Locating the Packages That Have CVE Updates in Oracle Solaris

The Oracle Solaris Support package repository contains metadata for tracking security vulnerability fixes by the assigned CVE ID. Oracle Solaris creates a package of this metadata from the Oracle bug database. After installing the package, you can easily determine whether your system has all the known and required security vulnerability fixes. You do not need to derive this information from other sources. Using the Oracle bug database as your source is critically important because sometimes Oracle Solaris fixes a bug in an upstream Free and Open Source (FOSS) component by patching the code rather than by generating a new version of the component.

The metadata package from the Oracle bug database, pkg:/support/critical-patch-update/solaris-11-cpu, covers the entire dependency hierarchy. All packages that were changed for a particular CVE fix are dependencies of the solaris-11-cpu package. They are optional dependencies; therefore, a dependent package is updated if it is already installed, but it is not installed if the software being fixed is not already present on the system.

The metadata package enables retrospective updates to the critical patch update (CPU) metadata where a shipped version already contains the fix for a given CVE ID. When Oracle Solaris publishes a new CPU, it also publishes a new version of the package to the Oracle Solaris support repository plus the new package versions that contain the fixes.

The version format for the CPU package is @YYYY.MM-VV, where VV is usually a low number, as in the CPU package solaris-11-cpu@2014.10-1. This format enables Oracle Solaris to republish critical patch updates within the same month. Note that the day of the month (DD) is not part of the version format.

You can search the metadata by using either the Oracle Solaris Support package repository web site or the command-line interface. You can search for cases where a given CVE ID applies to multiple packages and also where a given package version contains fixes for multiple CVE IDs.
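The following shell script is an added example, not part of the Oracle Solaris documentation or of the pkg(1) tool. It shows the two checks an administrator typically wants from this metadata: whether the installed solaris-11-cpu version is at least as new as the latest published one (using the @YYYY.MM-VV version format described above), and which packages a given CVE ID maps to, or which CVE IDs a given package carries. The `pkg search -r` output is replaced with constructed sample text so the script runs offline; its column layout (INDEX ACTION VALUE PACKAGE), the CVE IDs of the form CVE-0000-NNNN and the package versions `0.0.0-example` are all placeholders, not real identifiers.

```shell
#!/bin/sh
# Added example (not Oracle's code): helpers around the CPU metadata package.
#
# On a real system the inputs would come from:
#   pkg list solaris-11-cpu          -> installed CPU metadata version
#   pkg search -r CVE-<id>           -> packages the CVE maps to in the repository
# The sample below is CONSTRUCTED; the column layout is an assumption.

SAMPLE_SEARCH_OUTPUT='INDEX          ACTION VALUE                                              PACKAGE
CVE-0000-0001  set    pkg://solaris/library/libxml2@0.0.0-example               pkg:/support/critical-patch-update/solaris-11-cpu@2014.10-1
CVE-0000-0001  set    pkg://solaris/library/python-2/lxml-26@0.0.0-example      pkg:/support/critical-patch-update/solaris-11-cpu@2014.10-1
CVE-0000-0002  set    pkg://solaris/library/libxml2@0.0.0-example               pkg:/support/critical-patch-update/solaris-11-cpu@2014.10-1'

# Convert solaris-11-cpu@YYYY.MM-VV into a numeric key YYYYMMVV so two CPU
# versions can be compared with integer arithmetic (month and VV zero-padded).
cpu_version_key() {
    v="${1#*@}"          # 2014.10-1
    yyyy="${v%%.*}"      # 2014
    rest="${v#*.}"       # 10-1
    mm="${rest%%-*}"     # 10
    vv="${rest#*-}"      # 1
    printf '%s%02d%02d\n' "$yyyy" "$mm" "$vv"
}

# Succeed (exit 0) when the installed CPU metadata ($1) is at least as new as
# the latest published version ($2); fail otherwise so a caller can alert.
cpu_is_current() {
    [ "$(cpu_version_key "$1")" -ge "$(cpu_version_key "$2")" ]
}

# Print the package FMRIs (VALUE column) that the CVE ID in $1 maps to.
# Reads pkg-search-style output on stdin; the header line is skipped.
packages_for_cve() {
    awk -v cve="$1" 'NR > 1 && $1 == cve { print $3 }'
}

# Print the CVE IDs (INDEX column) whose VALUE is the package named in $1
# (package name without publisher or version, e.g. library/libxml2).
cves_for_package() {
    awk -v name="$1" 'NR > 1 {
        split($3, p, "@")            # strip the version from the FMRI
        if (p[1] ~ ("/" name "$")) print $1
    }'
}

# Stand-alone demonstration on the constructed sample.
installed="solaris-11-cpu@2014.10-1"
latest="solaris-11-cpu@2014.10-2"
if cpu_is_current "$installed" "$latest"; then
    echo "CPU metadata is current: $installed"
else
    echo "CPU metadata is behind: installed $installed, latest $latest"
fi

echo "Packages fixed for CVE-0000-0001:"
printf '%s\n' "$SAMPLE_SEARCH_OUTPUT" | packages_for_cve CVE-0000-0001

echo "CVE IDs carried by library/libxml2:"
printf '%s\n' "$SAMPLE_SEARCH_OUTPUT" | cves_for_package library/libxml2
```

Because solaris-11-cpu only pulls in fixed packages as optional dependencies, a "current" metadata version does not by itself prove that every affected component was updated; the per-CVE listing is what tells you which package versions to confirm with `pkg list` on the host.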