kernel security update

There is info about kernel security update:
http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00021.html

But

zypper patch

does nothing:

# LANG=C zypper ref && LANG=C zypper patch && LANG=C  zypper lu
Repository 'Kernel:openSUSE-15.1' is up to date.                                                                                               
Repository 'openSUSE:Leap:15.1:Update' is up to date.                                                                                          
Repository 'libdvdcss repository' is up to date.                                                                                               
Repository 'Packman Repository' is up to date.                                                                                                 
Repository 'openSUSE-leap/15.1-Non-Oss' is up to date.                                                                                         
Repository 'openSUSE-leap/15.1-Oss' is up to date.                                                                                             
Repository 'openSUSE-15.1-Update' is up to date.                                                                                               
All repositories have been refreshed.
Loading repository data...
Reading installed packages...
Resolving package dependencies...

Nothing to do.
Loading repository data...
Reading installed packages...
S | Repository           | Name                 | Current Version              | Available Version            | Arch  
--+----------------------+----------------------+------------------------------+------------------------------+-------
v | Kernel:openSUSE-15.1 | kernel-default       | 4.12.14-lp151.98.1.ge97ba75  | 4.12.14-lp151.108.1.gf0f1262 | x86_64
v | Kernel:openSUSE-15.1 | kernel-default-devel | 4.12.14-lp151.98.1.ge97ba75  | 4.12.14-lp151.108.1.gf0f1262 | x86_64
v | Kernel:openSUSE-15.1 | kernel-devel         | 4.12.14-lp151.98.1.ge97ba75  | 4.12.14-lp151.108.1.gf0f1262 | noarch
v | Kernel:openSUSE-15.1 | kernel-macros        | 4.12.14-lp151.102.1.g35fcd79 | 4.12.14-lp151.108.1.gf0f1262 | noarch
v | Kernel:openSUSE-15.1 | kernel-syms          | 4.12.14-lp151.98.1.ge97ba75  | 4.12.14-lp151.108.1.gf0f1262 | x86_64

Is zypper’s “Nothing to do.” message correct ?

I just did YaST > Software > Online update (which does the same as zypper patch) and openSUSE-2020-336 is in the list.

Yes. Your installed kernel does not come from Leap so Leap update does not apply here.

Try

zypper up

instead of

zypper patch

Your kernel belongs to:
https://download.opensuse.org/repositories/Kernel:/openSUSE-15.1/standard/x86_64/

So the question:
Why using this Repository?

@MakeTopSite:

From where have obtained and installed the default Kernel package?

On this (default) Leap 15.1 machine, with yesterday’s security patch installed:


 > zypper search --details --match-exact kernel-default
S  | Name           | Typ        | Version               | Arch   | Repository                     
---+----------------+------------+-----------------------+--------+--------------------------------
i+ | kernel-default | Paket      | 4.12.14-lp151.28.40.1 | x86_64 | Hauptaktualisierungs-Repository
i+ | kernel-default | Paket      | 4.12.14-lp151.28.36.1 | x86_64 | Hauptaktualisierungs-Repository
i+ | kernel-default | Paket      | 4.12.14-lp151.28.32.1 | x86_64 | Hauptaktualisierungs-Repository
v  | kernel-default | Paket      | 4.12.14-lp151.28.25.1 | x86_64 | Hauptaktualisierungs-Repository
v  | kernel-default | Paket      | 4.12.14-lp151.28.20.1 | x86_64 | Hauptaktualisierungs-Repository
v  | kernel-default | Paket      | 4.12.14-lp151.28.16.1 | x86_64 | Hauptaktualisierungs-Repository
v  | kernel-default | Paket      | 4.12.14-lp151.28.13.1 | x86_64 | Hauptaktualisierungs-Repository
v  | kernel-default | Paket      | 4.12.14-lp151.28.10.1 | x86_64 | Hauptaktualisierungs-Repository
v  | kernel-default | Paket      | 4.12.14-lp151.28.7.1  | x86_64 | Hauptaktualisierungs-Repository
v  | kernel-default | Paket      | 4.12.14-lp151.28.4.1  | x86_64 | Hauptaktualisierungs-Repository
v  | kernel-default | Paket      | 4.12.14-lp151.27.3    | x86_64 | Haupt-Repository
 > 

Your Kernel version is “4.12.14-lp151.98.1” – which is a bit weird …

It is probably from the repo listed in the post just above yours (in this thread).

