Keeping an Oracle Linux system up to date with patches, and especially with security patches, can be a challenging task. From a pure operating system point of view the update itself is not the main issue: a single yum update command applies the latest package versions available in the configured repositories.
The main challenge many enterprises face is identifying which patches and updates are applicable and how they might affect the applications running on the systems. On Oracle Linux you have an additional level of assurance that Oracle software will keep working when you apply updates from the official Oracle Linux repositories.
For software not developed by Oracle that assurance does not apply, and you face the same potential issues as on any other Linux distribution, such as Red Hat Enterprise Linux.
A formal process should be in place for identifying what needs to be updated and then verifying that the update does not break functionality. The first step in such a process is finding the candidates. Finding out which updates are available and could be applied, security-specific ones in this example, is something yum itself can facilitate.
You can use the yum security plugin. On Oracle Linux 6 it is provided by the yum-plugin-security package and shows up as "Loaded plugins: security" in the output below; on Oracle Linux 7 and later the updateinfo subcommand and these options are built into yum itself. Some of the plugin options:

```
Plugin Options:
  --security            Include security relevant packages
  --bugfixes            Include bugfix relevant packages
  --cve=CVE             Include packages needed to fix the given CVE
  --bz=BZ               Include packages needed to fix the given BZ
  --sec-severity=SEVERITY
                        Include security relevant packages, of this severity
  --advisory=ADVISORY   Include packages needed to fix the given advisory
```
As an example, the command below lists every available update with its errata ID (ELBA for bug fixes, ELEA for enhancements, ELSA for security) and, for security errata, the severity. Note that the listing contains every advisory that applies to the installed version, including intermediate kernel builds that a later advisory supersedes; running the update installs only the newest package, but all of the listed advisories are fixed by it.

```
[vagrant@localhost ~]$ yum updateinfo list
Loaded plugins: security
ELBA-2017-0891 bugfix         binutils-2.20.51.0.2-5.47.el6_9.1.x86_64
ELEA-2017-1432 enhancement    ca-certificates-2017.2.14-65.0.1.el6_9.noarch
ELSA-2017-0847 Moderate/Sec.  curl-7.19.7-53.el6_9.x86_64
ELBA-2017-2506 bugfix         dhclient-12:4.1.1-53.P1.0.1.el6_9.1.x86_64
ELBA-2017-2506 bugfix         dhcp-common-12:4.1.1-53.P1.0.1.el6_9.1.x86_64
ELBA-2017-1373 bugfix         initscripts-9.03.58-1.0.1.el6_9.1.x86_64
ELBA-2017-2852 bugfix         initscripts-9.03.58-1.0.1.el6_9.2.x86_64
ELSA-2017-0892 Important/Sec. kernel-2.6.32-696.1.1.el6.x86_64
ELSA-2017-1372 Moderate/Sec.  kernel-2.6.32-696.3.1.el6.x86_64
ELSA-2017-1486 Important/Sec. kernel-2.6.32-696.3.2.el6.x86_64
ELSA-2017-1723 Important/Sec. kernel-2.6.32-696.6.3.el6.x86_64
ELBA-2017-2504 bugfix         kernel-2.6.32-696.10.1.el6.x86_64
ELSA-2017-2681 Important/Sec. kernel-2.6.32-696.10.2.el6.x86_64
ELSA-2017-2795 Important/Sec. kernel-2.6.32-696.10.3.el6.x86_64
```
If you want to see only the security-related updates of severity Moderate, the command below generates that list:

```
[vagrant@localhost ~]$ yum updateinfo list --sec-severity=Moderate
Loaded plugins: security
ELSA-2017-0847 Moderate/Sec. curl-7.19.7-53.el6_9.x86_64
ELSA-2017-1372 Moderate/Sec. kernel-2.6.32-696.3.1.el6.x86_64
ELSA-2017-2863 Moderate/Sec. kernel-2.6.32-696.13.2.el6.x86_64
ELSA-2017-2863 Moderate/Sec. kernel-headers-2.6.32-696.13.2.el6.x86_64
ELSA-2017-0847 Moderate/Sec. libcurl-7.19.7-53.el6_9.x86_64
ELSA-2017-2563 Moderate/Sec. openssh-5.3p1-123.el6_9.x86_64
ELSA-2017-2563 Moderate/Sec. openssh-clients-5.3p1-123.el6_9.x86_64
ELSA-2017-2563 Moderate/Sec. openssh-server-5.3p1-123.el6_9.x86_64
ELSA-2017-1574 Moderate/Sec. sudo-1.8.6p3-29.el6_9.x86_64
updateinfo list done
[vagrant@localhost ~]$
```
To list the security errata by their Common Vulnerabilities and Exposures (CVE) IDs instead of their errata IDs, specify the keyword cves as an argument:

```
[vagrant@localhost ~]$ yum updateinfo list cves
Loaded plugins: security
CVE-2017-2628    Moderate/Sec.  curl-7.19.7-53.el6_9.x86_64
CVE-2017-2636    Important/Sec. kernel-2.6.32-696.1.1.el6.x86_64
CVE-2016-7910    Important/Sec. kernel-2.6.32-696.1.1.el6.x86_64
CVE-2017-6214    Moderate/Sec.  kernel-2.6.32-696.3.1.el6.x86_64
CVE-2017-1000364 Important/Sec. kernel-2.6.32-696.3.2.el6.x86_64
CVE-2017-7895    Important/Sec. kernel-2.6.32-696.6.3.el6.x86_64
CVE-2017-1000251 Important/Sec. kernel-2.6.32-696.10.2.el6.x86_64
CVE-2017-1000253 Important/Sec. kernel-2.6.32-696.10.3.el6.x86_64
CVE-2017-7541    Moderate/Sec.  kernel-2.6.32-696.13.2.el6.x86_64
```
When checking (automatically) which patches are applicable, asking why a patch is needed is reasonable: you want some background on it. For this you can run "yum updateinfo info", or query a specific CVE ID with the --cve option. The example below does that for CVE-2017-1000251. Note that the output contains two advisories, one for the Red Hat compatible kernel (kernel-2.6.32) and one for the Unbreakable Enterprise Kernel (kernel-uek); which one matters for a given host depends on the kernel it boots, which "uname -r" tells you.

```
[vagrant@localhost ~]$ yum updateinfo info --cve CVE-2017-1000251
Loaded plugins: security
=====================================================
  kernel security and bug fix update
=====================================================
  Update ID : ELSA-2017-2681
    Release : Oracle Linux 6
       Type : security
     Status : final
     Issued : 2017-09-13
       CVEs : CVE-2017-1000251
Description : [2.6.32-696.10.2.OL6]
            : - Update genkey [bug 25599697]
            :
            : [2.6.32-696.10.2]
            : - [net] l2cap: prevent stack overflow on incoming
            :   bluetooth packet (Neil Horman) [1490060 1490062]
            :   {CVE-2017-1000251}
   Severity : Important

=====================================================
  Unbreakable Enterprise kernel security update
=====================================================
  Update ID : ELSA-2017-3620
    Release : Oracle Linux 6
       Type : security
     Status : final
     Issued : 2017-09-19
       CVEs : CVE-2017-1000251
Description : kernel-uek
            : [4.1.12-103.3.8.1]
            : - Bluetooth: Properly check L2CAP config option
            :   output buffer length (Ben Seri) [Orabug:
            :   26796363] {CVE-2017-1000251}
   Severity : Important
updateinfo info done
[vagrant@localhost ~]$
```
By using the plugin correctly and automating against it, you can implement an (automated) process that reports the candidates for installation on your production systems. The same options then apply exactly that selection: "yum update --security" installs all security errata, "yum update --sec-severity=Important" only those of the given severity, and "yum update --cve CVE-ID" only the packages that fix a specific CVE.
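As an added example, and my own shell rather than anything from the original post or from the yum plugin, the script below turns the output of "yum updateinfo list cves" into the kind of report such an automated process would produce: it filters the CVE lines by a minimum severity, counts the distinct package versions involved, and assembles the "yum update --cve ..." command that would apply exactly those fixes. The SAMPLE listing is constructed from the output shown earlier so the script runs offline; on a real host replace it with the live command output. The severity ranking (Low, Moderate, Important, Critical) used as a threshold and all function names are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: triage the output of
#   yum updateinfo list cves
# into a report for an automated patch-candidate process.
# SAMPLE is constructed from the listing shown earlier in the post; on a real
# host replace it with the live output, e.g.  SAMPLE=$(yum updateinfo list cves)

SAMPLE='Loaded plugins: security
CVE-2017-2628 Moderate/Sec. curl-7.19.7-53.el6_9.x86_64
CVE-2017-2636 Important/Sec. kernel-2.6.32-696.1.1.el6.x86_64
CVE-2016-7910 Important/Sec. kernel-2.6.32-696.1.1.el6.x86_64
CVE-2017-6214 Moderate/Sec. kernel-2.6.32-696.3.1.el6.x86_64
CVE-2017-1000364 Important/Sec. kernel-2.6.32-696.3.2.el6.x86_64
CVE-2017-7895 Important/Sec. kernel-2.6.32-696.6.3.el6.x86_64
CVE-2017-1000251 Important/Sec. kernel-2.6.32-696.10.2.el6.x86_64
CVE-2017-1000253 Important/Sec. kernel-2.6.32-696.10.3.el6.x86_64
CVE-2017-7541 Moderate/Sec. kernel-2.6.32-696.13.2.el6.x86_64
updateinfo list done'

# cves_at_or_above SEVERITY
# Reads updateinfo output on stdin and prints "CVE severity package" for each
# security line whose severity is at least SEVERITY (Low, Moderate, Important,
# Critical). The "Loaded plugins" and "updateinfo list done" lines, and any
# non-CVE line, are skipped by the pattern match. Treating severity as a
# threshold is this example's own assumption; the plugin's --sec-severity
# option selects the severities you name.
cves_at_or_above() {
  awk -v min="$1" '
    function rank(s) {
      if (s == "Critical")  return 4
      if (s == "Important") return 3
      if (s == "Moderate")  return 2
      if (s == "Low")       return 1
      return 0
    }
    $1 ~ /^CVE-[0-9]+-[0-9]+$/ && $2 ~ /\/Sec\.$/ {
      split($2, sev, "/")
      if (rank(sev[1]) >= rank(min)) print $1, sev[1], $3
    }'
}

# Number of CVE lines at or above the severity (0 when there are none).
count_at_or_above() {
  cves_at_or_above "$1" | awk 'END { print NR }'
}

# Distinct package versions that carry a fix at or above the severity; one
# package can appear under several CVEs, so count names rather than lines.
packages_at_or_above() {
  cves_at_or_above "$1" | awk '{ print $3 }' | sort -u
}

# Assemble, but do not run, the yum command that applies exactly these fixes,
# using the plugin's --cve option once per CVE. Prints nothing if no CVE matches.
update_command() {
  cves_at_or_above "$1" | awk '
    BEGIN { cmd = "yum update" }
    { cmd = cmd " --cve " $1 }
    END { if (NR > 0) print cmd }'
}

# Report, as a cron job or CI step would emit it.
echo "Security updates by minimum severity:"
for sev in Critical Important Moderate Low; do
  cves=$(printf '%s\n' "$SAMPLE" | count_at_or_above "$sev")
  pkgs=$(printf '%s\n' "$SAMPLE" | packages_at_or_above "$sev" | awk 'END { print NR }')
  echo "  $sev and above: $cves CVEs in $pkgs package versions"
done
echo "Command to apply Important and above:"
printf '%s\n' "$SAMPLE" | update_command Important
```

Run it with sh. Only the reporting is automated here; the generated yum command is printed rather than executed, because applying kernel updates still belongs in the verification step of the change process described above.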