Re: [pca] patch flood

2013-02-08 Thread Gael Martinez 
Don

Too many of the previous GA kernels were alas defective and it is not inspiring 
to use the initial release to be honest... Does that patch include a lot of new 
features ? Or is it just a big maintenance patch ?

Regards

Gael

On Feb 8, 2013, at 4:09, "Don O'Malley"  wrote:

> Hi Martin/All,
> 
> Yes, the imminent release of s10u11 is what's triggering the release of these 
> patches!
> 
> The key patches are the s10u11 KU patches - 147147-26 on SPARC and 147148-26 
> on x86.
> Please take the time to read the Special Install Instructions for these 
> patches prior to applying them to your systems to avoid any surprises.
> 
> If anyone finds any issues with any of the new patches, please do post to 
> this alias (in addition to filing a Service Request of course!) and I will 
> follow up.
> 
> I'll send on details of the s10u11 announcements to the PCA alias too in due 
> course.
> 
> Best,
> -Don
> 
> 
> On 02/ 8/13 09:54 AM, Martin Paul wrote:
>> 
>> Judging from today's patch flood, it's pretty sure that Solaris 10U11 is 
>> right around the corner :)   
>> 
>> As usual, I installed all the new patches with PCA on both sparc and x86 - 
>> works fine. Users of PCA's "--safe" option might want to get the current 
>> development release, where I added some whitelist entries. 
>> 
>> Martin.
> 
> -- 
>  
> Don O'Malley
> Manager, Software Maintenance Engineering
> Revenue Product Engineering | Solaris | Hardware 
> East Point Business Park, Dublin 3, Ireland

Re: [pca] patch flood

2013-02-08 Thread Gael Martinez 
On Fri, Feb 8, 2013 at 3:54 AM, Martin Paul wrote:

> Judging from today's patch flood, it's pretty sure that Solaris 10U11 is
> right around the corner :)
>
> As usual, I installed all the new patches with PCA on both sparc and x86 -
> works fine. Users of PCA's "--safe" option might want to get the current
> development release, where I added some whitelist entries.
>
> Martin.
>
>
As a fyi :) 1/13 is out.

http://docs.oracle.com/cd/E26505_01/html/E27003/index.html


-- 
Gaël Martinez

[pca] wesunsolve.net closed

2012-09-19 Thread Gael Martinez 
Just saw that...

Ouch... Well Thomas, sorry to see that, your site helped quite a bit while
it lasted...

Thanks for all your time and dedication trying to help the community...
Regards
-- 
Gaël Martinez

Re: [pca] Missing list in Solaris 11

2012-08-22 Thread Gael Martinez 
Hope you enjoy the world of Solaris :) Been immerged in it for 20 years
here and not regretting one bit yet :)

On Wed, Aug 22, 2012 at 9:59 AM, David Warren wrote:

> Thanks! I’m still new to the world of Solaris, but a coworker turned me on
> to pca. He wasn’t sure it would work, and I guess now we know. Thanks for
> the tip.
>
> ** **
>
> *From:* pca-boun...@lists.univie.ac.at [mailto:
> pca-boun...@lists.univie.ac.at] *On Behalf Of *Fred
> *Sent:* Tuesday, August 21, 2012 7:39 PM
> *To:* PCA (Patch Check Advanced) Discussion
> *Subject:* Re: [pca] Missing list in Solaris 11
>
> ** **
>
> Gael is right. Solaris 11 uses IPS repositories for patching. As much as
> we love pca -- this is still a very good thing. :)
>
> 'pkg update' is your new friend. 
>
> On Tue, Aug 21, 2012 at 6:23 PM, Gael.martinez 
> wrote:
>
> David,
>
> ** **
>
> Solaris 11 does not use patches but packages updates... Pca will not help
> you... 
>
> ** **
>
> Regards
>
> ** **
>
> Gael
>
> Sent from ze G(ael)Phone
>
>
> On Aug 21, 2012, at 16:37, David Warren  wrote:***
> *
>
> First time using PCA, I get this message:
>
>  
>
> root@:/tmp# ./pca
>
> Downloading xref file to /var/tmp/patchdiag.xref
>
> Trying Oracle
>
> Trying https://getupdates.oracle.com/ (1/1)
>
> Using /var/tmp/patchdiag.xref from Aug/20/12
>
> Host: eight (SunOS 5.11/11.0/sparc/sun4v)
>
> List: missing (0/0)
>
>  
>
> I’m not sure where to go from here.
>
>
>
>
> --
> Fred Chagnon
> fchag...@gmail.com
>



