Linux: Determining whether or not a package has been patched for a bug or CVE
This document (7002558) is provided subject to the disclaimer at the end of this document.
Environment
Situation
Resolution
To check whether or not a currently installed package has been patched for a bug or security vulnerability, zypper can be used to query packages with the --bug and --cve flags (this is the preferred method).
The "rpm" command with the flags "-q --changelog" will also show the patches applied to a package, including security patches.
For example, "rpm -q --changelog kernel-smp" will show output similar to:
-- patches.fixes/hrtimers-avoid-overflow-for-large-relative-timeouts:
hrtimers: avoid overflow for large relative timeouts (347262,112296-
CVE-2007-5966).
The output shows the change information, including the SUSE Bugzilla number, the CVE number and the Linux kernel bug number.
Using zypper:
Note: To use zypper, the system needs to be connected to a valid update server such as Subscription Management Tool or SUSE Manager.
SLE11SP1 based systems: here two steps are required to answer the question:
- zypper lp -a --cve=CVE#
- zypper patch-info <patch-name>
e.g.
- zypper lp -a --cve=CVE-2010-2074
which will return:
sles11sp1:~ # zypper lp -a --cve=CVE-2010-2074
Loading repository data...
Reading installed packages...
Issue | No. | Patch | Category
------+---------------+------------------+---------
cve | CVE-2010-2074 | slessp1-w3m-2563 | security
- In a second step, check the output of "zypper patch-info slessp1-w3m-2563" to see whether the patch has already been applied.
On SLE11SP2 based systems the first command already reports the patch status in an additional column:
sles11sp2:~ # zypper lp -a --cve=CVE-2010-2074
Refreshing service 'spacewalk'.
Loading repository data...
Reading installed packages...
Issue | No. | Patch | Category | Status
------+---------------+-----------------------+----------+-----------
cve | CVE-2010-2074 | slessp1-w3m-2563-2563 | security | not needed
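The two checks described above (scanning the "rpm -q --changelog" output for a CVE id, and reading the Status column of the SLE11SP2 "zypper lp -a --cve" table), as an added shell example that is not part of this TID. It runs offline against constructed samples in the formats shown above; the *_live wrappers are assumptions about how you would call the real tools on a registered system.

```shell
#!/bin/sh
# Added example (not SUSE's code). Offline checks of the two command outputs
# shown above, using constructed samples; the *_live wrappers run the real tools.

# Constructed sample in the format of `rpm -q --changelog kernel-smp`
SAMPLE_CHANGELOG='* Tue Dec 11 2007 someone@example.com
- patches.fixes/hrtimers-avoid-overflow-for-large-relative-timeouts:
  hrtimers: avoid overflow for large relative timeouts (347262,112296-
  CVE-2007-5966).
- patches.fixes/other-fix: unrelated change (bnc#123456).
'

# Constructed sample in the SLE11SP2 format of `zypper lp -a --cve=...`
SAMPLE_ZYPPER='Loading repository data...
Reading installed packages...
Issue | No.           | Patch                 | Category | Status
------+---------------+-----------------------+----------+-----------
cve   | CVE-2010-2074 | slessp1-w3m-2563-2563 | security | not needed
'

# Exit 0 if the CVE id occurs in the changelog on stdin. The id is matched as a
# whole token, so CVE-2007-596 does not match the CVE-2007-5966 entry.
cve_in_changelog() {
    grep -qE "(^|[^0-9A-Za-z-])$1([^0-9]|$)"
}

# Print every CVE id referenced in the changelog on stdin, once each.
list_cves() {
    grep -oE 'CVE-[0-9]{4}-[0-9]{4,}' | sort -u
}

# Print the Status column of the zypper row for the given CVE; on SLE11SP1 the
# column does not exist, so "unknown" tells the caller to run zypper patch-info.
zypper_patch_status() {
    awk -F'|' -v cve="$1" '$1 ~ /^cve/ {
        gsub(/^ +| +$/, "", $2)
        if ($2 == cve) { if (NF >= 5) { gsub(/^ +| +$/, "", $5); print $5 } else print "unknown" }
    }'
}

# Live wrappers (assumed usage): need the package installed and a reachable update server.
changelog_live() { rpm -q --changelog "$1" | cve_in_changelog "$2"; }
zypper_live()    { zypper lp -a --cve="$1" | zypper_patch_status "$1"; }

# Offline helpers used by the demo below
check_sample()  { printf '%s' "$SAMPLE_CHANGELOG" | cve_in_changelog "$1"; }
status_sample() { printf '%s' "$SAMPLE_ZYPPER" | zypper_patch_status "$1"; }

check_sample CVE-2007-5966 && echo "CVE-2007-5966: referenced in the kernel changelog sample"
echo "CVE-2010-2074 status in the zypper sample: $(status_sample CVE-2010-2074)"
```

A changelog hit only proves the vendor referenced the CVE in some build of the package; the zypper status (or zypper patch-info) is what tells you whether the installed version actually carries the patch.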
Additional Information
You can also view all current SUSE Linux Security Advisories.
Many of the bug references carry a three-letter prefix in front of the number. The following list explains what the numbers mean, using the example reference (347262,112296-CVE-2007-5966):
- CVE-: Common Vulnerabilities and Exposures number at mitre.org
- BNC# or a number with no letters: SUSE Bugzilla number at SUSE Bugzilla (requires username/password)
- LTC#: IBM Linux Technology Center Bug Number
SUSE Manager
One feature of SUSE Manager is the ability to run a CVE Audit across registered systems to identify those that are lacking security updates. See the SUSE Manager CVE Audit chapter for further details.
Disclaimer
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID: 7002558
- Creation Date: 05-Feb-2009
- Modified Date: 25-Mar-2021
- SUSE Linux Enterprise Desktop
- SUSE Linux Enterprise Point of Service
- SUSE Linux Enterprise Server
- SUSE Linux Enterprise Real Time Extension
For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com