Determining whether or not a package has been patched for a bug or CVE
This document (7002558) is provided subject to the disclaimer at the end of this document.
Environment
Situation
Resolution
To check whether a currently installed package has been patched for a bug or security vulnerability, query zypper with the --bug and --cve flags (this is the preferred method, because it asks the update server which patch fixes the issue and whether that patch is still needed).
The "rpm" command with the flags "-q --changelog" also shows the fixes that went into the installed package build, including security fixes, because SUSE records the bug and CVE references in the package changelog.
For example, "rpm -q --changelog kernel-smp" shows output similar to:
-- patches.fixes/hrtimers-avoid-overflow-for-large-relative-timeouts:
hrtimers: avoid overflow for large relative timeouts (347262,112296-
CVE-2007-5966).
The output shows the change information, including the SUSE Bugzilla number, the CVE number and the Linux kernel bug number.
Using zypper:
Note: zypper can only answer this question if the system is registered against a valid update server such as Subscription Management Tool (SMT) or SUSE Manager, because the patch metadata comes from the update repositories.
SLE11 SP1 based systems: two steps are needed, because the "zypper lp" table on SP1 has no Status column:
- zypper lp -a --cve=CVE#
- zypper patch-info <patch-name>
e.g.
- zypper lp -a --cve=CVE-2010-2074
which returns:
sles11sp1:~ # zypper lp -a --cve=CVE-2010-2074
Loading repository data...
Reading installed packages...
Issue | No.           | Patch            | Category
------+---------------+------------------+---------
cve   | CVE-2010-2074 | slessp1-w3m-2563 | security
- In the second step, check the output of "zypper patch-info slessp1-w3m-2563" to see whether the patch has already been applied. The -a flag lists all matching patches, installed or not, so the first step alone does not tell you whether the system is still affected.
SLE11 SP2 and later based systems: the table carries a Status column, so a single command is enough:
sles11sp2:~ # zypper lp -a --cve=CVE-2010-2074
Refreshing service 'spacewalk'.
Loading repository data...
Reading installed packages...
Issue | No.           | Patch                 | Category | Status
------+---------------+-----------------------+----------+-----------
cve   | CVE-2010-2074 | slessp1-w3m-2563-2563 | security | not needed
Only a Status of "needed" means the fix is still missing from this system.
To list every CVE for which a patch is still needed, run: zypper lp --cve
Additional Information
You can also view all current SUSE Linux Security Advisories.
Many of the bug references have a three-letter prefix in front of the numbers. The following explains what the numbers mean, using the reference (347262,112296-CVE-2007-5966) from the changelog above as an example:
- CVE-: Common Vulnerabilities and Exposures identifier, maintained at mitre.org
- BNC# or a number with no letters: SUSE Bugzilla number at SUSE Bugzilla (requires username/password)
- LTC#: IBM Linux Technology Center Bug Number
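The two checks described under Resolution (reading the "zypper lp -a --cve" table and searching "rpm -q --changelog" output) together with the reference scheme explained in this section, as an added POSIX shell example. This is not part of the TID and not a SUSE tool; it parses constructed sample text that matches the formats shown on this page, so it runs without an update server. The function names, the second changelog entry and the bug numbers 400000 and 41234 in it are made up for illustration; the bare-number rule (five or more digits means a Bugzilla number) is a heuristic.

```shell
#!/bin/sh
# Added example, not part of the TID: parse the outputs of
#   zypper lp -a --cve=CVE-xxxx-yyyy      and      rpm -q --changelog <pkg>
# to decide whether a CVE is already covered. All sample text below is
# constructed to match the formats shown in the TID, so the script runs
# offline; on a real system substitute the live command output (see bottom).

# Constructed sample: SLE11 SP2 style table, which has a Status column.
SAMPLE_LP_SP2=$(cat <<'EOF'
Refreshing service 'spacewalk'.
Loading repository data...
Reading installed packages...
Issue | No.           | Patch                 | Category | Status
------+---------------+-----------------------+----------+-----------
cve   | CVE-2010-2074 | slessp1-w3m-2563-2563 | security | not needed
EOF
)

# Constructed sample: SLE11 SP1 style table, which has no Status column.
SAMPLE_LP_SP1=$(cat <<'EOF'
Loading repository data...
Reading installed packages...
Issue | No.           | Patch            | Category
------+---------------+------------------+---------
cve   | CVE-2010-2074 | slessp1-w3m-2563 | security
EOF
)

# Constructed sample of "rpm -q --changelog" output. The first reference is
# wrapped over two lines as rpm prints it; the second entry (made up) shows
# the bnc# and LTC# forms.
SAMPLE_CHANGELOG=$(cat <<'EOF'
* Thu Feb 05 2009 maintainer@example.invalid
- patches.fixes/hrtimers-avoid-overflow-for-large-relative-timeouts:
  hrtimers: avoid overflow for large relative timeouts (347262,112296-
  CVE-2007-5966).
- patches.fixes/s390-example-fix: made-up entry (bnc#400000, LTC#41234).
EOF
)

# cve_patch_status TABLE CVE
# Prints "<patch> <status>" for the row of a "zypper lp -a --cve" table that
# names CVE. Without a Status column (SLE11 SP1) the status is "unknown" and
# "zypper patch-info <patch>" is still required, as the TID says.
cve_patch_status() {
    printf '%s\n' "$1" | awk -F'|' -v cve="$2" '
        {
            for (i = 1; i <= NF; i++) gsub(/^[ \t]+|[ \t]+$/, "", $i)
            if ($1 != "cve" || $2 != cve) next
            found = 1
            print $3, (NF >= 5 ? $5 : "unknown")
        }
        END { if (!found) print "none listed" }'
}

# changelog_mentions_cve CHANGELOG CVE
# Exit status 0 if the exact CVE id occurs in the changelog text. The
# boundary check keeps CVE-2007-5966 from matching CVE-2007-59661.
changelog_mentions_cve() {
    printf '%s\n' "$1" | grep -q -E "(^|[^0-9])$2([^0-9]|\$)"
}

# changelog_refs CHANGELOG
# Lists every bug reference in the changelog, labelled with the scheme from
# "Additional Information": CVE-* -> cve, LTC#n -> ltc, bnc#n or a bare
# number -> bnc. Bare numbers are a heuristic (five or more digits).
changelog_refs() {
    printf '%s\n' "$1" | awk '
        {
            line = $0
            gsub(/[(),]/, " ", line)        # separators used inside "(...)"
            gsub(/-CVE-/, " CVE-", line)    # "112296-CVE-2007-5966" on one line
            n = split(line, tok, " ")
            for (i = 1; i <= n; i++) {
                t = tok[i]
                sub(/-$/, "", t)            # "112296-" left at a wrapped line end
                if (t ~ /^CVE-[0-9]+-[0-9]+$/)                 print "cve " t
                else if (t ~ /^LTC#[0-9]+$/)   { sub(/^LTC#/, "", t); print "ltc " t }
                else if (t ~ /^bnc#[0-9]+$/)   { sub(/^bnc#/, "", t); print "bnc " t }
                else if (t ~ /^[0-9][0-9][0-9][0-9][0-9]+$/)   print "bnc " t
            }
        }'
}

# Demonstration on the constructed samples.
cve_patch_status "$SAMPLE_LP_SP2" CVE-2010-2074     # slessp1-w3m-2563-2563 not needed
cve_patch_status "$SAMPLE_LP_SP1" CVE-2010-2074     # slessp1-w3m-2563 unknown
changelog_mentions_cve "$SAMPLE_CHANGELOG" CVE-2007-5966 && echo "CVE-2007-5966 is in the changelog"
changelog_refs "$SAMPLE_CHANGELOG"

# On a registered system feed the live output in instead, for example:
#   cve_patch_status "$(zypper lp -a --cve=CVE-2010-2074)" CVE-2010-2074
#   changelog_mentions_cve "$(rpm -q --changelog kernel-smp)" CVE-2007-5966
```

The changelog check is a complement, not a replacement, for the zypper query: it proves the installed build carries a fix with that CVE id, but only zypper knows whether a newer patch is still pending for the system.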
SUSE Manager
One feature of SUSE Manager is the ability to run a CVE audit across all registered systems to identify those that lack security updates, instead of querying each system with zypper. See the CVE Audit chapter of the SUSE Manager documentation (for example, for SUSE Manager 4.3) for details.
Disclaimer
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID:7002558
- Creation Date: 05-Feb-2009
- Modified Date:29-Jun-2023
- SUSE Linux Enterprise Desktop
- SUSE Linux Enterprise Point of Service
- SUSE Linux Enterprise Server
- SUSE Linux Enterprise Real Time Extension
For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com