Oracle Releases the July 2012 Database Security Patches: Critical Patch Update July 2012

On 17 July 2012 Oracle released its latest database security patches, Critical Patch Update July 2012. The page "Oracle Critical Patch Update Advisory – July 2012" is already up on the CPU security topic area of OTN. The security patches cover multiple versions of Oracle Database, including the following patches for the mainstream database versions:

11.2.0.3:

Database 11.2.0.3 CPU Patch 14038787, or
Database 11.2.0.3.3 PSU Patch 13923374, or
GI 11.2.0.3.3 PSU Patch 13919095, or
Microsoft Windows (32-Bit) Bundle Patch 14095819, or
Microsoft Windows x64 (64-Bit) Bundle Patch 14095820

11.2.0.2:

Database 11.2.0.2 CPU Patch 14038791, or
Database 11.2.0.2.7 PSU Patch 13923804, or
GI 11.2.0.2.7 PSU Patch 14192201, or
Microsoft Windows (32-Bit) Bundle Patch 14134042, or
Microsoft Windows x64 (64-Bit) Bundle Patch 14134043

11.1.0.7:

Database 11.1.0.7 CPU Patch 14038803, or
Database 11.1.0.7.12 PSU Patch 13923474, or
Microsoft Windows (32-Bit) Bundle Patch 14109867, or
Microsoft Windows x64 (64-Bit) Bundle Patch 14109868

10.2.0.5:

Database 10.2.0.5 CPU Patch 14038805, or
Database 10.2.0.5.8 PSU Patch 13923855, or
Microsoft Windows (32-Bit) Bundle Patch 14134051, or
Microsoft Windows x64 (64-Bit) Bundle Patch 14134053, or
Microsoft Windows Itanium (64-Bit) Patch 14134052

10.2.0.4:

Database 10.2.0.4 CPU Patch 14038814, or
Database 10.2.0.4.13 PSU Patch 13923851

Exadata:

Quarterly Database patch for Exadata – July 2012 11.2.0.3.8 Patch 14103267, or
Quarterly Full Stack download for Exadata (July 2012) Patch 14207418, or
Exadata Database Recommended Patch 17 Patch 14084153, or

Oracle Releases the January 2012 Database Security Patches: Critical Patch Update January 2012

Oracle Corp will release its latest database security patches, Critical Patch Update January 2012, later today (Tuesday, 2012-01-17);

The page "Oracle Critical Patch Update Pre-Release Announcement – January 2012" is already up on the CPU security topic area of OTN. The security patches about to be released cover multiple versions of Oracle Database:

Affected Products and Components

Security vulnerabilities addressed by this Critical Patch Update affect the following products:

  • Oracle Database 11g Release 2, versions 11.2.0.2, 11.2.0.3
  • Oracle Database 11g Release 1, version 11.1.0.7
  • Oracle Database 10g Release 2, versions 10.2.0.3, 10.2.0.4, 10.2.0.5
  • Oracle Database 10g Release 1, version 10.1.0.5

In practice, because 10gR2 has formally entered the Extended Support phase, downloading future CPUs and PSUs for 10.2.0.4 and 10.2.0.5 (from 10.2.0.4.10 and 10.2.0.5.5 onwards) will require that the customer has purchased Oracle's Extended Support service.

“According to Oracle, 27 of the patches fix security vulnerabilities in the MySQL database. One of those vulnerabilities can be exploited over the network without login credentials. By the Common Vulnerability Scoring System (CVSS) rating, the highest-rated MySQL vulnerability scores 5.5, a medium risk level.

Another two patches fix vulnerabilities in Oracle Database. Oracle also plans to release 11 patches for Fusion Middleware; 5 of the vulnerabilities they fix are remotely exploitable without user authentication.

On the applications side, Oracle E-Business Suite receives 3 security patches, Supply Chain Products Suite receives 1, PeopleSoft receives 6 and JD Edwards receives 8.

Around 17 security patches concern Sun products, including 6 vulnerabilities that are remotely exploitable without credentials; affected products include GlassFish Enterprise Server and Solaris OS.

A further 3 patches cover Oracle's virtualization technologies, including VirtualBox.”

On the My Oracle Support (MOS) site the patch note <Oracle Critical Patch Update January 2012 Documentation Map [ID 1368685.1]> has already been created:

“Oracle provides Critical Patch Updates to its customers to fix security vulnerabilities. This document defines the Documentation Map to documents identifying patches and minimum releases that are required for the Oracle products to address the security vulnerabilities that are announced in the Advisory for January 2012 (the updates will be entered here when CPU is released). ”

The patch list has been published:

Patch Availability for Oracle Database 11.2.0.3

Oracle Database 11.2.0.3 | UNIX | Microsoft Windows (32-Bit) | Microsoft Windows x64 (64-bit) | Advisory Number | Comments
Oracle Database home | CPU Patch 13466801, or DB PSU Patch 13343438, or GI PSU Patch 13348650, or Database patch for Exadata Patch 13513783, or Quarterly Full Stack download for Exadata Patch 13551280 | Bundle Patch 13413167 | Bundle Patch 13413168 | |

Patch Availability for Oracle Database 11.2.0.2

Oracle Database 11.2.0.2 | UNIX | Microsoft Windows (32-Bit) | Microsoft Windows x64 (64-bit) | Advisory Number | Comments
Oracle Database home | CPU Patch 13343244, or DB PSU Patch 13343424, or GI PSU Patch 13343447, or Exadata Database Recommended Patch 14 Patch 13556724 | Bundle Patch 13413154 | Bundle Patch 13413155 | CVE-2012-0072, CVE-2012-0082 |

Patch Availability for Oracle Database 11.1.0.7

Oracle Database 11.1.0.7 | UNIX | Microsoft Windows (32-Bit) | Microsoft Windows x64 (64-Bit) | Advisory Number | Comments
Oracle Database home | CPU Patch 13343453, or PSU Patch 13343461 | Bundle Patch 13460955 | Bundle Patch 13460956 | CVE-2012-0072, CVE-2012-0082 |
Oracle Database home | Patch 9288120 | Patch 9288120 | Patch 9288120 | Released April 2011 | Database UIX. For Oracle Secure Enterprise Search 11.1.2.x installations, follow the instructions given in MOS note Note 1359600.1.
Oracle Database home | Patch 10073948 | Patch 10073948 | Patch 10073948 | Released April 2011 | Enterprise Manager Database Control UIX. Not applicable to Oracle Secure Enterprise Search 11.1.2.x
Oracle Database home | Patch 11738232 | Patch 11738232 | Patch 11738232 | Released April 2011 | Warehouse Builder. Not applicable to Oracle Secure Enterprise Search 11.1.2.x

Patch Availability for Oracle Database 10.2.0.5

Oracle Database 10.2.0.5 | UNIX | Microsoft Windows (32-Bit) | Microsoft Windows Itanium (64-Bit) | Microsoft Windows x64 (64-Bit) | Advisory Number | Comments
Oracle Database home | CPU Patch 13343467, or PSU Patch 13343471 | Bundle Patch 13460967 | NA | Bundle Patch 13460968 | CVE-2012-0072, CVE-2012-0082 |
Oracle Database home | Patch 12536181 | NA | NA | NA | Released July 2011 | Enterprise Manager Database Control. For HP-UX PA-RISC and HP-UX Itanium platforms only
Oracle Database home | Patch 11738172 | Patch 11738172 | Patch 11738172 | Patch 11738172 | Released April 2011 | Warehouse Builder

Patch Availability for Oracle Database 10.2.0.4

Oracle Database 10.2.0.4 | UNIX | Advisory Number | Comments
Oracle Database home | CPU Patch 12879912, or PSU Patch 12879929 | CVE-2012-0072, CVE-2012-0082 |
Oracle Database home | Patch 12536167 | Released July 2011 | Enterprise Manager Database Control. For HP-UX PA-RISC and HP-UX Itanium platforms only
Oracle Database home | Patch 9249369 | Released April 2011 | Database UIX
Oracle Database home | Patch 12758181 | Released July 2011 | Enterprise Manager Database Control UIX
Oracle Database home | Patch 9273865 | Released April 2011 | iSqlPlus UIX

Component | IBM zSeries (z/OS) | Advisory Number | Comments
Oracle Database home | CPU Patch 13343479 | CVE-2012-0072, CVE-2012-0082 |

Patch Availability for Oracle Database 10.1.0.5

Oracle Database 10.1.0.5 | UNIX | Microsoft Windows (32-Bit) | Microsoft Windows Itanium (64-Bit) | Advisory Number | Comments
Oracle Database home | Patch 6640838 | Patch 6640838 | Patch 6640838 | Released October 2010 | Oracle Universal Installer
Oracle Database home | Patch 11842285 | NA | NA | Released July 2011 | Oracle Universal Installer
Oracle Database home | CPU Patch 13343482 | Bundle Patch 13413002 | Bundle Patch 13413003 | CVE-2012-0072, CVE-2012-0082 |
Oracle Database home | Patch 12535977 | NA | NA | Released July 2011 | Enterprise Manager Database Control. For HP-UX PA-RISC and HP-UX Itanium platforms only
Oracle Workspace Manager home | Patch 7341989 | Patch 7341989 | Patch 7341989 | Released April 2009 |
Oracle Database home | Patch 9249369 | Patch 9249369 | Patch 9249369 | Released April 2011 | Database UIX
Oracle Database home | Patch 10036362 | Patch 10036362 | Patch 10036362 | Released April 2011 | Enterprise Manager Database Control UIX
Oracle Database home | Patch 9273888 | Patch 9273888 | Patch 9273888 | Released April 2011 | iSqlPlus UIX

Patch Set Update Availability for Oracle Database

Oracle Database | UNIX | Advisory Number | Comments
11.2.0.2.4 Database PSU | Patch 13343424 | See Section 3.1.3.3, “Oracle Database 11.2.0.2” |
11.2.0.2.4 Grid Infrastructure PSU | Patch 13343447 | See Section 3.1.3.3, “Oracle Database 11.2.0.2” | Includes CPUJan2012 and 11.2.0.2.4 Database PSU. IBM: Linux on System Z and HP-UX PA-RISC are On-Request Platforms for GI PSU 11.2.0.2.4
11.2.0.2 BP12 for Exadata | Patch 13556724 | See Section 3.1.3.3, “Oracle Database 11.2.0.2” | Includes CPUJan2012 and 11.2.0.2.4 Database and Grid Infrastructure PSU fixes for Exadata
11.1.0.7.9 Database PSU | Patch 13343461 | See Section 3.1.3.4, “Oracle Database 11.1.0.7” |
11.1.0.7.7 CRS PSU | Patch 11724953 | Released April 2011 |
10.2.0.5.5 Database PSU | Patch 13343471 | See Section 3.1.3.5, “Oracle Database 10.2.0.5” |
10.2.0.5.2 CRS PSU | Patch 9952245 | Released January 2011 | IBM: Linux on System Z, Solaris x86-64 and HP-UX PA-RISC are On-Request Platforms for CRS PSU 10.2.0.5.2
10.2.0.4.10 Database PSU | Patch 12879929 | See Section 3.1.3.6, “Oracle Database 10.2.0.4” | Overlay PSU
10.2.0.4.4 Database PSU | Patch 9352164 | Released April 2010 | Base PSU for 10.2.0.4.10
10.2.0.4.4 CRS PSU | Patch 9294403 | Released April 2010 |

The first PSU for 11.2.0.3, the current latest release of 11gR2, is PSU 11.2.0.3.1; it fixes dozens of bugs:

CPU molecules in PSU 11.2.0.3.1:

PSU 11.2.0.3.1 contains the following new PSU 11.2.0.3.1 molecules:

13499128 – DB-11.2.0.3-MOLECULE-001-CPUJAN2012

13528551 – DB-11.2.0.3-MOLECULE-002-CPUJAN2012

Bug Fixes

See My Oracle Support Note 1340011.1 that documents all the non-security bugs fixed in each 11.2.0.2 Patch Set Update (PSU).

PSU 11.2.0.3.1 contains the following new fixes:

Automatic Storage Management

9703627 – 11.2.0.2: ROOT USE OF ASMCMD PLACES ALERT.LOG IN USER DIRECTORY

12620823 – SOL-SP64-11203:ASM INSTANCE HANG DURING CRS STACK STARTING ON THE SECOND NODE

12797765 – SOL_SP64: AFTER ALL DISKS FAILURE, DG CAN’T BE DISMOUNTED ON T2000-3

12905058 – REBOOT 2 CELL NODES, CHECKFILE FOUND CORRUPTION BLOCK IN 3 UNDO DATAFILES

12938841 – 11203_ASM_SOL_SP64:RACE BETWEEN ADD DISK AND DISMOUNT MAY CAUSE KFGUSENUM01

12950644 – RBAL HIT ORA-07445:[KFDGLOBALOPEN()+738], ASM INST ABORT

Generic

9873405 – ORA-600 DURING FAST REFRESH AFTER 11.2.0.1.0 TO 11.2.0.2.0 UPDATE.

High Availability

12718090 – LNX64-11203-RAC:DB FG RROC HIT ORA-00600[KCLCHKBLK_3]

12834027 – ORA-00600 [KJBMPRLST:SHADOW] & [KJBRASR:PKEY] IN A READ MOSTLY & SKIP LOCK ENV

12847466 – AROLTP-C: HANG SIGNATURE: ‘GC CURRENT REQUEST'<=’GC BUFFER BUSY ACQUIRE’

12861463 – RAC PERF: DEFAULT VALUE FOR _LM_SINGLE_INST_AFFINITY_LOCK SHOULD BE FALSE

12917230 – QUERY WITH TEMP TABLE TRANSFORMATION RUNS 5X SLOWER WAITING FOR REMASTERING

12998795 – AROLTP-C: HANG SIGNATURE: ‘GC CURRENT REQUEST'<=’GC BUFFER BUSY ACQUIRE’

13035804 – LACK OF DLM PSEUDO RECONFIGURATION TEXTUAL REASON

Oracle Space Management

13041324 – HCC ON ZFS AND PILLAR STORAGE

13492735 – DISALLOW ADDING NON-HCC DATAFILE TO HCC TABLESPACE

Oracle Virtual Operating System Services

13362079 – HCC SHOULD NOT BE ENABLED FOR NON ZFS/ PILLAR STORAGE ARRAY

Slide: Understanding Oracle Critical Patch Update

Critical Patch Update July 2011 Released

The July 2011 CPU was released on the 19th. The database-related PSUs/CPUs are:

11.2.0.2: CPU Patch 12419321, or DB PSU Patch 12419331, or GI PSU Patch 12419353, or Exadata BP9 Patch 12681774

11.2.0.1: CPU Patch 12419278, or DB PSU Patch 12419378, or Exadata BP11 Patch 12608545

11.1.0.7: CPU Patch 12419265, or PSU Patch 12419384

10.2.0.5: CPU Patch 12419258, or PSU Patch 12419392

10.2.0.4: CPU Patch 12419249, or PSU Patch 12419397

Oracle Database Patch Set Update (PSU)

Oracle Database | UNIX | Advisory Number | Comments
11.2.0.2.3 Database PSU | Patch 12419331 | See Section 3.1.3.2, “Oracle Database 11.2.0.2” |
11.2.0.2.3 Grid Infrastructure PSU | Patch 12419353 | See Section 3.1.3.2, “Oracle Database 11.2.0.2” | Includes CPUJul2011 and 11.2.0.2.3 Database PSU
11.2.0.2 BP9 for Exadata | Patch 12681774 | See Section 3.1.3.2, “Oracle Database 11.2.0.2” | Includes CPUJul2011 and 11.2.0.2.3 Database and Grid Infrastructure PSU fixes for Exadata
11.2.0.1.6 Database PSU | Patch 12419378 | See Section 3.1.3.3, “Oracle Database 11.2.0.1” |
11.2.0.1 BP11 for Exadata | Patch 12608545 | See Section 3.1.3.3, “Oracle Database 11.2.0.1” | Includes CPUJul2011 and 11.2.0.1.6 PSU fixes for Exadata
11.2.0.1.2 Grid Infrastructure | Patch 9655006 | Released July 2010 |
11.1.0.7.8 Database PSU | Patch 12419384 | See Section 3.1.3.4, “Oracle Database 11.1.0.7” |
11.1.0.7.7 CRS PSU | Patch 11724953 | Released April 2011 |
10.2.0.5.4 Database PSU | Patch 12419392 | See Section 3.1.3.5, “Oracle Database 10.2.0.5” |
10.2.0.5.2 CRS PSU | Patch 9952245 | Released January 2011 |
10.2.0.4.9 Database PSU | Patch 12419397 | See Section 3.1.3.6, “Oracle Database 10.2.0.4” | Overlay PSU
10.2.0.4.4 Database PSU | Patch 9352164 | Released April 2010 | Base PSU for 10.2.0.4.9
10.2.0.4.4 CRS PSU | Patch 9294403 | Released April 2010 |

For details see <Patch Set Update and Critical Patch Update July 2011 Availability Document [ID 1323616.1]>

Understanding Oracle Critical Patch Update

What is an Oracle Critical Patch Update?

A Critical Patch Update (hereafter CPU) is the product security update programme that Oracle introduced in 2005. In general a CPU contains a set of security bug fixes for Oracle products. The earliest form of the CPU appeared in 2005, as a programme to deliver cumulative patches that fix security vulnerabilities to customers on a regular schedule.

CPU patches are normally released on the 15th of the first month of each quarter and are named after their release date:

  • January: CPU JAN
  • April: CPU APR
  • July: CPU JUL
  • October: CPU OCT

There are three types of CPU patch:

  • Normal CPU: every CPU up to 10.2.0.2 is a Normal CPU
  • Molecular CPU: "molecular" as in molecules; from 10.2.0.3 onwards CPU patches are released in Molecular format. The difference between the Normal and Molecular formats is explained below
  • CPU Bundle Patch: on Windows the Oracle binaries cannot be updated by replacing shared library files and relinking, so for Windows Oracle releases CPU Bundle Patches, which differ from the Normal/Molecular CPUs on Unix (and are therefore rather large). Windows bundle patches are normally released every quarter

Next we look at two real examples to understand the difference between a Normal CPU and a Molecular CPU. CPUJAN2009 for 9.2.0.8 on Linux x86 has bug (patch) number 7592365. Using that number we can download the patch as a zip file from My Oracle Support; unzipping it, we find that the directory structure of this CPU package resembles that of a one-off patch:

$cd 7592365
$ls
/etc     /files       readme

As explained above, from 10.2.0.3 onwards CPU patches are released in Molecular format. We take CPUAPR2009 for 10.2.0.4 on Linux x86 as the Molecular CPU example: after downloading and unzipping it we find many subdirectories named after patch numbers inside the patch directory. That is what "molecular" refers to; you can simply think of it as loose security patches packed together:

$cd 8290506
$ls
7155248  7155251  7155254  7375613  7609058  8309592  8309637  cpu_root.sh
7155249  7155252  7197583  7375617  8290506  8309623  8309639  patchmd.xml
7155250  7155253  7375611  7609057  8309587  8309632  8309642  README.html

Each number above is a molecule, i.e. a molecular patch.
Note: a single molecule may contain several smaller fixes!

Normal and Molecular CPUs also differ in the kinds of patches they contain. A Normal CPU, also called a Classic CPU, contains not only security vulnerability fixes but, for specific products, product versions and platforms, may also contain non-security fixes, unlike a Molecular CPU.

A Molecular CPU (on MOS sometimes called a New format CPU) departs from the Normal CPU practice from 10.2.0.3 onwards: it contains only security bug fixes. This is currently one of the main differences between the CPU and the other patch update strategy, the Patch Set Update (PSU), whose format is similar to a Normal CPU: the CPU is dedicated to fixing security vulnerabilities, while a PSU usually includes the CPU (INCLUDES CPU).

The first CPU released in Molecular form was CPUJUL2007 (DB-10.2.0.3-MOLECULE-013-CPUAPR2007):

In addition, according to Oracle's product lifetime documentation, the release of CPUs follows several principles:

  1. CPUs are released only for the latest patchset
  2. For the previous patchset there is a grace period, during which CPUs are still released for the old patchset. The grace period is described in detail in the MOS document <Database, FMW, EM Grid Control, and OCS Software Error Correction Support Policy [ID 209768.1]>; in fact the support periods of other Oracle products such as Fusion Middleware and Applications are governed by the same grace period. The Database part of the appendix is excerpted below:
Grace Period: up to 1 year, minimum 3 months.
You have up to one year from the release of a patch set on the first platform (currently Linux x86) to plan for
and install the new patch set. During that year we will create new bug fixes for the previous patch set.
This grace period is effective with the release of 10.2.0.4.
For example, 10.2.0.4 was released first on Linux x86. The release date was 22 February 2008.
Until 22 February 2009 we will create new fixes for both 10.2.0.3 and 10.2.0.4.
After that date new fixes for 10.2.0.3 will cease on all platforms and we will only create new fixes for 10.2.0.4.
Grace period for current patch sets can be found on Metalink in Note 742060.1

Exceptions:
3 Month minimum grace period: Since the release of a patch set on different platforms happens over time,
not all platforms will be supported for error correction for the full year. Because of this,
we will always support the previous patch set for error correction for at least 3 months.
For example, if the initial release of patchset A.x.y.z is on January 1st on Linux x86 and the same patch set
is released on Univac on November 1, Oracle will still provide new patches on Univac A.x.y.z-1 until
the end of January of the next year. Outside of the specific exceptions listed below,
CPUs will NOT be provided beyond the initial 12-month grace period.

Bundle patches for Windows: Oracle releases patches for Windows via periodic patch bundles instead of
interim patches. Patch bundles are released periodically (at least quarterly), and include the security fixes
from that quarter’s Critical Patch Update.

For example, when CPUJAN2009 for 10gR2 was released there were versions for both 10.2.0.3 and 10.2.0.4, because 10.2.0.3 was still within its grace period; by CPUAPR2009, three months later, 10.2.0.3's grace period had expired, so CPUAPR2009 for 10gR2 came in a 10.2.0.4 version only.

On Unix platforms before 10.2.0.3 (including 9iR2, 10gR1 and 10.2.0.2), CPUs were released in Normal format, so a user applying a CPU had to apply either nothing or the whole CPU, which greatly raised the probability of a patch conflict. Under the support process of the time, if a user found a conflict between the CPU and an existing patch within 4 weeks of Oracle releasing the CPU, they could open a Service Request and have Oracle development build a superset merge version of the CPU; a user who filed the SR after 4 weeks was told to wait for the next CPU release. Once Oracle received the request for a merged CPU, it would deliver the merged CPU within the following 2 weeks (i.e. in the sixth week after the CPU release). CPUJAN2009 was released on 15 January 2009. Suppose I work for a company with extremely strict database security requirements and want to apply CPUJAN2009 to improve the security of our databases: if I discovered on 15 January that CPUJAN2009 conflicted with an existing patch and reported the conflict to Oracle through MOS, Oracle would in theory deliver the superset merge patch to me on 28 February 2009; but if I only discovered the conflict on 15 February, I would have to wait for the next CPU release, in this scenario 15 April, two months later.

The atomicity requirement of applying a Normal CPU created considerable work for both users and Oracle Support, and the Molecular CPU was introduced to ease that tension.

Molecular CPUs, released from 10.2.0.3 onwards, do not carry the strict atomicity requirement of Normal CPUs when applied: we can install some of the security fixes in a Molecular CPU while skipping the ones that conflict. Moreover, because of the Molecular CPU's format, a patch conflict can only occur on a specific molecule, not on the whole patch package. For the conflicting molecules (generally ordinary one-off patches) the user can ask Oracle Support for a merge patch at any time, which removes the inconvenience the Normal CPU caused. As stated above, Molecular CPUs are released only for the latest patchset or for patchsets still in their grace period.

In theory, when applying a new Molecular CPU, opatch will generally not report that the whole patch conflicts as it did for Normal CPUs; instead the conflict is confined to individual molecules. In that case the user can skip the conflicting molecules, install the remaining non-conflicting security fixes, and request a merge of the installed one-off patch with the conflicting molecule. One-off patch merges are a routine Oracle Support service, so there is no need to worry about not getting a merge patch, provided of course that the patchset is the latest one or still in its grace period; for example, a request today for a patch merge on 10.2.0.3 would very likely be refused by Oracle Support, with an instruction to upgrade.

We must also keep in mind that CPU patches are always cumulative, which is exactly where they differ from PSUs (Patch Set Updates)! A new PSU may not contain the contents of previously released PSUs, whereas a CPU always contains everything from all earlier CPUs. For example 10.2.0.4.5, i.e. PSU5 on 10.2.0.4, does not contain all the fixes in 10.2.0.4.4 (PSU4), so PSU5 must be installed on top of PSU4 (Patch Set Update PSU 10.2.0.4.5 is an overlay PSU whose base PSU is 10.2.0.4.4. This patch can only be applied in an Oracle home for which PSU 10.2.0.4.4 has already been installed); CPUAPR2011 on 10.2.0.4, by contrast, contains CPUJAN2011 and all earlier CPU contents.

Because Classic and Molecular CPUs differ in format, the steps to apply them differ as well. A Normal CPU rolls back all older CPUs before it is applied, so that it can be installed. A Molecular CPU is less drastic: it only needs to apply the new molecules it contains, so if an older CPU is already installed, the old CPU's patches are left in place.

The contents of a CPU are also included in later Patch Sets or Patch Set Updates (CPU molecules in PSU). Note that for a terminal patchset such as 9.2.0.8 Oracle no longer releases new Patchsets or PSUs; 10.2.0.5, the final 10g release, will have no further Patchsets, but PSUs containing the CPU will still be released.

Many people ask whether CPUs must be installed. There is in fact no mandatory reason to install a CPU; Oracle merely strongly recommends applying these patches to reduce potential security risk and the probability of a successful intrusion.

Installing a CPU is not very different from installing an ordinary one-off patch or a PSU: it uses the well-known opatch tool. A Normal CPU has a strong atomicity requirement, so a partial installation of a Normal CPU is not possible. The Molecular CPU that appeared with 10.2.0.3 has no such restriction: a Molecular CPU always consists of some number of molecules, and note that each molecule may itself contain one or more small fixes. Although we may choose to install only a subset of the CPU's molecules even when there is no patch conflict, Oracle strongly recommends installing the whole CPU whenever possible.

A Normal CPU is installed with the same simple "opatch apply" command used for a one-off patch. The commands for installing a Molecular CPU are somewhat more involved and depend on what is needed:

  1. Install all the molecules in the CPU

$./opatch napply <patch_location> -skip_subset -skip_duplicate

-skip_subset means skipping the subset patches (subset patches--patches under  that are subsets of patches
installed in the ORACLE_HOME)

-skip_duplicate skips molecules that are already installed (provides the additional benefit of detecting when a molecule
patch has already been applied, as in the case of a previous CPU, and to skip application of it.
This reduces the length of time required to do the n-apply CPU installation and minimizes
the overall change to the Oracle home)

  2. Install some of the molecules in the CPU

$ ./opatch napply 8290506 -id 7155248,7155249,7155250 -skip_subset -skip_duplicate

The above applies patches 7155248, 7155249 and 7155250:

Invoking OPatch 11.2.0.1.3
Oracle Interim Patch Installer version 11.2.0.1.3
Copyright (c) 2010, Oracle Corporation.  All rights reserved.
UTIL session
Oracle Home       : /s01/db_1
Central Inventory : /s01/oraInventory
   from           : /etc/oraInst.loc
OPatch version    : 11.2.0.1.3
OUI version       : 10.2.0.4.0
OUI location      : /s01/db_1/oui
Log file location : /s01/db_1/cfgtoollogs/opatch/opatch2011-06-02_22-37-02PM.log

Patch history file: /s01/db_1/cfgtoollogs/opatch/opatch_history.txt

Invoking utility "napply"
Checking conflict among patches...
Checking if Oracle Home has components required by patches...
Checking skip_duplicate
Checking skip_subset
Checking conflicts against Oracle Home...
OPatch continues with these patches:   7155250  7155249  7155248  

Do you want to proceed? [y|n]
y
User Responded with: Y

Running prerequisite checks...

OPatch detected non-cluster Oracle Home from the inventory and will patch the local system only.

Please shutdown Oracle instances running out of this ORACLE_HOME on the local system.
(Oracle Home = '/s01/db_1')

Is the local system ready for patching? [y|n]
y
User Responded with: Y
Backing up files affected by the patch 'NApply' for restore. This might take a while...

Applying patch 7155250...

ApplySession applying interim patch '7155250' to OH '/s01/db_1'
Backing up files affected by the patch '7155250' for rollback. This might take a while...

Patching component oracle.rdbms, 10.2.0.4.0...
Updating archive file "/s01/db_1/lib/libserver10.a"  with "lib/libserver10.a/kupp.o"
Copying file to "/s01/db_1/rdbms/admin/prvtbpp.plb"
ApplySession adding interim patch '7155250' to inventory

Verifying the update...
Inventory check OK: Patch ID 7155250 is registered in Oracle Home inventory with proper meta-data.
Files check OK: Files from Patch ID 7155250 are present in Oracle Home.

Applying patch 7155249...

ApplySession applying interim patch '7155249' to OH '/s01/db_1'
Backing up files affected by the patch '7155249' for rollback. This might take a while...

Patching component oracle.rdbms, 10.2.0.4.0...
Copying file to "/s01/db_1/rdbms/admin/prvtdefr.plb"
ApplySession adding interim patch '7155249' to inventory

Verifying the update...
Inventory check OK: Patch ID 7155249 is registered in Oracle Home inventory with proper meta-data.
Files check OK: Files from Patch ID 7155249 are present in Oracle Home.

Applying patch 7155248...

ApplySession applying interim patch '7155248' to OH '/s01/db_1'
Backing up files affected by the patch '7155248' for rollback. This might take a while...

Patching component oracle.rdbms, 10.2.0.4.0...
Copying file to "/s01/db_1/rdbms/lib/env_rdbms.mk"
ApplySession adding interim patch '7155248' to inventory

Verifying the update...
Inventory check OK: Patch ID 7155248 is registered in Oracle Home inventory with proper meta-data.
Files check OK: Files from Patch ID 7155248 are present in Oracle Home.
Running make for target ioracle
Running make for target iextjob
Running make for target iextjobo
The local system has been patched and can be restarted.
UtilSession: N-Apply done.
OPatch succeeded.

In addition, the opatch lsinventory -bugs_fixed command lists the installed CPUs/PSUs:

$ ./opatch lsinventory -bugs_fixed

List of Bugs fixed by Installed Patches:
Bug        Fixed by  Installed at                   Description
            Patch
---        --------  ------------                   -----------
8309642    8309642   Thu Jun 02 22:54:51 CST 2011   DB-10.2.0.4-MOLECULE-018-CPUAPR2009
8309639    8309639   Thu Jun 02 22:54:48 CST 2011   DB-10.2.0.4-MOLECULE-019-CPUAPR2009
8309637    8309637   Thu Jun 02 22:54:45 CST 2011   DB-10.2.0.4-MOLECULE-020-CPUAPR2009
8309632    8309632   Thu Jun 02 22:54:42 CST 2011   DB-10.2.0.4-MOLECULE-017-CPUAPR2009
8309623    8309623   Thu Jun 02 22:54:39 CST 2011   DB-10.2.0.4-MOLECULE-016-CPUAPR2009
8309592    8309592   Thu Jun 02 22:54:35 CST 2011   DB-10.2.0.4-MOLECULE-015-CPUAPR2009
8309587    8309587   Thu Jun 02 22:54:30 CST 2011   DB-10.2.0.4-MOLECULE-014-CPUAPR2009
7150470    8290506   Thu Jun 02 22:54:26 CST 2011   MLR BUG FOR 10.2.0.4 FOR CPUJUL2008
7375644    8290506   Thu Jun 02 22:54:26 CST 2011   MLR BUG FOR 10.2.0.4 FOR CPUOCT2008
7592346    8290506   Thu Jun 02 22:54:26 CST 2011   CPUJAN2009 DATABASE 10.2.0.4
8290506    8290506   Thu Jun 02 22:54:26 CST 2011   CPUAPR2009 DATABASE 10.2.0.4
7609058    7609058   Thu Jun 02 22:54:21 CST 2011   DB-10.2.0.4-MOLECULE-013-CPUJAN2009
7609057    7609057   Thu Jun 02 22:54:17 CST 2011   DB-10.2.0.4-MOLECULE-012-CPUJAN2009
7375617    7375617   Thu Jun 02 22:54:14 CST 2011   DB-10.2.0.4-MOLECULE-0011-CPUOCT2008
7375613    7375613   Thu Jun 02 22:54:11 CST 2011   DB-10.2.0.4-MOLECULE-0010-CPUOCT2008
7375611    7375611   Thu Jun 02 22:54:07 CST 2011   DB-10.2.0.4-MOLECULE-009-CPUOCT2008
7197583    7197583   Thu Jun 02 22:54:03 CST 2011   DB-10.2.0.4-MOLECULE-008-CPUJUL2008
7155254    7155254   Thu Jun 02 22:54:00 CST 2011   DB-10.2.0.4-MOLECULE-007-CPUJUL2008
7155253    7155253   Thu Jun 02 22:53:35 CST 2011   DB-10.2.0.4-MOLECULE-006-CPUJUL2008
7155252    7155252   Thu Jun 02 22:53:13 CST 2011   DB-10.2.0.4-MOLECULE-005-CPUJUL2008
7155251    7155251   Thu Jun 02 22:53:07 CST 2011   DB-10.2.0.4-MOLECULE-004-CPUJUL2008
7155250    7155250   Thu Jun 02 22:53:02 CST 2011   DB-10.2.0.4-MOLECULE-003-CPUJUL2008
7155249    7155249   Thu Jun 02 22:52:58 CST 2011   DB-10.2.0.4-MOLECULE-002-CPUJUL2008
7155248    7155248   Thu Jun 02 22:52:54 CST 2011   DB-10.2.0.4-MOLECULE-001-CPUJUL2008

  3. Roll back some of the molecules in the CPU

$ ./opatch nrollback  -id 7155248,7155249,7155250 

This will roll back patches 7155248,7155249,7155250 that have been installed under the ORACLE_HOME.
If a patch is not installed, it does not have any impact and roll back skips the patch.

Invoking OPatch 11.2.0.1.3
Oracle Interim Patch Installer version 11.2.0.1.3
Copyright (c) 2010, Oracle Corporation.  All rights reserved.
UTIL session
Oracle Home       : /s01/db_1
Central Inventory : /s01/oraInventory
   from           : /etc/oraInst.loc
OPatch version    : 11.2.0.1.3
OUI version       : 10.2.0.4.0
OUI location      : /s01/db_1/oui
Log file location : /s01/db_1/cfgtoollogs/opatch/opatch2011-06-02_22-41-49PM.log
Patch history file: /s01/db_1/cfgtoollogs/opatch/opatch_history.txt
Invoking utility "nrollback"
Patches will be rolled back in the following order:
   7155248   7155249   7155250

Running prerequisite checks...
The following patch(es) will be rolled back: 7155248  7155249  7155250
OPatch detected non-cluster Oracle Home from the inventory and will patch the local system only.
Please shutdown Oracle instances running out of this ORACLE_HOME on the local system.
(Oracle Home = '/s01/db_1')
Is the local system ready for patching? [y|n]
y
User Responded with: Y
Backing up files affected by the patch 'NRollback' for restore. This might take a while...
Rolling back patch 7155248...
RollbackSession rolling back interim patch '7155248' from OH '/s01/db_1'
Patching component oracle.rdbms, 10.2.0.4.0...
Copying file to "/s01/db_1/rdbms/lib/env_rdbms.mk"
RollbackSession removing interim patch '7155248' from inventory
Rolling back patch 7155249...
RollbackSession rolling back interim patch '7155249' from OH '/s01/db_1'
Patching component oracle.rdbms, 10.2.0.4.0...
Copying file to "/s01/db_1/rdbms/admin/prvtdefr.plb"
RollbackSession removing interim patch '7155249' from inventory
Rolling back patch 7155250...
RollbackSession rolling back interim patch '7155250' from OH '/s01/db_1'
Patching component oracle.rdbms, 10.2.0.4.0...
Updating archive file "/s01/db_1/lib/libserver10.a"  with "lib/libserver10.a/kupp.o"
Copying file to "/s01/db_1/rdbms/admin/prvtbpp.plb"
RollbackSession removing interim patch '7155250' from inventory
Running make for target iextjob
Running make for target iextjobo
Running make for target ioracle
The local system has been patched and can be restarted.
UtilSession: N-Rollback done.
OPatch succeeded.
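An added example, not from the original post or from Oracle, that turns the lsinventory listing above into an audit: given the patch directories a CPU ships (the CPUAPR2009 listing earlier in the post), it reports which molecules the home lacks and which CPU level the home is at. The inventory text and the molecule list are constructed samples in the format shown above, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post or from Oracle): audit a Molecular
# CPU against the inventory of an Oracle home. Molecules can be applied
# selectively (opatch napply -id ...) or removed selectively (opatch nrollback
# -id ...), so "opatch lsinventory -bugs_fixed", not the CPU zip you downloaded,
# is the record of what is really installed. Needs only POSIX sh and awk.

# Constructed sample: the numeric directories shipped in CPUAPR2009 for 10.2.0.4
# (patch 8290506), i.e. the patch ids that CPU is expected to register.
CPUAPR2009_MOLECULES="7155248 7155249 7155250 7155251 7155252 7155253 7155254
7197583 7375611 7375613 7375617 7609057 7609058 8290506 8309587 8309592
8309623 8309632 8309637 8309639 8309642"

# Constructed sample of "opatch lsinventory -bugs_fixed" output in the layout the
# post shows, taken after molecules 7155248, 7155249 and 7155250 were rolled back.
SAMPLE_INVENTORY='List of Bugs fixed by Installed Patches:
Bug        Fixed by  Installed at                   Description
            Patch
---        --------  ------------                   -----------
8309642    8309642   Thu Jun 02 22:54:51 CST 2011   DB-10.2.0.4-MOLECULE-018-CPUAPR2009
8309639    8309639   Thu Jun 02 22:54:48 CST 2011   DB-10.2.0.4-MOLECULE-019-CPUAPR2009
8309637    8309637   Thu Jun 02 22:54:45 CST 2011   DB-10.2.0.4-MOLECULE-020-CPUAPR2009
8309632    8309632   Thu Jun 02 22:54:42 CST 2011   DB-10.2.0.4-MOLECULE-017-CPUAPR2009
8309623    8309623   Thu Jun 02 22:54:39 CST 2011   DB-10.2.0.4-MOLECULE-016-CPUAPR2009
8309592    8309592   Thu Jun 02 22:54:35 CST 2011   DB-10.2.0.4-MOLECULE-015-CPUAPR2009
8309587    8309587   Thu Jun 02 22:54:30 CST 2011   DB-10.2.0.4-MOLECULE-014-CPUAPR2009
7150470    8290506   Thu Jun 02 22:54:26 CST 2011   MLR BUG FOR 10.2.0.4 FOR CPUJUL2008
7375644    8290506   Thu Jun 02 22:54:26 CST 2011   MLR BUG FOR 10.2.0.4 FOR CPUOCT2008
7592346    8290506   Thu Jun 02 22:54:26 CST 2011   CPUJAN2009 DATABASE 10.2.0.4
8290506    8290506   Thu Jun 02 22:54:26 CST 2011   CPUAPR2009 DATABASE 10.2.0.4
7609058    7609058   Thu Jun 02 22:54:21 CST 2011   DB-10.2.0.4-MOLECULE-013-CPUJAN2009
7609057    7609057   Thu Jun 02 22:54:17 CST 2011   DB-10.2.0.4-MOLECULE-012-CPUJAN2009
7375617    7375617   Thu Jun 02 22:54:14 CST 2011   DB-10.2.0.4-MOLECULE-0011-CPUOCT2008
7375613    7375613   Thu Jun 02 22:54:11 CST 2011   DB-10.2.0.4-MOLECULE-0010-CPUOCT2008
7375611    7375611   Thu Jun 02 22:54:07 CST 2011   DB-10.2.0.4-MOLECULE-009-CPUOCT2008
7197583    7197583   Thu Jun 02 22:54:03 CST 2011   DB-10.2.0.4-MOLECULE-008-CPUJUL2008
7155254    7155254   Thu Jun 02 22:54:00 CST 2011   DB-10.2.0.4-MOLECULE-007-CPUJUL2008
7155253    7155253   Thu Jun 02 22:53:35 CST 2011   DB-10.2.0.4-MOLECULE-006-CPUJUL2008
7155252    7155252   Thu Jun 02 22:53:13 CST 2011   DB-10.2.0.4-MOLECULE-005-CPUJUL2008
7155251    7155251   Thu Jun 02 22:53:07 CST 2011   DB-10.2.0.4-MOLECULE-004-CPUJUL2008'

# Print "patch_id CPU_tag" for every inventory row whose description names a CPU
# (molecule rows and the CPU's own top-level patch rows), one per line.
installed_cpu_patches() {
    printf '%s\n' "$1" | awk '
        /^[0-9]+[ \t]+[0-9]+[ \t]/ {
            if (match($0, /CPU(JAN|APR|JUL|OCT)[0-9][0-9][0-9][0-9]/))
                print $2, substr($0, RSTART, RLENGTH)
        }'
}

# Newest CPU named anywhere in the inventory. CPUs are cumulative, so this is
# the security level of the home. Order by year, then quarter (JAN<APR<JUL<OCT).
latest_cpu() {
    installed_cpu_patches "$1" | awk '
        BEGIN { q["JAN"] = 1; q["APR"] = 2; q["JUL"] = 3; q["OCT"] = 4 }
        {
            key = substr($2, 7, 4) * 4 + q[substr($2, 4, 3)]
            if (key > best) { best = key; latest = $2 }
        }
        END { print latest }'
}

# List the expected patch ids of a CPU that are NOT in the inventory, i.e. the
# molecules skipped with -id/-skip_* or removed with nrollback; no output means
# the CPU is fully applied. The same check shows whether a base PSU is present
# before an overlay PSU is applied. $1 = expected ids, $2 = inventory text.
missing_molecules() {
    for m in $1; do
        printf '%s\n' "$2" | awk -v p="$m" '
            /^[0-9]+[ \t]+[0-9]+[ \t]/ && $2 == p { found = 1 }
            END { if (found) exit 0; exit 1 }' || echo "$m"
    done
}

# Report on the constructed sample.
echo "Latest CPU in inventory: $(latest_cpu "$SAMPLE_INVENTORY")"
missing=$(missing_molecules "$CPUAPR2009_MOLECULES" "$SAMPLE_INVENTORY")
if [ -n "$missing" ]; then
    printf 'CPUAPR2009 molecules missing from this home:\n%s\n' "$missing"
else
    echo "CPUAPR2009 is fully applied"
fi
```

On a real home, replace SAMPLE_INVENTORY with the captured output of $ORACLE_HOME/OPatch/opatch lsinventory -bugs_fixed and the molecule list with the numeric directory names of the CPU you unzipped.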

Besides the commands listed above, the MOS documents <OPatch Utility Guide – 10.2 [ID 554417.1]> and
<Critical Patch Update – Introduction to Database n-Apply CPUs [ID 438314.1]> can be consulted when installing CPU patches.

After the opatch steps above, an existing database (one already created and in use) still needs the data dictionary upgrade scripts run at the database level:

SQL> select * from global_name;
GLOBAL_NAME
--------------------------------------------------------------------------------
www.askmac.cn

  1. For a traditional Normal CPU, run

@?/rdbms/admin/catcpu.sql

  2. For a Molecular CPU, run

sqlplus /nolog
SQL> CONNECT / AS SYSDBA

@?/rdbms/admin/catbundle cpu apply

cd $ORACLE_HOME/cpu/view_recompile
sqlplus /nolog
SQL> CONNECT / AS SYSDBA

SQL> @recompile_precheck_jan2008cpu.sql
SQL> QUIT

cd $ORACLE_HOME/cpu/view_recompile
sqlplus /nolog
SQL> CONNECT / AS SYSDBA
SQL> SHUTDOWN IMMEDIATE

SQL> STARTUP UPGRADE

SQL> @view_recompile_jan2008cpu.sql
SQL> SHUTDOWN;
SQL> STARTUP;

SQL> @?/rdbms/admin/utlrp

SQL> QUIT

The dictionary upgrade steps above can be found in the README.HTML shipped with the patch package; see also the MOS document <Introduction To Oracle Database catbundle.sql [ID 605795.1]>.

Although Oracle states that every CPU it releases undergoes extensive and lengthy testing, Oracle cannot possibly test in every individual customer's environment, so applying a CPU blindly still carries some risk. Oracle recommends that, before installing a CPU on a production system, users first thoroughly test its possible impact in their own customized environment.

The Critical Patch Update Advisory provides the security risk information for Oracle products and is one basis for deciding whether to apply a CPU. Beyond that, the documentation shipped with the CPU is the most detailed and most useful source of security information available to users.

References:

Database, FMW, EM Grid Control, and OCS Software Error Correction Support Policy [ID 209768.1]

OPatch Utility Guide – 10.2 [ID 554417.1]

Critical Patch Update – Introduction to Database n-Apply CPUs [ID 438314.1]

Introduction To Oracle Database catbundle.sql [ID 605795.1]

http://www.oracle.com/technetwork/topics/security/whatsnew/index.html

PS: if you are interested in PSUs, read Kamusis's Notes for Oracle Database PSU/CPU.

Oracle Patch Set Update and Critical Patch Update April 2011 Released

The April 2011 Oracle Patch Set Update and Critical Patch Update have been released. This release includes patch updates for many products: Oracle Database Server, Oracle Fusion Middleware, Oracle Enterprise Manager Grid Control, Oracle E-Business Suite and Supply Chain Products Suite, Oracle PeopleSoft Enterprise, Oracle JDEdwards EnterpriseOne, Oracle Siebel CRM, Oracle Industry Applications, Oracle Sun products suite and Oracle OpenOffice Suite.

The database-related Patch Set Updates and Critical Patch Updates are:

  1. Database 11.2.0.2: CPU Patch 11724984, or PSU Patch 11724916
  2. Database 11.2.0.1: CPU Patch 11724991, or PSU Patch 11724930
  3. Database 11.1.0.7: CPU Patch 11724999, or PSU Patch 11724936
  4. Database 10.2.0.5: CPU Patch 11725006, or PSU Patch 11724962
  5. Database 10.2.0.4: CPU Patch 11725015, or PSU Patch 11724977

Oracle Critical Patch Updates Unwrapped
