About Patching: What is a Patch in SLE and OpenSUSE?
A while back I wrote a post on why you should patch your servers. I think it surprised some people. I got at least one comment from twitter saying, “I’m surprised you get so many tickets on this topic since security is so important in enterprise server environments.” And yet, we do. At any current time, we have multiple tickets asking for RCA (Root Cause Analysis) for a server crash or hang when the server has not been patched in month, years, or even ever. Sometimes they never register the server to receive patched and so never patch their server beyond what is in the base version that we ship in the beginning.
This post isn’t to complain. Its to help alleviate the problem. The first step is to discuss, what are patches and what do they do. Using a SUSE Customer Center (SCC) account, you can go to https://scc.suse.com/patches to view detailed information on all of our patches. I can get a list of them so far using this command:
jsevans@linux-rtf9:~> sudo zypper patches Refreshing service 'Containers_Module_12_x86_64'. Refreshing service 'SUSE_Linux_Enterprise_Server_12_SP2_x86_64'. Refreshing service 'SUSE_Package_Hub_12_SP2_x86_64'. Loading repository data... Reading installed packages... Repository | Name | Category | Severity | Interactive | Status | Summary --------------------------------+-----------------------------------------+-------------+-----------+-------------+------------+---------------------------------------------------------------------------------- SLES12-SP2-Updates | SUSE-SLE-SERVER-12-SP2-2017-990 | security | important | --- | needed | Security update for glibc SLES12-SP2-Updates | SUSE-SLE-SERVER-12-SP2-2017-994 | security | critical | reboot | needed | Security update for the Linux Kernel SLES12-SP2-Updates | SUSE-SLE-SERVER-12-SP2-2017-998 | security | important | --- | not needed | Security update for openvp
As you can see, I need to apply three patches to this server. Since patch, “SUSE-SLE-SERVER-12-SP2-2017-994” is listed as a critical update, we’ll review what makes this so important:
jsevans@linux-rtf9:~> zypper patch-info SUSE-SLE-SERVER-12-SP2-2017-994 Loading repository data... Reading installed packages... Information for patch SUSE-SLE-SERVER-12-SP2-2017-994: ------------------------------------------------------ Repository : SLES12-SP2-Updates Name : SUSE-SLE-SERVER-12-SP2-2017-994 Version : 1 Arch : noarch Vendor : maint-coord@suse.de Status : applied Category : security Severity : critical Created On : Mon 19 Jun 2017 05:28:39 PM CEST Interactive : reboot Summary : Security update for the Linux Kernel Description : The SUSE Linux Enterprise 12 SP2 kernel was updated to receive various security and bugfixes. The following security bugs were fixed: - CVE-2017-1000364: The default stack guard page was too small and could be "jumped over" by userland programs using more than one page of stack in functions and so lead to memory corruption. This update extends the stack guard page to 1 MB (for 4k pages) and 16 MB (for 64k pages) to reduce this attack vector. This is not a kernel bugfix, but a hardening measure against this kind of userland attack.(bsc#1039348) The following non-security bugs were fixed: - There was a load failure in the sha-mb encryption implementation (bsc#1037384). Provides : patch:SUSE-SLE-SERVER-12-SP2-2017-994 = 1 Conflicts : [10] kernel-default.nosrc < 4.4.59-92.20.2 kernel-default.x86_64 < 4.4.59-92.20.2 kernel-default-base.x86_64 < 4.4.59-92.20.2 kernel-default-devel.x86_64 < 4.4.59-92.20.2 kernel-devel.noarch < 4.4.59-92.20.2 kernel-macros.noarch < 4.4.59-92.20.2 kernel-source.noarch < 4.4.59-92.20.2 kernel-source.src < 4.4.59-92.20.2 kernel-syms.src < 4.4.59-92.20.2 kernel-syms.x86_64 < 4.4.59-92.20.2
In other words, this patch was written to avoid a possible security issue from a rogue application.
A quick and easy way to review what patches are needed for your system, simply run:
zypper patches | grep needed | grep -v "not "
This will allow you view the complete summary of all of your needed patches, you can run:
for i in `zypper lp | grep -i needed | awk '{ print $3 }'`; do zypper patch-info $i; done
If you haven’t patched in a while, this can be a lot of information. However, if you need to justify why you should patch, this is a great way to summarize the information. Another option is to visit https://www.suse.com/support/update/ which is a web-based repository for specific packages with much of the same information.
In my next post, I’ll discuss ways to intelligently apply patches to minimize downtime. In the meantime, here are some more resources.
Related Articles
Sep 05th, 2023
Comments
Good Article but the following command returns no results:
zypper patches | grep needed | grep -v “not ”
“needed” and “not” do not appear on the same row:
– Some patches are “Needed”
– some patches are “Not Applicable”
Further to my original comment…
An easier way to find just “needed” patches is to ask zypper to List Patches”
zypper lp
Both “zypper lp” and “zypper patches” will show needed patches but there is a significant difference that prevents your “for” loop from working:
– “zypper lp” shows the patch is “needed”
– “zypper patches” shows the patch is “Needed” (note the capital N)
Your “grep” command is doing a case sensitive search for “needed” but it will never be found:
for i in `zypper patches |grep needed|grep -v “not “|awk ‘{ print $3 }’`; do zypper patch-info $i; done
If you wish to use “zypper patches” you would have to use “| grep Needed” or “| grep -i needed”. The same would apply when searching for “not” but the “grep not” is redundant.
Here is a simplified version that provides the desired output. It works in SLES 11 SP4.
for i in `zypper lp | grep -i needed | awk ‘{ print $3 }’`; do zypper patch-info $i; done