CVE data in Solaris 11 packages
A while ago Oracle started to integrate the CVE IDs that patches fix into the Critical Patch Updates (CPU). With this data it's easy to answer whether you have applied the patches that mitigate a certain CVE, or whether there is a patch available to fix such a CVE.
For example, to check which CPUs fix CVE-2015-0387, you can use this command:
With the next command you can check which CVEs are fixed by the critical patch update:
This kind of information only reaches your local system when you install the CPU on it. To install the latest CPU you just have to enter pkg install solaris-11-cpu. Afterwards you can get to the next CPU by just entering pkg update solaris-11-cpu. Without installing this package, any command searching for CVE data will yield no results.
After the installation, you can search for this information against the local state of your system. For example, to find out whether you have applied the patches to fix a certain CVE, you can just use:
To check the locally installed CPU package, just use this command: