SLES 10 SP3 Kernel Update

Hi All,

Could someone give me a pointer on a kernel update please ?

We have installed SLES 10 SP3, 64 bit (6 core CPU). The customer is
requesting we install kernel patch 7568 due to security improvements.
(Kernel is ‘here’
(http://download.novell.com/protected/Summary.jsp?buildid=EYCOXyxfFS0))

a) Is that patch definitely OK for 64 bit ? It mentions i586/x86 only,
no mention of x86_64.
b) Am I right in thinking I need to install only the one rpm, the smp
kernel “kernel-smp-2.6.16.60-0.79.1.i586.rpm” ? Output from uname is
Kernel 2.6.16.60-0.54.5-smp. So I don’t want the default kernel ? Or
any of the other rpm’s available under that patch ?

Thanks for your help in avoiding any midnight disasters.

JF.


Jupiter_Ferris

Jupiter_Ferris’s Profile: http://forums.novell.com/member.php?userid=123140
View this thread: http://forums.novell.com/showthread.php?t=451386

Jupiter_Ferris;2170819 Wrote:[color=blue]

Hi All,

Could someone give me a pointer on a kernel update please ?

We have installed SLES 10 SP3, 64 bit (6 core CPU). The customer is
requesting we install kernel patch 7568 due to security improvements.
(Kernel is ‘here’
(http://download.novell.com/protected/Summary.jsp?buildid=EYCOXyxfFS0))

a) Is that patch definitely OK for 64 bit ? It mentions i586/x86 only,
no mention of x86_64.
b) Am I right in thinking I need to install only the one rpm, the smp
kernel “kernel-smp-2.6.16.60-0.79.1.i586.rpm” ? Output from uname is
Kernel 2.6.16.60-0.54.5-smp. So I don’t want the default kernel ? Or
any of the other rpm’s available under that patch ?

Thanks for your help in avoiding any midnight disasters.

JF.[/color]

Does the customer not have an update subscription for this SLES server?
That is the recommended way to get the fixes on the server (using YOU,
the YaST Online Update tool or rug).

Also, the rpm’s you are pointing to are for 32bit systems (hence the
i568 in the name indicating 32bit arch, 64bit is indicated by x86_64).

An added consideration is that along with the kernel there are also
modules and sources that need to match the running kernel. So there
could be bits that brake if you only patch this bit but don’t also
update other packages. Normally the packaging mechanism will warn
against updating a package that might brake others, but that only takes
packages in account that have been added as rpm package, an not those
pieces that have been manually added/compiled.

In all this, my advise would be to update using the YOU tool and via
the official SLES update channel. It should contain the fix in patch
7568 plus more that have been included there after (as this particular
patch was released on 2011-06-29).

Hope that helps,
Willem


Novell Knowledge Partner (voluntary sysop)

It ain’t anything like Harry Potter… but you gotta love the magic IT
can bring to this world

magic31’s Profile: http://forums.novell.com/member.php?userid=2303
View this thread: http://forums.novell.com/showthread.php?t=451386

Hi Willem. Thanks for the response. This server is in a highly secure
environment and no online update is available or indeed allowed. I need
to apply that patch as a one off, and nothing else.


SandyGBR

SandyGBR’s Profile: http://forums.novell.com/member.php?userid=123138
View this thread: http://forums.novell.com/showthread.php?t=451386

Hi Willem. Thanks for the reply. This server is in a highly secure
environment and no internet access is available or indeed allowed.
Also, only that patch should be applied, and nothing else. So I just
need a bit of direction on which rpm to use… default? smp ? etc…


Jupiter_Ferris

Jupiter_Ferris’s Profile: http://forums.novell.com/member.php?userid=123140
View this thread: http://forums.novell.com/showthread.php?t=451386

Jupiter_Ferris;2171330 Wrote:[color=blue]

Hi Willem. Thanks for the reply. This server is in a highly secure
environment and no internet access is available or indeed allowed.
Also, only that patch should be applied, and nothing else. So I just
need a bit of direction on which rpm to use… default? smp ? etc…[/color]

For these types of environments, having an SMT update server could be a
way to go. Another option could be to do an offline update or using the
patch CD method to bring that server to SLES 10 SP4, which has a newer
kernel than the patch you are looking for IIRC.

To know which rpm’s are the right ones for that system, look at the
output of ‘uname -a’ on the server you need to apply it to. It should
show all relevant details of the running kernel.

