Re: Rate of Critical/Security Patches

From: Bryan Brock (bbrock_at_gmail.com)
Date: 12/28/04

    Date: 27 Dec 2004 17:01:49 -0800

    > Can anyone here point me to a site for reliable unbiased
    > patching rate for SuSE Enterprise Linux, HP-UX, AIX and
    > Windows Server?

    Sounds like you're concerned with patches/time or critical patches/time
    that would need to be done by someone on site.

    I don't know of any site that has information on that, but if patching
    rate = the number of patches released by a vendor over time, then it
    should be possible to calculate it based on the dates of the last few
    patch bundles for a target OS and the number of patches in each patch
    bundle.

    If you are looking for number of critical patches/month, you could do
    something like this:

    1. Download all the latest patch bundles for an OS.

    2. Use a patch utility to count the patches and extract their dates.
    If that's not possible, you could go to the vendor's patch site, count
    the patches there, and try to find an associated date for each patch or
    bundle on the site.

    SLES patch dates:
    rpm -q -a -P --info | grep "Build Date:"

    HP-UX patch dates:
    swlist -d -a readme -l patch @ /usr/local/adm/GOLDQPK11i_B.11.11.0406.5.depot | grep 'Creation'

    AIX patch dates:
    Couldn't find patch dates using either lslpp or instfix. May have to
    use brute force on this one and just grab the date for patch bundles
    off of IBM's AIX patch site if it's available.
    http://www.ibm.com/eserver/support/fixes/

    Windows patch dates:
    Similar story here. Not sure how to get the patch dates. May only be
    able to get the dates of the last few Service Packs and try to find a
    count of critical hotfixes included in each.

    3. Then you could calculate the patch rate (patches/time) by dividing
    the # patches or patch bundles by days, weeks, or months.

    This was the only thing I could come up with. I know it's pretty
    sketchy...

    Interesting question though. Hope someone has some more useful info on
    this for you. Now I'm curious about it too.
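
Steps 2 and 3 above as an added example (not part of the original post): it buckets "Build Date:" lines, such as the SLES command prints, by calendar month and divides the patch count by the months spanned, counting months with no patches. The sample lines and the "Dow DD Mon YYYY" date layout are constructed assumptions; rpm's date format varies by version and locale.

```python
import re

# Constructed sample of `rpm -q -a -P --info | grep "Build Date:"` output.
# Assumed layout: "Build Date: <Dow> <DD> <Mon> <YYYY> <time> <tz>".
SAMPLE = """\
Release     : 1        Build Date: Tue 05 Oct 2004 11:02:10 AM CEST
Release     : 3        Build Date: Thu 14 Oct 2004 09:41:55 AM CEST
Release     : 1        Build Date: Mon 18 Oct 2004 04:17:02 PM CEST
Release     : 2        Build Date: Wed 01 Dec 2004 10:30:44 AM CET
Release     : 1        Build Date: Fri 17 Dec 2004 02:05:19 PM CET
Release     : 1        Build Date: (unparsable line, skipped)
"""

MONTHS = {name: num for num, name in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}
DATE_RE = re.compile(
    r"Build Date:\s+\w{3}\s+(\d{1,2})\s+([A-Z][a-z]{2})\s+(\d{4})")

def parse_build_months(text):
    """Return one (year, month) tuple per parsable Build Date line."""
    months = []
    for line in text.splitlines():
        m = DATE_RE.search(line)
        if m and m.group(2) in MONTHS:
            months.append((int(m.group(3)), MONTHS[m.group(2)]))
    return months

def patches_per_month(months):
    """Count patches per calendar month, keeping empty months in the span."""
    if not months:
        return {}
    (year, month), last = min(months), max(months)
    counts = {}
    while (year, month) <= last:
        counts[(year, month)] = 0
        year, month = (year + 1, 1) if month == 12 else (year, month + 1)
    for key in months:
        counts[key] += 1
    return counts

def monthly_rate(months):
    """Patches per month over the whole span (step 3 of the post)."""
    counts = patches_per_month(months)
    return sum(counts.values()) / len(counts) if counts else 0.0

if __name__ == "__main__":
    found = parse_build_months(SAMPLE)
    for (year, month), n in sorted(patches_per_month(found).items()):
        print(f"{year}-{month:02d}: {n}")
    print(f"rate: {monthly_rate(found):.2f} patches/month")
```

Dividing by the inclusive month span, rather than only by months that had a release, keeps quiet months from inflating the rate.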

