Applying Support Updates

Language:

The Oracle Solaris support repository is kept updated with important fixes including security updates. See Accessing Support Updates for information about the Oracle Solaris support repository.

Oracle Solaris provides Support Repository Updates (SRUs) to deliver these fixes. Every third SRU is a Critical Patch Update (CPU SRU). The timing of CPU SRU releases matches the release of critical patch updates for other Oracle products.

The following figure shows two system upgrade strategies. In the figure, GA = a release such as Oracle Solaris 11.2 or Oracle Solaris 11.3, S = SRU, and C = CPU SRU.

Updating every time a new SRU is available is the best way to keep your system up-to-date with important security fixes.
If you do not believe you can reboot every month, update at least every quarter to the Oracle critical patch update.

When you update to a CPU SRU or any other SRU, you get all the fixes and enhancements that were delivered in all preceding SRUs.

Figure 1 Monthly SRU or Quarterly CPU System Updates

image:Figure shows monthly SRU and quarterly CPU update paths. Every third SRU is a CPU SRU. Switch paths at any time.

The following table describes differences between SRUs and CPU SRUs.

Table 4 Comparison of SRUs and CPUs

Characteristic	SRUs	CPU SRUs
Update release frequency	Monthly	Quarterly See Critical Patch Updates on the Oracle Technology Network for the CPU release schedule.
Update content	Any kind of fix or enhancement In addition to new fixes, each SRU provides all fixes and enhancements from preceding Oracle Solaris releases and from all preceding SRUs for the current release. For example, updating from Oracle Solaris 11.2 SRU 14 to Oracle Solaris 11.3 SRU 2 installs all fixes from Oracle Solaris 11.2 SRU 15 and Oracle Solaris 11.3 GA, SRU 1, and SRU 2.	New fixes are only critical fixes, including fixes for Common Vulnerabilities and Exposures (CVEs). Provides all fixes and enhancements from preceding Oracle Solaris releases and from all preceding SRUs for the current release, but new change introduced in this SRU is only critical fixes.
Reboot required	Yes	Yes
New series begins	Each Oracle Solaris release: for example, Oracle Solaris 11.1, Oracle Solaris 11.2, Oracle Solaris 11.3	CPU SRUs are part of the SRU series. Every third SRU is a CPU SRU.
Length of series	Same as the associated Oracle Solaris release as stated in “Solaris Operating System End Of Life Matrix” (Doc ID 1001343.1). SRUs might no longer be produced for a release once a subsequent release is available. You can update directly from an SRU for one Oracle Solaris release to an SRU for a different Oracle Solaris release. The “Oracle Solaris Binary and Source Guarantee Program” (Doc ID 1391762.1) ensures that updating across release boundaries is low risk.	CPU SRUs are part of the SRU series. Every third SRU is a CPU SRU.

Accessing Support Updates

To apply support updates, update your systems from one of the following sources:

The Oracle Solaris support repository, which is available at https://pkg.oracle.com/solaris/support/. To access the support repository, use your Oracle support credentials to create SSL certificates at the https://pkg-register.oracle.com/ Oracle Solaris package repository certificate request site.
Your local repository that you update from one of the following sources:
- The Oracle Solaris support repository.
- SRU repository files downloaded from My Oracle Support.
  
  To download repository files, see Oracle Solaris 11.3 Support Repository Updates (SRU) Index (Doc ID 2045311.1) on the Oracle support site. The Readme file for each SRU includes lists of bugs fixed, packages updated, and Interim Diagnostic or Relief (IDR) updates superseded in this SRU. See Installing an IDR Custom Software Update for a description of IDR updates. The Installation Guide for the SRU contains a copy of the SRU Readme file, a separate readme file that explains how to install the SRU package repository files, a checksum file, and the script that installs the SRU repository files into your local package repository. The Repository download contains the SRU repository files.
  
  See Copying and Creating Package Repositories in Oracle Solaris 11.3 for information about how to create and maintain a local IPS package repository and the minimum required content for a repository.

Perform the update as described in Image Update Overview. To update to an SRU that is older than the latest released SRU, use one of the methods described in Updating to a Version Older Than the Newest Version Allowed.

While each SRU includes all fixes and enhancements that were delivered by previously released SRUs as described in Figure 4, Table 4, Comparison of SRUs and CPUs, an SRU does not contain any other SRUs: An SRU contains only one version of pkg:/entire. To update systems to a particular SRU, you must have access to that SRU by using the Oracle Solaris support repository or by adding the content of the repository file for that SRU to your local repository.

For example, if you did not add SRU 28 repository content to your local repository, but you did add SRU 29 repository content, you would have all fixes that were initially delivered in any SRU for this release through SRU 29, but you would not be able to update systems to the SRU 28 level. A query would show that your local repository does not contain entire@0.5.11-0.175.3.28, even though it does contain entire@0.5.11-0.175.3.29. See Check Available Versions.

Critical Patch Update Packages

The following critical patch update package is available with each monthly SRU. Most of the content of this package is information about CVE fixes delivered through that SRU.

pkg:/support/critical-patch-update/solaris-11-cpu@YYYY.MM,5.11-version

Table 5 solaris-11-cpu Package Version String Components

Component	Description
`YYYY`	The year in which the SRU associated with this CPU package was released.
`MM`	The month in which the SRU associated with this CPU package was released. This value is one or two digits; leading zeros are not used.
`version`	An integer that is incremented when the CPU package is re-released in the same month.

The solaris-11-cpu package is not installed by default. If you want this package, you must explicitly install it. This package is not required in order to update to a newer SRU. Advantages to installing this package include:

Easily list which CVEs are fixed on this system.
Easily show which SRU is running on this system.
Easily upgrade to a specific SRU by updating this package to that specific version. All components are moved to the specified SRU level, including any components that are unlocked from their constraint packages.
Ensure that all packages that are needed to fix these CVEs are installed at the right version.

The following command lists all CVE fixes that are installed on this system if this system has the solaris-11-cpu package installed:

$ pkg search -Hlo value info.cve:

If this system does not have the solaris-11-cpu package installed, identify the solaris-11-cpu package for the SRU that is installed, and query that package remotely. For example, if this system is running Oracle Solaris 11.3 SRU 28, which was released in January 2018, the corresponding solaris-11-cpu package is solaris-11-cpu@2018.1.

$ pkg contents -ro value -t set -a name=info.cve solaris-11-cpu@2018.1

To check whether additional fixes are available, use the following command to show whether a version of the solaris-11-cpu package is available that is newer than the version you have installed:

$ pkg list -n solaris-11-cpu

If a newer package is available, use the following command to list the CVE fixes that are available from the newer package, and compare that list with the list of installed CVE fixes.

$ pkg contents -ro value -t set -a name=info.cve solaris-11-cpu@YYYY.MM

Use the pkg update command to update to the newest available SRU or to a specified SRU and install the new fixes and enhancements for that SRU.

$ pkg update --be-name Solaris-11.3-SRU30 solaris-11-cpu@2018.3 '*'

The following command shows all the versions of the solaris-11-cpu package that deliver the fix for the specified CVE:

$ pkg search -Hpo pkg.shortfmri CVE-YYYY-NNNN:

This output shows which version of the solaris-11-cpu package first delivered the fix for this CVE and which version most recently delivered this fix. Note that these packages are not necessarily listed in date order because, for example, month 10 sorts older than month 9.

For a specific CVE identifier, the following command lists all packages that were modified to fix that CVE:

$ pkg search -Ho value CVE-YYYY-NNNN:

See Oracle Solaris 11.3 Security Compliance Guide for more information about CVEs.