Determining whether or not a package has been patched for a bug or CVE

This document (7002558) is provided subject to the disclaimer at the end of this document.

Environment

SUSE Linux Enterprise (all variants)

Situation

How to check whether or not a certain package has been patched for a bug or security vulnerability.

Resolution

Manual check:

To check whether or not a currently installed package has been patched for a bug or security vulnerability, zypper can be used to query packages using the --bug and --cve flags (this is the preferred method).

The "rpm" command with flags "-q --changelog" will also show the patches including security patches.

For example, "rpm -q --changelog kernel-smp" will show output similar to:
* Mon Jan 07 2008 - example@suse.de
-- patches.fixes/hrtimers-avoid-overflow-for-large-relative-timeouts:
   hrtimers: avoid overflow for large relative timeouts (347262,112296- 
   CVE-2007-5966).

The output shows the change information, including the SUSE Bugzilla number, the CVE number and the Linux Kernel bug number.

Using zypper:

Note: To use zypper, the system needs to be connected to a valid update server such as Subscription Management Tool or SUSE Manager.

SLE11SP1 based systems: Here two steps are required to resolve the request:
  1. zypper lp -a --cve=CVE#
  2. zypper patch-info <patch-name>

e.g.

  1. zypper lp -a --cve=CVE-2010-2074

    which will return:

    sles11sp1:~ # zypper lp -a --cve=CVE-2010-2074
    Loading repository data...
    Reading installed packages...

    Issue | No.           | Patch            | Category
    ------+---------------+------------------+---------
    cve   | CVE-2010-2074 | slessp1-w3m-2563 | security

     
  2. In a second step, check the output of zypper patch-info slessp1-w3m-2563 to see whether the patch has already been applied.

As of SLES11SP2: Just run zypper lp -a --cve=CVE-2010-2074:

sles11sp2:~ # zypper lp -a --cve=CVE-2010-2074
Refreshing service 'spacewalk'.
Loading repository data...
Reading installed packages...

Issue | No.           | Patch                 | Category | Status   
------+---------------+-----------------------+----------+-----------
cve   | CVE-2010-2074 | slessp1-w3m-2563-2563 | security | not needed

To see a list of all missing CVEs, run: zypper lp --cve
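
As an added example (not part of the original SUSE document), the shell function below parses the table printed by zypper lp -a --cve=<ID> and reports each matching patch with its status, falling back to a reminder to run zypper patch-info when the Status column is absent, as on SLE11SP1. The function name cve_patch_status and the "check-patch-info" marker are assumptions made for this example; the sample tables are copied from the output shown above.

```shell
#!/bin/sh
# Added example: classify the table printed by `zypper lp -a --cve=<ID>`.
# Reads zypper output on stdin and prints one line per matching patch:
#   <patch-name> <status>
# Returns non-zero when no patch row references the CVE.
# cve_patch_status and "check-patch-info" are names invented for this example.
cve_patch_status() {
    awk -F'|' -v cve="$1" '
        function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
        # Header row: remember which column (if any) is "Status".
        trim($1) == "Issue" {
            status_col = 0
            for (i = 1; i <= NF; i++)
                if (trim($i) == "Status") status_col = i
            next
        }
        # Data rows: Issue | No. | Patch | Category [| Status]
        trim($1) == "cve" && trim($2) == cve {
            # No Status column (SLE11SP1): the second step is still required.
            status = status_col ? trim($status_col) : "check-patch-info"
            print trim($3), status
            found = 1
        }
        END { exit(found ? 0 : 1) }
    '
}

# Sample input: the SLE11SP1 and SLES11SP2 tables shown in this document.
SP1_OUT='Loading repository data...
Reading installed packages...

Issue | No.           | Patch            | Category
------+---------------+------------------+---------
cve   | CVE-2010-2074 | slessp1-w3m-2563 | security'

SP2_OUT='Loading repository data...
Reading installed packages...

Issue | No.           | Patch                 | Category | Status
------+---------------+-----------------------+----------+-----------
cve   | CVE-2010-2074 | slessp1-w3m-2563-2563 | security | not needed'

printf '%s\n' "$SP1_OUT" | cve_patch_status CVE-2010-2074
printf '%s\n' "$SP2_OUT" | cve_patch_status CVE-2010-2074
```

On a live system the input would come from the command itself: zypper lp -a --cve=CVE-2010-2074 | cve_patch_status CVE-2010-2074.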

Additional Information

If you are looking for a particular CVE, please check out the Published SUSE Linux security updates by CVE number database. The database contains links to the patch and versions that apply.

You can also view all current SUSE Linux Security Advisories.

Many of the bugs have a three-letter header in front of the numbers. The following details what the numbers mean. For example, if a bug had (347262,112296-CVE-2007-5966):
  • CVE-: Common Vulnerability and Exposure Number at mitre.org
  • BNC# or number with no letters: SUSE Bugzilla Number at SUSE Bugzilla (requires username/password)
  • LTC#: IBM Linux Technology Center Bug Number

SUSE Manager

One feature of SUSE Manager is the ability to run a CVE Audit across registered systems to identify those that are lacking security updates. See the SUSE Manager CVE Audit chapter for further details (SUSE Manager 4.3 for example).

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID: 7002558
  • Creation Date: 05-Feb-2009
  • Modified Date: 29-Jun-2023
    • SUSE Linux Enterprise Desktop
    • SUSE Linux Enterprise Point of Service
    • SUSE Linux Enterprise Server
    • SUSE Linux Enterprise Real Time Extension
