The Oracle Solaris support repository is kept updated with important fixes including security updates. See Accessing Support Updates for information about the Oracle Solaris support repository.
Oracle Solaris provides Support Repository Updates (SRUs) to deliver these fixes. Every third SRU is a Critical Patch Update (CPU SRU). The timing of CPU SRU releases matches the release of critical patch updates for other Oracle products.
The following figure shows two system upgrade strategies. In the figure, GA = a release such as Oracle Solaris 11.2 or Oracle Solaris 11.3, S = SRU, and C = CPU SRU.
Updating every time a new SRU is available is the best way to keep your system up to date with important security fixes.
If you do not believe you can reboot every month, update at least every quarter to the Oracle critical patch update.
When you update to a CPU SRU or any other SRU, you get all the fixes and enhancements that were delivered in all preceding SRUs.
Figure 1 Monthly SRU or Quarterly CPU System Updates
The following table describes differences between SRUs and CPU SRUs.
To apply support updates, update your systems from one of the following sources:
The Oracle Solaris support repository, which is available at https://pkg.oracle.com/solaris/support/. To access the support repository, use your Oracle support credentials to create SSL certificates at the Oracle Solaris package repository certificate request site, https://pkg-register.oracle.com/.
Your local repository that you update from one of the following sources:
The Oracle Solaris support repository.
SRU repository files downloaded from My Oracle Support.
To download repository files, see Oracle Solaris 11.3 Support Repository Updates (SRU) Index (Doc ID 2045311.1) on the Oracle support site. The Readme file for each SRU includes lists of bugs fixed, packages updated, and Interim Diagnostic or Relief (IDR) updates superseded in this SRU. See Installing an IDR Custom Software Update for a description of IDR updates. The Installation Guide for the SRU contains a copy of the SRU Readme file, a separate readme file that explains how to install the SRU package repository files, a checksum file, and the script that installs the SRU repository files into your local package repository. The Repository download contains the SRU repository files.
See Copying and Creating Package Repositories in Oracle Solaris 11.3 for information about how to create and maintain a local IPS package repository and the minimum required content for a repository.
Perform the update as described in Image Update Overview. To update to an SRU that is older than the latest released SRU, use one of the methods described in Updating to a Version Older Than the Newest Version Allowed.
While each SRU includes all fixes and enhancements that were delivered by previously released SRUs as described in Figure 4, Table 4, Comparison of SRUs and CPUs, an SRU does not contain any other SRUs: An SRU contains only one version of pkg:/entire. To update systems to a particular SRU, you must have access to that SRU by using the Oracle Solaris support repository or by adding the content of the repository file for that SRU to your local repository.
For example, if you did not add SRU 28 repository content to your local repository, but you did add SRU 29 repository content, you would have all fixes that were initially delivered in any SRU for this release through SRU 29, but you would not be able to update systems to the SRU 28 level. A query would show that your local repository does not contain email@example.com, even though it does contain firstname.lastname@example.org. See Check Available Versions.
The following critical patch update package is available with each monthly SRU. Most of the content of this package is information about CVE fixes delivered through that SRU.
The solaris-11-cpu package is not installed by default. If you want this package, you must explicitly install it. This package is not required in order to update to a newer SRU. Advantages to installing this package include:
Easily list which CVEs are fixed on this system.
Easily show which SRU is running on this system.
Easily upgrade to a specific SRU by updating this package to that specific version. All components are moved to the specified SRU level, including any components that are unlocked from their constraint packages.
Ensure that all packages that are needed to fix these CVEs are installed at the right version.
The following command lists all CVE fixes that are installed on this system if this system has the solaris-11-cpu package installed:
$ pkg search -Hlo value info.cve:
If this system does not have the solaris-11-cpu package installed, identify the solaris-11-cpu package for the SRU that is installed, and query that package remotely. For example, if this system is running Oracle Solaris 11.3 SRU 28, which was released in January 2018, the corresponding solaris-11-cpu package is email@example.com.
$ pkg contents -ro value -t set -a name=info.cve firstname.lastname@example.org
To check whether additional fixes are available, use the following command to show whether a version of the solaris-11-cpu package is available that is newer than the version you have installed:
$ pkg list -n solaris-11-cpu
If a newer package is available, use the following command to list the CVE fixes that are available from the newer package, and compare that list with the list of installed CVE fixes.
$ pkg contents -ro value -t set -a name=info.cve solaris-11-cpu@YYYY.MM
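One way to do the comparison described above, as an added example that is not part of the original Oracle documentation. It assumes the output of the two commands has been saved to files containing CVE identifiers separated by newlines or spaces; the function names and the sample identifiers are constructed for illustration.

```shell
#!/bin/sh
# Added example: list CVE fixes that a newer solaris-11-cpu package delivers
# but that are not yet installed on this system.
# On a Solaris system the two input files would come from the page's commands:
#   pkg search -Hlo value info.cve: > installed.txt
#   pkg contents -ro value -t set -a name=info.cve solaris-11-cpu@YYYY.MM > available.txt

# normalize_cves FILE
# Split on whitespace, keep only well-formed CVE IDs, and sort them uniquely
# in the C locale so that comm(1) sees consistently ordered input.
normalize_cves() {
    tr -s ' \t' '\n\n' < "$1" | grep -E '^CVE-[0-9]{4}-[0-9]{4,}$' | LC_ALL=C sort -u
}

# missing_cves INSTALLED_FILE AVAILABLE_FILE
# Print IDs present in AVAILABLE_FILE but absent from INSTALLED_FILE.
missing_cves() {
    tmp=$(mktemp -d) || return 1
    normalize_cves "$1" > "$tmp/installed"
    normalize_cves "$2" > "$tmp/available"
    # -1 hides lines only in the installed list, -3 hides lines common to both
    comm -13 "$tmp/installed" "$tmp/available"
    rm -rf "$tmp"
}

# Constructed sample data: placeholder IDs, not real pkg output.
demo_missing_cves() {
    d=$(mktemp -d) || return 1
    printf '%s\n' CVE-0000-0001 CVE-0000-0002 CVE-0000-0003 > "$d/installed.txt"
    printf '%s\n' CVE-0000-0003 CVE-0000-0001 CVE-0000-0004 \
        CVE-0000-0005 CVE-0000-0002 > "$d/available.txt"
    missing_cves "$d/installed.txt" "$d/available.txt"
    rm -rf "$d"
}

demo_missing_cves
```

An empty result means the newer package adds no CVE fixes beyond those already installed.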
Use the pkg update command to update to the newest available SRU or to a specified SRU and install the new fixes and enhancements for that SRU.
$ pkg update --be-name Solaris-11.3-SRU30 email@example.com '*'
The following command shows all the versions of the solaris-11-cpu package that deliver the fix for the specified CVE:
$ pkg search -Hpo pkg.shortfmri CVE-YYYY-NNNN:
This output shows which version of the solaris-11-cpu package first delivered the fix for this CVE and which version most recently delivered this fix. Note that these packages are not necessarily listed in date order because, for example, month 10 sorts older than month 9.
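Because the listing is not in date order, the first and most recent package versions are easier to read off after a numeric sort on year and month. The following is an added example, not part of the original Oracle documentation; it assumes each line ends in a version of the form @YYYY.MM (optionally followed by a suffix), and the function names and sample lines are constructed.

```shell
#!/bin/sh
# Added example: order solaris-11-cpu package names by release date.
# On a Solaris system the input would come from the page's command:
#   pkg search -Hpo pkg.shortfmri CVE-YYYY-NNNN: | sort_cpu_versions

# sort_cpu_versions
# Read package names on stdin and print them oldest first. Year and month are
# compared as numbers, so month 9 sorts before month 10.
sort_cpu_versions() {
    # Prefix each line with "YYYY MM" sort keys, sort numerically on both,
    # strip the keys again, and drop exact duplicate lines.
    sed -n 's/^\(.*@\)\([0-9]\{4\}\)\.\([0-9]\{1,2\}\)\(.*\)$/\2 \3 \1\2.\3\4/p' |
        sort -k1,1n -k2,2n |
        cut -d' ' -f3- |
        uniq
}

# Version that first delivered the fix.
first_fix() { sort_cpu_versions | head -n 1; }

# Version that most recently delivered the fix.
latest_fix() { sort_cpu_versions | tail -n 1; }

# Constructed sample input in the lexical order a plain listing would give.
sample_fmris() {
    printf '%s\n' \
        solaris-11-cpu@2017.10 \
        solaris-11-cpu@2017.11 \
        solaris-11-cpu@2017.9 \
        solaris-11-cpu@2018.1 \
        solaris-11-cpu@2017.9
}

echo "first:  $(sample_fmris | first_fix)"
echo "latest: $(sample_fmris | latest_fix)"
```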
For a specific CVE identifier, the following command lists all packages that were modified to fix that CVE:
$ pkg search -Ho value CVE-YYYY-NNNN:
See Oracle Solaris 11.3 Security Compliance Guide for more information about CVEs.