https://community.hpe.com/t5/operating-system-linux/understanding-security-patching/m-p/4391102#M35860 Hi,<BR />I would like to verify if I understood redhat securiry patching procedure.<BR /><BR />1) Is it true that only way to apply security patches on redhat is installing new kernel ?<BR /><BR />2) I have to manage about 30 redhat enterprise systems of various releases (4.4, 4.6, 4.7) and I have to align all systems to last securiry patch without changing kernel release; all I have to do is to take last build of a kernel ? For example, a system has a rhel 4.6 (kernel 2.6.9-67), so I have to install last build for that kernel (2.6.9-67.0.22) that includes all security patches released till now. Is it right ?<BR /><BR />Thank you<BR /><BR />Claudio Tue, 31 Mar 2009 09:19:34 GMT ClaudioD'Anduono 2009-03-31T09:19:34Z https://community.hpe.com/t5/operating-system-linux/understanding-security-patching/m-p/4391102#M35860 Hi,<BR />I would like to verify if I understood redhat securiry patching procedure.<BR /><BR />1) Is it true that only way to apply security patches on redhat is installing new kernel ?<BR /><BR />2) I have to manage about 30 redhat enterprise systems of various releases (4.4, 4.6, 4.7) and I have to align all systems to last securiry patch without changing kernel release; all I have to do is to take last build of a kernel ? For example, a system has a rhel 4.6 (kernel 2.6.9-67), so I have to install last build for that kernel (2.6.9-67.0.22) that includes all security patches released till now. Is it right ?<BR /><BR />Thank you<BR /><BR />Claudio Tue, 31 Mar 2009 09:19:34 GMT https://community.hpe.com/t5/operating-system-linux/understanding-security-patching/m-p/4391102#M35860 ClaudioD'Anduono 2009-03-31T09:19:34Z https://community.hpe.com/t5/operating-system-linux/understanding-security-patching/m-p/4391103#M35861 Hi Claudio,<BR /><BR />1. You may have security pathes for sshd daemon for example, not kernel related.<BR />2. Config up2date to install all needed patches, but exclude kernel. This will move your systems to the same patch level.<BR /><BR />regards,<BR />ivan Tue, 31 Mar 2009 09:57:50 GMT https://community.hpe.com/t5/operating-system-linux/understanding-security-patching/m-p/4391103#M35861 Ivan Krastev 2009-03-31T09:57:50Z https://community.hpe.com/t5/operating-system-linux/understanding-security-patching/m-p/4391104#M35862 Hi Ivan,<BR />thank you very much for your answer<BR />When Redhat releases a new build for a kernel (for example 2.6.9-67.0.1 for kernel 2.6.9-67) it's because there is an update (example: a security update) for this kernel, not an upgrade. So, if it's critical, I have to install new kernel. Right ?<BR /><BR />What about security patches ?<BR />Where can I find rpms to update system packages (only for security purposes) without "jump" to another redhat release (from 4.6 to 4.7) ?<BR /><BR />Thank you very much again Tue, 31 Mar 2009 11:14:35 GMT https://community.hpe.com/t5/operating-system-linux/understanding-security-patching/m-p/4391104#M35862 ClaudioD'Anduono 2009-03-31T11:14:35Z https://community.hpe.com/t5/operating-system-linux/understanding-security-patching/m-p/4391105#M35863 Ok, I found answer to my question; all errata are available on RHN; now my problem is that systems can't connect to internet and I can't setup a RHN Proxy, so I have to group errata for OS release (4.4, 4.5, 4.6) as I can deploy them on my systems.<BR />How can I do that ? Tue, 31 Mar 2009 11:59:35 GMT https://community.hpe.com/t5/operating-system-linux/understanding-security-patching/m-p/4391105#M35863 ClaudioD'Anduono 2009-03-31T11:59:35Z https://community.hpe.com/t5/operating-system-linux/understanding-security-patching/m-p/4391106#M35864 if you update you 4.4 with the latest security patches etc, it won't be 4.4 anymore.