-- 
Gaël Martinez

Re: [pca] WeSunSolve : New feature: Security / Patch Report for your servers

2012-04-27 Thread Gael Martinez 
Thomas,

security by obscurantism is alas prefered by large corporations
security teams... such usually rely on network scanners to figure out
exploitable issues and yea... the output is usually kept secret even
within the enterprise...

The other topic could be corporations like mine with thousands of
servers, a lot of variances, dmz, firewalls, etc..., what is your
scalability ? :)


On Fri, Apr 27, 2012 at 8:41 AM, Thomas Gouverneur  wrote:
> The code itself is not opensource, but even if it was, it would not
> help you that much... the code without the database behind is not very
> useful ;)
>
> What would you need to bypass your "security breach"? an automatic NDA
> agreement which wesunsolve would take? something else?
>
> You can also upload patch information without specifying the real
> hostname of the server and without giving information about your
> company...
>
> Information retention looks like security by obscurantism... anyway.
>
> Regards,
>
> Thomas
>
>
> On Fri, 27 Apr 2012 08:46:45 -0400
> Rajiv Gunja  wrote:
>
>> Is this code open source? Will it be possible to share it with
>> community? For some of us giving out server information is also
>> considered security breach. Please let me know. Thanks.
>> -GGR
>> On Apr 27, 2012 3:20 AM, "Thomas Gouverneur"  wrote:
>>
>> > Hello dear patcher!
>> >
>> > Martin suggested me to announce this here also: WeSunSolve website
>> > has integrated PCA to make some patches and security (CVE) report
>> > for your servers!
>> >
>> > Moreover, you can setup mail report to be sent to you periodically.
>> > Last but not least, you can define a "Patchdiag Delay" for theses
>> > reports: Define a delay (one day, one week, one month, six
>> > months...) and patchdiag.xref selection for your report will be
>> > made accordingly.
>> >
>> > To have more details on that, I recommend you to read the today's
>> > WeSunSolve site news: http://ws2.be/19xtf3fh and also the Wiki:
>> > http://ws2.be/19xtf38k
>> >
>> > If you give a try, don't hesitate to give feedback or to make
>> > suggestion on what's eventually missing in theses reports...
>> >
>> > Thanks for your attention ;)
>> > Best Regards,
>> >
>> > --
>> > Thomas Gouverneur
>> > T: +32 498 23 00 40
>> > W: http://espix.net
>> > M: 
>> >
>> >
>
>
> --
> Thomas Gouverneur
>  _           _
> | |___ _ __ (_)_  __
> |  _| / __| '_ \| \ \/ /
> | |___\__ \ |_) | |>  <
> |_|___/ .__/|_/_/\_\
>  Network  |_|       SPRL
>   TVA: BE683601811
>
> T: +32 498 23 00 40
> W: http://espix.net
> M: 
>



-- 
Gaël Martinez

Re: [pca] anyone seen patch 145957-09 ? SunOS 5.10: fcp and fcip Patch

2012-02-15 Thread Gael Martinez 
vsmd8008:/root #pca -d 145957
Using /var/tmp/patchdiag.xref from Feb/14/12
Host: vsmd8008 (SunOS 5.10/Generic_142900-03/sparc/sun4u)
List: 145957 (1/5)

Patch  IR   CR RSB Age Synopsis
-- -- - -- --- --- ---
145957 -- < 09 R--   5 SunOS 5.10: fcp and fcip Patch