[NOPARSE]Ahh, yes, and, as “Sauerland” asks – “Why use that (Kernel:) repository?” …[/NOPARSE] [HR][/HR]I suspect that, one needs to be aware of this URL: <http://kernel.opensuse.org/packages/openSUSE-15.1&gt;

[NOPARSE]
Daily builds are done in the Kernel:openSUSE-15.1 buildservice project. Here is the download repository. If you want to try latest packages from this branch, use the following commands:

zypper ar -f http://download.opensuse.org/repositories/Kernel:/openSUSE-15.1/standard
Kernel:openSUSE-15.1
zypper in --from Kernel:openSUSE-15.1 kernel-desktop

[/NOPARSE]

IOW, the “normal” “zypper patch/update” ain’t gonna to work with this repository …

IMHO zypper patch won’t, but when subscribed to the repo and a newer version is published there, zypper up will.

Bottom line is,
Patching will only install available patches for the installed kernel (and everything else on that system). It’s conceivable some kernels won’t be patched for certain vulnerabilities.
Updating will install the latest available and recommended version of everything no matter what repo the package might come from including the kernel. If you’re using the standard “default” kernel from the OSS, it’s highly likely that it’s been patched regardless what version it is because openSUSE “backports” patches even to earlier kernels when they’re in use.

The above should apply to every available package in every configured repository on your system equally except when you configure otherwise, typically with a “–from” or possibly if a repository priority is modified (this latter I’m not sure the exact effect, only that it won’t likely be default behavior). This is why for example we add the Packman repo with “–from” so that the system will always install a package from Packman if it’s available and not from the OSS or non-OSS.

Whether a package is more recent or not depends on the numerical part of the package’s name, higher numbers are considered more recent.

AFAIK,
TSU

Thank for all replies.

Yes,

zypper up

is working.

I’m sorry I don’t rember exactly why this repo. Probably newer version of kernel was needed by some application.

Thank you.

So

zypper up

is needed when someone wants all security updates/patches ?

zypper up is needed when you want new versions of packages on repos you are subscribed to.
There is no categorization if these for security or what else.

zypper patch installs newer versions from the Update repos (bad name, should better have been Patch repos).
There are only Update repos that belong to the two repos that contain the official openSUSE distro: OSS and non-OSS. And yes, these are categorized in Security, Recommeneded, etc.

So to get newer versions from extra repos, you either use a general zypper up (which btw will involve also a zypper patch) or a zypper up from a specific repo.

BTW, when you decide to add extra repos to your installation, you better make a note of the why and the what. You, as system manager, should not be surprised by the fact you have them.

I’m sorry I don’t rember exactly why this repo. Probably newer version of kernel was needed by some application.

I would not use this Repo, I would use the OSS- and Update-OSS Repo.

But:
If you have a Intel 3168 Wifi Card you can use it temporarily because:

  • iwlwifi: mvm: Do not require PHY_SKU NVM section for 3168
    devices (bsc#1166632).
  • commit 12b634d

@MakeTopSite:

Another thought on this issue:

  1. [NOPARSE]The Kernel:openSUSE-15.1 buildservice project has openQA but, only for the Kernel itself.[/NOPARSE]
  2. The majority of the Leap 15.1 applications have openQA but, they’re being tested against the default Leap 15.1 Kernel.

[NOPARSE]Therefore, you need to be aware that, although the Kernel versions available from the Kernel:0penSUSE-15.1 buildservice project have been or, are undergoing, openQA testing, the applications in the default Leap 15.1 repositories have only been tested against the default Leap 15.1 Kernel.[/NOPARSE]

Thank to all. I’ve installed default Leap 15.1 Kernel, disabled Kernel:OpenSUSE-15.1 repository and removed it’s kernel.