补丁术语
oracle 打patch 总结
http://blog.itpub.net/15412087/viewspace-2150735/
Advisory
adj. 咨询的;顾问的;劝告的
n. 报告;公告
Oracle Critical Patch Update Advisory - January 2018
cpu
psu
spu
CPU:Critical Patch Update,紧急补丁更新。每季度发布一次,用来修复安全方面的累积型补丁,即最新的CPU补丁已经包含以往的CPU补丁,只需安装最新的CPU补丁即可。
CPU已更名为SPU(Security Patch Update)。
PSU:Patch Set Update,补丁集更新。Oracle选取在每个季度用户下载数量最多、且得到验证具有较低风险的补丁放入到每个季度的PSU中。在每个PSU中不但包含Bug的修复,还包含了最新的CPU。PSU通常随CPU一起发布。PSU通常是增量的,大部分PSU可以直接安装,但有些PSU必须要求安装上一个版本的PSU之后才能继续安装。
1.interim patch/one-off patch
个别补丁(InterimPatch,one-off patch 或 Patch Set Exception)
是我们常说的小补丁,为了修复某个bug而发布的补丁,这种补丁推荐在测试库上测试无误后再安装在生产库上。
2.merged patch
合并的补丁,当几个小补丁之间冲突,不能同时安装的时候,需要提供这种 merged patch。补丁冲突主要是由于2个或者多个补丁修改同一个文件,但是修改的内容是不同的。
3.bundle patch
补丁集,修复多个bug。在windows 平台的oracle 没有小补丁,只有这种补丁集,至少每季度发布一次,是累积性的,也就是说每个bundle patch 会包含之前所有的bundle patch。例如 windows bundle patch 16,它会包含之前所有的15个bundle patch,所以,建议总是安装最新的bunlde patch。oracle 的集群软件和数据库软件的Windows bundle patch是同一个,例如Windows bundle patch 16 即可以打在集群上,也可以打在数据库上,要了解windows bundle patch 的补丁号,可参考mos:Note 161549.1 Oracle Database, Networking and Grid Agent Patches for Microsoft Platforms
4.critical patch update(CPU)
Oracle公司还定期发布安全补丁,称之为CPU(Critical Patch Updates)
每季度发布一次,用来修复安全方面的一些补丁,是累积型的,目前已更名为security patch update(SPU)。可以通过下面的链接查看各个CPU所修复的具体问题:http://www.oracle.com/technetwork/topics/security/alerts-086861.html
5.patch set update (PSU)
每季度发布一次,修复比较严重的问题,包含每季度的CPU,是累积型的。虽然在描述PSU的时候会用到数据库版本的第五位,比如 Database PSU 11.2.0.3.5,但实际上打完PSU后,并不会真正的改变数据库的版本。从v$version中看到的版本还是11.2.0.3.0。
Windows上没有CPU和PSU。oracle数据库的集群和数据库软件使用不同的PSU。可以参考下面的mos文档了解每个季度的CPU,PSU,Windows bundle patch 的具体补丁号:Assistant: Download Reference for Oracle Database/GI PSU, SPU(CPU), Bundle Patches, Patchsets and Base Releases (文档 ID 2118136.2)
6.patch set
是在大版本上发布的补丁集,修复了较多的bug,可能会包含一些增强功能,比如 11.2是一个大版本,那么11.2.0.2就是一个patch set。这种补丁集经过了严格的集成测试,也是累积型的。所以我们总是推荐安装最新的patch set。
7.diagnostic patch
诊断补丁,有时候诊断一个问题的时候。为了获得更多的诊断信息,oracle的开发部门会提供一个diagnostic patch 这种补丁不是为了修复问题,而是诊断问题。
8.composite patch
从2012年4月份的database psu 11.2.0.3.2开始,推出一种新的概念叫composite patches,这是一种新型的补丁包。它不同于其他类型的补丁包,如果第一次安装composite patches 那么composite patches所包含的全部补丁都会被安装, 后续安装的composite patches,只会安装对比前一次composite patches 有变化的部分和新增加的补丁。
==============================================
You must use the OPatch utility version 11.2.0.3.5 or later to apply this patch.
Oracle recommends that you use the latest released OPatch version for 11.2, which is available for download from My Oracle Support patch 6880880 by selecting the 11.2.0.0.0 release.
