Regarding the recently-released Critical Patch Update (CPU), you may be interested in the comments on Gerry Haskins' blog:
http://blogs.sun.com/patch/entry/solaris_critical_patch_updates_cpus#comments

I found the relationship between the critical CVEs and Solaris patch revisions to be obscure. I asked whether there's a straightforward way to map between them, and was informed that this opaqueness is intentional. It seems that the prescribed way to apply the CPU fixes is simply to use the Recommended bundle. Okay, that's fine unless you are already committed to a different patch process. =-)

Later in the thread, Oracle confirmed that applying all R and S flagged patches after the CPU release date will catch all of the fixes which involve the CPU. That's pretty good - it would be even better if Oracle publicized this equivalency.

Beyond that, I would still like to know which CR contains the fix for each critical CVE. A few of the fixes I can discover through Patchfinder, some are a good guess, and others remain a mystery to me. Ideally the CVE numbers would go into the CR descriptions, and the patch revisions would appear in the CPU availability announcement.

Q: How do I prove that I applied fixes for all vulnerabilities mentioned in the CPU? Is it reasonable to expect transparent documentation? Or should I settle for (and attempt to defend) "applying all R and S will cover it"? That works at cross-purposes with the sort of change analysis and security auditing that many sites require.

Thank you for your thoughts...

-cheers, CSB