CVE data in Solaris 11 packages
A while ago Oracle started to integrate the CVE-IDs that the patches fix into the Critical Patch Updates (CPU). With this data it's easy to answer whether you have applied the patches that mitigate a certain CVE, or whether a patch is available that fixes it.
For example, to check which CPUs fix the CVE-2015-0387 you can use this command:
pkg search -r :CVE-2015-0397: | tr -s " " | cut -d " " -f 4 | sort | uniq
With the next command you check which CVEs are fixed by a given critical patch update (here 2017.4):
pkg search -r info.cve: | grep "cpu@2017.4" | tr -s " " | cut -d " " -f 3 | sort | uniq -c | sort
This information only reaches your local system once you install the CPU package. To install the latest CPU, just enter pkg install solaris-11-cpu; afterwards you can move on to the next CPU by entering pkg update solaris-11-cpu. Without this package installed, any local search for CVE data yields no results.
After the installation you can search the local state of your system. For example, to find out whether you have applied the patches that fix a certain CVE, use:
pkg search -l 'CVE-*' | tr -s " " | cut -d " " -f 3 | sort
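The three searches above all parse the same four-column pkg search output (INDEX ACTION VALUE PACKAGE). The following added example, not code from the original post, wraps them in small shell functions that use awk instead of tr/cut chains, so a CVE-ID is compared as a whole field and cannot accidentally match a longer ID that merely starts with the same digits. The functions read pkg search output on stdin, so they can be fed by the real command or, as here, by a constructed sample; the column layout, the package FMRIs and the CVE-IDs other than CVE-2015-0397 are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the original post. Helpers that parse the assumed
# four-column output of `pkg search` (INDEX ACTION VALUE PACKAGE) with awk,
# matching a CVE-ID as a whole field rather than as a substring.
# Each function reads `pkg search` output on stdin, e.g.
#   pkg search -r info.cve: | cves_fixed_by_cpu 2017.4

# Constructed sample of `pkg search -r info.cve:` output. CVE-2015-0397 is the
# ID used in the post; CVE-2016-99998/99999 are placeholders, CVE-2015-03971 is
# a deliberately similar ID, and the package FMRIs are illustrative only.
SAMPLE_REMOTE='INDEX    ACTION VALUE          PACKAGE
info.cve set    CVE-2015-0397  pkg:/support/critical-patch-update/solaris-11-cpu@2015.4-1
info.cve set    CVE-2015-0397  pkg:/support/critical-patch-update/solaris-11-cpu@2015.7-1
info.cve set    CVE-2016-99998 pkg:/support/critical-patch-update/solaris-11-cpu@2017.4-1
info.cve set    CVE-2016-99999 pkg:/support/critical-patch-update/solaris-11-cpu@2017.4-1
info.cve set    CVE-2015-03971 pkg:/support/critical-patch-update/solaris-11-cpu@2017.4-1'

# Constructed sample of `pkg search -l 'CVE-*'` on a system where only the
# 2017.4 CPU package is installed, so only its CVE entries are present locally.
SAMPLE_LOCAL='INDEX    ACTION VALUE          PACKAGE
info.cve set    CVE-2016-99998 pkg:/support/critical-patch-update/solaris-11-cpu@2017.4-1
info.cve set    CVE-2016-99999 pkg:/support/critical-patch-update/solaris-11-cpu@2017.4-1'

# Print the unique packages (CPUs) on stdin that fix the given CVE-ID.
# $3 == cve is an exact field comparison, unlike a grep for the ID.
cpus_fixing_cve() {
    awk -v cve="$1" 'NR > 1 && $3 == cve { print $4 }' | sort -u
}

# Print the unique CVE-IDs on stdin fixed by the CPU with the given version,
# mirroring the post's grep "cpu@2017.4" on the PACKAGE column.
cves_fixed_by_cpu() {
    awk -v ver="cpu@$1" 'NR > 1 && index($4, ver) > 0 { print $3 }' | sort -u
}

# Exit 0 (shell true) if the given CVE-ID appears in the local search output
# on stdin, 1 otherwise, so the function can drive an `if`.
cve_fixed_locally() {
    awk -v cve="$1" 'NR > 1 && $3 == cve { found = 1 } END { exit found ? 0 : 1 }'
}

# Stand-alone demonstration on the constructed samples.
printf '%s\n' "$SAMPLE_REMOTE" | cpus_fixing_cve CVE-2015-0397
printf '%s\n' "$SAMPLE_REMOTE" | cves_fixed_by_cpu 2017.4
if printf '%s\n' "$SAMPLE_LOCAL" | cve_fixed_locally CVE-2015-0397; then
    echo "CVE-2015-0397: fixed locally"
else
    echo "CVE-2015-0397: NOT fixed locally (install or update solaris-11-cpu)"
fi
```

On a real system, replace the printf of the sample with the corresponding pkg search command in front of the pipe; the local check only returns true once the solaris-11-cpu package that lists the CVE is installed, which is exactly the behaviour described above.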
To check the locally installed CPU package, use this command:
root@nfsclient:~# pkg info -l solaris-11-cpu
Name: support/critical-patch-update/solaris-11-cpu
Summary: Oracle Solaris 11.3.19.5.0 Critical Patch Update 2017.4-1
Description: This package ensures a system remains up to date with the
Oracle Critical Patch Updates for Oracle Solaris
State: Installed
Publisher: solaris
Version: 2017.4
Build Release: 5.11
Branch: 1
Packaging Date: Sat Apr 08 03:04:05 2017
Last Install Time: Thu May 04 21:20:09 2017
Size: 5.46 kB
FMRI: pkg://solaris/support/critical-patch-update/solaris-11-cpu@2017.4,5.11-1:20170408T030405Z