Cheers,
Willem


Novell Knowledge Partner (voluntary sysop)

It ain’t anything like Harry Potter… but you gotta love the magic IT
can bring to this world

magic31’s Profile: http://forums.novell.com/member.php?userid=2303
View this thread: http://forums.novell.com/showthread.php?t=451386

Yes we can’t go to SP4. It’s a highly controlled environment and only
that kernel patch should be activated. uname output I mentioned in the
original post, it shows as smp kernel… Does that mean we only apply
the smp rpm, because that’s a 20mb download whereas the default kernel
for that patch release was 40mb. Do we only need to apply the one rpm,
or two ?


Jupiter_Ferris

Jupiter_Ferris’s Profile: http://forums.novell.com/member.php?userid=123140
View this thread: http://forums.novell.com/showthread.php?t=451386

Jupiter_Ferris;2171371 Wrote:[color=blue]

Yes we can’t go to SP4. It’s a highly controlled environment and only
that kernel patch should be activated.[/color]
Ok… if it’s not an option… it’s not an option. I do not get that
newer patches are not to be applied if patching is something that is
required anyway, but that is for you/your customer to decide.

Jupiter_Ferris;2171371 Wrote:[color=blue]

uname output I mentioned in the original post, it shows as smp
kernel… Does that mean we only apply the smp rpm, because that’s a
20mb download whereas the default kernel for that patch release was
40mb. Do we only need to apply the one rpm, or two ?[/color]

I missed that that actually was the output of uname. :slight_smile:

In that case, yes, you only need the smp package. Assuming there are
no other kernel versions also installed (which you can quickly check
with ‘rpm -qa|grep kernel-’), it should be ok.

You can update the kernel package by itself, or use the --test switch
to see if any errors would occur. On the other hand dependent packages
will let you know, well rpm will, if something does not agree and
requires to be updated as well (like the kernel-sources package if it’s
installed).

-Willem


Novell Knowledge Partner (voluntary sysop)

It ain’t anything like Harry Potter… but you gotta love the magic IT
can bring to this world

magic31’s Profile: http://forums.novell.com/member.php?userid=2303
View this thread: http://forums.novell.com/showthread.php?t=451386

Thanks for the reply Willem.

Could you also confirm this is OK for 64bit ? There is no mention of
64 bit anywhere on these rpm downloads, just i586. Is the kernel
compatible for both 32/64 ?

Thanks.


Jupiter_Ferris

Jupiter_Ferris’s Profile: http://forums.novell.com/member.php?userid=123140
View this thread: http://forums.novell.com/showthread.php?t=451386

Jupiter_Ferris;2171571 Wrote:[color=blue]

Thanks for the reply Willem.

Could you also confirm this is OK for 64bit ? There is no mention of
64 bit anywhere on these rpm downloads, just i586. Is the kernel
compatible for both 32/64 ?

Thanks.[/color]

No, that’s what I mentioned before. The patches you linked to are only
for 32bit systems and will break your system if you install/force it
onto a 64bit system.

I did a search for this patch number and SLES 10 SP3 to see if there
were any 64bit options, but none that I could find. Possibly the patch
number for 64bit is slightly different. Searching on the highest CVE
patch numbers mentioned in the 32bit download page gives me patches for
SLES 10 SP4.

You could do the search on the patch for the security fix you are
specifically after and see if you can find the specific patch for 64bit
systems.

Cheers,
Willem


Novell Knowledge Partner (voluntary sysop)

It ain’t anything like Harry Potter… but you gotta love the magic IT
can bring to this world

magic31’s Profile: http://forums.novell.com/member.php?userid=2303
View this thread: http://forums.novell.com/showthread.php?t=451386

Ok Willem. I also searched for 64 bit equivalent and couldn’t find any,
I wasn’t sure if this patch did both or it wasn’t required for 64 bit.

Thanks very much for your help, it’s been much appreciated.

JF.


Jupiter_Ferris

Jupiter_Ferris’s Profile: http://forums.novell.com/member.php?userid=123140
View this thread: http://forums.novell.com/showthread.php?t=451386

Hi Jupiter

Something weird has indeed happened to
kernel-smp-2.6.16.60-0.79.1.x86_64.rpm. Although it is not in the
SLES10-SP3-Updates/sles-10-x86_64/ repository, there are traces like
kernel-smp-2.6.16.60-0.79.1_0.81.2.x86_64.delta.rpm left…
Nevertheless, what I wanted to say is, that if your concern is security
fixes and the server(s) must be updated anyway, I would highly recommend
taking the last published kernel for SP3, which is
kernel-smp-2.6.16.60-0.83.2.x86_64.rpm.
//Andreas


ataschner

ataschner’s Profile: http://forums.novell.com/member.php?userid=7706
View this thread: http://forums.novell.com/showthread.php?t=451386