Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

does SAP upgrade cover prievious security notes.

Former Member

‎08-21-2013 2:08 PM

0 Kudos

Hi, i am beginner in security field and have this confusion. I am using Solution Manager to find out missing security notes from my system. Should i filter the result and implement security notes that have been released after the date of the upgrade or should I include all security notes including thoses notes relased before the upgrade date.

Thank You..

3 REPLIES 3

MaheshKumar
Contributor

‎08-23-2013 8:32 AM

0 Kudos

Hi Abdul

If you are updating patches frequently in system new patches contains all these notes. If a security note is high priority you need to update this manually.

You can get more information from https://service.sap.com/securitynotes

For your information im putting content from above link.

SAP delivers important security fixes on its monthly Security Patch Day. SAP strongly recommends its customers to implement security fixes, flagged with priority 1 and priority 2, primarily fixing externally reported issues. The fixes are released on the second Tuesday of every month, and can be used to fix a particular vulnerability without needing to update a system to service packs.other security fixes like priority 3 and 4 will generally be delivered with support packages. SAP strongly recommends its customers to apply Support Packages on their systems as soon as a support pack is available.

Former Member

‎08-28-2013 3:28 PM

0 Kudos

This message was moderated.

Frank_Buchholz
Advisor
Advisor

‎09-09-2013 4:59 PM

0 Kudos

In addition to the list of security notes at https://service.sap.com/securitynotes you should have a look to the Security Patch Process FAQ as well.

Concerning your question:

Yes, all security corrections of SAP are part of a Support Package.

But there exist some pitfalls:

  1. By the time when you finally have upgraded your production system, it's already some month old compared with the corresponding development close date for the support package at SAP. Therefore you always will find some new security notes -> Use the Maintenace Optimizer to find new security notes while you are preparing the upgrade and the application System Recommendations monthly. 
  2. Several security notes contain manual instructions to configure the system (e.g. concerning profile parameters, RFC Gateway access control lists or logical filenames), which are valid for the new support package. -> I recommend to skip any date selection while searching for security notes. (Use a date interval only if you explicitely want to have a look, e.g. to the notes of the most recent patch day.)

Kind regards

Frank