Update: Oracle Linux: A better alternative to CentOS …really?

I got a nice hint from Oracle this week that they have fixed the lack of CVE information in their yum repos. As I wrote in a previous blog post, it was disappointing that at the time of releasing OEL for the “masses” they did not have metadata available, which put them on par with CentOS. You basically needed a Spacewalk server to get a brief overview of the security, bugfix or enhancement updates for the packages installed on your system. Having metadata available changes a lot because it makes life easier for admins. Compared to CentOS, which does not provide any metadata information, or Red Hat, where you need to buy a subscription, Oracle now gives you security information for free! And as far as I know they might integrate bugfixes and enhancements too!

http://public-yum.oracle.com/repo/OracleLinux/OL6/3/base/x86_64/repodata/

The updateinfo.xml.gz file is there, which is very nice. Let's do some tests on a freshly installed OEL 6.3:

[root@oel6.3 ~]# yum list-security

CVE-2012-3817 security bind-libs-32:9.8.2-0.10.rc1.el6_3.2.x86_64
CVE-2012-4244 security bind-libs-32:9.8.2-0.10.rc1.el6_3.3.x86_64
CVE-2012-3817 security bind-utils-32:9.8.2-0.10.rc1.el6_3.2.x86_64
CVE-2012-4244 security bind-utils-32:9.8.2-0.10.rc1.el6_3.3.x86_64
CVE-2012-3524 security dbus-1:1.2.24-7.0.1.el6_3.x86_64
CVE-2012-3524 security dbus-libs-1:1.2.24-7.0.1.el6_3.x86_64
CVE-2012-3954 security dhclient-12:4.1.1-31.P1.0.1.el6_3.1.x86_64
CVE-2012-3571 security dhclient-12:4.1.1-31.P1.0.1.el6_3.1.x86_64
CVE-2012-3571 security dhcp-common-12:4.1.1-31.P1.0.1.el6_3.1.x86_64
CVE-2012-3954 security dhcp-common-12:4.1.1-31.P1.0.1.el6_3.1.x86_64
CVE-2012-4405 security ghostscript-8.70-14.el6_3.1.x86_64
CVE-2012-3405 security glibc-2.12-1.80.el6_3.3.x86_64
CVE-2012-3406 security glibc-2.12-1.80.el6_3.3.x86_64

Nice, having the CVE information is very important. It allows us to see whether any security-related updates are pending. The good thing about having this information is that individual CVEs can be queried and specific security updates can be applied.
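The CVE-to-package mapping that yum prints here comes from the repository's updateinfo.xml.gz. The following is an added example, not code from the original post or from Oracle: a small parser that builds the same listing from an updateinfo document. The sample XML is constructed, its advisory ids and URLs are placeholders, and the element and attribute names are assumed to follow the usual updateinfo.xml layout.

```python
import gzip
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample in the updateinfo.xml layout. Advisory ids are placeholders;
# the security CVE/package pairs are copied from the yum list-security output above.
SAMPLE_XML = b"""<updates>
 <update type="security" status="final"><id>EXAMPLE-SEC-1</id>
  <references><reference type="cve" id="CVE-2012-3817" href="https://example.invalid/1"/></references>
  <pkglist><collection>
   <package name="bind-libs" epoch="32" version="9.8.2" release="0.10.rc1.el6_3.2" arch="x86_64"/>
   <package name="bind-utils" epoch="32" version="9.8.2" release="0.10.rc1.el6_3.2" arch="x86_64"/>
  </collection></pkglist></update>
 <update type="security" status="final"><id>EXAMPLE-SEC-2</id>
  <references><reference type="cve" id="CVE-2012-4405" href="https://example.invalid/2"/></references>
  <pkglist><collection>
   <package name="ghostscript" epoch="0" version="8.70" release="14.el6_3.1" arch="x86_64"/>
  </collection></pkglist></update>
 <update type="bugfix" status="final"><id>EXAMPLE-BUG-1</id>
  <references><reference type="self" id="EXAMPLE-BUG-1" href="https://example.invalid/3"/></references>
  <pkglist><collection>
   <package name="example-pkg" epoch="0" version="1.0" release="1.constructed" arch="noarch"/>
  </collection></pkglist></update>
</updates>"""


def nevra(pkg):
    """Format a <package> element the way yum prints it (epoch hidden when 0)."""
    epoch = pkg.get("epoch") or "0"
    prefix = "" if epoch == "0" else epoch + ":"
    return "%s-%s%s-%s.%s" % (pkg.get("name"), prefix, pkg.get("version"),
                              pkg.get("release"), pkg.get("arch"))


def cve_index(data):
    """Return {CVE id: sorted package list} for type="security" updates only."""
    if data[:2] == b"\x1f\x8b":          # gzip magic: the repo ships updateinfo.xml.gz
        data = gzip.decompress(data)
    index = defaultdict(set)
    # Stdlib parser: acceptable for a mirror you trust, not for arbitrary XML.
    for update in ET.fromstring(data).iter("update"):
        if update.get("type") != "security":
            continue                      # bugfix/enhancement entries are skipped
        cves = [r.get("id") for r in update.iter("reference") if r.get("type") == "cve"]
        for pkg in update.iter("package"):
            for cve in cves:
                index[cve].add(nevra(pkg))
    return {cve: sorted(pkgs) for cve, pkgs in index.items()}


if __name__ == "__main__":
    for cve, pkgs in sorted(cve_index(gzip.compress(SAMPLE_XML)).items()):
        for p in pkgs:
            print(cve, "security", p)
```

A repository whose repodata has no updateinfo file gives this kind of tooling, and the yum security plugin, nothing to work with, which is the gap the post describes.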

Let’s query the information for a CVE:

[root@oel63 ~]# yum info-security CVE-2012-2390
Loaded plugins: security

===============================================================================

===============================================================================
Update ID : CVE-2012-2390
Release :
Type : security
Status : final
Issued : 2012-05-17
CVEs : CVE-2012-2390
Description : Memory leak in mm/hugetlb.c in the Linux kernel before 3.4.2
: allows local users to cause a denial of service
: (memory consumption or system crash) via invalid
: MAP_HUGETLB mmap operations.
updateinfo info done

How to update for a specific CVE:

[root@oel63 ~]# yum update --cve CVE-2012-2337
Loaded plugins: security
Setting up Update Process
Resolving Dependencies
Limiting packages to security relevant ones
1 package(s) needed (+0 related) for security, out of 50 available
--> Running transaction check
---> Package sudo.x86_64 0:1.7.4p5-11.el6 will be updated
---> Package sudo.x86_64 0:1.7.4p5-13.el6_3 will be an update
--> Finished Dependency Resolution

Dependencies Resolved

To apply all security-related updates you can execute:

[root@oel63 ~]# yum update --security
Loaded plugins: security
Setting up Update Process
Resolving Dependencies
Limiting packages to security relevant ones
29 package(s) needed (+0 related) for security, out of 50 available
--> Running transaction check

As you can see, it would only update the packages which have security-related issues.

Conclusion:

The fact that Oracle has metadata for their repository and gives it away for free puts them, from a business perspective, clearly ahead of CentOS. It is very important for admins to have the CVE information. Some people will now say, "But I can have that too with Spacewalk, and even get the bugfix and feature enhancement information." Yes, you're right, but it's another component which you'll have to administer and maintain. Having the ability to check security updates, and maybe in the future bugfixes and enhancements, with yum is just so much easier and nicer. So thanks, Oracle, for giving us CVE metadata information!