Using zypper to install patches via CVE#

This document (7017287) is provided subject to the disclaimer at the end of this document.

Environment

SUSE Linux Enterprise Server 15
SUSE Linux Enterprise Server 12
SUSE Linux Enterprise Server 11 SP4
SUSE Linux Enterprise Server 11 SP3

Situation

A customer wants to install the patch that addresses a specific CVE.

Resolution

Use the following commands, where CVE# is a CVE identifier such as CVE-2015-7547 (zypper also accepts the lowercase form, as the example below shows):
List the patch for a specific CVE#:
# zypper lp --cve=CVE#
List the patches for multiple CVE#s (comma-separated):
# zypper lp --cve=CVE#,CVE#,CVE#
Get information about the patch, using the name from the Patch column without its trailing -<version> suffix (slessp3-glibc-12406-1 in the list becomes slessp3-glibc-12406):
# zypper info -t patch PatchName
Install the patch using the CVE#:
# zypper patch --cve=CVE#

Example using CVE-2015-7547:
# rpm -qa | grep glibc
glibc-locale-32bit-2.11.3-17.54.1
glibc-2.11.3-17.54.1
glibc-32bit-2.11.3-17.54.1
glibc-locale-2.11.3-17.54.1
glibc-i18ndata-2.11.3-17.54.1

# zypper lp --cve=cve-2015-7547
Refreshing service...
Loading repository data...
Reading installed packages...

Issue | No.           | Patch                 | Category | Status
------+---------------+-----------------------+----------+-------
cve   | CVE-2015-7547 | slessp3-glibc-12406-1 | security | needed


# zypper info -t patch slessp3-glibc-12406
Refreshing service...
Loading repository data...
Reading installed packages...


Information for patch slessp3-glibc-12406:

Name: slessp3-glibc-12406
Version: 1
Arch: noarch
Vendor: maint-coord@suse.de
Status: Needed
Category: security
Created On: Tue 16 Feb 2016 08:39:37 AM MST
Reboot Required: No
Package Manager Restart Required: No
Interactive: No
Summary: Security update for glibc
Description:

This update for glibc fixes the following issues:

- CVE-2015-7547: A stack-based buffer overflow in getaddrinfo allowed remote attackers to cause a crash or execute arbitrary code via crafted and timed DNS responses (bsc#961721)
- CVE-2015-8777: Insufficient checking of LD_POINTER_GUARD environment variable allowed local attackers to bypass the pointer guarding protection of the dynamic loader on set-user-ID and set-group-ID programs (bsc#950944)
- CVE-2015-8776: Out-of-range time values passed to the strftime function may cause it to crash, leading to a denial of service, or potentially disclosure information (bsc#962736)
- CVE-2015-8778: Integer overflow in hcreate and hcreate_r could have caused an out-of-bound memory access. leading to application crashes or, potentially, arbitrary code execution (bsc#962737)
- CVE-2014-9761: A stack overflow (unbounded alloca) could have caused applications which process long strings with the nan function to crash or, potentially, execute arbitrary code. (bsc#962738)
- CVE-2015-8779: A stack overflow (unbounded alloca) in the catopen function could have caused applications which pass long strings to the catopen function to crash or, potentially execute arbitrary code. (bsc#962739)

The following non-security bugs were fixed:

- bsc#930721: Accept leading and trailing spaces in getdate input string
- bsc#942317: Recognize power8 platform
- bsc#950944: Always enable pointer guard
- bsc#956988: Fix deadlock in __dl_iterate_phdr

Provides:
patch:slessp3-glibc-12406 == 1

Conflicts:
srcpackage:glibc < 2.11.3-17.95.2
glibc.x86_64 < 2.11.3-17.95.2
glibc-32bit.x86_64 < 2.11.3-17.95.2
glibc-devel.x86_64 < 2.11.3-17.95.2
glibc-devel-32bit.x86_64 < 2.11.3-17.95.2
glibc-html.x86_64 < 2.11.3-17.95.2
glibc-i18ndata.x86_64 < 2.11.3-17.95.2
glibc-info.x86_64 < 2.11.3-17.95.2
glibc-locale.x86_64 < 2.11.3-17.95.2
glibc-locale-32bit.x86_64 < 2.11.3-17.95.2
glibc-profile.x86_64 < 2.11.3-17.95.2
glibc-profile-32bit.x86_64 < 2.11.3-17.95.2
nscd.x86_64 < 2.11.3-17.95.2
#

# zypper patch --cve=cve-2015-7547
Refreshing service...
Loading repository data...
Reading installed packages...
Resolving package dependencies...

The following NEW patch is going to be installed:
  slessp3-glibc-12406

The following packages are going to be upgraded:
  glibc glibc-32bit glibc-i18ndata glibc-locale glibc-locale-32bit nscd

6 packages to upgrade.
Overall download size: 18.9 MiB. After the operation, additional 59.0 KiB will be used.
Continue? [y/n/?] (y): y
Retrieving package glibc-2.11.3-17.95.2.x86_64 (1/6), 1.9 MiB (5.3 MiB unpacked)
Retrieving delta: ./rpm/x86_64/glibc-2.11.3-17.54.1_17.95.2.x86_64.drpm, 366.0 KiB
Retrieving: glibc-2.11.3-17.54.1_17.95.2.x86_64.drpm [done]
Applying delta: ./glibc-2.11.3-17.54.1_17.95.2.x86_64.drpm [done]
Retrieving package glibc-32bit-2.11.3-17.95.2.x86_64 (2/6), 1.1 MiB (2.9 MiB unpacked)
Retrieving delta: ./rpm/x86_64/glibc-32bit-2.11.3-17.54.1_17.95.2.x86_64.drpm, 272.0 KiB
Retrieving: glibc-32bit-2.11.3-17.54.1_17.95.2.x86_64.drpm [done]
Applying delta: ./glibc-32bit-2.11.3-17.54.1_17.95.2.x86_64.drpm [done]
Retrieving package glibc-i18ndata-2.11.3-17.95.2.x86_64 (3/6), 3.1 MiB (10.5 MiB unpacked)
Retrieving delta: ./rpm/x86_64/glibc-i18ndata-2.11.3-17.54.1_17.95.2.x86_64.drpm, 86.0 KiB
Retrieving: glibc-i18ndata-2.11.3-17.54.1_17.95.2.x86_64.drpm [done]
Applying delta: ./glibc-i18ndata-2.11.3-17.54.1_17.95.2.x86_64.drpm [done]
Retrieving package nscd-2.11.3-17.95.2.x86_64 (4/6), 98.0 KiB (138.0 KiB unpacked)
Retrieving: nscd-2.11.3-17.95.2.x86_64.rpm [done]
Retrieving package glibc-locale-2.11.3-17.95.2.x86_64 (5/6), 11.4 MiB (106.1 MiB unpacked)
Retrieving delta: ./rpm/x86_64/glibc-locale-2.11.3-17.54.1_17.95.2.x86_64.drpm, 710.0 KiB
Retrieving: glibc-locale-2.11.3-17.54.1_17.95.2.x86_64.drpm [done]
Applying delta: ./glibc-locale-2.11.3-17.54.1_17.95.2.x86_64.drpm [done]
Retrieving package glibc-locale-32bit-2.11.3-17.95.2.x86_64 (6/6), 1.4 MiB (5.9 MiB unpacked)
Retrieving delta: ./rpm/x86_64/glibc-locale-32bit-2.11.3-17.54.1_17.95.2.x86_64.drpm, 108.0 KiB
Retrieving: glibc-locale-32bit-2.11.3-17.54.1_17.95.2.x86_64.drpm [done]
Applying delta: ./glibc-locale-32bit-2.11.3-17.54.1_17.95.2.x86_64.drpm [done]
Installing: glibc-2.11.3-17.95.2 [done]
Installing: glibc-32bit-2.11.3-17.95.2 [done]
Installing: glibc-i18ndata-2.11.3-17.95.2 [done]
Installing: nscd-2.11.3-17.95.2 [done]
Installing: glibc-locale-2.11.3-17.95.2 [done]
Installing: glibc-locale-32bit-2.11.3-17.95.2 [done]
There are some running programs that use files deleted by recent upgrade. You may wish to restart some of them. Run 'zypper ps' to list these programs.
#


# rpm -qa | grep glibc
glibc-2.11.3-17.95.2
glibc-32bit-2.11.3-17.95.2
glibc-locale-32bit-2.11.3-17.95.2
glibc-i18ndata-2.11.3-17.95.2
glibc-locale-2.11.3-17.95.2

Status: Top Issue

Additional Information

Example for listing multiple CVE#s:
ses1:~ # zypper lp --cve=CVE-2020-3702,CVE-2021-4028,CVE-2021-4034
--[cut here]--
The following matches in issue numbers have been found:

Issue | No.           | Patch                                         | Category | Severity  | Interactive | Status | Since | Summary
------+---------------+-----------------------------------------------+----------+-----------+-------------+--------+-------+-------------------------------------------------------------------
cve   | CVE-2020-3702 | SUSE-SLE-Module-Live-Patching-15-SP3-2022-294 | security | important | ---         | needed | -     | Security update for the Linux Kernel (Live Patch 1 for SLE 15 SP3)
cve   | CVE-2021-4028 | SUSE-SLE-Module-Live-Patching-15-SP3-2022-294 | security | important | ---         | needed | -     | Security update for the Linux Kernel (Live Patch 1 for SLE 15 SP3)
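The two `zypper lp --cve=...` tables above (the five-column form from the SLES 11 SP3 example and the wider form from this multi-CVE example) are easy to read by eye but awkward to act on across many hosts. The following POSIX sh/awk helper is an added example, not part of this TID or of zypper itself: it locates the No., Patch and Status columns by header name so both layouts parse, compares CVE identifiers case-insensitively (zypper accepts `cve-2015-7547` but prints `CVE-2015-7547`), and reports a requested CVE that has no row at all, as CVE-2021-4034 does above, instead of silently treating it as patched. The two sample outputs embedded in the block are constructed from the tables shown on this page; the function names `patch_for_cve`, `report_cves` and `any_needed` are the example's own.

```shell
#!/bin/sh
# Added example, not part of SUSE TID 7017287: parse the table printed by
# `zypper lp --cve=...` and answer, per CVE, which patch covers it and whether
# that patch is still "needed". Works for both the short (5-column) and the
# wide (Severity/Interactive/Since/Summary) table layouts.

# Constructed sample 1: single-CVE table shape from the SLES 11 SP3 example.
SAMPLE_LP_OUTPUT='Refreshing service...
Loading repository data...
Reading installed packages...

Issue | No.           | Patch                 | Category | Status
------+---------------+-----------------------+----------+-------
cve   | CVE-2015-7547 | slessp3-glibc-12406-1 | security | needed
'

# Constructed sample 2: wide table shape from the SLES 15 multi-CVE example.
# CVE-2021-4034 was requested but has no row; a script must report that rather
# than assume it is fixed.
SAMPLE_MULTI_OUTPUT='The following matches in issue numbers have been found:

Issue | No.           | Patch                                         | Category | Severity  | Interactive | Status | Since | Summary
------+---------------+-----------------------------------------------+----------+-----------+-------------+--------+-------+-------------------------------------------------------------------
cve   | CVE-2020-3702 | SUSE-SLE-Module-Live-Patching-15-SP3-2022-294 | security | important | ---         | needed | -     | Security update for the Linux Kernel (Live Patch 1 for SLE 15 SP3)
cve   | CVE-2021-4028 | SUSE-SLE-Module-Live-Patching-15-SP3-2022-294 | security | important | ---         | needed | -     | Security update for the Linux Kernel (Live Patch 1 for SLE 15 SP3)
'

# patch_for_cve OUTPUT CVE
# Prints "<patch> <status>" for the first row whose No. column equals CVE
# (case-insensitive). Returns 1 when the CVE has no row at all.
patch_for_cve() {
    printf '%s\n' "$1" | awk -F'|' -v cve="$2" '
        function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
        # Find the columns by header name, not fixed position, so both layouts parse.
        $1 ~ /^Issue[ \t]*$/ {
            for (i = 1; i <= NF; i++) {
                h = trim($i)
                if (h == "No.") c_no = i
                else if (h == "Patch") c_patch = i
                else if (h == "Status") c_status = i
            }
            next
        }
        $1 ~ /^cve[ \t]*$/ && c_no && c_patch && c_status {
            if (toupper(trim($c_no)) == toupper(cve)) {
                print trim($c_patch), trim($c_status)
                found = 1
                exit
            }
        }
        END { exit (found ? 0 : 1) }'
}

# report_cves OUTPUT CVE1,CVE2,...
# One line per requested CVE: "<cve>: <patch> <status>" or "<cve>: no patch listed".
report_cves() {
    printf '%s\n' "$2" | tr ',' '\n' | while read -r c; do
        [ -n "$c" ] || continue
        if r=$(patch_for_cve "$1" "$c"); then
            printf '%s: %s\n' "$c" "$r"
        else
            printf '%s: no patch listed\n' "$c"
        fi
    done
}

# any_needed OUTPUT CVE1,CVE2,...
# Returns 0 when at least one requested CVE still has a patch in status "needed",
# i.e. when `zypper patch --cve=...` would actually change the system.
any_needed() {
    report_cves "$1" "$2" | grep -q ' needed$'
}

# Live use on a SLES host (not executed here): feed real zypper output to the
# same functions and only call `zypper patch` when something is still needed.
#   cves=CVE-2015-7547,CVE-2015-8778
#   lp=$(zypper lp --cve="$cves")
#   report_cves "$lp" "$cves"
#   any_needed "$lp" "$cves" && zypper patch --cve="$cves"
```

Matching the Status column by name matters because zypper adds columns (Severity, Interactive, Since, Summary) in newer releases, so a script that hard-codes field 5 works on SLES 11 and silently breaks on SLES 15. The "no patch listed" outcome deserves a follow-up on the host rather than a green tick: it can mean the fix is already installed, the affected package is not installed, or the repositories have not been refreshed.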

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID: 7017287
  • Creation Date: 23-Feb-2016
  • Modified Date: 03-Feb-2022
  • Product: SUSE Linux Enterprise Server
