Yum Command Check and Apply Only Security Updates

July 26, 2012 · 8 comments · Last updated July 26, 2012

How do I limit package lists and/or updates to security-relevant ones when I run the yum command on a CentOS / RHEL based server system?

You need to install a plugin called yum-plugin-security. This plugin makes it possible to limit the list/upgrade of packages to security-relevant ones. The commands below give you the security information.

Install yum-plugin-security

Type the following yum command:
# yum -y install yum-plugin-security
Sample outputs:

Loaded plugins: product-id, protectbase, rhnplugin, subscription-manager
Updating certificate-based repositories.
Unable to read consumer identity
0 packages excluded due to repository protections
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package yum-plugin-security.noarch 0:1.1.30-14.el6 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
====================================================================================================
 Package                    Arch          Version                 Repository                   Size
====================================================================================================
Installing:
 yum-plugin-security        noarch        1.1.30-14.el6           rhel-x86_64-server-6         38 k
Transaction Summary
====================================================================================================
Install       1 Package(s)
Total download size: 38 k
Installed size: 0
Downloading Packages:
yum-plugin-security-1.1.30-14.el6.noarch.rpm                                 |  38 kB     00:00
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing : yum-plugin-security-1.1.30-14.el6.noarch                                         1/1
Installed products updated.
  Verifying  : yum-plugin-security-1.1.30-14.el6.noarch                                         1/1
Installed:
  yum-plugin-security.noarch 0:1.1.30-14.el6
Complete!

Examples

To display all updates that are security relevant, and get a return code on whether there are security updates, enter:
# yum --security check-update
Sample outputs:

Loaded plugins: product-id, protectbase, rhnplugin, security, subscription-manager
Updating certificate-based repositories.
Unable to read consumer identity
0 packages excluded due to repository protections
Limiting package lists to security relevant ones
2 package(s) needed for security, out of 10 available
Security: kernel-2.6.32-279.1.1.el6.x86_64 is an installed security update
Security: kernel-2.6.32-279.el6.x86_64 is the currently running version
glibc.x86_64 2.12-1.80.el6_3.3 rhel-x86_64-server-6
glibc-common.x86_64 2.12-1.80.el6_3.3 rhel-x86_64-server-6

To show a list of all BZs that are fixed for packages you have installed enter:
# yum updateinfo list bugzillas
Sample outputs:

Loaded plugins: product-id, protectbase, rhnplugin, security, subscription-manager
Updating certificate-based repositories.
Unable to read consumer identity
0 packages excluded due to repository protections
 838956 bugfix   bind-libs-32:9.8.2-0.10.rc1.el6_3.1.x86_64
 838956 bugfix   bind-utils-32:9.8.2-0.10.rc1.el6_3.1.x86_64
 826943 security glibc-2.12-1.80.el6_3.3.x86_64
 833703 security glibc-2.12-1.80.el6_3.3.x86_64
 833704 security glibc-2.12-1.80.el6_3.3.x86_64
 837026 security glibc-2.12-1.80.el6_3.3.x86_64
 826943 security glibc-common-2.12-1.80.el6_3.3.x86_64
 833703 security glibc-common-2.12-1.80.el6_3.3.x86_64
 833704 security glibc-common-2.12-1.80.el6_3.3.x86_64
 837026 security glibc-common-2.12-1.80.el6_3.3.x86_64
 837227 bugfix   kernel-2.6.32-279.2.1.el6.x86_64
 837227 bugfix   kernel-firmware-2.6.32-279.2.1.el6.noarch
 836252 bugfix   net-snmp-libs-1:5.5-41.el6_3.1.x86_64
updateinfo list done

To get a summary of advisories you haven't installed yet use:
# yum updateinfo summary
Sample outputs:

Loaded plugins: product-id, protectbase, rhnplugin, security, subscription-manager
Updating certificate-based repositories.
Unable to read consumer identity
0 packages excluded due to repository protections
Updates Information Summary: available
    1 Security notice(s)
    4 Bugfix notice(s)
    1 Enhancement notice(s)
Security: kernel-2.6.32-279.1.1.el6.x86_64 is an installed security update
Security: kernel-2.6.32-279.el6.x86_64 is the currently running version
updateinfo summary done

To upgrade packages that have security errata (upgrades to the latest available package) use:
# yum --security update
Sample outputs:

Loaded plugins: product-id, protectbase, rhnplugin, security, subscription-manager
Updating certificate-based repositories.
Unable to read consumer identity
0 packages excluded due to repository protections
Setting up Update Process
Resolving Dependencies
Limiting packages to security relevant ones
2 package(s) needed (+0 related) for security, out of 10 available
--> Running transaction check
---> Package glibc.x86_64 0:2.12-1.80.el6 will be updated
---> Package glibc.x86_64 0:2.12-1.80.el6_3.3 will be an update
---> Package glibc-common.x86_64 0:2.12-1.80.el6 will be updated
---> Package glibc-common.x86_64 0:2.12-1.80.el6_3.3 will be an update
--> Finished Dependency Resolution
Dependencies Resolved
====================================================================================================
 Package              Arch           Version                     Repository                    Size
====================================================================================================
Updating:
 glibc                x86_64         2.12-1.80.el6_3.3           rhel-x86_64-server-6         3.8 M
 glibc-common         x86_64         2.12-1.80.el6_3.3           rhel-x86_64-server-6          14 M
Transaction Summary
====================================================================================================
Upgrade       2 Package(s)
Total download size: 18 M
Is this ok [y/N]:

To upgrade packages that have security errata (upgrades to the last security errata package) use:
# yum --security update-minimal
See yum-security man page for more information:
$ man 8 yum-security
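
A monitoring wrapper around the return code of `yum --security check-update`, as an added example that is not part of the original article. It relies on yum's documented check-update exit codes (100, 0, 1); the function names and the two command-override arguments are hypothetical, and the `review` state is a heuristic for repositories that publish no advisory metadata, as the CentOS reports in the comments describe.

```shell
#!/bin/sh
# Added example (not from the original article). yum check-update exits
# 100 when updates are listed, 0 when there are none, 1 on error.

# security_status [SEC_CMD [ALL_CMD]] prints: pending | review | clean | error
# The two arguments are hypothetical overrides so the logic can run without yum.
security_status() {
    sec_cmd=${1:-"yum --security check-update"}
    all_cmd=${2:-"yum check-update"}
    rc=0
    $sec_cmd >/dev/null 2>&1 || rc=$?
    case $rc in
        100) echo pending; return 0 ;;   # security errata waiting
        0)   ;;                          # filter found nothing; cross-check below
        *)   echo error; return 0 ;;
    esac
    rc=0
    $all_cmd >/dev/null 2>&1 || rc=$?
    case $rc in
        # Nothing tagged security, yet updates exist. On a repository without
        # advisory metadata this is all an unpatched host will ever show.
        100) echo review ;;
        0)   echo clean ;;
        *)   echo error ;;
    esac
}

# security_advisories: read `yum updateinfo list` output on stdin and print
# each advisory ID once when its type column is "security" or ends in "/Sec.".
security_advisories() {
    awk '$2 == "security" || $2 ~ /\/Sec\.$/ { if (!seen[$1]++) print $1 }'
}

# Sample lines copied from the outputs shown on this page.
SAMPLE='Loaded plugins: changelog, langpacks, presto, refresh-packagekit, security
SLSA-2014:0475-1 important/Sec. kernel-2.6.32-431.17.1.el6.x86_64
SLSA-2014:0475-1 important/Sec. kernel-firmware-2.6.32-431.17.1.el6.noarch
FEDORA-EPEL-2013-11393 security nagios-common-3.5.1-1.el6.x86_64
 838956 bugfix   bind-libs-32:9.8.2-0.10.rc1.el6_3.1.x86_64'

printf '%s\n' "$SAMPLE" | security_advisories
```

Called with no arguments from cron, `security_status` runs the real yum commands; treat `review` as "verify by hand", not as "patched".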


{ 8 comments… read them below or add one }

1 foobrew July 26, 2012 at 11:30 pm

Works well on RHEL6 but not so much on Fedora 16. F16 gives bad output:

# yum --security check-update
Loaded plugins: changelog, langpacks, presto, refresh-packagekit, security
Limiting package lists to security relevant ones
2 package(s) needed for security, out of 13 available
control-center.i686                                   1:3.2.3-1.fc16                            updates
dbus-glib.i686                                        0.98-2.fc16                               updates
firefox.x86_64                                        14.0.1-1.fc16                             updates
libnetfilter_conntrack.i686                           1.0.1-1.fc16                              updates
libv4l.i686                                           0.8.8-2.fc16                              updates
qt.i686                                               1:4.8.2-4.fc16                            updates
qt-x11.i686                                           1:4.8.2-4.fc16                            updates
xulrunner.x86_64                                      14.0.1-3.fc16                             updates

Notice that it says 2 pkgs are for security but it lists 8.

Try this instead:

# yum updateinfo list --security
Loaded plugins: changelog, langpacks, presto, refresh-packagekit, security
FEDORA-2012-10822 security firefox-14.0.1-1.fc16.x86_64
FEDORA-2012-10822 security xulrunner-14.0.1-3.fc16.x86_64

If you have yum-plugin-changelog installed, you can see the changelog for the security update:

# yum changelog all firefox-14.0.1-1.fc16.x86_64
Loaded plugins: changelog, langpacks, presto, refresh-packagekit, security
Listing all changelogs
==================== Available Packages ====================
firefox-14.0.1-1.fc16.x86_64             updates
* Mon Jul 16 05:00:00 2012 Martin Stransky  - 14.0.1-1
- Update to 14.0.1
* Tue Jul 10 05:00:00 2012 Martin Stransky  - 13.0.1-2
- Fixed rhbz#707100, rhbz#821169
* Sat Jun 16 05:00:00 2012 Jan Horak  - 13.0.1-1
- Update to 13.0.1
...etc...

Reply

2 enzo July 27, 2012 at 12:33 am

Can this advice be used on the CentOS dist.?

Reply

3 Deadmeat May 3, 2013 at 3:18 am

yum-security does *not* work for CentOS and there’s no ETA.

Reply

4 Admon July 27, 2012 at 2:02 am

Supposedly the package is named yum-security on RHEL-5.

Reply

5 nabyl July 27, 2012 at 1:14 pm

On my CentOS 5.8 it’s called yum-security.noarch

Reply

6 Enzo March 19, 2013 at 11:09 am

Thank you nabyl, you are right, I found the package.

Best regards.

Reply

7 jules345 April 10, 2014 at 12:42 pm

Doesn’t seem to work anymore. Does nobody update the lists? I ran:

$ yum update --security

and it claimed that nothing needed updating. However, I urgently needed to patch openssl for CVE-2014-0160 (heartbleed).

Instead I resorted to doing it manually:

$ yum update -y openssl

Reply

8 Stefan Lasiewski May 14, 2014 at 8:32 pm

`yum-plugin-security` still doesn’t work on CentOS6. But it does work on Scientific Linux.

On my SL6 box, yum security sees the following security alerts for the kernel.

```
[root@SL6 ~]# cat /etc/issue
Scientific Linux release 6.5 (Carbon)
Kernel \r on an \m
[root@SL6 ~]# yum updateinfo list --security --quiet
SLSA-2014:0475-1 important/Sec. kernel-2.6.32-431.17.1.el6.x86_64
SLSA-2014:0475-1 important/Sec. kernel-firmware-2.6.32-431.17.1.el6.noarch
FEDORA-EPEL-2013-11393 security nagios-common-3.5.1-1.el6.x86_64
[root@SL6 ~]#
```

In this next example, I deliberately install the httpd version 2.2.15-29 which has several security updates as mentioned in the RHSA/CESA security archives. `yum update --security` does nothing.

```
[root@centos6 ~]# yum localinstall httpd-2.2.15-29.el6.centos.x86_64.rpm -y --quiet
[root@centos6 ~]# cat /etc/issue
CentOS release 6.5 (Final)
Kernel \r on an \m
[root@centos6 ~]#
[root@centos6 ~]# yum update --security --quiet
[root@centos6 ~]# yum updateinfo list --security --quiet
[root@centos6 ~]#
```

Reply