==============================================
Patch 6880880
Description: OPatch patch of version 11.2.0.3.21 for Oracle software releases 11.2.0.x (APR 2019)
Product: Universal Installer
Select a Release: Oracle 11.2.0.0.0
Platform or Language: Linux x86-64
Last Updated: 17-APR-2019
Size: 107M (113112960 bytes)
==============================================
oracle database psu 、bundle patch 的命名规则一般是按照推出的先后顺序,比如在2015年10月 推出的11.2.0.4的第8个db psu 就命名为:db psu 11.2.0.4.8 ;
2016年1月份推出对PSU、SPU、Bundle Patch新的命名规则。 新的命名规则为(以11.2.0.4为例):11.2.0.4.YYMMDD ,YYMMDD为主要patch (PSU、SPU、Bundle)发布的具体日期年份后两位、两位的月份以及两位的日期。如:11.2.0.4.180116表示这11.2.0.4的PSU 是在18年1月16日推出的patch。通过补丁号可以很直观的看到数据库是否打了对应时间的补丁。
数据库/GI PSU,SPU(CPU),Bundle Patches 和 Patchsets 补丁号码快速参考 (文档 ID 1922396.1)
Assistant: Download Reference for Oracle Database/GI Update, Revision, PSU, SPU(CPU), Bundle Patches, Patchsets and Base Releases (文档 ID 2118136.2)
11.2.0.4 | ||||
Description | PSU | SPU(CPU) | GI PSU | Bundle Patch (Windows 32bit & 64bit) |
APR2019 (11.2.0.4.190416) | ||||
JAN2019 (11.2.0.4.190115) | ||||
OCT2018 (11.2.0.4.181016) | ||||
JUL2018 (11.2.0.4.180717) | ||||
APR2018 (11.2.0.4.180417) | ||||
JAN2018 (11.2.0.4.180116) | N/A | |||
OCT2017 (11.2.0.4.171017) | ||||
AUG2017 (11.2.0.4.170814) | N/A | |||
JUL2017 (11.2.0.4.170718) | ||||
APR2017 (11.2.0.4.170418) | ||||
JAN2017 | N/A | N/A | N/A | N/A |
OCT2016 (11.2.0.4.161018) | ||||
JUL2016 (11.2.0.4.160719) | 23530402 | |||
APR2016 (11.2.0.4.160419) | 22839608 | |||
JAN2016 (11.2.0.4.160119) | 22310544 | |||
OCT2015 | 21352635 (11.2.0.4.8) | 21523375 (11.2.0.4.8) | 21821802 (11.2.0.4.20) | |
JUL2015 | 20760982 (11.2.0.4.7) | 20996923 (11.2.0.4.7) | 21469106 (11.2.0.4.18) | |
APR2015 | 20299013 (11.2.0.4.6) | 20485808 (11.2.0.4.6) | 20544696 (11.2.0.4.15) | |
JAN2015 | 19769489 (11.2.0.4.5) | 19955028 (11.2.0.4.5) | 20127071 (11.2.0.4.12) | |
OCT2014 | 19121551 (11.2.0.4.4) | 19380115 (11.2.0.4.4) | 19651773 (11.2.0.4.10) | |
JUL2014 | 18522509 (11.2.0.4.3) | 18706472 (11.2.0.4.3) | 18842982 (11.2.0.4.7) | |
APR2014 | 18031668 (11.2.0.4.2) | 18139609 (11.2.0.4.2) | 18296644 (11.2.0.4.4) | |
JAN2014 | 17478514 (11.2.0.4.1) | N/A | 17987366 (11.2.0.4.1) | |
Patchsets | - |
12.1.0.2 (12.1.0.2.0 PATCH SET FOR ORACLE DATABASE SERVER) | 21419221 |
11.2.0.4 (11.2.0.4.0 PATCH SET FOR ORACLE DATABASE SERVER) | 13390677 |
11.2.0.3 (11.2.0.3.0 PATCH SET FOR ORACLE DATABASE SERVER) | 10404530 |
11.2.0.2 (11.2.0.2.0 PATCH SET FOR ORACLE DATABASE SERVER) | 10098816 |
==============================================
p29251270_112040_Linux-x86-64.zip 有
p29255947_112040_Linux-x86-64.zip 无
p29141056_112040_Linux-x86-64.zip 有,oracle rac
p27734982_112040_Linux-x86-64.zip 有
p24732075_112040_Linux-x86-64.zip 无,安装文档中看到的
CVE-2018-2575 Core RDBMS
Applicable only to Windows platform.
