SLES 16 — whois — vulnerability — patch and remediation guide

📖 ~4 min read  •  Source: SUSE advisory SUSE-SA:2011:035 (see also SUSE bugzilla)

Related CVEs: CVE-2011-2483

Upstream summary: crypt_blowfish before 1.1, as used in PHP before 5.3.7 on certain platforms, PostgreSQL before 8.4.9, and other products, does not properly handle 8-bit characters, which makes it easier for context-dependent attackers to determine a cleartext password by leveraging knowledge of a password hash.

Table of contents

1. Symptom & Impact
2. Environment & Reproduction
3. Root Cause Analysis
4. Quick Triage
5. Step-by-Step Diagnosis
6. Solution – Primary Fix
7. Solution – Alternative Approaches
8. Verification & Acceptance Criteria
9. Rollback Plan
10. Prevention & Hardening
11. Related Errors & Cross-Refs
12. References & Further Reading

Symptom & Impact

On SLES 16 hosts that have whois installed, administrators report behaviour consistent with SUSE advisory SUSE-SA:2011:035: zypper patch-check lists open patches, services backed by whois fail or restart unexpectedly, SELinux denials (avc) appear in ausearch — and for security-rated advisories the host is exposed to the vulnerability set above. Impact ranges from a single service-restart loop to wider availability incidents whenever whois sits on the serving path.

Environment & Reproduction

Reproduction targets SLES 16. Confirm release, registration, and installed package:

cat /etc/os-release
SUSEConnect --status-text
SUSEConnect --list-extensions 2>/dev/null | head -30
rpm -q whois
zypper info whois | head -20

Trigger the workflow that exposes whois — vulnerability — patch and remediation guide while collecting:

sudo journalctl -u whois -b --no-pager | tail -200
sudo journalctl -xe --no-pager | tail -200
sudo tail -200 /var/log/zypp/history
sudo tail -200 /var/log/audit/audit.log
# For SUSE support, bundle evidence with supportconfig:
sudo supportconfig -R /var/tmp -B whois

Root Cause Analysis

Root cause is documented in SUSE advisory SUSE-SA:2011:035. SUSE security maintainers shipped fixes in the corresponding whois update for SLES 16; running an outdated build leaves the host exposed to the failure modes described in the advisory. Correlate zypper history with system logs:

sudo zypper history | grep whois
sudo zypper history --since='-7 days' | tail -40
sudo ausearch -m AVC,USER_AVC -ts today | tail -100
cat /proc/sys/kernel/tainted   # non-zero = tainted kernel / out-of-tree modules

Quick Triage

Run these on SLES 16 to capture the current state of whois:

rpm -q whois                              # installed NVR
rpm -V whois                              # verify shipped files
sudo zypper patch-check                    # open patches
sudo zypper lp -r SUSE-SLE-Server-16-* 2>/dev/null | head
systemctl --failed --no-pager
sudo firewall-cmd --list-all
getenforce                                  # SELinux mode
# If whois ships a systemd unit (unit name may differ from pkg name, e.g.
# bind→named, postgresql-server→postgresql, php-fpm→php-fpm):
systemctl list-unit-files | grep -i whois | head

Step-by-Step Diagnosis

1. List failed systemd units.

   systemctl --failed --no-pager

2. Tail the journal for whois and the system bus.

   sudo journalctl -u whois -f --no-pager
   sudo journalctl -xe -f --no-pager

3. Inspect firewall posture (firewalld is the default on SLES 15+).

   sudo firewall-cmd --list-all-zones --permanent
   sudo nft list ruleset 2>/dev/null | head -50

4. Surface SELinux denials and author a local policy module if needed.

   sudo ausearch -m AVC,USER_AVC -ts today
   sudo ausearch -m AVC -ts today | audit2allow -a -M /tmp/local-fix
   sudo semodule -i /tmp/local-fix.pp

5. Verify whois integrity and reinstall if anything is altered.

   sudo rpm -V whois
   sudo zypper verify
   sudo zypper install --force whois

6. Correlate findings with /var/log/zypp/history, zypper history, and SUSE advisory SUSE-SA:2011:035 to pin the change that introduced whois — vulnerability — patch and remediation guide.

Solution – Primary Fix

Apply the corrective zypper transaction referenced by SUSE advisory SUSE-SA:2011:035, then reload affected systemd units:

sudo zypper ref                        # refresh repos
sudo zypper -n patch                   # apply ALL open patches (recommended)
# Or target a single package:
sudo zypper -n update whois
sudo systemctl daemon-reload
# Unit name may differ from pkg name; check first:
systemctl list-unit-files | grep -i whois | head
sudo systemctl restart whois
rpm -q whois                           # confirm new NVR
systemctl is-active whois 2>/dev/null  # confirm running (if a unit exists)

For kernel / glibc / systemd / openssl advisories a reboot is required (or SLE Live Patching where licensed):

sudo zypper ps -s                      # services using deleted libs
sudo systemctl reboot                  # or: sudo shutdown -r now
# SUSE Live Patching (kgraft / klp) avoids reboot for kernel CVEs:
sudo zypper install -y kernel-livepatch-$(uname -r | tr - _)
klp -v patches                         # active livepatches