<BR /><BR />anyway, if there is no way to connect your systems to the net (why not? as long as you block incomming you should be fine), you should put the rpm's on a internal server and point your servers to that repository to get their updates from. Wed, 01 Apr 2009 07:19:41 GMT https://community.hpe.com/t5/operating-system-linux/understanding-security-patching/m-p/4391106#M35864 dirk dierickx 2009-04-01T07:19:41Z https://community.hpe.com/t5/operating-system-linux/understanding-security-patching/m-p/4391107#M35865 Shalom Claudio,<BR /><BR />Sorry for the late response but I'm on the go and am sitting in a mall between appointments.<BR /><BR />1) No. Red Hat provides security patches for critical components of the OS in rpm form, which replaces the old binaries. Many of these patches do not require a Kernel upgrade.<BR /><BR />Take note that security fix to RHCS, Red Hat Cluster Suite that updates its kernel components often does require a kernel upgrade. Also note that many security issues are with the kernel and DO require a kernel upgrade. If you use GFS or RHCS, take care that any kernel upgrades work with those two packages in the lab.<BR /><BR />2) Best thing to do is update them all to 4.7 stable kernel release. There may be application reasons not to do this, but its the way to go most of the time.<BR /><BR />You can use yum and set up your own little rpm patch repository to have a central patch server and lower the amount of traffic on the Internet to and from Red Hats servers.<BR /><BR />SEP Wed, 01 Apr 2009 08:50:37 GMT https://community.hpe.com/t5/operating-system-linux/understanding-security-patching/m-p/4391107#M35865 Steven E. Protter 2009-04-01T08:50:37Z https://community.hpe.com/t5/operating-system-linux/understanding-security-patching/m-p/4391108#M35866 Dirk, Steven,<BR />thank you very much.<BR />Now it's almost clear.<BR />I can't connect systems to internet because customer has a very strict firewall policy.<BR />I have only one other question. If I upgrade 2 systems in cluster 4.4 to 4.7, can I do a rolling upgrade ? Or have I to schedule a stop for both systems ?<BR /><BR />Thank you very much again Thu, 02 Apr 2009 07:34:36 GMT https://community.hpe.com/t5/operating-system-linux/understanding-security-patching/m-p/4391108#M35866 ClaudioD'Anduono 2009-04-02T07:34:36Z https://community.hpe.com/t5/operating-system-linux/understanding-security-patching/m-p/4391109#M35867 I have another question too.<BR />I'm tryng to update to 4.7 copying all rpms to a local repository (/var/spool/up2date) and I would like to run up2date reading rpms from that directory, but it fails because it tries to connect to RHN and my system is not connected to internet. How can I disable RHN registration ? I tried to read up2date config file but I found nothing.<BR /><BR />Thank you Fri, 03 Apr 2009 08:52:13 GMT https://community.hpe.com/t5/operating-system-linux/understanding-security-patching/m-p/4391109#M35867 ClaudioD'Anduono 2009-04-03T08:52:13Z https://community.hpe.com/t5/operating-system-linux/understanding-security-patching/m-p/4391110#M35868 Hi,<BR />For the last questions, perhaps, you could test first with this theads, the up2date to a local directory<BR /><A href="http://forums13.itrc.hp.com/service/forums/questionanswer.do?threadId=1115567" target="_blank">http://forums13.itrc.hp.com/service/forums/questionanswer.do?threadId=1115567</A><BR />or automated system updates with /usr/bin/up2date-config for example<BR /><A href="http://www.yolinux.com/TUTORIALS/LinuxTutorialSysAdmin.html#UP2DATE" target="_blank">http://www.yolinux.com/TUTORIALS/LinuxTutorialSysAdmin.html#UP2DATE</A><BR />Regards Fri, 03 Apr 2009 14:28:12 GMT https://community.hpe.com/t5/operating-system-linux/understanding-security-patching/m-p/4391110#M35868 smatador 2009-04-03T14:28:12Z