Critical Patch Update Packages

The following critical patch update package is available with each monthly SRU. Most of the content of this package is information about CVE fixes delivered through that SRU.

pkg:/support/critical-patch-update/solaris-11-cpu@YYYY.MM-version

Table 4-2 solaris-11-cpu Package Version String Components

Component   Description

YYYY        The year in which the SRU associated with this CPU package was released.

MM          The month in which the SRU associated with this CPU package was released. This value is one or two digits; leading zeros are not used.

version     An integer that is incremented when the CPU package is re-released in the same month.

The solaris-11-cpu package is not installed by default. If you want this package, you must explicitly install it. This package is not required in order to update to a newer SRU. Advantages to installing this package include:

  • Easily list which CVEs are fixed on this system.

  • Easily show which SRU is running on this system.

  • Easily upgrade to a specific SRU by updating this package to that specific version. All components are moved to the specified SRU level, including any components that are unlocked from their constraint packages.

  • Ensure that all packages that are needed to fix these CVEs are installed at the right version.

The following command lists all CVE fixes that are installed on this system if this system has the solaris-11-cpu package installed:

$ pkg search -Hlo value info.cve:

If this system does not have the solaris-11-cpu package installed, identify the solaris-11-cpu package for the SRU that is installed, and query that package remotely. For example, if this system is running Oracle Solaris 11.3 SRU 28, which was released in January 2018, the corresponding solaris-11-cpu package is solaris-11-cpu@2018.1.

$ pkg contents -ro value -t set -a name=info.cve solaris-11-cpu@2018.1

To check whether additional fixes are available, use the following command to show whether a version of the solaris-11-cpu package is available that is newer than the version you have installed:

$ pkg list -n solaris-11-cpu

If a newer package is available, use the following command to list the CVE fixes that are available from the newer package, and compare that list with the list of installed CVE fixes.

$ pkg contents -ro value -t set -a name=info.cve solaris-11-cpu@YYYY.MM

Use the pkg update command to update to the newest available SRU or to a specified SRU and install the new fixes and enhancements for that SRU.

$ pkg update --be-name Solaris-11.3-SRU30 solaris-11-cpu@2018.3 '*'

The following command shows all the versions of the solaris-11-cpu package that deliver the fix for the specified CVE:

$ pkg search -Hpo pkg.shortfmri CVE-YYYY-NNNN:

This output shows which version of the solaris-11-cpu package first delivered the fix for this CVE and which version most recently delivered this fix. Note that these packages are not necessarily listed in date order because, for example, month 10 sorts older than month 9.
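The following added example (not part of the Oracle documentation) works on saved output of the commands above: it lists the CVE fixes that a newer solaris-11-cpu package would add to the installed set, and it puts solaris-11-cpu versions in true release order despite the month 10 versus month 9 sorting issue. It assumes FMRIs of the form solaris-11-cpu@YYYY.MM-version and pkg output saved to files or piped in; the function names and all sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example. All sample data is constructed; CVE-0000-* are placeholders.

# cpu_sort: read solaris-11-cpu FMRIs on stdin, print them oldest first.
# A plain sort puts 2017.10 before 2017.9, so sort on numeric fields instead.
cpu_sort() {
    awk -F'@' '/solaris-11-cpu@/ {
        split($2, v, /[.-]/)        # v[1]=YYYY  v[2]=MM  v[3]=version
        printf "%d %d %d %s\n", v[1], v[2], v[3], $0
    }' | sort -k1,1n -k2,2n -k3,3n | cut -d" " -f4-
}

# cve_ids FILE: normalize saved pkg output to one unique CVE id per line.
# Header lines and several ids on one line are both tolerated.
cve_ids() {
    tr -s ' \t' '\n\n' < "$1" | grep '^CVE-[0-9]' | sort -u
}

# cve_new INSTALLED AVAILABLE: print CVE ids present only in AVAILABLE.
# An empty INSTALLED file (CPU package not installed) reports every id.
cve_new() {
    { cve_ids "$1" | sed 's/^/I /'; cve_ids "$2" | sed 's/^/A /'; } |
        awk '$1 == "I" { have[$2]; next } !($2 in have) { print $2 }'
}

demo() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' \
        'pkg:/support/critical-patch-update/solaris-11-cpu@2017.10-1' \
        'pkg:/support/critical-patch-update/solaris-11-cpu@2018.1-1' \
        'pkg:/support/critical-patch-update/solaris-11-cpu@2017.9-1' > "$dir/fmris"
    printf '%s\n' CVE-0000-0001 CVE-0000-0002 > "$dir/installed"
    printf '%s\n' CVE-0000-0002 CVE-0000-0003 CVE-0000-0001 > "$dir/available"
    echo "First delivered in: $(cpu_sort < "$dir/fmris" | head -n 1)"
    echo "Fixes gained by updating:"
    cve_new "$dir/installed" "$dir/available"
    rm -rf "$dir"
}
demo
```

On a live system, pipe the output of pkg search -Hpo pkg.shortfmri CVE-YYYY-NNNN: into cpu_sort, and redirect the two info.cve listings shown earlier into files to pass to cve_new.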

For a specific CVE identifier, the following command lists all packages that were modified to fix that CVE:

$ pkg search -Ho value CVE-YYYY-NNNN:

See Oracle Solaris 11.4 Compliance Guide for more information about CVEs.