Looking for 145957-09 (1/1)
Trying http://10.115.176.59/cgi-bin/pca-proxy.cgi
Done
--
Download Summary: 1 total, 1 successful, 0 skipped, 0 failed
vsmd8008:/root #ls -l 145957-09.zip
-rw-r--r--   1 root root 1051672 Feb 10 21:51 145957-09.zip

On Wed, Feb 15, 2012 at 2:02 PM, Dennis Clarke  wrote:
>
> For some obscure black magic reason the 145957-08 patch rev was fine
> for me to fetch with pca but this -09 is special and I am not allowed
> to get it.
>
>
>      145957-09  SunOS 5.10: fcp and fcip Patch
>
> Is this a screw up or am I screwed ?  Pick one :
>
>             [  ]  screw up
>
>             [  ]  you're screwed
>
> I would love to see the logic behind this .. if any .
>
> dc
>
>
>
>
> --
> --
> http://pgp.mit.edu:11371/pks/lookup?op=vindex&search=0x1D936C72FA35B44B
> +-+---+
> | Dennis Clarke           | Solaris and Linux and Open Source |
> | dcla...@blastwave.org   | Respect for open standards.       |
> +-+---+
>
>



-- 
Gaël Martinez

[pca] confirming the validiting of a home grown patch_order file

2012-01-24 Thread Gael Martinez 
Hello All

What would be the fastest/cleanest way with pca to confirm/correct the
right patching order for all patches placed in a flat file ?

Regards
-- 
Gaël Martinez

Re: [pca] can patch 147440-09 be trusted ?

2012-01-09 Thread Gael Martinez 
Weren't security related patches always "secret" ?

But to be honnest, the 147440- serie of patches has been a real
plague... We have been sticking to -02 as it was in the CPU and at
least, I hope was more seriously tested than the others... Getting the
daily reports on OS alerts is very stressing too, hoping to never see
147440-02 listed as broken and withdrawn like a few others in that
serie...

Regards

Gael

On Mon, Jan 9, 2012 at 7:38 AM, Dennis Clarke  wrote:
>
>> Dennis Clarke wrote:
>>> I guess really the question is, can MOS and Oracle be trusted to provide a
>>> kernel patch that won't make things far worse?
>>
>> I can't answer that, but I agree in that the bug descriptions
>> have become pretty useless recently (since Oracle took over?).
>> Like revision 04 of 145080 ("SunOS 5.10: Firefox 3 patch") which
>> reads:
>>
>>    Problem Description:
>>    7030533 problem with Firefox browser
>>
>> Never would've guessed that the patch for firefox would fix a
>> problem with firefox.
>>
>> Martin.
>
> Well I am fine with "problem with NFS - see bugid 6549871" if
> and only if the bugid offers some clear information. What we
> have now is a production OS where the patch updates to something
> minor, like the kernel, are a total mystery. I don't like "magic"
> patches and mystery bugids.
>
> It seems clear to me that no one is at the helm of the software
> maintenance ship and certainly there is no quality control anymore
> in the Solaris OS department.
>
> In truth I have no idea what bugids were addressed in the recent
> kernel patch and some of the bugids I do see are from bug reports
> filed back in 2004 and 2005.
>
> https://supporthtml.oracle.com/ep/faces/secure/km/BugDisplay.jspx?id=6216670
>
> On the other hand some bugids are perfect and even have source code :
>
> https://supporthtml.oracle.com/ep/faces/secure/km/BugDisplay.jspx?id=4491376
>
> https://supporthtml.oracle.com/ep/faces/secure/km/BugDisplay.jspx?id=7030516
>
> Anyway, I am just really frustrated with the way Oracle has handled
> a world class OS. Seriously, do they do this with Oracle Database too?
>
>
> Dennis
>
>
>
> --
> --
> http://pgp.mit.edu:11371/pks/lookup?op=vindex&search=0x1D936C72FA35B44B
> +-+---+
> | Dennis Clarke           | Solaris and Linux and Open Source |
> | dcla...@blastwave.org   | Respect for open standards.       |
> +-+---+
>
>



-- 
Gaël Martinez

Re: [pca] 143128-05 - Readme not up to date ?

