Understanding the Importance of Updates
Keeping system software up-to-date is an important principle of an overall security strategy as described in Overview of Security Principles. Updating Oracle Linux is important to avoid and protect against software vulnerabilities and known attack vectors that malicious hackers can exploit to gain unauthorized access to systems.
Oracle releases important updates to the Oracle Linux and Oracle VM software as individual package updates, known as errata.
How often Oracle Linux systems are updated depends on many factors that each system administrator must assess. One good security practice is to accept the latest available updates, because the more out-of-date a system is, the more potential vulnerabilities and attack vectors it exposes. The older a vulnerability is, the longer malicious hackers have had to gather experience and expertise with it, and the more likely it is that systems with that vulnerability will be exploited.
Before you configure the frequency and type of updates that are installed, you must decide the level of exposure and risk that you consider to be acceptable and still meet security requirements.
Here are some examples of useful best practices to consider:
- Monitor errata as they're published by Oracle, reviewing errata as they appear and paying careful attention to security errata. Security errata are listed by severity level from critical to low.
- Schedule time to test and deploy security, bug, and enhancement errata. Testing and deploying security and bug errata as soon as possible is considered good security practice.
- Pay attention to minor releases, as they often contain a combination of security patches, bug fixes, and feature enhancements. As stated before, you must decide the frequency and timing for testing and deploying the larger set of updates. If you can't update immediately, Oracle Linux Premier support offers the Premier Backport program for optional interim backports. For more information, see About Premier Backports.
- Reduce the number of updates Oracle Linux requires by installing only the minimum software required to suit business needs. Minimizing the package footprint on systems can reduce the amount of time needed to perform software updates while also reducing exposure to security attack vectors. For more information, see Minimize and Secure the Software Footprint.
- For systems with mission-critical applications where system reboots are disruptive, consider using tools such as Ksplice to help you prevent zero-day attacks by applying security errata patches in memory, with zero downtime and without needing a reboot. For more information about Ksplice, see Oracle Linux: Ksplice User's Guide.
- Also consider using software and automation management tools to apply software updates and deployments, such as Oracle Linux Manager, Oracle Cloud Infrastructure OS Management, Oracle OS Management Hub, Oracle Linux Automation Manager, Chef, and Puppet.
Such tools can also run incremental updates to select groups of Oracle Linux systems, which can be useful when testing the impact of an update on real users in a staging environment before rolling out to production. Similarly, you can also use these tools to add RPM packages to base images so that you can tailor Oracle Linux systems and images to user roles rather than deploying the same configuration for everything.
For more recommendations that could suit highly complex production environments, see Oracle Linux: Managing Software on Oracle Linux.
Installing and Updating Errata RPM Packages
You can obtain errata information directly from Oracle Linux systems by using Yum or DNF from any Oracle Linux terminal or from ULN. After assessing the errata information, you can track, install, and update errata using these tools.
Oracle Linux 8 provides tools to help you update the system often and with minimum interference. Consider using the dnf-automatic package to download updates on a schedule, alert you to software upgrade options, and even to apply them automatically.
rpm command). You can use the dnf update --security command to update in the following ways:
- Update by CVE number,
- Update by security errata advisory number,
- Update all kernel packages to the latest kernel version that contains security errata,
- Update all security errata by severity level: critical, important, moderate, and low,
- Update all security errata to the latest release available. This option, from a security perspective, is often the best choice.
See Oracle Linux: Managing Software on Oracle Linux for more information on how to use these DNF commands.
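As an added example that is not part of the Oracle guide, the following POSIX shell script triages saved dnf updateinfo --list output offline: it counts errata by type and severity and lists the packages whose security errata meet a severity floor, which is the set that dnf update --security --sec-severity=<level> would select. The sample it parses is constructed in the format shown later in this document; the ELSA-0000-* advisories and example-* package versions are placeholders, not real advisories.

```shell
#!/bin/sh
# Added example (not from the Oracle guide): triage "dnf updateinfo --list"
# output offline. Counts errata by type/severity and lists the packages whose
# security errata meet a severity floor, mirroring what
# "dnf update --security --sec-severity=<level>" would select.
# The sample is constructed in the guide's format; the ELSA-0000-* ids and
# example-* package versions are placeholders, not real advisories.
SAMPLE=$(mktemp)
cat >"$SAMPLE" <<'EOF'
Last metadata expiration check: 0:05:41 ago on Thu 20 Jul 2023 06:42:40 PM GMT.
ELSA-2021-1679 Low/Sec.       bash-4.4.19-14.el8.x86_64
ELBA-2021-1988 bugfix         bash-4.4.20-1.el8_4.x86_64
ELSA-0000-0001 Critical/Sec.  example-openssl-0.0-1.el8.x86_64
ELSA-0000-0002 Important/Sec. example-kernel-0.0-1.el8.x86_64
ELEA-0000-0003 enhancement    example-tzdata-0.0-1.el8.noarch
ELSA-0000-0004 Moderate/Sec.  example-curl-0.0-1.el8.x86_64
EOF

# Map a severity word to a rank so a threshold can be compared numerically.
sev_rank() {
    case "$1" in
        Critical) echo 4 ;; Important) echo 3 ;;
        Moderate) echo 2 ;; Low) echo 1 ;; *) echo 0 ;;
    esac
}

# Count advisories per type column ("Critical/Sec.", "bugfix", ...), sorted.
count_by_type() {
    awk '$1 ~ /^EL[SBE]A-[0-9]+-[0-9]+$/ { n[$2]++ }
         END { for (t in n) printf "%s=%d\n", t, n[t] }' "$1" | LC_ALL=C sort
}

# Print "<advisory> <nevra>" for security errata at or above the given
# severity. Bugfix and enhancement errata are not security errata: skipped.
security_at_or_above() {
    floor=$(sev_rank "$1")
    while read -r adv type nevra; do
        case "$type" in
            */Sec.)
                if [ "$(sev_rank "${type%/Sec.}")" -ge "$floor" ]; then
                    echo "$adv $nevra"
                fi ;;
        esac
    done <"$2"
}

count_by_type "$SAMPLE"
echo "--- security errata of severity Important or higher ---"
security_at_or_above Important "$SAMPLE"
```

To use it on a real system, redirect the output of dnf updateinfo --list to a file and pass that file instead of the constructed sample.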
Understanding RPM Errata Packages and Cumulative Updates
Oracle Linux is an RPM-based distribution. RPM packages are built cumulatively as Oracle releases updates consisting of security, bug, or enhancements errata. For example, release 2 for an RPM builds on release 1, and if release 1 is installed but you want to update to release 4, then the contents of releases 2 and 3 are also included in release 4.
Errata package RPM binaries include content that you can find by using the dnf info package command. For example:

```
dnf info bash
Last metadata expiration check: 0:00:34 ago on Thu 20 Jul 2023 06:42:40 PM GMT.
Installed Packages
Name         : bash
Version      : 4.4.20
Release      : 4.el8_6
Architecture : x86_64
Size         : 6.5 M
Source       : bash-4.4.20-4.el8_6.src.rpm
Repository   : @System
From repo    : anaconda
Summary      : The GNU Bourne Again shell
URL          : https://www.gnu.org/software/bash
License      : GPLv3+
Description  : The GNU Bourne Again shell (Bash) is a shell or command language
             : interpreter that is compatible with the Bourne shell (sh). Bash
             : incorporates useful features from the Korn shell (ksh) and the C shell
             : (csh). Most sh scripts can be run by bash without modification.

Available Packages
Name         : bash
Version      : 4.4.20
Release      : 4.el8_6
Architecture : src
Size         : 9.0 M
Source       : None
Repository   : ol8_baseos_latest
Summary      : The GNU Bourne Again shell
URL          : https://www.gnu.org/software/bash
License      : GPLv3+
Description  : The GNU Bourne Again shell (Bash) is a shell or command language
             : interpreter that is compatible with the Bourne shell (sh). Bash
             : incorporates useful features from the Korn shell (ksh) and the C shell
             : (csh). Most sh scripts can be run by bash without modification.
```
- Name, version, and release information: When you update a package, the release number of the RPM changes, and the version number can also change if the RPM is rebased (this happens infrequently).
You can use the dnf updateinfo --list --installed package command to see a list of installed RPMs for a specific package with their version, release, and associated errata. For example, the following command lists all the errata applied to the bash package, together with the name, version, release, and architecture of each package:

```
dnf updateinfo --list --installed bash
Last metadata expiration check: 0:05:41 ago on Thu 20 Jul 2023 06:42:40 PM GMT.
ELBA-2019-3594 bugfix   bash-4.4.19-10.el8.x86_64
ELBA-2020-4586 bugfix   bash-4.4.19-12.el8.x86_64
ELSA-2021-1679 Low/Sec. bash-4.4.19-14.el8.x86_64
ELBA-2021-2030 bugfix   bash-4.4.19-14.el8_3.x86_64
ELBA-2019-2707 bugfix   bash-4.4.19-8.el8_0.x86_64
ELBA-2021-1988 bugfix   bash-4.4.20-1.el8_4.x86_64
ELBA-2021-4495 bugfix   bash-4.4.20-2.el8.x86_64
ELBA-2022-1993 bugfix   bash-4.4.20-3.el8.x86_64
ELBA-2022-5815 bugfix   bash-4.4.20-4.el8_6.x86_64
```

Note that the bash package was rebased from version 4.4.19 to version 4.4.20 when bugfix ELBA-2021-1988 was applied.
- Informational metadata: This metadata includes information such as a summary, description, license, and so on.
- Cryptographic signature: All Oracle Linux RPM packages are signed, and customers can use this signature to verify the provenance and authenticity of an RPM as it's being downloaded. The person or company that builds the binary provides this signature. Enabling gpgcheck=1 as a global default in the /etc/dnf/dnf.conf file ensures that all RPMs are authentic and have a valid GPG signature before the dnf command downloads or installs them. This is an important way to ensure that RPMs come from a trusted source and haven't been changed. All Oracle Linux images have the Oracle GPG keys installed and the gpgcheck option enabled by default.
Note: If you're migrating an existing system from a compatible Linux distribution to Oracle Linux, you can replace their GPG keys with Oracle keys. For example, the following script migrates a system from CentOS 8 or Rocky Linux 8 to Oracle Linux 8 and provides the option to replace their GPG keys with Oracle Linux GPG keys: https://github.com/oracle/centos2ol.
Ensuring RPM package security is one aspect of an overall data encryption strategy. For more information, see About Data Encryption.
- Dependency information: This provides details about the RPMs and versions of other packages that an RPM depends upon. For example, you can use the following command to list the direct dependencies for the bash RPM package:
dnf deplist bash
- A series of scripts that can be run at various stages during update or installation.
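As an added example that is not part of the Oracle guide, the following POSIX shell script audits the gpgcheck setting described above: it verifies that gpgcheck=1 is set in the [main] section of dnf.conf and then flags any repository section that sets gpgcheck=0, because a per-repository gpgcheck value overrides the global default. It runs against a constructed configuration tree under a temporary directory; the example-thirdparty repository id and the path layout are assumptions for the demonstration, and to audit a live system you would point it at /etc.

```shell
#!/bin/sh
# Added example (not from the Oracle guide): audit dnf signature checking.
# A gpgcheck=0 in a repository's own section overrides gpgcheck=1 in the
# dnf.conf [main] section, so both the global default and every .repo file
# must be checked. The config files below are constructed for this example.
CONF_DIR=$(mktemp -d)
mkdir -p "$CONF_DIR/yum.repos.d"
cat >"$CONF_DIR/dnf.conf" <<'EOF'
[main]
gpgcheck=1
EOF
cat >"$CONF_DIR/yum.repos.d/example.repo" <<'EOF'
[ol8_baseos_latest]
name=Oracle Linux 8 BaseOS Latest (x86_64)
gpgcheck=1
enabled=1

[example-thirdparty]
name=Constructed third-party repo with signature checking disabled
gpgcheck = 0
enabled=1
EOF

# Exit 0 only if the [main] section of the given dnf.conf sets gpgcheck=1.
global_gpgcheck_ok() {
    awk -F= '/^\[/ { in_main = ($0 == "[main]") }
        in_main && $1 ~ /^[ \t]*gpgcheck[ \t]*$/ { v = $2; gsub(/[ \t]/, "", v); ok = (v == "1") }
        END { if (ok) exit 0; exit 1 }' "$1"
}

# Print the id of every repo section in the given directory that sets
# gpgcheck=0 explicitly (such a repo bypasses the global default).
repos_with_gpgcheck_disabled() {
    awk -F= '/^\[/ { id = substr($0, 2, length($0) - 2) }
        $1 ~ /^[ \t]*gpgcheck[ \t]*$/ { v = $2; gsub(/[ \t]/, "", v); if (v == "0") print id }' "$1"/*.repo
}

# Human-readable audit report for a config root (/etc on a real system).
audit_dnf_gpgcheck() {
    if global_gpgcheck_ok "$1/dnf.conf"; then echo "dnf.conf [main]: gpgcheck=1 (ok)"
    else echo "dnf.conf [main]: gpgcheck is not 1 (FAIL)"; fi
    repos_with_gpgcheck_disabled "$1/yum.repos.d" | sed 's/^/repo sets gpgcheck=0 (FAIL): /'
}

audit_dnf_gpgcheck "$CONF_DIR"
```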
About Security Errata and CVEs
A security errata is a corrective action intended to address security vulnerabilities identified in one or more Common Vulnerabilities and Exposures (CVEs).
CVE numbers are unique, common identifiers for publicly known information about security vulnerabilities. Oracle uses CVE numbers to identify and track corrective actions driven by a reported security vulnerability. The CVE program is co-sponsored by the office of Cybersecurity and Communications at the US Department of Homeland Security and is managed by the MITRE corporation.
About Bug and Enhancement Errata
A bug errata is a corrective action generated from an issue discovered by a customer or a vendor. Oracle normally provides the bug ID involved in the errata notification. Including bug updates in a maintenance policy is considered good security practice because they can prevent issues that haven't yet been planned for or haven't yet affected the system. For example, a bug errata might prevent a problem that isn't exposed until a combination of events occurs that destabilizes the system. Therefore it's important to keep Oracle Linux systems updated with bug errata.
Enhancements are incremental new features or updates provided by Oracle.
Obtaining Errata and CVE Notices
To be notified when Oracle releases new errata packages, you can subscribe to the Oracle Linux and Oracle VM errata mailing lists at https://oss.oracle.com/mailman/listinfo/el-errata and https://oss.oracle.com/mailman/listinfo/oraclevm-errata.
If you're logged in to ULN, you can also subscribe to these mailing lists by following the Subscribe to Enterprise Linux Errata mailing list and Subscribe to Oracle VM Errata mailing list links that are provided in the Errata tab.
Oracle publishes a complete list of errata made available on ULN at https://linux.oracle.com/errata. You can also see a published listing of Common Vulnerabilities and Exposures (CVEs) and explore their details and status at https://linux.oracle.com/cve.
You can also track updates to Oracle Linux yum server repositories by visiting https://yum.oracle.com/whatsnew.html, where you can see which packages were updated within each repository for the previous six months.
About Premier Backports
Through the Premier Backport program, you can request that errata available on a later release be backported to the previous release that you're using. The previous release can qualify for a backport for up to six months from the time when the new release becomes "generally available".
For example, the following table shows glibc packages available for a package version with a hypothetical latest release date of June 19, 2022:
RPM | Release Date | Backports available until
---|---|---
glibc-2.28-164.0.3.el8.x86_64 | 18-Feb-2022 | 18-Aug-2022 (Based on 08-Mar-2022 plus 6 months)
glibc-2.28-164.0.5.el8.x86_64 | 08-Mar-2022 | 08-Sept-2022 (Based on 16-Mar-2022 plus 6 months)
glibc-2.28-164.0.5.el8_5.3.x86_64 | 16-Mar-2022 | 16-Sept-2022 (Based on 19-Jun-2022 plus 6 months)
glibc-2.28-189.5.0.1.el8_6.x86_64 | 19-Jun-2022 | Latest release in this example
Oracle publishes a list of RPMs that can qualify for a backport here: https://linux.oracle.com/backport-schedule.html. To determine when premier backport availability expires, add six months to the package's release date listed in the Release Date column. For additional information, see the description of Oracle Linux Premier support levels in the Oracle Linux and Oracle VM Support Policies.