Installing Patches

Patches are binary code modifications that affect the way Sun-supplied software operates. Sun releases them either because previously identified bugs have been fixed, or because a security exploit has been discovered in a piece of software and a simple workaround is inadequate to prevent intrusion or disruption of normal system activity. For example, until recently many of the older Solaris daemons suffered from buffer overflow vulnerabilities, in which a rogue client deliberately writes past the fixed boundaries of an array to crash the system. Many system daemons, such as web servers, can be crashed because memory outside the declared size of an array is overwritten with arbitrary values. Without appropriate bounds checking, passing a 1025-byte GET request to a web server whose array size is 1024 results in unpredictable behavior, as the C language does not prevent a program from doing this. Since Solaris daemons are typically written in C, a number have been fixed in recent years to prevent this problem from occurring (but you may be surprised at just how often new weaknesses are exposed). Sendmail, IMAP, and POP daemons for Solaris have all experienced buffer overflow vulnerabilities in the past that required urgent installation of security patches.

For early Solaris 9 installations out-of-the-box, two critical problems were typically identified, both associated with gaining root access via buffer overflow:

  • The CDE-based Calendar Manager service may be vulnerable to a buffer overflow attack, as identified in CVE 1999-0320 and 1999-0696. The Calendar Manager is used to manage appointments and other date/time based functions.

  • The remote administration daemon (sadmind) may be vulnerable to a buffer overflow attack, as described in CVE 1999-0977. The remote administration daemon is used to manage system administration activities across a number of different hosts.

The CVE number matches descriptions of each security issue from the Common Vulnerabilities and Exposures database (http://cve.mitre.org/). Each identified vulnerability will contain a hyperlink back to the CVE database, so that information displayed about every issue is updated directly from the source. New patches and bug fixes are also listed.

To find information about current patches, sysadmins are directed to the http://www.sunsolve.com/ site, which lists details about current patches for each operating system release. There are two basic types of patches available from SunSolve: single patches and jumbo patches. Single patches have a single patch number associated with them, are generally aimed at resolving a single outstanding issue, and usually insert, delete, or update data in a small number of files. Single patches are also targeted at resolving specific security issues. Each patch is associated with an internal bug number from Sun’s bug database. For example, patch number 108435-01 aims to fix BugId 4318566, involving a shared library issue with the 64-bit C++ compiler.

In contrast, a jumbo patch consists of many single patches that have been bundled together, on the basis of operating system release levels, to ensure that the most common issues for a particular platform are resolved by the installation of the jumbo patch. It’s standard practice to install the current jumbo patch for Solaris 9 once the operating system has been installed from scratch, or if the system has been upgraded from Solaris 7.

Some of the latest patches released for Solaris 9 include the following:

  • 110322-01: Patch for /usr/lib/netsvc/yp/ypbind

  • 110853-01: Patch for Sun-Fire-880

  • 110856-01: Patch for /etc/inet/services

  • 110888-01: Patch for figgs

  • 110894-01: Patch for country name

  • 110927-01: Patch for SUNW_PKGLIST

  • 111078-01: Patch Solaris Resource Manager

  • 111295-01: Patch for /usr/bin/sparcv7/pstack and /usr/bin/sparcv9/pstack

  • 111297-01: Patch for /usr/lib/libsendfile.so.1

  • 111337-01: Patch for /usr/sbin/ocfserv

  • 111400-01: Patch for KCMS configure tool

  • 111402-01: Patch for crontab

  • 111431-01: Patch for /usr/lib/libldap.so.4

  • 111439-01: Patch for /kernel/fs/tmpfs

  • 111473-01: Patch for PCI Host Adapter

  • 111562-01: Patch for /usr/lib/librt.so.1

  • 111564-01: Patch for SunPCi 2.2.1

  • 111570-01: Patch for uucp

  • 111588-01: Patch for /kernel/drv/wc

  • 111606-01: Patch for /usr/sbin/in.ftpd

  • 111624-01: Patch for /usr/sbin/inetd

  • 111648-01: Patch for env3test, cpupmtest, ifbtest, and rsctest

  • 111656-01: Patch for socal and sf drivers

  • 111762-01: Patch for Expert3D and SunVTS

One of the most useful guides to the currently available patches for Solaris 9 is the SunSolve Patch Report (ftp://sunsolve.sun.com/pub/patches/Solaris8.PatchReport). This report provides a quick reference to all newly released patches for the platform, as well as updates on previous patches that have now been modified. A list of suggested patches for the platform is also contained in the Report, while recommended security patches are listed separately. Finally, a list of obsolete patches is provided. Some of the currently listed security patches available include the following:

  • 108528-09: Patch for kernel update

  • 108869-06: Patch for snmpdx/mibiisa/libssasnmp/snmplib

  • 108875-09: Patch for c2audit

  • 108968-05: Patch for vol/vold/rmmount

  • 108975-04: Patch for /usr/bin/rmformat and /usr/sbin/format

  • 108985-03: Patch for /usr/sbin/in.rshd

  • 108991-13: Patch for /usr/lib/libc.so.1

  • 109091-04: Patch for /usr/lib/fs/ufs/ufsrestore

  • 109134-19: Patch for WBEM

  • 109234-04: Patch for Apache and NCA

  • 109279-13: Patch for /kernel/drv/ip

  • 109320-03: Patch for LP

  • 109322-07: Patch for libnsl

  • 109326-05: Patch for libresolv.so.2 and in.named

  • 109354-09: Patch for dtsession

  • 109783-01: Patch for /usr/lib/nfs/nfsd

  • 109805-03: Patch for pam_krb5.so.1

  • 109887-08: Patch for smartcard

  • 109888-05: Patch for platform drivers

  • 109892-03: Patch for /kernel/drv/ecpp driver

  • 109894-01: Patch for /kernel/drv/sparcv9/bpp driver

  • 109896-04: Patch for USB driver

  • 109951-01: Patch for jserver buffer overflow

Figure 15-1 shows the main screen on SunSolve that lists all of the available jumbo patches and recommended clusters for Solaris 9.

Figure 15-1: Retrieving patches from SunSolve.

Patch Example

To determine which patches are currently installed on your system, you need to use the showrev command as follows:

# showrev -p
Patch: 107430-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWwsr
Patch: 108029-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWwsr
Patch: 107437-03 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWtiu8
Patch: 107316-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWploc
Patch: 107453-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWkvm, SUNWcar
Patch: 106541-06 Obsoletes: 106976-01, 107029-01, 107030-01, 107334-01 Requires:  Incompatibles:  Packages: SUNWkvm, SUNWcsu, SUNWcsr, SUNWcsl, SUNWcar, SUNWesu, SUNWarc, SUNWatfsr, SUNWcpr, SUNWdpl, SUNWhea, SUNWtoo, SUNWpcmci, SUNWtnfc, SUNWvolr
Patch: 106541-10 Obsoletes: 106832-03, 106976-01, 107029-01, 107030-01, 107334-01, 107031-01, 107117-05, 107899-01 Requires: 107544-02 Incompatibles:  Packages: SUNWkvm, SUNWcsu, SUNWcsr, SUNWcsl, SUNWcar, SUNWesu, SUNWarc, SUNWatfsr, SUNWscpu, SUNWcpr, SUNWdpl, SUNWhea, SUNWipc, SUNWtoo, SUNWpcmci, SUNWpcmcu, SUNWtnfc, SUNWvolr
Patch: 106541-15 Obsoletes: 106832-03, 106976-01, 107029-01, 107030-01, 107334-01, 107031-01, 107117-05, 107899-01, 108752-01, 107147-08, 109104-04 Requires: 107544-02 Incompatibles:  Packages: SUNWkvm, SUNWcsu, SUNWcsr, SUNWcsl, SUNWcar, SUNWesu, SUNWarc, SUNWatfsr, SUNWscpu, SUNWcpr, SUNWdpl, SUNWhea, SUNWipc, SUNWtoo, SUNWnisu, SUNWpcmci, SUNWpcmcu, SUNWtnfc, SUNWvolu, SUNWvolr

From the example shown here, we can see that showrev reports several different properties of each patch installed:

  • The patch number.

  • Whether the patch obsoletes a previously released patch (or patches) and which version numbers.

  • Whether there are any prerequisite patches (and their version numbers) on which the current patch depends.

  • Whether the patch is incompatible with any other patches.

  • What standard Solaris packages are affected by installation of the patch.

From one of these examples (106541-15), we can see that it obsoletes a large number of other patches, including 106832-03, 106976-01, 107029-01, 107030-01, 107334-01, 107031-01, 107117-05, 107899-01, 108752-01, 107147-08, and 109104-04. In addition, it depends on patch 107544-02, and is compatible with all other known patches. Finally, it affects a large number of different packages, including SUNWkvm, SUNWcsu, SUNWcsr, SUNWcsl, SUNWcar, SUNWesu, SUNWarc, SUNWatfsr, SUNWscpu, SUNWcpr, SUNWdpl, SUNWhea, SUNWipc, SUNWtoo, SUNWnisu, SUNWpcmci, SUNWpcmcu, SUNWtnfc, SUNWvolu, and SUNWvolr.

patchadd

To install single patches, you simply need to use the patchadd command:

# patchadd /patches/106541-15

where /patches is the directory to which your patches were downloaded, and 106541-15 is the name of the patch file (it should be the same as the patch number).

To add a large number of patches from the same directory, use the -M option, which takes the patch directory followed by the patch IDs:

# patchadd -M /patches 106541-15 106541-10 107453-01

where 106541-15, 106541-10, and 107453-01 are the patches to be installed. Once the patches have been successfully installed, they can be verified by using the showrev command. For example, to check that patch 106541-15 has been successfully installed, the following command could be used:

# showrev -p | grep 106541-15
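
The grep above matches only that exact revision string. The following sketch is an added example, not part of the original text: it parses showrev -p output to report whether a patch is installed at the wanted revision or newer, or is obsoleted by an installed patch, and lists Requires: entries that nothing on the system satisfies. The function names and the abbreviated sample listing are constructed for illustration.

```shell
# Constructed sample in `showrev -p` format (entries abbreviated from the listing above).
sample_showrev() {
cat <<'EOF'
Patch: 107430-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWwsr
Patch: 106541-10 Obsoletes: 106832-03, 106976-01 Requires: 107544-02 Incompatibles:  Packages: SUNWkvm, SUNWcsu
Patch: 106541-15 Obsoletes: 106832-03, 108752-01, 109104-04 Requires: 107544-02 Incompatibles:  Packages: SUNWkvm, SUNWcsu
EOF
}

# patch_status ID-REV  (reads `showrev -p` output on stdin)
# Prints "installed <patch>", "obsoleted-by <patch>" or "missing".
# Conservative assumption: an Obsoletes: entry covers only its listed revision or older.
patch_status() {
    awk -v want="$1" '
    BEGIN { split(want, w, "-"); state = "missing" }
    $1 == "Patch:" {
        split($2, p, "-")
        # Same base ID at the wanted revision or newer satisfies the request.
        if (p[1] == w[1] && p[2] + 0 >= w[2] + 0) state = "installed " $2
        # Obsoletes: entries run from field 4 up to the "Requires:" label.
        for (i = 4; i <= NF && $i != "Requires:"; i++) {
            o = $i; sub(/,$/, "", o); split(o, q, "-")
            if (state == "missing" && q[1] == w[1] && q[2] + 0 >= w[2] + 0)
                state = "obsoleted-by " $2
        }
    }
    END { print state }'
}

# missing_prereqs  (reads `showrev -p` output on stdin)
# Prints each Requires: entry that no installed patch satisfies.
missing_prereqs() {
    listing=$(cat)
    printf '%s\n' "$listing" | awk '$1 == "Patch:" {
        i = 3; while (i <= NF && $i != "Requires:") i++
        for (i++; i <= NF && $i != "Incompatibles:"; i++) {
            r = $i; sub(/,$/, "", r); print r
        }
    }' | sort -u | while read -r req; do
        if [ "$(printf '%s\n' "$listing" | patch_status "$req")" = missing ]; then
            echo "$req"
        fi
    done
}

sample_showrev | patch_status 108752-01    # obsoleted-by 106541-15
sample_showrev | missing_prereqs           # 107544-02
```

On a live system, pipe the real listing in instead of the sample, for example: showrev -p | patch_status 106541-15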

patchrm

Patches can be easily removed by using the patchrm command. For example, to remove the patch 106541-15, the following command would be used:

# patchrm 106541-15

If the patch was previously installed, it would now be removed. However, if the patch was not previously installed, the following error message would be displayed:

Checking installed packages and patches...
Patch 106541-15 has not been applied to this system.
patchrm is terminating.