Solution – Alternative Approaches

If the primary patch is not viable, choose from these:

• Roll back via Snapper (Btrfs snapshots taken automatically before zypper transactions on SLES 16):

  sudo snapper list
  sudo snapper undochange <pre>..<post>  # diff between two snapshot numbers
  sudo snapper rollback <pre>            # boot the host into the chosen snapshot

• Lock the package so zypper cannot upgrade it:

  sudo zypper al whois                   # add lock
  zypper ll | grep whois                 # list locks
  sudo zypper rl whois                   # remove lock

• Install an older NVR if a regression is suspected:

  zypper se -s whois                     # show all available versions
  sudo zypper install --oldpackage whois-<older-NVR>

• Switch SELinux to permissive briefly to confirm policy is the cause, then re-enforce:

  sudo setenforce 0
  # reproduce, capture denials, author a custom module:
  sudo ausearch -m AVC -ts recent | audit2allow -a -M mylocal
  sudo semodule -i mylocal.pp
  sudo setenforce 1

• Where SLE Live Patching is licensed, apply kernel fixes without reboot:

  klp -v patches                         # active livepatches
  sudo zypper install -y kernel-livepatch-$(uname -r | tr - _)

Verification & Acceptance Criteria

All of these should pass after the fix:

rpm -q whois                                            # expected fixed NVR
sudo zypper patch-check                                  # 0 critical patches outstanding
systemctl is-active whois 2>/dev/null
sudo journalctl -u whois --since "5 minutes ago" --no-pager | grep -iE "error|fail" || echo OK
sudo firewall-cmd --list-services
getenforce
sudo zypper ps -s                                        # any services still using deleted libs

The original reproduction for whois — vulnerability — patch and remediation guide must not trigger across two consecutive runs.

Rollback Plan

Capture state before any change:

rpm -qa > /root/rpm-pre.txt
sudo zypper history list > /root/zypper-history-pre.txt
# Snapper takes pre/post snapshots automatically on Btrfs root.
sudo snapper create -d 'pre-patch-whois'   # explicit named snapshot
sudo snapper list | head

To revert if the patch is bad:

# Preferred on Btrfs root — boot the prior snapshot:
sudo snapper rollback <snapshot-id>
sudo systemctl reboot
# Or downgrade just the package:
sudo zypper install --oldpackage whois-<older-NVR>
sudo systemctl daemon-reload
sudo systemctl restart whois
# Custom security policy cleanup:
sudo semodule -r mylocal

Prevention & Hardening

Reduce the chance of this recurring on SLES 16:

• Enable automatic patch installation:

  sudo zypper install -y zypper-automatic
  sudo systemctl enable --now zypper-automatic.timer
  # Or use YaST: yast2 online_update_configuration

• Subscribe to sle-security-updates and watch suse.com/support/update.

• Mirror through SUSE Manager or RMT (Repository Mirroring Tool) for controlled rollouts:

  sudo zypper install -y rmt-server rmt-cli
  sudo rmt-cli sync
  sudo rmt-cli products enable SLES/16/x86_64

• Lock sensitive packages so they cannot be auto-upgraded:

  sudo zypper al whois

• Ensure Snapper is enabled on the root subvolume and pre/post hooks run for every zypper transaction:

  sudo snapper -c root get-config | head
  # Default zypper plugin: /usr/lib/zypp/plugins/commit/snapper.zypp-commit-plugin

• Monitor file integrity with AIDE:

  sudo zypper install -y aide
  sudo aide --init && sudo mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db
  sudo aide --check

• Subscribe to SUSE Live Patching so kernel CVEs can be remediated without reboot:

  sudo SUSEConnect -p sle-module-live-patching/16.0/x86_64
  sudo zypper install -y kernel-livepatch-$(uname -r | tr - _)
  klp -v patches

• SLES 16 ships with SELinux in enforcing mode by default; review and maintain custom modules in /etc/selinux/targeted/ rather than disabling enforcement.

• Apply CIS SUSE Linux Enterprise Server Benchmark hardening.

Related Errors & Cross-Refs

Issues that commonly surface alongside whois — vulnerability — patch and remediation guide: zypper lock contention, systemd unit ordering cycles, SELinux AVC bursts, firewalld zone drift, and kernel taint flags. Useful triage:

sudo zypper ps -s
systemd-analyze critical-chain
sudo ausearch -m AVC -ts today | tail
sudo firewall-cmd --get-active-zones
cat /proc/sys/kernel/tainted

View all sles-16 tutorials on the Tutorials Hub →

Browse all common problems & solutions on the Tutorials Hub.

References & Further Reading

Primary reference: SUSE advisory SUSE-SA:2011:035 (see also SUSE bugzilla). Manual pages useful on SLES 16:

man zypper
man zypper.conf
man systemctl
man journalctl
man firewall-cmd
man snapper
man semanage
man audit2allow
man SUSEConnect
man klp

Other resources: SUSE Linux Enterprise Server 16 documentation, suse.com/security, SUSE security blog, and per-package notes in /usr/share/doc/packages/whois/ for components implicated in whois — vulnerability — patch and remediation guide.