SUSE Linux Enterprise Server 12 SP4 security updates with zypper

SUSE Product Topics SLES Updates
1

Hi Folks,

I am new here to the community. We have a script in my organization for patching SUSE linux. The script uses zypper module commands to install the patches and we also specify the patch name,type, etc.

We have recently noticed that when trying to install the patch SUSE-SU-2019:0765-1: important: Security update for the Linux Kernel it is performing the patch check and it was showing that the criteria for the patch to be applicable was TRUE:

kernel-default.x86_64 < 4.12.14-95.13.1

From what I understand, it was supposed to install kernel-default-4.12.14-95.13.1 which is the kernel version listed for the patch SUSE-SU-2019:0765-1: important: Security update for the Linux Kernel. However, when looking at the output, it actually installed kernel-default-4.12.14-95.54.1 instead.

Cab someone help me understand why it is installing a newer version of the kernel instead of the actual one which is listed for patch SUSE-SU-2019:0765-1: important: Security update for the Linux Kernel? Is this expected behaviour (default)?

I have pasted the script output below for reference as well:

Script start time (GMT): 2022-11-22 13:47:12

The script params: START_TIME=1669075200000,END_TIME=4824737777704,BULKINSTALL=false оn host=BR-SUSE12-SP4-01/...

zypper repos

Repository priorities are without effect. All enabled repositories share the same priority.

| Alias | Name | Enabled | GPG Check | Refresh

–±------------------------------------------------------------------------±-----------------------------±--------±----------±-------
1 | SLES12-SP4-12.4-0 | SLES12-SP4-12.4-0 | Yes | (r ) Yes | No
2 | SUSE_Linux_Enterprise_Server_12_SP4_x86_64:SLES12-SP4-Debuginfo-Pool | SLES12-SP4-Debuginfo-Pool | No | ---- | ----
3 | SUSE_Linux_Enterprise_Server_12_SP4_x86_64:SLES12-SP4-Debuginfo-Updates | SLES12-SP4-Debuginfo-Updates | No | ---- | ----
4 | SUSE_Linux_Enterprise_Server_12_SP4_x86_64:SLES12-SP4-Pool | SLES12-SP4-Pool | Yes | (r ) Yes | No
5 | SUSE_Linux_Enterprise_Server_12_SP4_x86_64:SLES12-SP4-Source-Pool | SLES12-SP4-Source-Pool | No | ---- | ----
6 | SUSE_Linux_Enterprise_Server_12_SP4_x86_64:SLES12-SP4-Updates | SLES12-SP4-Updates | Yes | (r ) Yes | Yes

Executing installation of the following advisories: SUSE-SLE-SERVER-12-SP4-2019-765=1
check_installation_suse=SLES12-SP4-Updates | SUSE-SLE-SERVER-12-SP4-2019-765 | security | important | reboot | needed | Security update for the Linux Kernel
Refreshing service ‘SUSE_Linux_Enterprise_Server_12_SP4_x86_64’.
Loading repository data…
Reading installed packages…
Resolving package dependencies…

The following NEW package is going to be installed:
kernel-default-4.12.14-95.54.1

The following NEW patch is going to be installed:
SUSE-SLE-SERVER-12-SP4-2019-765

The following patch requires a system reboot:
SUSE-SLE-SERVER-12-SP4-2019-765

1 new package to install.
Overall download size: 47.1 MiB. Already cached: 0 B. Download only.

Note: System reboot required.

Continue? [y/n/…? shows all options] (y): y

Retrieving package kernel-default-4.12.14-95.54.1.x86_64 (1/1), 47.1 MiB (232.5 MiB unpacked)
Retrieving: kernel-default-4.12.14-95.54.1.x86_64.rpm […done (11.3 MiB/s)]
Warning: One of the installed patches requires a reboot of your machine. Reboot as soon as possible.
Refreshing service ‘SUSE_Linux_Enterprise_Server_12_SP4_x86_64’.
Loading repository data…
Reading installed packages…
Resolving package dependencies…

The following NEW package is going to be installed:
kernel-default-4.12.14-95.54.1

The following NEW patch is going to be installed:
SUSE-SLE-SERVER-12-SP4-2019-765

The following patch requires a system reboot:
SUSE-SLE-SERVER-12-SP4-2019-765

1 new package to install.
Overall download size: 0 B. Already cached: 47.1 MiB. After the operation, additional 232.5 MiB will be used.

