Thread: URGENT!!! OpenSuse Security Patches

  1. #1

    URGENT!!! OpenSuse Security Patches

    Hi,

    I have a server that is in production and is not allowed access to the outside internet. Now on that server I've put openSUSE 13.2, and the security team came back with 100+ patches that need to be installed on the server. Below are a few examples.
    CVE-2014-9447
    CVE-2014-1591
    CVE-2015-0204
    And many more...

    What is the best way to install all these patches at once? Does openSUSE come with a repository to install these at once? Or do I have to manually install them one by one? If I need to install them one by one, where can I find these patches? I googled quite a bit but could not find even a single patch. If someone can please guide me, it'll be really appreciated. I have a deadline to meet, don't know where to start, and have 100 of these patches to install.
    Please let me know if I can provide any further info regarding these patches.

  2. #2
    Re: URGENT!!! OpenSuse Security Patches

    Run Yast online update.

    That should apply all available security updates.

    However, your tests might still show a problem, if the tests are based on the version number rather than on testing for the security flaw. It is common practice in many distros, to back-patch the security fix to the installed version. So the fixed version may still have a version number that the tester does not like.
    openSUSE Leap 15.1; KDE Plasma 5;
    testing Leap 15.2Alpha

  3. #3
    Re: URGENT!!! OpenSuse Security Patches

    Quote Originally Posted by nrickert View Post
    Run Yast online update.

    That should apply all available security updates.

    However, your tests might still show a problem, if the tests are based on the version number rather than on testing for the security flaw. It is common practice in many distros, to back-patch the security fix to the installed version. So the fixed version may still have a version number that the tester does not like.
    Hi
    Correct, once up to date the OP needs to check the changelogs for the CVE numbers, for example (this is on Leap 42.1):
    Code:
    rpm -qa --changelog|grep 2015-0204
      * CVE-2015-0204 (bnc#912014)
      - added openssl-CVE-2015-0204.patch
      * CVE-2015-0204 (bnc#912014)
      - added openssl-CVE-2015-0204.patch
      * CVE-2015-0204 (bnc#912014)
      - added openssl-CVE-2015-0204.patch
    
    rpm -qa --changelog|grep 2014-1591
      * MFSA 2014-86/CVE-2014-1591 (bmo#1069762)
    
    rpm -qa --changelog|grep 2014-9447
    - CVE-2014-9447: elfutils: Directory traversal vulnerability (bnc#911662)
    - CVE-2014-9447: elfutils: Directory traversal vulnerability (bnc#911662)
    - CVE-2014-9447: elfutils: Directory traversal vulnerability (bnc#911662)
    - CVE-2014-9447: elfutils: Directory traversal vulnerability (bnc#911662)
    Cheers Malcolm °¿° SUSE Knowledge Partner (Linux Counter #276890)
    SUSE SLE, openSUSE Leap/Tumbleweed (x86_64) | GNOME DE
    If you find this post helpful and are logged into the web interface,
    please show your appreciation and click on the star below... Thanks!
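
The changelog check from the post above, extended to attribute each CVE to the packages whose changelog mentions it, as an added example that is not part of the original thread. The `== <package>` marker format, the function names and the sample package names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): report which installed packages carry a
# back-ported fix for each CVE the scanner flagged, using RPM changelogs.

# Run on the openSUSE host: writes every package's changelog, each preceded by
# a "== <package>" marker line (the marker format is this example's own).
dump_changelogs() {
    rpm -qa | while read -r pkg; do
        printf '== %s\n' "$pkg"
        rpm -q --changelog "$pkg"
    done
}

# audit_cves DUMP_FILE CVE-ID...
# Prints "CVE-ID<TAB>pkg[,pkg...]" or "CVE-ID<TAB>NOT-FOUND" per ID.
# The ID must not be followed by another digit, so CVE-2014-1591 does not
# match an entry for CVE-2014-15910.
audit_cves() {
    dump=$1; shift
    for cve in "$@"; do
        pkgs=$(awk -v id="$cve" '
            /^== / { pkg = substr($0, 4); next }
            $0 ~ (id "([^0-9]|$)") && !(pkg in seen) {
                seen[pkg] = 1
                out = out (out == "" ? "" : ",") pkg
            }
            END { print out }' "$dump")
        printf '%s\t%s\n' "$cve" "${pkgs:-NOT-FOUND}"
    done
}

# Constructed sample dump (package names/versions are made up; the changelog
# lines reuse the entries quoted in the post above).
sample_dump() {
    cat <<'EOF'
== openssl-EXAMPLE-1
  * CVE-2015-0204 (bnc#912014)
  - added openssl-CVE-2015-0204.patch
== libopenssl-EXAMPLE-1
  * CVE-2015-0204 (bnc#912014)
== firefox-EXAMPLE-1
  * MFSA 2014-86/CVE-2014-1591 (bmo#1069762)
== other-EXAMPLE-1
- CVE-2014-15910: constructed entry to show the prefix check
EOF
}

# Usage on a real host:
#   dump_changelogs > /tmp/changelogs.txt
#   audit_cves /tmp/changelogs.txt CVE-2014-9447 CVE-2014-1591 CVE-2015-0204
```

The tab-separated output can be handed to the security team as per-CVE evidence; a `NOT-FOUND` row means no installed package's changelog mentions that ID, so the update is still missing or the fix was recorded under a different reference.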

  4. #4

    Re: URGENT!!! OpenSuse Security Patches

    Quote Originally Posted by nrickert View Post
    Run Yast online update.

    That should apply all available security updates.

    However, your tests might still show a problem, if the tests are based on the version number rather than on testing for the security flaw. It is common practice in many distros, to back-patch the security fix to the installed version. So the fixed version may still have a version number that the tester does not like.

    Thanks for the info. But as I said, there is no internet connection to this server. Only intranet, so I cannot do YaST online updates. Is there any other way to manually download these patches, sftp them to the server and then install them? Your help is appreciated.

  5. #5
    Re: URGENT!!! OpenSuse Security Patches

    Sure, you can set up an internet-based machine to rsync with the repo servers, then use sneakernet to carry the updates to the isolated box and use the removable media as a repo to update.

  6. #6
    Re: URGENT!!! OpenSuse Security Patches

    This is why I can't run openSUSE at work. Qualys dislikes it and starts asking for versions and patches that don't exist. :/
    --Ben

  7. #7
    Re: URGENT!!! OpenSuse Security Patches

    If you run mission-critical operations then you need to use the SUSE versions. But there again the version number may not jibe with some version checkers because of the way different OSes number their updates.

    Fixes are often back-ported rather than moved to newer major version numbers. Though you can certainly install newer versions if you need to, but then you are on your own for support.

    It is better to know what fixes happen and why rather than to rely on some arbitrary blind criteria. But then bureaucracies tend to like following some arbitrary rules made by high-priced consultants that may or may not know what is what. No one ever got fired buying IBM.

  8. #8
    Re: URGENT!!! OpenSuse Security Patches

    Quote Originally Posted by gogalthorp View Post
    If you run mission-critical operations then you need to use the SUSE versions. But there again the version number may not jibe with some version checkers because of the way different OSes number their updates.
    It was for my workstation, so not mission-critical. It is a shame I don't run the information security office here, though.
    --Ben