2011-12-07 Thread Gael Martinez 
On Wed, Dec 7, 2011 at 2:16 AM, Martin Paul  wrote:
> Gael Martinez wrote:
>>
>> Is that expected ? I have grown used to trust pca, but apparently the
>> data it uses may not be completly up to date ? Should I worry ? or is
>> it just a rare occurence ?
>
>
> Most probably you have local copy of the README or the patch zip file
> around, which PCA finds and uses. In an attempt to reduce the accesses to
> Oracle's patch server (to speed things up), pca and pca-proxy.cgi will
> deliver local copies if available.
>
> You can force pca to ignore local copies by using "--force". Using that, you
> will get the up-to-date copy.
>
> Martin.
>

I will try with --force, I did delete the README and zip local files
before trying... but maybe I missed a copy somewhere (using the proxy
mode)

Regards

-- 
Gaël Martinez

[pca] 143128-05 - Readme not up to date ?

2011-12-06 Thread Gael Martinez 
We were looking at a bug today here at work and I was using pca -r as
usual to check the README on that patch...

I could not find a reference to the patch being OBSOLETED, and with
147701-01 patching the same file, it was an interesting concept...

When checking the README online via
https://updates.oracle.com/Orion/Services/download?type=readme&bugfix_name=143128-05
the OBSOLETED mention was there...

Is that expected ? I have grown used to trust pca, but apparently the
data it uses may not be completly up to date ? Should I worry ? or is
it just a rare occurence ?

Regards
-- 
Gaël Martinez

Re: [pca] Oracle removed support from patchdiag.xref for --minimal option in pca?

2011-06-08 Thread Gael Martinez 
On Wed, Jun 8, 2011 at 8:46 AM, Jeff  wrote:

>   What would be even better is if the CPU contained a copy of
> patchdiag.xref that can be used by PCA users to replicate the CPU.
>

Why don't you use the patch_order file included in the CPU ? pca does accept
a list of patch in a  file ...

-- 
Gaël Martinez

Re: [pca] Sun contracts

2011-02-02 Thread Gael Martinez 
try to download mysql :) reps will be calling/mailing you very quickly :)

Regards

On Wed, Feb 2, 2011 at 8:14 PM, Jones, Eric CIV SRF 1236 <
eric.jo...@srf.navy.mil> wrote:

> Thanks, there used to be a link where you could purchase from the website
> but now I guess you need a rep.
>
>
>  Eric R. Jones
> SRF JRMC
> C1236
> DSN 315-243-4196
>
> STICK \'stik\ n. 1: A boomerang that doesn't work.
> -Original Message-
> From: pca-boun...@lists.univie.ac.at [mailto:
> pca-boun...@lists.univie.ac.at]
> On Behalf Of Nishimura, Scott L (IT Solutions)
> Sent: Thursday, February 03, 2011 11:03 AM
> To: PCA (Patch Check Advanced) Discussion
>  Subject: Re: [pca] Sun contracts
>
> Eric,
>
>  I forwarded your email to my Oracle account rep; hopefully he has a simple
> solution.
>
>
> Scott
>
> -Original Message-
> From: pca-boun...@lists.univie.ac.at [mailto:
> pca-boun...@lists.univie.ac.at]
> On Behalf Of Jones, Eric CIV SRF 1236
> Sent: Wednesday, February 02, 2011 5:44 PM
> To: PCA (Patch Check Advanced) Discussion
> Subject: EXTERNAL:[pca] Sun contracts
>
> Hello, about 4 or 5 weeks ago I asked if anyone know how to get a Sun
> contract so servers could be updated.
> I finally found the oracle government rep who said she had to generate a
> quote for us.
> That was about 4 weeks ago on the phone and I haven't heard anything yet
> and
> this person hasn't replied to my email on.
> Barring the snow storms I'm guessing folks back east are going to work.
> Does anyone know of a Oracle/Sun rep who would like to make some money
> selling a Sun software contract for 9 servers?
> Apparently no one at Oracle is hungry for sales.
> Nothing on the site to click and purchase unless you have Oracle/Sun on non
> Oracle hardware.
>
> Eric R. Jones
> SRF JRMC
> C1236
> DSN 315-243-4196
>
> STICK \'stik\ n. 1: A boomerang that doesn't work.
>
>


