7 Replies Latest reply on Apr 1, 2014 1:24 AM by ccsungrp

    Oracle Linux Vulnerabilities


      Hi All,


      May I know if the vulnerabilities reported for Red Hat, as mentioned in the Vulnerability Summary for the Week of February 3, 2014, will also affect Oracle Linux?


      Thanks & Regards

        • 1. Re: Oracle Linux Vulnerabilities

          Have you checked the Oracle website and Oracle Metalink?

          • 2. Re: Oracle Linux Vulnerabilities
            Avi Miller-Oracle

            You can check via the Oracle Linux CVE database: http://linux.oracle.com/cve


            Just enter the CVE number and it'll tell you what package version (if any) resolves that CVE. Though, many of the CVEs listed on that page you've provided do not apply to either Red Hat or Oracle Linux.

            • 3. Re: Oracle Linux Vulnerabilities

              Why bother asking if you do not have the time to read and evaluate each US-CERT bulletin or CVE, or do not have the necessary understanding to judge the practical impact in your environment? If you are looking for a general answer on how to deal with security issues, then simply apply regular software updates. Updates for Oracle Linux, unlike Red Hat, are provided for free without the need for a subscription.


              You can install and list available security patches using yum, e.g.:


              yum list-security


              To find out what CVE patches have been applied:


              rpm -qa --changelog | grep CVE
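
Added example, not part of the original reply: a shell sketch that takes the CVE IDs from a bulletin and checks each one against the output of `rpm -qa --changelog`. The function names, output labels and sample IDs are assumptions made for illustration; an ID with no changelog entry may be either unpatched or not applicable, which the Oracle Linux CVE page mentioned in reply 2 can settle.

```shell
#!/bin/sh
# Cross-check bulletin CVE IDs against installed-package changelogs.
# Hypothetical helper names; only `rpm -qa --changelog` comes from the thread.

# extract_cves: read changelog text on stdin, print each CVE ID once.
extract_cves() {
    grep -oE 'CVE-[0-9]{4}-[0-9]{4,}' | sort -u
}

# triage_cves CHANGELOG_FILE CVE-ID...
# Prints "<id> fixed-in-changelog" when an installed package records a fix,
# otherwise "<id> no-changelog-entry" (unpatched OR not applicable).
triage_cves() {
    changelog=$1
    shift
    found=$(extract_cves < "$changelog")
    for cve in "$@"; do
        # -x -F: whole-line literal match, so CVE-1900-0001 does not
        # match a longer ID such as CVE-1900-00011.
        if printf '%s\n' "$found" | grep -qxF "$cve"; then
            echo "$cve fixed-in-changelog"
        else
            echo "$cve no-changelog-entry"
        fi
    done
}

# When run with CVE IDs as arguments on an RPM-based host, query the
# real package database once and triage every ID against it.
if [ "$#" -gt 0 ] && command -v rpm >/dev/null 2>&1; then
    tmp=$(mktemp)
    rpm -qa --changelog > "$tmp"
    triage_cves "$tmp" "$@"
    rm -f "$tmp"
fi
```

Run it with the bulletin's CVE IDs as arguments; the IDs reported as `no-changelog-entry` are the ones worth looking up individually.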

              • 4. Re: Oracle Linux Vulnerabilities

                Hi Dudel,


                Thanks for your quick reply. In effect, our management hopes to know what sort of vulnerabilities published in the US-CERT bulletin will affect Oracle Linux. So, we hope to know if those mentioned CVEs related to Red Hat will affect Oracle Linux as well. Hope that makes our original question clearer. Thanks in advance.

                • 5. Re: Oracle Linux Vulnerabilities

                  Thanks to all who have given us a prompt reply. But we really hope to know if those Red Hat related CVEs will affect Oracle Linux as well. Thanks in advance.

                  • 6. Re: Oracle Linux Vulnerabilities

                    Besides the Oracle UEK kernel and other Oracle-specific software, OL and RHEL use the same source code. You will have to distinguish between the kernel space and user space. Security issues that apply to the RHEL user space have the potential to apply to the Oracle Linux user space as well.


                    One cannot really criticize the efforts by US-CERT, but in my experience, it always sounds critical and the practical aspects are typically exaggerated. The urgency or importance is often driven by the press for political reasons or simply by people who do not understand the technical circumstances and how vulnerabilities are applicable to their environment.


                    Unless you really want to go into the details and analysis of CVEs and have the necessary technical background to evaluate vulnerabilities, I suggest leaving it up to Oracle to determine. The easiest way is to simply apply security updates on a regular basis.

                    • 7. Re: Oracle Linux Vulnerabilities

                      Hi Dunde,


                      Thanks for your further elaboration. It really helps.