When patching Red Hat-based operating systems (RHEL, CentOS, Oracle Linux, among others), there may be some confusion because the number of patches required in JetPatch differs from the number of packages seen locally on the endpoint.
This is because JetPatch works at the Errata (commonly known as Advisory) level, not the Package level.
Advisories can help users track which Common Vulnerabilities and Exposures (CVE) are resolved, which bugs have been addressed, and which features have been added.
Red Hat based Advisories come in 3 categories (ordered by importance):
Security (SA) - SAs contain one or more security fixes and might also contain bug fixes or enhancements (cumulative patches). SAs are ranked using a severity rating of Low, Moderate, Important, or Critical based on the severity of the vulnerability.
Benefits
- Working at the Advisory level as opposed to the Package level allows for better management of packages, as they can be rolled into a single Advisory.
- This also allows the secondary benefit of easier rollbacks if a patch happens to cause issues.
- Another benefit is seamless integration with vulnerability scanners and management tools, as remediations are usually a bundle of packages based on Advisories.
yum updateinfo --list
...
ELSA-2022-6457 Moderate/Sec. platform-python-3.6.8-47.0.1.el8_6.x86_64
ELSA-2022-6457 Moderate/Sec. python3-libs-3.6.8-47.0.1.el8_6.x86_64
...
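Grouping the listing above by advisory ID shows why the two counts differ. The script below is an added example, not JetPatch code or part of the original article; its function names are hypothetical, it assumes the three-column row layout shown above, and every sample row other than the two ELSA-2022-6457 lines is constructed.

```shell
#!/bin/sh
# Usage on a real host: yum updateinfo --list | count_levels
# Assumed row layout, as in the listing above: <advisory-id> <severity/type> <package>

# Constructed sample. Only the two ELSA-2022-6457 rows come from the article;
# every other line is a made-up placeholder.
sample_updateinfo() {
cat <<'EOF'
Last metadata expiration check: 0:12:34 ago on Mon 01 Jan 2024.
ELSA-2022-6457 Moderate/Sec. platform-python-3.6.8-47.0.1.el8_6.x86_64
ELSA-2022-6457 Moderate/Sec. python3-libs-3.6.8-47.0.1.el8_6.x86_64
ELSA-0000-0001 bugfix        example-tool-1.0-2.el8.x86_64
ELSA-0000-0002 Important/Sec. example-lib-2.1-3.el8.x86_64
ELSA-0000-0002 Important/Sec. example-lib-devel-2.1-3.el8.x86_64
ELSA-0000-0002 Important/Sec. example-lib-2.1-3.el8.x86_64
EOF
}

# Keep advisory rows only: drop headers, blank lines and exact repeats.
advisory_rows() {
    awk 'NF == 3 && $1 ~ /^[A-Z]+-[0-9]+[-:][0-9]+$/ && !seen[$0]++'
}

# Print both counts: Advisory level versus Package level.
count_levels() {
    advisory_rows | awk '
        !($1 in adv) { adv[$1] = 1; a++ }
        !($3 in pkg) { pkg[$3] = 1; p++ }
        END { printf "advisories=%d packages=%d\n", a, p }'
}

# One line per advisory, first-seen order: <id> <severity/type> <count> <pkg,pkg,...>
group_by_advisory() {
    advisory_rows | awk '
        !($1 in n) { order[++k] = $1; sev[$1] = $2 }
        { n[$1]++; list[$1] = (list[$1] == "" ? $3 : list[$1] "," $3) }
        END { for (i = 1; i <= k; i++) {
                  print order[i], sev[order[i]], n[order[i]], list[order[i]] } }'
}

sample_updateinfo | group_by_advisory
sample_updateinfo | count_levels
```

On the constructed sample, five distinct packages collapse into three advisories, which is the kind of gap between the endpoint's package list and an Advisory-level count that the article describes.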
Relevant Articles
How to fix missing Advisory Information in Enterprise Linux-based Local Repository