-- 
Gaël Martinez

Re: [pca] liveupgrade x86 and GRUB problem

2010-12-29 Thread Gael Martinez 
On Wed, Dec 29, 2010 at 6:30 PM, Roland Soderstrom <
rola...@logicaltech.com.au> wrote:

> Hi,
>
> I used liveupgrade for the first time today and run into a problem.
> This is a Solaris 10 U7 x86 host.
>
> I used the PCA instructions after creating the ABE
>
> Live Upgrade
>
> PCA can be used in combination with Live Upgrade to analyze or install
> patches in an inactive boot environment. Use *lumount* to mount the BE and
> PCA's *--root=DIR* option to set the alternative root directory:
>
>   lumount BE_name
>   pca --root=/.alt.BE_name --install
>   luumount BE_name
>
> When you're done patching, activate the new BE and reboot with *init 6*.
>
> In the instructions for LiveUpgrade in MOS I need to select the new BE in
> the GRUB menu upon boot.
> I DON'T have a console to this x86 host, so I can't choose the new BE in
> the GRUB menu as described in MOS.
> Searched for an answer how to do this but can't find any, the docs says I
> shouldn't manually edit menu.lst.
> And looking in the lumounted filesystem the new BE is not in there anyway
> (after doing luactivate)
>
> How do I solve this? (without going to the computer room 20km away and hook
> up a console to the server)
>
> - Roland
>


Have you looked at /boot/grub/menu.lst  ?


-- 
Gaël Martinez

Re: [pca] pca 20101216-02 reports ERROR 403: Service Error.

2010-12-17 Thread Gael Martinez 
Mike,

Can you access that document without a valid entitlement  ?  Just dumping
the Doc ID into Google didn't show any hit. (or via www.oracle.com search
feature using ALL site filter while connected with a valid user)

Regards

On Fri, Dec 17, 2010 at 2:19 PM, Mike Brown wrote:

> The following knowledge article is available with this information - How
> Patches and Updates Entitlement Works (Doc ID 1269292.1)
>
> Mike
>
> Martin Paul said the following on 12/17/2010 7:01 AM:
>
> Stuart F. Biggar wrote:
>
> At about 7 AM MST (1400 GMT) OS downloads work for me but the new
> Studio patch fails:
>
> 145357 01 < 02 ---   1 Oracle Solaris Studio 12.2_x86: Patch for Compiler
> Common
>
> I expect that is because I don't have a compiler support agreement yet
> even though I do have OS/machine contracts for both SPARC and x86.
>
>
> Same here, and I think that the explanation is correct. Which reminds me of
> a yet unanswered question:
>
> Does anybody have an idea or found a way to find out (a) which entitlements
> are required to download a certain patch and (b) which entitlements are
> connected to a certain "Support Identifier" or MOS account?
>
> Martin.
>
>
> --
> [image: Oracle] 
> Michael Brown | Principal Product Strategy Manager
> Phone/Fax: +1.858.526.9136  | Mobile: 
> +1.858.248.7473
> Oracle - Proactive Support Center, Knowledge Management
> 9515 Towne Centre Dr | San Diego, California 92121, USA
> [image: Green Oracle]  Oracle is
> committed to developing practices and products that help protect the
> environment
>



-- 
Gaël Martinez

[pca] Jar format bye bye - what's up with patch patch_order and jumpstart ?

