5 Replies Latest reply on Oct 4, 2009 1:19 AM by jmichno

    Superseding Patches

    Apprentice

      Hi,

      I need some better understanding of how LANDesk supersedes patches and how to move the superseded patches to the "do not scan" folder.

      I am running the ldms_core utility to do this and I think there's an issue there. It seems to be moving patches that were only partially superseded.

      Let's take for example MS08-001:

      It's replaced by MS08-037 and its description is: "Vulnerabilities in TCP/IP Could Allow Remote Code Execution (941644)"

      Now, if you check MS08-037:

      It says that SOME KBs are replaced by MS09-008 and its description is: "Vulnerabilities in DNS Could Allow Spoofing (953230)"

      If you check MS09-008:

      It says that SOME KBs are replaced by MS09-039, with the description: "Vulnerabilities in DNS and WINS Server Could Allow Spoofing (962238)"

      If you check MS09-039:

      The description says: "Vulnerabilities in WINS Could Allow Remote Code Execution (969883)"

      Now, some questions:

      1. If MS08-037 replaces MS08-001, shouldn't the description and the vulnerability be the same? If one patch supersedes the other, it's patching the same vulnerability, so to me, it should list the same vulnerability as the original one it's fixing.

      2. We go from patching TCP/IP, to DNS, to DNS and WINS, and then to WINS ------------- HUH??

      3. How do I manage my patches? I guess I now have to scan for all 3 patches?? Then you install one over the other over the other?

      Thanks,

      Scott.....

        • 1. Re: Superseding Patches
          Jared Barneck SupportEmployee

          svillardi wrote:

          Now, some questions:

          1. If MS08-037 replaces MS08-001, shouldn't the description and the vulnerability be the same? If one patch supersedes the other, it's patching the same vulnerability, so to me, it should list the same vulnerability as the original one it's fixing.

          2. We go from patching TCP/IP, to DNS, to DNS and WINS, and then to WINS ------------- HUH??

          3. How do I manage my patches? I guess I now have to scan for all 3 patches?? Then you install one over the other over the other?

          Thanks,

          Scott.....

          1. There can be more than one bug in a file. I can fix one bug and release a patch with one description. Then fix the other bug and release a patch with a different description, but because it replaces the same file, it includes previous patches.

          2. So if the patches are for different bugs in the same files, these different descriptions can be very likely. TCP/IP, DNS and WINS are all very related to the TCP/IP stack and network files and could easily be the same files.

          3. Get a box that is vulnerable to all three. Apply the latest patch. It should resolve all three vulnerabilities if it supersedes. Test it and see if it really does.

          • 2. Re: Superseding Patches
            Apprentice

            Rhyous,

            Thanks for the reply, sorry for getting back so late.

            We turned ldms_core off for now, as it was moving patches that WEREN'T fully superseded.

            Are there any solutions to managing FULLY superseded patches?

            Outside of the extra time it takes to scan for more patches, what are the repercussions of not moving ANY patches into the "do not scan" folder?

            Thanks,

            Scott.....

            • 3. Re: Superseding Patches
              Jared Barneck SupportEmployee

              Outside of the extra time it takes to scan for more patches, what are the repercussions of not moving ANY patches into the "do not scan" folder?

              1. Yes, it takes more time to scan: a resource hit on the client.

              2. New clients have to download more definition files.

              3. The client has to send more data to the Core Server after the scan completes.

              4. The Core Database has to store information on which workstation is and which is not vulnerable for each vulnerability, so you can get some extra large table sizes.

              LDMS_CORE is unfortunately no longer being maintained by the owner, or I would say to submit the bug to him, but I guess he released it open source, so the community of users will have to maintain it if they want to keep it going.

              So you can go to the source at http://code.google.com/p/ldmscore/ and, if you know Perl or have an employee who does know Perl, you or your Perl developer can view the source, debug it, find the bug and fix it if you desire.

              • 4. Re: Superseding Patches
                mrspike SSMMVPGroup

                The way I handle this is to type "All" in the find box and choose "Replaced" in the column box; this will show only the ones marked Replaced: All.

                I now move these to the Do Not Scan folder. Takes 5 seconds.

                BUT.....

                Do NOT drag "IE501-SP3": even though it says "all", it has dependencies tied to it.

                My TAM is working with the engineers to get this and a few other dependency issues resolved.

                • 5. Re: Superseding Patches
                  Apprentice

                  Are there any designs by LANDesk to incorporate any or all of the LDMS_core functionality into LDMS? It seems that a lot of users liked the functionality of LDMS_core, or at minimum recognized the need for the extra management it offered.

                  I have always wondered why the functionality that was offered by LDMS_core was never actually built into LDMS directly.

                  Maybe an ER is needed?

                  At the very minimum, it would be nice to see the process manager that is built into Patch perform that task. It should find all patches that have been replaced and that do not have dependencies, and automatically move them into "do not scan".
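The rule the last two posts describe (move only definitions whose Replaced column says All and that nothing else depends on), applied to the partial-supersedence chain from the original post, as an added Python example that is not part of this thread, of LDMS or of ldms_core; the KB labels and the IE dependency are constructed placeholders:

```python
"""Pick patch definitions that are safe to move to "do not scan".

Constructed model of the thread's problem: a bulletin is replaced per KB, so it
may be fully, partially or not at all superseded, and a definition that others
depend on must stay even when fully replaced. Example code, not LDMS/ldms_core.
"""
from dataclasses import dataclass, field


@dataclass
class Patch:
    name: str
    kbs: frozenset                                # KBs the definition covers
    replaced: dict = field(default_factory=dict)  # KB -> newer bulletin
    requires: tuple = ()                          # definitions this one needs


# Constructed sample: the KB labels and the IE dependency are placeholders,
# not the real contents of these bulletins.
SAMPLE = [
    Patch("MS08-001", frozenset({"KB-A"}), {"KB-A": "MS08-037"}),
    Patch("MS08-037", frozenset({"KB-B", "KB-C"}), {"KB-B": "MS09-008"}),
    Patch("MS09-008", frozenset({"KB-D", "KB-E"}), {"KB-D": "MS09-039"}),
    Patch("MS09-039", frozenset({"KB-F"})),
    Patch("IE501-SP3", frozenset({"KB-G"}), {"KB-G": "IE6-SP1"}),
    Patch("IE6-SP1", frozenset({"KB-H"}), requires=("IE501-SP3",)),
]


def replacement_status(p: Patch) -> str:
    """'All' if every KB has a newer bulletin, 'Some' if only part, else 'None'."""
    covered = set(p.replaced) & p.kbs
    if not covered:
        return "None"
    return "All" if covered == p.kbs else "Some"


def dependents(patches):
    """Map each definition name to the definitions that require it."""
    out = {p.name: set() for p in patches}
    for p in patches:
        for dep in p.requires:
            out.setdefault(dep, set()).add(p.name)
    return out


def safe_to_move(patches):
    """Fully replaced and nothing depends on it (the rule mrspike applies by hand)."""
    deps = dependents(patches)
    return sorted(p.name for p in patches
                  if replacement_status(p) == "All" and not deps[p.name])
```

On the sample data only MS08-001 qualifies: MS08-037 and MS09-008 are only partially replaced (the behaviour the original poster saw ldms_core get wrong), and IE501-SP3 is fully replaced but kept because IE6-SP1 depends on it.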