's a "Help" summary in the top right hand corner and each search field has its own help summary marked "?".

What's next ? 

I hope you find this initial version of the new PatchFinder tool useful.

This is a start, not the finished article.   In future versions we plan to provide options to resolve patch dependencies and patch installation order, enable patch download, etc.  

Feedback - what else would you like to see ?

Feel free to provide feedback on features which you'd like to see to the software-update-finder-feedback@sun.com alias or directly to me, Gerry.Haskins@sun.com .  

Our goal is to improve your patching experience.

About

This blog is to inform customers about patching best practice, feature enhancements, and key issues. The views expressed on this blog are my own and do not necessarily reflect the views of Oracle. The Documents contained within this site may include statements about Oracle's product development plans. Many factors can materially affect these plans and the nature and timing of future product releases. Accordingly, this Information is provided to you solely for information only, is not a commitment to deliver any material code, or functionality, and SHOULD NOT BE RELIED UPON IN MAKING PURCHASING DECISIONS. The development, release, and timing of any features or functionality described remains at the sole discretion of Oracle. THIS INFORMATION MAY NOT BE INCORPORATED INTO ANY CONTRACTUAL AGREEMENT WITH ORACLE OR ITS SUBSIDIARIES OR AFFILIATES. ORACLE SPECIFICALLY DISCLAIMS ANY LIABILITY WITH RESPECT TO THIS INFORMATION. ~~~~~~~~~~~~ Gerry Haskins, Director, Software Lifecycle Engineer
