Managing CVE Updates From the Command Line
The examples in this section show how to use the command line to find CVE information.
Example 3-1 Several Ways of Listing the Packages That Contain Fixes to a CVE ID
When you know the CVE ID, you can use it to find the packages that contain the fix for it. The following searches find the fix for the bash Shellshock software bug.
- The pkg search command searches all configured repositories and the local system for the CVE ID. The output lists which packages and versions contain the fix and which CPU delivers it. Note the use of the trailing colon (:) in the search to indicate a missing field.
$ pkg search CVE-2014-7187:
INDEX ACTION VALUE PACKAGE
CVE-2014-7187 set pkg://solaris/shell/bash@4.1.11,5.11-0.175.2.2.0.8.0 pkg:/support/critical-patch-update/solaris-11-cpu@2015.8-1
CVE-2014-7187 set pkg://solaris/shell/bash@4.1.11,5.11-0.175.2.2.0.8.0 pkg:/support/critical-patch-update/solaris-11-cpu@2015.7-3
...
CVE-2014-7187 set pkg://solaris/shell/bash@4.1.11,5.11-0.175.2.2.0.8.0 pkg:/support/critical-patch-update/solaris-11-cpu@2014.10-1
CVE-2014-7187 set pkg://solaris/shell/bash@4.1.11,5.11-0.175.2.3.0.4.0 pkg:/support/critical-patch-update/solaris-11-cpu@2014.10-1
- Without the trailing colon, the pkg search command lists all solaris-11-cpu package versions, but does not list the bash package that contains the fix.
$ pkg search CVE-2014-7187
INDEX ACTION VALUE PACKAGE
info.cve set CVE-2014-7187 pkg:/support/critical-patch-update/solaris-11-cpu@2015.8-1
info.cve set CVE-2014-7187 pkg:/support/critical-patch-update/solaris-11-cpu@2014.4-1
...
info.cve set CVE-2014-7187 pkg:/support/critical-patch-update/solaris-11-cpu@2014.10-1
- The following command displays the CVE ID, the package that contains the fix, and the solaris-11-cpu package version:
$ pkg search -Ho name,value,pkg.shortfmri CVE-2014-7187:
CVE-2014-7187 pkg://solaris/shell/bash@4.1.11,5.11-0.175.2.2.0.8.0 pkg:/support/critical-patch-update/solaris-11-cpu@2015.8-1
...
CVE-2014-7187 pkg://solaris/shell/bash@4.1.17,5.11-0.175.2.5.0.2.0 pkg:/support/critical-patch-update/solaris-11-cpu@2015.7-1
...
CVE-2014-7187 pkg://solaris/shell/bash@4.1.11,5.11-0.175.2.2.0.8.0 pkg:/support/critical-patch-update/solaris-11-cpu@2014.10-1
- The pkg contents -r command searches the repository, not the local system, for the packages that fix the bash Shellshock software bug.
$ pkg contents -Hro value -t set -a name=CVE-2014-7187 solaris-11-cpu
pkg://solaris/shell/bash@4.1.11,5.11-0.175.2.2.0.8.0
pkg://solaris/shell/bash@4.1.11,5.11-0.175.2.3.0.4.0
pkg://solaris/shell/bash@4.1.17,5.11-0.175.2.5.0.2.0
Because SRUs and CPUs are cumulative, the fix is available after being installed once.
Example 3-2 Showing When a CVE Fix Was First Available
This example shows that the fix for the bash Shellshock software bug was first available for this system in the solaris-11-cpu@2014.4-1 package and in every following SRU.
$ pkg search -po pkg.shortfmri CVE-2014-7187
PKG.SHORTFMRI
pkg:/support/critical-patch-update/solaris-11-cpu@2014.4-1
pkg:/support/critical-patch-update/solaris-11-cpu@2015.1-1
pkg:/support/critical-patch-update/solaris-11-cpu@2015.1-2
...
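The following shell functions are an added example, not part of the original documentation. They post-process the output of the pkg search commands shown in Example 3-1 and Example 3-2 to list the unique packages that carry a fix and the earliest CPU that delivers it. The function names and the year.month-revision reading of the CPU version are assumptions; the sample lines are copied from the output in Example 3-1.

```shell
#!/bin/sh
# Added example: summarise pkg search output for one CVE ID.

# Sample in the three-column format of `pkg search -Ho name,value,pkg.shortfmri`.
sample_output() {
cat <<'EOF'
CVE-2014-7187 pkg://solaris/shell/bash@4.1.11,5.11-0.175.2.2.0.8.0 pkg:/support/critical-patch-update/solaris-11-cpu@2015.8-1
CVE-2014-7187 pkg://solaris/shell/bash@4.1.17,5.11-0.175.2.5.0.2.0 pkg:/support/critical-patch-update/solaris-11-cpu@2015.7-1
CVE-2014-7187 pkg://solaris/shell/bash@4.1.11,5.11-0.175.2.2.0.8.0 pkg:/support/critical-patch-update/solaris-11-cpu@2014.10-1
EOF
}

# fixing_packages: unique FMRIs (column 2) read from stdin; headers and "..." are skipped.
fixing_packages() {
    awk 'NF == 3 && $1 ~ /^CVE-[0-9]+-[0-9]+$/ { print $2 }' | sort -u
}

# earliest_cpu: oldest solaris-11-cpu version found in the last column of stdin.
# Assumption: versions read as year.month-revision, so they are compared
# numerically; a plain text sort would place 2014.10-1 before 2014.4-1.
earliest_cpu() {
    awk '$NF ~ /solaris-11-cpu@[0-9]+\.[0-9]+-[0-9]+$/ {
             v = $NF; sub(/.*@/, "", v)
             split(v, p, /[.-]/)
             print p[1], p[2], p[3], v
         }' |
    sort -k1,1n -k2,2n -k3,3n | awk 'NR == 1 { print $4 }'
}

# cve_fix_summary CVE-ID: run the Example 3-1 search on a real system and summarise it.
cve_fix_summary() {
    case ${1#CVE-[0-9][0-9][0-9][0-9]-} in
        "$1"|""|*[!0-9]*) echo "usage: cve_fix_summary CVE-YYYY-NNNN" >&2; return 2 ;;
    esac
    out=$(pkg search -Ho name,value,pkg.shortfmri "$1:") || return 1
    printf 'Fixed in:\n%s\n' "$(printf '%s\n' "$out" | fixing_packages)"
    printf 'First CPU: %s\n' "$(printf '%s\n' "$out" | earliest_cpu)"
}

# Offline demonstration on the sample lines.
sample_output | earliest_cpu
```

Because earliest_cpu reads only the last column, it also accepts the single-column output of pkg search -po pkg.shortfmri.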
Example 3-3 Listing the CVE IDs in a Critical Patch Update
This example shows how to display every fixed CVE in the latest CPU.
$ pkg contents -rHo value -a name=info.cve solaris-11-cpu@latest
CVE-1999-0103
CVE-2002-2443
CVE-2003-0001
CVE-2004-0230
...
CVE-2015-5477
...
Example 3-4 Verifying That the Latest CPU Is Installed
To determine the status of the latest solaris-11-cpu package, use the pkg list command.
$ pkg list -af solaris-11-cpu@latest
NAME (PUBLISHER) VERSION IFO
support/critical-patch-update/solaris-11-cpu 2015.8-1 ---
Because the i flag is not in the I column, the latest CPU is not installed.
Example 3-5 Verifying That a Fix for a CVE ID Is Installed
To verify that you installed a fix for a specific CVE ID, search your installed packages for the CVE ID. If the fix is not installed, no output is displayed. The pkg search -l command searches the local disk only.
# pkg search -l CVE-2014-7187
INDEX ACTION VALUE PACKAGE
info.cve set CVE-2014-7187 pkg:/support/critical-patch-update/solaris-11-cpu@2014.10-1
For more information about options to the pkg command, see the pkg(1) man page.