Tracking Security Updates and Errata Releases

Oracle releases important changes to the Oracle Linux software as individual package updates, known as errata. These package updates are made available for download on ULN before they're gathered into a release or distributed through the _patch channel.

Errata packages can contain the following:

  • Security advisories, which have names prefixed by ELSA-* (for Oracle Linux) and OVMSA-* (for Oracle VM).

  • Bug fix advisories, which have names prefixed by ELBA-* and OVMBA-*.

  • Feature enhancement advisories, which have names prefixed by ELEA-* and OVMEA-*.

Oracle publishes a complete list of errata made available on ULN at https://linux.oracle.com/errata. You can also see a published listing of Common Vulnerabilities and Exposures (CVEs) and explore their details and status at https://linux.oracle.com/cve.
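On a registered system, dnf updateinfo list reports the same advisories, one line per affected package, with the advisory ID and, for security errata, its severity. The following is an added example and not part of the Oracle documentation: it classifies advisories by the prefixes listed above, keeps the security advisories at or above a chosen severity, and builds the dnf command that applies just those. The sample lines are constructed in the shape of dnf updateinfo list output and refer to no real errata.

```shell
#!/bin/sh
# Added example (not from the Oracle documentation): triage the output of
# `dnf updateinfo list` on an Oracle Linux host by advisory type and severity.
# The sample lines below are constructed to match the updateinfo list format
# (<advisory> <type-or-severity> <package NEVRA>); they are not real errata.

# Map an advisory ID to its family using the ELSA/ELBA/ELEA and OVM* prefixes.
advisory_kind() {
    case "$1" in
        ELSA-*|OVMSA-*) echo security ;;
        ELBA-*|OVMBA-*) echo bugfix ;;
        ELEA-*|OVMEA-*) echo enhancement ;;
        *)              echo unknown ;;
    esac
}

# Numeric rank for a security severity so thresholds can be compared.
severity_rank() {
    case "$1" in
        Critical)  echo 4 ;;
        Important) echo 3 ;;
        Moderate)  echo 2 ;;
        Low)       echo 1 ;;
        *)         echo 0 ;;
    esac
}

# Read updateinfo lines on stdin and print, once each, the security advisories
# whose severity is at or above $1 (for example "Important"). Bugfix and
# enhancement advisories are ignored; unknown prefixes go to stderr rather
# than being silently dropped.
triage_updateinfo() {
    threshold=$(severity_rank "$1")
    seen=""
    while read -r advisory type pkg; do
        [ -n "$advisory" ] || continue
        case "$(advisory_kind "$advisory")" in
            security)
                sev=${type%%/*}          # "Important/Sec." -> "Important"
                if [ "$(severity_rank "$sev")" -ge "$threshold" ]; then
                    case " $seen " in
                        *" $advisory "*) ;;   # one advisory covers many packages
                        *) seen="$seen $advisory"; echo "$advisory" ;;
                    esac
                fi ;;
            unknown)
                echo "unrecognised advisory $advisory ($pkg)" >&2 ;;
        esac
    done
}

# Constructed sample: what `dnf updateinfo list` might print on one host.
SAMPLE='ELSA-2024-0001 Critical/Sec.  openssl-1:3.0.7-24.0.1.el9.x86_64
ELSA-2024-0001 Critical/Sec.  openssl-libs-1:3.0.7-24.0.1.el9.x86_64
ELSA-2024-0002 Moderate/Sec.  curl-7.76.1-26.el9.x86_64
ELSA-2024-0003 Important/Sec. kernel-5.14.0-362.el9.x86_64
ELBA-2024-0004 bugfix         bash-5.1.8-6.el9.x86_64
ELEA-2024-0005 enhancement    vim-enhanced-8.2.2637-20.el9.x86_64'

# Print the dnf command that applies exactly the advisories at or above $1,
# so the change set can be reviewed before anything is installed.
plan_security_update() {
    ids=$(printf '%s\n' "$SAMPLE" | triage_updateinfo "$1")
    [ -n "$ids" ] || { echo "nothing at or above $1"; return 1; }
    printf 'dnf upgrade'
    for id in $ids; do printf ' --advisory=%s' "$id"; done
    printf '\n'
}

plan_security_update Important
```

On a real host replace the constructed SAMPLE with `dnf updateinfo list | triage_updateinfo Important`; dnf also accepts `--sec-severity=Important` directly, but driving it by advisory ID keeps the applied set identical to the one that was reviewed.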

To be notified when new errata packages are released, you can subscribe to the relevant mailing lists by following the Subscribe to Enterprise Linux Errata mailing list and Subscribe to Oracle VM Errata mailing list links that are provided on the Errata tab.

Note:

Oracle doesn't comment on existing security vulnerabilities except through errata announcements at https://linux.oracle.com/errata. To provide the best security posture to all Oracle customers, Oracle fixes significant security vulnerabilities in severity order, so the most critical issues are always fixed first. Fixes for security vulnerabilities are produced in the following order:
  • Latest code line, which refers to the code being developed for the next major Oracle release of the product.
  • Next patch set for all non-terminal releases

Using ULN to Browse Available Errata

Monitoring available errata in ULN keeps you current on updates that might be needed on registered systems.

You can only monitor errata for systems that are registered with ULN.

With this task, you can browse all available errata directly in ULN and then select to download the errata RPMs that registered systems require.

  1. Sign in to https://linux.oracle.com with the appropriate SSO credentials.
  2. Select the Errata tab.
    The Errata page displays a table of the available errata for all releases that are available on ULN.
  3. On the Errata page, you can perform the following actions on the displayed errata:
    • To sort the table of available errata, select the title of the Type, Severity, Advisory, Systems Affected, or Release Date column. Select the title again to reverse the order of sorting.

      Note:

      The Systems Affected column shows how many systems might be affected by an advisory.

    • To display or hide advisories of different types, select or clear the Bug, Enhancement, and Security check boxes and select Go.

    • To display only advisories for a certain release of Oracle Linux or Oracle VM, select that release from the Release list and select Go.

    • To search within the table, enter a string in the Search field and select Go.

  4. To see more detail about an advisory and to download the RPMs:
    1. Select the link for the advisory.
    2. On the Errata Detail page for an advisory, you can download the RPMs for the supported releases and system architectures. The Superseded By Advisory column displays a link to the most recent advisory (if any) that replaces the advisory you're browsing.

Using ULN to Manage System-Specific Errata

Monitoring available errata in ULN keeps you current on updates that might be needed on registered systems.

You can only manage errata for systems that are registered with ULN.

With this task, you can download a CSV report about errata that affect a specific system. The report identifies the RPMs that you need to download to update that system.

  1. Sign in to https://linux.oracle.com with valid SSO credentials.
  2. On the Systems tab, select the link named for the system in the list of registered machines.
    The System Details page lists the available errata for the system in the Available Errata table, which might be split over several pages.
  3. Select Download All Available Errata for this System.

    Alternatively, run sudo dnf upgrade directly on the affected system to download the RPMs and apply all available errata updates.

  4. To see more detail about an advisory and to download the RPMs:
    1. Select the link for the advisory.
    2. On the System Errata Detail page for an advisory, you can download the RPMs for the affected releases and system architectures.

Planning for Controlled Updates in a Production Environment

Software and OS updates can pose a problem for complex production environments that run mission-critical applications with minimal tolerance for downtime. One solution might be to lock an environment to a single tested Oracle Linux release and update level to avoid updating the OS often. However, this approach increases exposure to security vulnerabilities and can make integration testing more difficult.

We recommend that you implement a software update strategy that keeps the OS and underlying software packages on production systems updated frequently, in a way that lets you manage the risk of application breakage caused by software updates.

The following guidelines can help you to implement a software update strategy that follows best practice while protecting the production systems from unexpected changes.

  • Create a local ULN mirror.

    One challenge of rolling out updates is that, even if you have tested them in an integration and testing environment, the packages can change between integration testing and the moment you roll the updates out to production unless you control the source of the updated packages.

    By creating a local ULN mirror, you can control when and how often channels are synchronized to the mirror server. The selection of packages is static between synchronization periods, which gives you an opportunity to test a set of packages and then update the production environment to a known working set.

    By using ULN for the mirror service, you can mirror channels that contain Ksplice updates and so run an offline Ksplice service. With offline Ksplice, you can apply in-memory kernel updates without rebooting, and you can still test those updates in an integration environment before applying them to the production environment.

  • Consider a staged update strategy based on risk and threat mitigation.

    Not all updates are equal. You can time the synchronization of ULN mirror channels according to your requirements and configure systems to perform different update types on different schedules. For example, you can work with a strategy similar to the following:
    • Schedule Oracle Ksplice updates for the kernel and user space to run at least weekly. Optionally, vet these updates in an integration test environment first.
    • Apply security-related package updates on a monthly maintenance schedule, and sooner when alerts from security tools or errata notifications warrant it. Use the dnf upgrade --security command for these updates.
    • On at least a quarterly schedule, run full package updates from a ULN mirror snapshot. Vet the updates in an integration test environment before applying them to production servers.
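On the client side, the local-mirror guideline above comes down to a repo definition that points at the mirror without relaxing signature checks: a mirror you control protects you from the package set changing under you, but only gpgcheck protects you from the mirror itself being tampered with. The following is an added example, not Oracle's own tooling or configuration: a function that renders such a stanza, and an audit that flags .repo files in which gpgcheck is off, gpgkey is missing, or the baseurl is plain http. The mirror host name, repo IDs and file names are assumptions; /etc/pki/rpm-gpg/RPM-GPG-KEY-oracle is the key file Oracle Linux ships. The sample repo files are constructed.

```shell
#!/bin/sh
# Added example (not from the Oracle documentation): a client-side repo
# definition for a local ULN mirror that keeps RPM signature checks on, plus
# an audit that flags repo files which weaken them. The mirror host, repo IDs
# and file names are hypothetical; the GPG key path is the one on Oracle Linux.

MIRROR_URL=${MIRROR_URL:-https://uln-mirror.example.internal}   # hypothetical
GPG_KEY=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-oracle

# Print a .repo stanza for one mirrored channel ($1 = repo ID, $2 = path on the
# mirror). gpgcheck=1 makes dnf verify every RPM against Oracle's key, so a
# compromised mirror cannot feed the client unsigned or re-signed packages.
render_repo() {
    cat <<EOF
[$1]
name=Local ULN mirror: $1
baseurl=$MIRROR_URL/$2/
enabled=1
gpgcheck=1
gpgkey=$GPG_KEY
EOF
}

# Walk one .repo file and print "<file>:<section>: <problem>" for each enabled
# section that disables gpgcheck, omits gpgkey or fetches over plain http.
# A sentinel section is appended so the last real section is checked too.
audit_file() {
    { cat "$1"; echo "[__end__]"; } | {
        section=""; enabled=1; gpgcheck=""; gpgkey=""; baseurl=""
        while IFS= read -r line; do
            case "$line" in
                \[*\])
                    if [ -n "$section" ] && [ "$enabled" != 0 ]; then
                        [ "$gpgcheck" = 1 ] || echo "$1:$section: gpgcheck is not 1"
                        [ -n "$gpgkey" ]    || echo "$1:$section: no gpgkey"
                        case "$baseurl" in
                            http://*) echo "$1:$section: plaintext baseurl" ;;
                        esac
                    fi
                    section=${line#?}; section=${section%?}
                    enabled=1; gpgcheck=""; gpgkey=""; baseurl="" ;;
                enabled=*)  enabled=${line#enabled=} ;;
                gpgcheck=*) gpgcheck=${line#gpgcheck=} ;;
                gpgkey=*)   gpgkey=${line#gpgkey=} ;;
                baseurl=*)  baseurl=${line#baseurl=} ;;
            esac
        done
    }
}

# Audit every *.repo file under $1 (normally /etc/yum.repos.d). Prints the
# findings and returns 1 if there are any, 0 if the directory is clean.
audit_repos() {
    findings=$(for f in "$1"/*.repo; do
        if [ -e "$f" ]; then audit_file "$f"; fi
    done)
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample tree: one correct mirror file and one weakened file with
# gpgcheck=0 and a plaintext URL, plus a disabled section that must be ignored.
make_sample() {
    d=$(mktemp -d)
    render_repo ol9_baseos_latest ol9/baseos/latest > "$d/local-mirror.repo"
    cat > "$d/legacy.repo" <<EOF
[ol9_appstream_legacy]
name=old mirror
baseurl=http://old-mirror.example.internal/ol9/appstream/
enabled=1
gpgcheck=0

[ol9_disabled]
name=disabled, so not checked
baseurl=http://old-mirror.example.internal/ol9/extras/
enabled=0
gpgcheck=0
EOF
    echo "$d"
}

render_repo ol9_baseos_latest ol9/baseos/latest
audit_repos "$(make_sample)" || echo "weak repository configuration found" >&2
```

Run `audit_repos /etc/yum.repos.d` from configuration management or a cron job on each client; a non-zero exit is the signal that someone has pointed a host at an unsigned source, which is the one thing a local mirror cannot guard against on its own.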

Performing regular, narrowly scoped updates makes it easier to resolve integration issues as they arise and better protects an environment from potential security issues. An integration test environment and a yum or ULN mirror are critical to maintaining the stability of a platform and protecting it from compromise.
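As an added example (not a script from Oracle or from this documentation), the three tiers of the staged schedule above expressed as one maintenance script with a function per tier. It assumes dnf with dnf-plugins-core (for needs-restarting) and the Ksplice Uptrack client (uptrack-upgrade); the mirror repository ID is a placeholder. With DRY_RUN=1 it only prints the commands it would run, which is also how it runs on a machine without dnf.

```shell
#!/bin/sh
# Added example (not from the Oracle documentation): one maintenance script
# with a function per tier of the staged update schedule. DRY_RUN=1 prints
# each privileged command instead of running it, so the plan can be reviewed.
# Assumed tools: dnf with dnf-plugins-core (needs-restarting) and the Ksplice
# Uptrack client (uptrack-upgrade). MIRROR_REPO is a hypothetical repo ID.

DRY_RUN=${DRY_RUN:-0}
MIRROR_REPO=${MIRROR_REPO:-local-uln-mirror}

# Run a command, or print it prefixed with "+ " when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "+ $*"
    else
        "$@"
    fi
}

# needs-restarting -r exits 1 when a reboot is required (kernel, glibc,
# systemd and similar). Surface that rather than leaving it to be noticed.
reboot_check() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "+ dnf needs-restarting -r"
    elif ! dnf needs-restarting -r; then
        echo "reboot required; schedule it inside the maintenance window" >&2
        return 2
    fi
}

# Weekly: Ksplice kernel updates, applied in memory, no reboot.
tier_weekly() {
    run uptrack-upgrade -y
}

# Monthly: security errata only, at or above a severity ($1, default
# Important). --security restricts dnf to packages named in ELSA advisories;
# the severity filter leaves Low/Moderate fixes for the quarterly window
# unless an errata notification justifies pulling them forward.
tier_monthly() {
    sev=${1:-Important}
    run dnf -y upgrade --security --sec-severity="$sev"
    reboot_check
}

# Quarterly: full update from the tested mirror snapshot only. Every other
# repository is disabled for this transaction so nothing untested slips in.
tier_quarterly() {
    run dnf clean all
    run dnf -y --disablerepo='*' --enablerepo="$MIRROR_REPO" upgrade
    reboot_check
}

# Dispatch on the tier name; unknown tiers are refused rather than guessed.
run_tier() {
    case "$1" in
        weekly)    tier_weekly ;;
        monthly)   tier_monthly "$2" ;;
        quarterly) tier_quarterly ;;
        *) echo "usage: $0 weekly|monthly [severity]|quarterly" >&2; return 64 ;;
    esac
}

# Stand-alone: show the monthly plan without touching the host.
(DRY_RUN=1; run_tier monthly Important)
```

Wire each tier to its own timer (weekly, monthly, quarterly) and keep the quarterly one aligned with the mirror synchronization date, so that the package set it installs is the one that went through the integration environment.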