Note: System reboot required.

Continue? [y/n/…? shows all options] (y): y

In cache kernel-default-4.12.14-95.54.1.x86_64.rpm (1/1), 47.1 MiB (232.5 MiB unpacked)
Checking for file conflicts: […done]
(1/1) Installing: kernel-default-4.12.14-95.54.1.x86_64 […done]

Additional rpm output:
Creating initrd: /boot/initrd-4.12.14-95.54-default
dracut: Executing: /usr/bin/dracut --logfile /var/log/YaST2/mkinitrd.log --force /boot/initrd-4.12.14-95.54-default 4.12.14-95.54-default
dracut: *** Including module: bash ***
dracut: *** Including module: systemd ***
dracut: *** Including module: warpclock ***
dracut: *** Including module: systemd-initrd ***
dracut: *** Including module: i18n ***
dracut: *** Including module: drm ***
dracut: *** Including module: plymouth ***
dracut: *** Including module: btrfs ***
dracut: *** Including module: kernel-modules ***
dracut: *** Including module: resume ***
dracut: *** Including module: rootfs-block ***
dracut: *** Including module: suse-btrfs ***
dracut: *** Including module: suse-xfs ***
dracut: *** Including module: terminfo ***
dracut: *** Including module: udev-rules ***
dracut: Skipping udev rule: 40-redhat.rules
dracut: Skipping udev rule: 50-firmware.rules
dracut: Skipping udev rule: 50-udev.rules
dracut: Skipping udev rule: 91-permissions.rules
dracut: Skipping udev rule: 80-drivers-modprobe.rules
dracut: *** Including module: dracut-systemd ***
dracut: *** Including module: haveged ***
dracut: *** Including module: usrmount ***
dracut: *** Including module: base ***
dracut: *** Including module: fs-lib ***
dracut: *** Including module: shutdown ***
dracut: *** Including module: suse ***
dracut: *** Including modules done ***
dracut: *** Installing kernel module dependencies and firmware ***
dracut: *** Installing kernel module dependencies and firmware done ***
dracut: *** Resolving executable dependencies ***
dracut: *** Resolving executable dependencies done***
dracut: *** Hardlinking files ***
dracut: *** Hardlinking files done ***
dracut: *** Stripping files ***
dracut: *** Stripping files done ***
dracut: *** Generating early-microcode cpio image ***
dracut: *** Constructing GenuineIntel.bin ****
dracut: *** Store current command line parameters ***
dracut: Stored kernel commandline:
dracut: resume=UUID=17b05c05-cf49-46d3-b555-0e1108795c43
dracut: root=UUID=ba3c350f-56fe-4d54-942b-be7b4ff3823f rootfstype=btrfs rootflags=rw,relatime,ssd,space_cache,subvolid=259,subvol=/@/.snapshots/1/snapshot,subvol=@/.snapshots/1/snapshot
dracut: *** Creating image file ‘/boot/initrd-4.12.14-95.54-default’ ***
dracut: *** Creating initramfs image file ‘/boot/initrd-4.12.14-95.54-default’ done ***

Warning: One of the installed patches requires a reboot of your machine. Reboot as soon as possible.
check_installation_suse=SLES12-SP4-Updates | SUSE-SLE-SERVER-12-SP4-2019-765 | security | important | reboot | applied | Security update for the Linux Kernel
SUCCESS_PATCH_ACTIONS_COUNT=1
CUR_LOG_FILE=/var/log/intigua/log.install_patch.2022-11-22-13-47-12.1
Script end time (GMT): 2022-11-22 13:48:10
Exit code=0"}

Transaction ID script output / Expected kernel version:
kernel-default.x86_64 < 4.12.14-95.13.1

Installed Kernel version / Different from expected kernel version:
kernel-default-4.12.14-95.54.1

Many thanks for the help in advance!

Kind regards,
Bruno