Oracle CPU patch January 2006 installation instructions
This Wiki page has the scope of documenting the installation steps for the Oracle security patch
CPUJAN2006 for the database servers at PSS.
Database Oracle Homes needs to be patched (all versions) as documented in
Metalink's Note 343382.1
. A third-party link with a description of the vulnerabilities:
http://www.red-database-security.com/advisory/oracle_cpu_jan_2006.html
The following Oracle home types are not affected by this CPU patched:
- Oracle CRS
- Oracle Agent
- Oracle Client (there are 3 vulnerabilities for Oracle clients, but not relevant for our environment)
Note: Since Jan 20th the patchinstallation guide reports that CPU Jan06 patch is rolling installable for 10.1.0.4 and 10.2.0.1. The instructions here below refer to the previous indication were the patch was marked as non-rolling installable. Minor changes are needed for the rolling installation procedure.
Additional configurations steps are documented below. These steps require instance shutdown and therefore have been 'queued in' this maintenance window for CPUJAN06.
Patching schedule and DB List: ScheduleCPUJan2006
RAC 10gR1 (10.1.0.4)
Note: These are pre-install steps that should be done just before the maintenance window starts
Additional configuration steps
- Configure the dump directories to use the correct filesystem (/ORA/dbs00) when not already so. (Check the DB and the ASM instances).
Sample code:
mkdir /ORA/dbs00/oracle/admin/DBNAMEHERE/bdump
alter system set background_dump_dest='/ORA/dbs00/oracle/admin/DBNAMEHERE/bdump' scope=spfile;
mv /ORA/dbs01/oracle/admin/DBNAMEHERE/bdump /ORA/dbs01/oracle/admin/DBNAMEHERE/OLD_bdump
mkdir /ORA/dbs00/oracle/admin/DBNAMEHERE/udump
alter system set user_dump_dest='/ORA/dbs00/oracle/admin/DBNAMEHERE/udump' scope=spfile;
mv /ORA/dbs01/oracle/admin/DBNAMEHERE/udump /ORA/dbs01/oracle/admin/DBNAMEHERE/OLD_udump
mkdir /ORA/dbs00/oracle/admin/DBNAMEHERE/cdump
alter system set core_dump_dest='/ORA/dbs00/oracle/admin/DBNAMEHERE/cdump' scope=spfile;
mv /ORA/dbs01/oracle/admin/DBNAMEHERE/cdump /ORA/dbs01/oracle/admin/DBNAMEHERE/OLD_cdump
mkdir /ORA/dbs00/oracle/admin/DBNAMEHERE/adump
alter system set audit_file_dest='/ORA/dbs00/oracle/admin/DBNAMEHERE/adump' scope=spfile;
mv /ORA/dbs01/oracle/admin/DBNAMEHERE/adump /ORA/dbs01/oracle/admin/DBNAMEHERE/OLD_adump
Note 1: Similar settings for the ASM instance (audit_file_dest ONLY on the DB instance)
Note 2: Directory and filesystem changes have to be applied to all RAC nodes
NOTE: Service downtime starts here
- Check whether everything is really stopped:
crsstat.sh
- Review the log created in the
$ORACLE_HOME/cpu/CPUJan2006
directory
RAC 10gR2 addendum (10.2.0.1)
Same patch installation instructions as for 10gR1 apply here with the additions:
- the patchset is rolling (tested successfully, but only on a test DB with no users)
- 10.2.0.1-specific binaries are required both for the patchset and the opatch utility (see metalink for details)
- CPUpatch: 4751931 (version from 20th Jan)
- Opatch version: 10.2.0.1.1
Note: on January 20th Oracle released a 2nd version of this patch. Oracle homes patched with the previous version need to be repatched.
10g (10.1.0.4)
Note: These are pre-install steps that should be done just before the maintenance window starts
- Make sure you have Perl 5.00503 (or later)
perl -v
- You must use OPatch version 1.0.0.0.54 or later.
