Tracking Security Updates and Errata Releases

Oracle releases important changes to the Oracle Linux software as individual package updates, known as errata. These package updates are made available for download on ULN before they're gathered into a release or distributed through the _patch channel.

Errata packages can contain the following:

  • Security advisories, which have names prefixed by ELSA-* (for Oracle Linux) and OVMSA-* (for Oracle VM).

  • Bug fix advisories, which have names prefixed by ELBA-* and OVMBA-*.

  • Feature enhancement advisories, which have names prefixed by ELEA-* and OVMEA-*.

To be notified when new errata packages are released, you can subscribe to the Oracle Linux and Oracle VM errata mailing lists at https://oss.oracle.com/mailman/listinfo/el-errata and https://oss.oracle.com/mailman/listinfo/oraclevm-errata.

If you're signed in to ULN, you can also subscribe to these mailing lists by following the Subscribe to Enterprise Linux Errata mailing list and Subscribe to Oracle VM Errata mailing list links that are provided on the Errata tab.

Oracle publishes a complete list of errata made available on ULN at https://linux.oracle.com/errata. You can also see a published listing of Common Vulnerabilities and Exposures (CVEs) and explore their details and status at https://linux.oracle.com/cve.

You can also track updates to Oracle Linux yum server repositories by visiting https://yum.oracle.com/whatsnew.html, where you can see which packages were updated within each repository for the previous six months.

Note:

Oracle doesn't comment on existing security vulnerabilities except through Errata announcements at https://linux.oracle.com/errata. To provide the best security posture to all Oracle customers, Oracle fixes significant security vulnerabilities in severity order. So, the most critical issues are always fixed first. Fixes for security vulnerabilities are produced in the following order:
  • Latest code line refers to the code being developed for the next major Oracle release of the product.
  • Next patch set for all non terminal releases

Using DNF to See Security Updates

DNF includes integrated options to handle any requirement for managing security and errata updates that are available for packages installed in Oracle Linux.

For more information, see the dnf(8) manual page.

  • List available errata and security updates.

    List the errata that are available for a system as follows: 

    sudo dnf updateinfo list

    The output from the command sorts the available errata in order of their IDs and identifies their types, which can be one of the following:

    • Security patch (severity/Sec.)
    • Bug fix (bugfix)
    • Feature enhancement (enhancement)

    Security patches are also listed according to their severity, which can be Critical, Important, Moderate, or Low.

    • Use the --sec-severity option to filter the security errata by severity, for example: 

      sudo dnf updateinfo list --sec-severity=Critical

    • To list the security errata by their Common Vulnerabilities and Exposures (CVE) IDs instead of their errata IDs, specify the keyword cves as an argument: 

      sudo dnf updateinfo list cves
      Similarly, the keywords bugfix, enhancement, and security filter the list for all bug fixes, enhancements, and security errata.

    • You can use the --cve option to display the errata that correspond to a specific CVE ID, for example: 

      sudo dnf updateinfo list --cve CVE-2022-3545
  • Display more information about a security updated.

    To display more information about a CVE, specify info instead of list, for example: 

    sudo dnf updateinfo info --cve CVE-ID
  • Perform security related updates on a system.

    Use any of the following options:

    • To update all the packages for which security-related errata are available to the latest versions of the packages, even if those packages that include bug fixes or new features but not security errata, use the following command: 

      sudo dnf --security update

    • To update all packages to the latest versions that contain security errata, ignoring any newer packages that don't contain security errata, use the following command: 

      sudo dnf --security upgrade-minimal

    • To update all kernel packages to the latest versions that contain security errata, use the following command: 

      sudo dnf --security upgrade-minimal kernel*

    • To update only those packages that correspond to a CVE or erratum, use the dnf update --cve command. For Enterprise Linux Security Advisory (ELSA) patches, use dnf update --advisory. 

      sudo dnf update --cve CVE-ID
      sudo dnf update --advisory ELSA-ID

    Note:

    Some updates might require that you reboot the system. By default, the boot manager automatically enables the most recent kernel version.

Using ULN to Manage System-Specific Errata

Monitoring available errata in ULN keeps you current on updates that might be needed on registered systems.

You can only manage errata for systems that are registered with ULN.

With this task, you can download a CVS report about errata that affect a specific system. Through the report, you can identify the necessary RPMs to download to update that system.

  1. Sign in to https://linux.oracle.com with valid SSO credentials.
  2. On the Systems tab, select the link named for the system in the list of registered machines.
    The System Details page lists the available errata for the system in the Available Errata table, which might be split over several pages.
  3. Select Download All Available Errata for this System.

    Or, use the sudo dnf upgrade command directly on the affected system to download the RPMs and update the system with all available errata updates.

  4. To see more detail about an advisory and to download the RPMs:
    1. Select the link for the advisory.
    2. On the System Errata Detail page for an advisory, you can download the RPMs for the affected releases and system architectures.

Using ULN to Browse Available Errata

Monitoring available errata in ULN keeps you current on updates that might be needed on registered systems.

You can only monitor errata for systems that are registered with ULN.

With this task, you can browse all available errata directly in ULN and then select to download the errata RPMs that registered systems require.

  1. Sign in to https://linux.oracle.com with the appropriate SSO credentials.
  2. Select the Errata tab.
    The Errata page displays a table of the available errata for all releases that are available on ULN.
  3. On the Errata page, you can perform the following actions on the displayed errata:

    • To sort the table of available errata, select the title of the Type, Severity, Advisory, Systems Affected, or Release Date column. Select the title again to reverse the order of sorting.

      Note:

      The Systems Affected column shows how many systems might be affected by an advisory.

    • To display or hide advisories of different types, select or clear the Bug, Enhancement, and Security check boxes and select Go.

    • To display only advisories for a certain release of Oracle Linux or Oracle VM, select that release from the Release list and select Go.

    • To search within the table, enter a string in the Search field and select Go.

  4. To see more detail about an advisory and to download the RPMs:
    1. Select the link for the advisory.
    2. On the Errata Detail page for an advisory, you can download the RPMs for the supported releases and system architectures. The Superseded By Advisory column displays a link to the most recent advisory (if any) that replaces the advisory you're browsing.