关于这个危急漏洞,只适用于windows平台,我们是在linux,就不用管这个了
==============================================
背景知识
需要support identifier
https://updates.oracle.com/Orion/PatchDetails/process_form?patch_num=13390677
https://updates.oracle.com/Orion/PatchDetails/process_form?patch_num=10404530
映射关系
CVE-2019-2444--------->Oracle Critical Patch Update January 2019
https://www.oracle.com/technetwork/topics/security/public-vuln-to-advisory-mapping-093627.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2575
Learn more at National Vulnerability Database (NVD)
CVE ID CVE-2018-2575
CNNVD CNNVD-201801-779
有资源
p29251270_112040_Linux-x86-64.zip
注意是64位的操作系统。请配合最新Opath补丁安装软件p6880880_112000_Linux-x86-64.zip(11.2.0.3.21)
p6880880_112000_Linux-x86-64.zip(11.2.0.3.21)
p6880880_112000_Linux-x86-64.zip(11.2.0.3.21) 最新Opath补丁安装软件,注意是64位的操作系统。
请配合最新补丁进行安装p29255947_112040_Linux-x86-64.zip、p29141056_112040_Linux-x86-64.zip
==================================================
具体实施
1、IP:192.168.1.220
2、操作系统:CentOS 6.10 x86_64
3、Oracle软件安装包:p13390677_112040_Linux-x86-64_1of7.zip、p13390677_112040_Linux-x86-64_2of7.zip
4、Oracle版本:11.2.0.4.0
5、OPatch软件安装包:p6880880_112000_Linux-x86-64.zip(大小为108M)
6、OPatch版本:11.2.0.3.20
7、Patch补丁包:p28729262_112040_Linux-x86-64.zip
8、Patch ID:Patch 28729262(Oracle Database Patch Set Update 11.2.0.4.190115)
这是初始版本
p13390677_112040_Linux-x86-64_1of7.zip
这是较新的补丁集
p6880880_112000_Linux-x86-64.zip
p28729262_112040_Linux-x86-64.zip
unzip -q p6880880_112000_Linux-x86-64.zip
unzip -q p28729262_112040_Linux-x86-64.zip
根据补丁包中的README.html帮助文档,Patch 28729262要求的OPatch最低版本为11.2.0.3.5
============================================================
具体实施命令
p6880880_112000_Linux-x86-64.zip
p27734982_112040_Linux-x86-64.zip
tar zcvf optach4.tar /u01/app/oracle/product/11.2.0.4/db_1/OPatch/
rm -rf /u01/app/oracle/product/11.2.0.4/db_1/OPatch/
unzip -d /u01/app/oracle/product/11.2.0.4/db_1/ /ceph/fileserver/soft/oracle/p6880880_112000_Linux-x86-64.zip
/u01/app/oracle/product/11.2.0.4/db_1/OPatch/opatch lsinventory
/u01/app/oracle/product/11.2.0.4/db_1/OPatch/opatch version
unzip /ceph/fileserver/soft/oracle/p27734982_112040_Linux-x86-64.zip
cd 27734982
lsnrctl stop
shutdown immediate
/u01/app/oracle/product/11.2.0.4/db_1/OPatch/opatch prereq CheckConflictAgainstOHWithDetail -ph ./
/u01/app/oracle/product/11.2.0.4/db_1/OPatch/opatch apply
/u01/app/oracle/product/11.2.0.4/db_1/OPatch/opatch lsinventory
/u01/app/oracle/product/11.2.0.4/db_1/OPatch/opatch lspatches
lsnrctl start
startup
select * from dba_registry;
select * from dba_registry_history;
SQL> @?/rdbms/admin/catbundle.sql psu apply
SQL> @?/rdbms/admin/utlrp.sql
select * from dba_registry_history;
This document describes how you can install Patch 20406239 - Oracle JavaVM Component 11.2.0.4.3 Database PSU on your Oracle Database 11g Release 2 (11.2.0.4.0).
Patch 27734982 - Oracle Database Patch Set Update 11.2.0.4.180717
===========================
/u01/app/oracle/product/11.2.0.4/db_1/OPatch/opatch apply
报了这个错
Applying sub-patch '27734982' to OH '/u01/app/oracle/product/11.2.0.4/db_1'
Patching component oracle.ctx, 11.2.0.4.0...
Patching component oracle.rdbms.rsf, 11.2.0.4.0...
Patching component oracle.ctx.rsf, 11.2.0.4.0...
Patching component oracle.rdbms, 11.2.0.4.0...
Patching component oracle.rdbms.rman, 11.2.0.4.0...
OPatch found the word "error" in the stderr of the make command.
Please look at this stderr. You can re-run this make command.
Stderr output:
chmod: changing permissions of `/u01/app/oracle/product/11.2.0.4/db_1/bin/extjobO': Operation not permitted
make: [iextjob] Error 1 (ignored)
Composite patch 27734982 successfully applied.
OPatch Session completed with warnings.
Log file location: /u01/app/oracle/product/11.2.0.4/db_1/cfgtoollogs/opatch/opatch2019-08-01_08-31-40AM_1.log
OPatch completed with warnings.
[oracle@cu-dbs-152 27734982]$
