'zypper patch --date <date>' installs some patches with release date after desired cut-off-date
This document (000020633) is provided subject to the disclaimer at the end of this document.
Environment
SUSE Linux Enterprise Server 15 (All service pack versions)
SUSE Linux Enterprise Desktop 15 (All service pack versions)
SUSE Linux Enterprise Server 12 (All service pack versions)
SUSE Linux Enterprise Desktop 12 (All service pack versions)
SUSE Linux Enterprise Desktop 15 (All service pack versions)
SUSE Linux Enterprise Server 12 (All service pack versions)
SUSE Linux Enterprise Desktop 12 (All service pack versions)
Situation
After using 'zypper patch --date <date>' to patch an environment, patches with a release date later than the date supplied to the zypper command are reported as 'applied', for example...
# zypper -vv patch --date 2022-02-14In the output of the command, it is noted:
Patch 'SUSE-SLE-SAP-12-SP4-2022-733-1' was issued after the specified date.After the patch cycle has run:
# zypper patches | grep applied | grep 733 SUSE-SLE-SERVER-12-SP4-LTSS-2022-733 | security... | applied update for zsh
Resolution
zypper is working correctly and as intended.
As the definition of what "patch" actually means is not clear, this helps to confuse the understanding of what to expect when using switches like 'patch' and '--date'.
As the definition of what "patch" actually means is not clear, this helps to confuse the understanding of what to expect when using switches like 'patch' and '--date'.
Unlike that common perception that patch contains a fix for given problem, for zypper it does not fix anything directly. Zypper patch is a meta package that conflicts with all versions of package(s) affected by the issue.
For example application of the following patch means that zypper will update listed expat-related rpm packages (if installed) to version >= 2.1.0-21.15.1.
If the installed package versions are higher than what's required by patch then the patch is considered to be applied.
If the installed package versions are higher than what's required by patch then the patch is considered to be applied.
$ zypper patch-info SUSE-SLE-SERVER-12-SP4-LTSS-2022-495
...
Created On : Mon Mar 21 16:52:19 2022
...
- CVE-2022-23852: Fixed signed integer overflow in XML_GetBuffer
(bsc#1195054).
- CVE-2022-23990: Fixed integer overflow in the doProlog function
(bsc#1195217).
Provides : patch:SUSE-SLE-SERVER-12-SP4-LTSS-2022-495 = 1
Conflicts : [4]
expat.src < 2.1.0-21.15.1
expat.x86_64 < 2.1.0-21.15.1
libexpat1.x86_64 < 2.1.0-21.15.1
libexpat1-32bit.x86_64 < 2.1.0-21.15.1
So command "zypper patch --date 2022-02-14" will resolve all issues published until 2022-02-14 (patch create date) by updating affected packages to the latest available version. If the newest packages are fixing also other issues, then corresponding patches will be listed as "applied" even if they were released after 2022-02-14.As man page for zypper patch --date states:
--date YYYY-MM-DD[,...] Select only patches patches issued up to, but not including, the specified date.The '--date' option limits the date until which were selected patches (i.e. meta packages) issued, it does not limit the release dates of the actual rpm packages used to resolve them. So even patches that are not explicitly selected may be resolved.
Cause
zypper man pages do not cover this topic in as much detail as they could, poor information available on what a patch actually is and misconceptions as to how some of the zypper switches actually work.
Additional Information
Customers can not use 'zypper --date' as a way of controlling the update process in a very granular and predictable way. Another method must be used.
Products like SUSE Manager and the older SMT patching software have this kind of controlled patching/repository update freezing capability (although SMT will soon reach end-of-life). The newer RMT software does not have this capability. It is possible to create bespoke repositories and use those to patch in a very controlled way but this requires a considerable amount of effort to identify and manage packages/patches and create and maintain your own repositories. SUSE Manager is the best option in terms of least amount of effort and ease of management.
Products like SUSE Manager and the older SMT patching software have this kind of controlled patching/repository update freezing capability (although SMT will soon reach end-of-life). The newer RMT software does not have this capability. It is possible to create bespoke repositories and use those to patch in a very controlled way but this requires a considerable amount of effort to identify and manage packages/patches and create and maintain your own repositories. SUSE Manager is the best option in terms of least amount of effort and ease of management.
Disclaimer
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID:000020633
- Creation Date: 07-Apr-2022
- Modified Date:07-Apr-2022
-
- SUSE Linux Enterprise Desktop
- SUSE Linux Enterprise Server
For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com
