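Note: A security vendor ran a security scan against the production database and flagged a large number of issues. To address the vulnerabilities reported against database version 11.2.0.3.7, the CPU (Critical Patch Update) patch was applied.
Environment: SLES Linux 11ps1 x86_64 + Oracle 11.2.0.3.7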
1. As root, back up the host's database software and grid installation directories and the inventory directory
# cd /opt/oracle/product/11gR2
# tar -cvf /ora_bak/db_11203_db.tar db
# cd /opt
# tar -cvf /ora_bak/oraInventory_11203.tar oraInventory
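2. Stop the database
(1) Stop the listener
$ lsnrctl stop LISTENER
$ emctl stop dbconsole
(2) Check whether any database connections still exist:
$ ps -ef | grep LOCAL=NO
(3) Terminate the database connections
$ ps -ef | grep LOCAL=NO | grep -v grep | awk '{print $2}' | xargs kill -9
(4) Confirm again whether any database connections still exist
$ ps -ef | grep LOCAL=NO
(5) Shut down the database
$ sqlplus / as sysdba
SQL> shutdown immediate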
3. Apply the security patch
$ unzip p18139695_112030_Linux-x86-64.zip
$ cd 18139695/
$ opatch napply -skip_subset -skip_duplicate
[Jul 18, 2014 12:14:55 AM] OPatch invoked as follows: 'napply -skip_subset -skip_duplicate -invPtrLoc /opt/oracle/product/11gR2/db/oraInst.loc '
[Jul 18, 2014 12:14:55 AM] OUI-67077:
Oracle Home : /opt/oracle/product/11gR2/db
Central Inventory : /opt/oraInventory
from : /opt/oracle/product/11gR2/db/oraInst.loc
OPatch version : 11.2.0.3.5
OUI version : 11.2.0.3.0
OUI location : /opt/oracle/product/11gR2/db/oui
Log file location : /opt/oracle/product/11gR2/db/cfgtoollogs/opatch/opatch2014-07-18_00-14-55AM_1.log
[Jul 18, 2014 12:14:55 AM] Patch history file: /opt/oracle/product/11gR2/db/cfgtoollogs/opatch/opatch_history.txt
[Jul 18, 2014 12:14:58 AM] Verifying environment and performing prerequisite checks...
[Jul 18, 2014 12:14:58 AM] Ignoring file "/home/oracle/18139695/README.html" in the patch directory.
[Jul 18, 2014 12:14:58 AM] Ignoring file "/home/oracle/18139695/README.txt" in the patch directory.
[Jul 18, 2014 12:14:58 AM] Ignoring file "/home/oracle/18139695/patchmd.xml" in the patch directory.
…………
[Jul 18, 2014 12:15:25 AM] Interim patch 15862019 is a subset of the patch(es) [ 16619892 ] in OH /opt/oracle/product/11gR2/db.
All the fixes of this patch 15862019 is already present in the Oracle Home. No need to apply this patch.
[Jul 18, 2014 12:15:25 AM] Interim patch 16314467 is a subset of the patch(es) [ 16619892 ] in OH /opt/oracle/product/11gR2/db.
All the fixes of this patch 16314467 is already present in the Oracle Home. No need to apply this patch.
[Jul 18, 2014 12:15:25 AM] Conflicts/Supersets for each patch are:
Patch : 15862019
Bug Conflict with 14727310
Conflicting bugs are:
15862019, 14469008
Bug Conflict with 13923374
Conflicting bugs are:
14062793, 14062794, 14062796, 14063281, 13916709, 14062792
Bug Conflict with 13696216
Conflicting bugs are:
13554409, 13742464, 12780098, 12748240, 13772618, 13503598
Bug Conflict with 13343438
Conflicting bugs are:
13528551, 13499128
[Jul 18, 2014 12:15:25 AM] OUI-67301:
Following patches have conflicts: [ 14727310 15862019 13696216 16056266 16314467 13923374 16619892 17748832 14275605 17748833 18139695 13343438 18173593 ]
Refer to My Oracle Support Note 1299688.1 for instructions on resolving patch conflicts.
[Jul 18, 2014 12:15:25 AM] OUI-67302:
OPatch found that the following patches are not required.
They are either subset of the patches in Oracle Home (or) subset of the patches in the given list
(or) duplicate :
13742433 13742434 13742435 13742436 13742438 14062795 14062797 14480675 14480676 15862016 15862017 15862018 15862020 15862021 15862022 15862023 15862024 16794241 16794242 16794244
[Jul 18, 2014 12:15:25 AM] OUI-67124:Conflict with patches in OracleHome detected. Please run OPatch again as
<ORACLE_HOME>/OPatch/opatch napply /home/oracle/18139695 -id 17333197,17333198,17333199,17333203,17748830,17748831,17748835,18173592,18173595 -skip_duplicate -invPtrLoc /opt/oracle/product/11gR2/db/oraInst.loc
If the command is too long, please paste the patch id list in a file and
invoke with 'idfile' option. Please refer 'opatch napply -help' for
'idfile' option.
[Jul 18, 2014 12:15:25 AM] OUI-67073:UtilSession failed: NApply stops on user's request.
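The run failed because this CPU patch conflicts with patches already installed in the database home.
After analysing the log output, the conflicting patches were skipped by running: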
$ opatch napply /home/oracle/18139695 -id 17333197,17333198,17333199,17333203,17748830,17748831,17748835,18173592,18173595 -skip_duplicate -invPtrLoc /opt/oracle/product/11gR2/db/oraInst.loc
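The log analysis described above can be scripted: the following added example (not part of the original post) pulls the OUI-67301 conflict list and the OUI-67124 proposal out of an OPatch log and only emits the `-id` value if none of the proposed IDs are themselves reported as conflicting. The function names are hypothetical, and the embedded log is an excerpt of the output shown above with wrapped lines rejoined.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# Patch IDs that OPatch proposes on the line after OUI-67124, one per line.
suggested_ids() {
    sed -n 's/.*opatch napply .* -id \([0-9,][0-9,]*\).*/\1/p' "$1" | tr ',' '\n'
}

# Patch IDs in the OUI-67301 "Following patches have conflicts" list, one per line.
conflict_ids() {
    sed -n 's/.*Following patches have conflicts: \[ *\([0-9 ]*\)\].*/\1/p' "$1" |
        tr -s ' ' '\n' | sed '/^$/d'
}

# IDs that appear in both lists; no output means the proposal avoids every conflict.
overlap_ids() {
    conflicts=$(conflict_ids "$1")
    [ -n "$conflicts" ] || return 0
    suggested_ids "$1" | grep -Fx -e "$conflicts" || true
}

# Print the comma-separated value for -id, or fail if the log does not support it.
napply_id_arg() {
    ids=$(suggested_ids "$1")
    [ -n "$ids" ] || { echo "no OUI-67124 proposal found in $1" >&2; return 1; }
    clash=$(overlap_ids "$1")
    [ -z "$clash" ] || { echo "proposed IDs also conflict: $clash" >&2; return 1; }
    printf '%s\n' "$ids" | paste -s -d, -
}

# Excerpt of the OPatch log shown in this post, with wrapped lines rejoined.
sample_log() {
cat <<'EOF'
[Jul 18, 2014 12:15:25 AM] OUI-67301:
Following patches have conflicts: [ 14727310 15862019 13696216 16056266 16314467 13923374 16619892 17748832 14275605 17748833 18139695 13343438 18173593 ]
[Jul 18, 2014 12:15:25 AM] OUI-67124:Conflict with patches in OracleHome detected. Please run OPatch again as
<ORACLE_HOME>/OPatch/opatch napply /home/oracle/18139695 -id 17333197,17333198,17333199,17333203,17748830,17748831,17748835,18173592,18173595 -skip_duplicate -invPtrLoc /opt/oracle/product/11gR2/db/oraInst.loc
EOF
}

log=$(mktemp)
sample_log > "$log"
echo "conflicting patches reported: $(conflict_ids "$log" | wc -l | tr -d ' ')"
echo "-id value to use: $(napply_id_arg "$log")"
rm -f "$log"
```

Against a real run, pass the file named on the "Log file location" line instead of the embedded excerpt.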
At this point the patch conflict is resolved. Next:
$ cd $ORACLE_HOME/rdbms/admin
$ sqlplus /nolog
SQL> CONNECT / AS SYSDBA
SQL> STARTUP
SQL> @catbundle.sql cpu apply
SQL> QUIT
Confirm that the patch has been applied:
$ opatch lsinv
4. Start the listener and resume service to clients.