Check the current version:
$ORACLE_HOME/OPatch/opatch version
If not, install it. To the $ORACLE_HOME directory copy the p2617419_10102_GENERIC.zip and unzip it:
cp p2617419_10102_GENERIC.zip $ORACLE_HOME/
mv $ORACLE_HOME/OPatch/ $ORACLE_HOME/OPatch.bak
cd $ORACLE_HOME
unzip p2617419_10102_GENERIC.zip
Check again the current version and if it works:
$ORACLE_HOME/OPatch/opatch lsinventory
- Before starting the installation check whether "java" and "jar" executables are present in your Oracle Home. In a standard Oracle installation, "java" is available in $ORACLE_HOME/jre//bin directory and "jar" is available in $ORACLE_HOME/jdk/bin directory.
ls -l $ORACLE_HOME/jre/<JDKversion>/bin
ls -l $ORACLE_HOME/jdk/bin
If you don't have a standard installation and these commands are not present, then invoke the "opatch apply" command with the -jdk flag, specifying the full path to the JDK to be used.
- Check if the following executables must be present in the $PATH: make, ar, ld, and nm.
- Copy the p4751928_10104_LINUX.zip file to your oracle's home directory, unzip it there and go to the 4751928 subdircetory.
unzip p4751928_10104_LINUX.zip
cd ~/4751928
NOTE: Service downtime starts here
- Start up all database instances running out of the ORACLE_HOME being patched and run a postinstallation script.
cd $ORACLE_HOME/cpu/CPUJan2006
sqlplus "/ as sysdba";
SQL> startup;
SQL> @catcpu.sql;
SQL> exit;
Examin the log file. If you encounter any errors, please refer to the "Known issues" section of the 343384.1 document.
- If catcpu.sql reports any Invalid Objects, compile the invalid objects using the following:
cd $ORACLE_HOME/rdbms/admin
sqlplus "/ as sysdba";
SQL> @utlrp.sql
Check again if invalid objects exist:
SQL> select OBJECT_NAME from DBA_OBJECTS where status = 'INVALID';
SQL> exit;
- Start the listener:
lsnrctl start
9i (9.2.0.7)
Note: These are pre-install steps that should be done just before the maintenance window starts
- Make sure you have Perl 5.00503 (or later)
perl -v
- You must use OPatch version 1.0.0.0.54 or later.
Check the current version:
$ORACLE_HOME/OPatch/opatch version
If not, install it. To the $ORACLE_HOME directory copy the p2617419_10102_GENERIC.zip and unzip it:
cp p2617419_10102_GENERIC.zip $ORACLE_HOME/
mv $ORACLE_HOME/OPatch/ $ORACLE_HOME/OPatch.bak
cd $ORACLE_HOME
unzip p2617419_10102_GENERIC.zip
Check again the current version and if it works:
$ORACLE_HOME/OPatch/opatch lsinventory
- Before starting the installation check whether "java" and "jar" executables are present in your Oracle Home. In a standard Oracle installation, "java" is available in $ORACLE_HOME/jre//bin directory and "jar" is available in $ORACLE_HOME/jdk/bin directory.
ls -l $ORACLE_HOME/jre/<JDKversion>/bin
ls -l $ORACLE_HOME/jdk/bin
If you don't have a standard installation and these commands are not present, then invoke the "opatch apply" command with the -jdk flag, specifying the full path to the JDK to be used.
- Check if the following executables must be present in the $PATH: make, ar, ld, and nm.
- Copy the p4751923_92070_LINUX.zip file to your oracle's home directory, unzip it there and go to the 4751923 subdircetory.
unzip p4751923_92070_LINUX.zip
cd ~/4751923
NOTE: Service downtime starts here
- Start up all database instances running out of the ORACLE_HOME being patched and run a postinstallation script.
cd $ORACLE_HOME/cpu/CPUJan2006
sqlplus "/ as sysdba";
SQL> startup;
SQL> select OBJECT_NAME from DBA_OBJECTS where status = 'INVALID';
SQL> @catcpu.sql;
SQL> exit;
Examin the log file. If you encounter any errors, please refer to the "Known issues" section of the 343384.1 document.
- If catcpu.sql reports any Invalid Objects, compile the invalid objects using the following:
cd $ORACLE_HOME/rdbms/admin
sqlplus "/ as sysdba";
SQL> @utlrp.sql
Check again if invalid objects exist:
SQL> select OBJECT_NAME from DBA_OBJECTS where status = 'INVALID';
SQL> exit;
- Start the listener:
lsnrctl start