2010-12-14 Thread Gael Martinez 
Hello

Quick question to the PCA list, with the jar format being discontinued, who
else is stuck with the profile entry not working ?

patch patch_order http://10.115.176.59/Images/10/1009/RC1/Patches/sparctimeout 5

10.113.249.152249.152 - - [14/Dec/2010:15:56:23 -0600] "HEAD
/Images/10/0910/RC0/Patches/sparc/patch_order HTTP/1.1" 200 - "-" "-"
10.113.249.152249.152 - - [14/Dec/2010:15:56:23 -0600] "GET
/Images/10/0910/RC0/Patches/sparc/patch_order HTTP/1.1" 200 10 "-" "-"
10.113.249.152249.152 - - [14/Dec/2010:15:56:23 -0600] "HEAD
/Images/10/0910/RC0/Patches/sparc/144488-05.jar HTTP/1.1" 404 - "-" "-"



Before opening a slow case, I was wondering if somebody knew how to continue
using that jumpstart feature  ?

Regards
-- 
Gaël Martinez

Re: [pca] getupdates.oracle.com now available for testing!

2010-11-21 Thread Gael 
On Sun, Nov 21, 2010 at 10:18 AM, Dennis Clarke wrote:

>
> Is sunsolve now officially dead ?
>
> Looking for 119255-77 (1/1)
> Trying SunSolve
> Trying https://sunsolve.sun.com/ (1/1)
>
> No response there anymore so I have to assume that there is an "official"
> replacement.
>
> What would that be at this time ? Anyone know ?
>
> --
> Dennis Clarke
> dcla...@opensolaris.ca  <- Email related to the open source Solaris
> dcla...@blastwave.org   <- Email related to open source for Solaris
>
>
>
>

I was able to download the signed version via the sun provided wget script,
but not via pca.

Downloading signed patch 119255-77.
--2010-11-21 10:26:22--
http://sunsolve.sun.com/pdownload.pl?target=119255-77&method=hs
Resolving sunsolve.sun.com... 192.18.108.40
Connecting to sunsolve.sun.com|192.18.108.40|:80... connected.
HTTP request sent, awaiting response... 302 Moved Temporarily
Location: 
http://sunsolve.sun.com/pdownload.do?target=119255-77&method=hs[following]
--2010-11-21 10:26:22--
http://sunsolve.sun.com/pdownload.do?target=119255-77&method=hs
Reusing existing connection to sunsolve.sun.com:80.
HTTP request sent, awaiting response... 302 Moved Temporarily
Location: https://getupdates2.sun.com/all_signed/119255-77.jar [following]
--2010-11-21 10:26:32--
https://getupdates2.sun.com/all_signed/119255-77.jar
Resolving getupdates2.sun.com... 192.18.110.15
Connecting to getupdates2.sun.com|192.18.110.15|:443... connected.
WARNING: cannot verify getupdates2.sun.com's certificate, issued by `/O=Sun
Microsystems Inc/OU=VeriSign Trust Netwo
rk/OU=Class 3 MPKI Secure Server CA/CN=Sun Microsystems Inc SSL CA':
  Self-signed certificate encountered.
HTTP request sent, awaiting response... 302 Moved Temporarily
Location:
https://a248.e.akamai.net/f/248/21808/15m/sun.download.akamai.com/21808/patches/patchroot/all_signed/11925
5-77.jar?AuthParam=&GroupName=SWUP&FilePath=/21
808/patches/patchroot/all_signed/119255-77.jar&File=119255-77.jar
[following]
--2010-11-21 10:26:39--
https://a248.e.akamai.net/f/248/21808/15m/sun.download.akamai.com/21808/patches/patchroot/a
ll_signed/119255-77.jar?&GroupName=SW
UP&FilePath=/21808/patches/patchroot/all_signed/119255-77.jar&File=119255-77.jar
Resolving a248.e.akamai.net... 63.84.95.8, 63.84.95.80
Connecting to a248.e.akamai.net|63.84.95.8|:443... connected.
WARNING: cannot verify a248.e.akamai.net's certificate, issued by
`/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutio
ns, Inc./CN=GTE CyberTrust Global Root':
  Unable to locally verify the issuer's authority.
HTTP request sent, awaiting response... 200 OK
Length: 1372402 (1.3M) [text/plain]
Saving to: `/Jumpstart/Images/10/0910/Patches/sparc/119255-77.jar'


Regards

-- 
Gael Martinez