URGENT!!! OpenSuse Security Patches

**kunalgala9** · 29-Oct-2015, 14:55

Hi,

I have a server that is in production and not allowed outside world internet. Now on that server I've put opensuse13.2 and the security team came back with 100+ patches needed to be installed on the server. Below are a few examples.
CVE-2014-9447
CVE-2014-1591
CVE-2015-0204
And many more...

What is the best way to install all these patches at once? Does openSuse come up with a repository to install these at once? Or I have to manually install those one by one? If I need to install one by one, where can I find these patches? I googled quite a bit but not even a single patch I could find. If someone can please guide me, it'll be really appreciated. I have a deadline to meet and don't know where to start

and have 100 of these patches to be installed.
Please let me know if I can provide any further info regarding these patches.

**nrickert** · 29-Oct-2015, 15:13

Run Yast online update.

That should apply all available security updates.

However, your tests might still show a problem, if the tests are based on the version number rather than on testing for the security flaw. It is common practice in many distros, to back-patch the security fix to the installed version. So the fixed version may still have a version number that the tester does not like.

**malcolmlewis** · 29-Oct-2015, 15:20

Originally Posted by nrickert

Run Yast online update.

That should apply all available security updates.

However, your tests might still show a problem, if the tests are based on the version number rather than on testing for the security flaw. It is common practice in many distros, to back-patch the security fix to the installed version. So the fixed version may still have a version number that the tester does not like.

Hi
Correct, once upto date the OP needs to check the changelogs for the CVE numbers, for example (this is on Leap 42.1);

Code:

rpm -qa --changelog|grep 2015-0204
  * CVE-2015-0204 (bnc#912014)
  - added openssl-CVE-2015-0204.patch
  * CVE-2015-0204 (bnc#912014)
  - added openssl-CVE-2015-0204.patch
  * CVE-2015-0204 (bnc#912014)
  - added openssl-CVE-2015-0204.patch

rpm -qa --changelog|grep 2014-1591
  * MFSA 2014-86/CVE-2014-1591 (bmo#1069762)

rpm -qa --changelog|grep 2014-9447
- CVE-2014-9447: elfutils: Directory traversal vulnerability (bnc#911662)
- CVE-2014-9447: elfutils: Directory traversal vulnerability (bnc#911662)
- CVE-2014-9447: elfutils: Directory traversal vulnerability (bnc#911662)
- CVE-2014-9447: elfutils: Directory traversal vulnerability (bnc#911662)

**kunalgala9** · 04-Nov-2015, 09:18

Originally Posted by nrickert

Run Yast online update.

That should apply all available security updates.

However, your tests might still show a problem, if the tests are based on the version number rather than on testing for the security flaw. It is common practice in many distros, to back-patch the security fix to the installed version. So the fixed version may still have a version number that the tester does not like.

Thanks for the info. But as I said, there is not internet connection to this server. Only intranet, so I cannot do yast online updates. Any other way to manually download these patches and sftp them to the server and then install them? Your help is appreciated.

**gogalthorp** · 04-Nov-2015, 09:21

Sure you can set up an internet based machine to rsync with the repo servers then use sneeker net to carry the updates to the isolated box and use the removable media as a repo to update.

**bigbenaugust** · 04-Nov-2015, 10:06

This is why I can't run openSUSE at work. Qualys dislikes it and starts asking for versions and patches that don't exist. :/

**gogalthorp** · 04-Nov-2015, 14:12

If you run mission critical operations then you need to use the SUSE versions. But there again the version number may not jive with some version checkers because the way different OS's number there updates.

Fixes are often back ported rather then moved to newer major version numbers. Though you can certainly install newer versions if you need to but then you are on your own on support.

It is better to know what fixes happen and why rather then to rely on some arbitrary blind criteria. But then Bureaucracies tend to like following some arbitrary rules made by high priced consultants that may or may not know what is what. No one ever got fired buying IBM

**bigbenaugust** · 04-Nov-2015, 14:55

Originally Posted by gogalthorp

If you run mission critical operations then you need to use the SUSE versions. But there again the version number may not jive with some version checkers because the way different OS's number there updates.

It was for my workstation, so not mission-critical. it is a shame I don't run the information security office here, though.