Matching CVE Numbers to Solaris Patches
July this year saw Solaris start to comply with Oracle's standard practice of releasing quarterly Critical Patch Updates (CPUs) containing security fixes. Unfortunately, it also saw Solaris comply with Oracle's policy of not providing a correlation between CVE numbers and the corresponding patches in the CPU itself (CPU July 2010). This naturally caused an uproar in the Solaris install base, with many big customers very upset: without that mapping, a sysadmin cannot tell which patch closes which advisory.
Oracle have listened, and a CVE-to-Patch list has now been released for the July 2010 CPU. Apparently the CPU itself will be updated to reflect this mapping too. More importantly, Oracle are requesting feedback from customers so they can devise a more effective policy in time for the October 2010 CPU.
If you are a sysadmin with specific security patching requirements that have been affected by this change in policy, please head over to the CVE-to-Patch list, review it, and then submit your feedback to either of the two addresses on the page to help Oracle in time for the next CPU.