RHEL / CentOS: yum Lists / Installs Only Security Updates

How do I list or install only security updates on a RHEL 5.x or CentOS Linux server? How do I find security update details such as CVEs, bugs, issue date and type for each patch?

You can easily find security patch information using the yum-security plugin. This plugin adds the --security, --cve, --bz and --advisory options to yum, along with the list-security and info-security commands. The options limit listing or upgrading of packages to specific security-relevant ones. The commands display the security information.

Install Plugin

Type the following command:
# yum install yum-security

How Do I Display Available Security Updates?

Type the following command:
# yum list-security
Sample Outputs:

Loaded plugins: rhnplugin, security
RHSA-2009:1148-1 security httpd-2.2.3-22.el5_3.2.x86_64
RHSA-2009:1148-1 security httpd-devel-2.2.3-22.el5_3.2.i386
RHSA-2009:1148-1 security httpd-manual-2.2.3-22.el5_3.2.x86_64
RHSA-2009:1148-1 security mod_ssl-1:2.2.3-22.el5_3.2.x86_64
list-security done

To list all updates that are security relevant, and get a return code indicating whether there are security updates, use:
# yum --security check-update
To get a list of all BZs that are fixed for packages you have installed use:
# yum list-security bugzillas
To get the information on advisory RHSA-2009:1148-1 use:
# yum info-security RHSA-2009:1148-1
Sample Outputs:

Loaded plugins: rhnplugin, security

  Update ID : RHSA-2009:1148-1
    Release : 
       Type : security
     Status : final
     Issued : 2009-07-08 23:00:00
       Bugs : 509125 - None
	    : 509375 - None
       CVEs : CVE-2009-1890
	    : CVE-2009-1891
Description : Important: httpd security update  \The Apache HTTP Server is a
            : popular Web server.  A denial of service flaw was
            : found in the Apache mod_proxy module when it was
            : used as a reverse proxy. A remote attacker could
            : use this flaw to force a proxy process to consume
            : large amounts of CPU time. (CVE-2009-1890)  A
            : denial of service flaw was found in the Apache
            : mod_deflate module. This module continued to
            : compress large files until compression was
            : complete, even if the network connection that
            : requested the content was closed before
            : compression completed. This would cause
            : mod_deflate to consume large amounts of CPU if
            : mod_deflate was enabled for a large file.
            : (CVE-2009-1891)  All httpd users should upgrade to
            : these updated packages, which contain backported
            : patches to correct these issues. After installing
            : the updated packages, the httpd daemon must be
            : restarted for the update to take effect.
      Files : mod_ssl-2.2.3-22.el5_3.2.x86_64.rpm
	    : httpd-devel-2.2.3-22.el5_3.2.i386.rpm
	    : httpd-2.2.3-22.el5_3.2.x86_64.rpm
	    : httpd-devel-2.2.3-22.el5_3.2.x86_64.rpm
	    : httpd-manual-2.2.3-22.el5_3.2.x86_64.rpm
	    : mod_ssl-2.2.3-22.el5_3.2.i386.rpm
	    : httpd-2.2.3-22.el5_3.2.i386.rpm
	    : httpd-manual-2.2.3-22.el5_3.2.i386.rpm
info-security done

To get an info list of the latest packages which contain fixes for Bugzilla 3595, CVE-2009-1890 and advisory RHSA-2009:1148-1, use:
# yum --bz 3595 --cve CVE-2009-1890 --advisory RHSA-2009:1148-1 info updates

How Do I Install All The Security Updates Only?

Type the following command to download and install all the available security updates:
# yum update --security
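
Added example (not part of the original article): a small POSIX shell helper for cron or monitoring use that groups yum list-security output by advisory and turns the exit status of yum --security check-update into a label. The function names and the RHBA-0000:0000-0 line are made up for illustration; the exit codes are those documented in yum(8) for check-update.

```shell
#!/bin/sh
# Added example, not from the original article.
# SAMPLE_LIST is constructed: the article's sample output plus one made-up
# bugfix advisory (placeholder ID) to show filtering by type.
SAMPLE_LIST='Loaded plugins: rhnplugin, security
RHSA-2009:1148-1 security httpd-2.2.3-22.el5_3.2.x86_64
RHSA-2009:1148-1 security httpd-devel-2.2.3-22.el5_3.2.i386
RHSA-2009:1148-1 security httpd-manual-2.2.3-22.el5_3.2.x86_64
RHSA-2009:1148-1 security mod_ssl-1:2.2.3-22.el5_3.2.x86_64
RHBA-0000:0000-0 bugfix example-pkg-1.0-1.el5.noarch
list-security done'

# Keep only "<advisory> <type> <package>" rows; drop banner and trailer lines.
# Assumption: advisory IDs look like the article's sample (PREFIX-YYYY:NNNN...).
advisory_rows() {
    awk 'NF == 3 && $1 ~ /^[A-Z]+-[0-9]+:[0-9]+/'
}

# stdin: list-security output. stdout: "<advisory> <type> <package count>".
summarise_advisories() {
    advisory_rows | awk '{ n[$1 " " $2]++ } END { for (k in n) print k, n[k] }' | sort
}

# stdin: list-security output. stdout: packages fixed by security advisories.
security_packages() {
    advisory_rows | awk '$2 == "security" { print $3 }' | sort -u
}

# Interpret the exit status of `yum --security check-update` (see yum(8)):
# 100 = updates available, 0 = none, anything else = yum itself failed.
classify_check_update() {
    case "$1" in
        0)   echo "no-security-updates" ;;
        100) echo "security-updates-pending" ;;
        *)   echo "yum-error" ;;
    esac
}

# Demo on the constructed sample. On a real host, feed the live commands:
#   yum list-security | summarise_advisories
#   yum --security check-update >/dev/null 2>&1; classify_check_update "$?"
printf '%s\n' "$SAMPLE_LIST" | summarise_advisories
```

An empty result is not proof that a host is fully patched: several commenters below report the plugin listing no security updates on CentOS installs that did have them.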

23 comments… add one
  • hywl51 Jul 10, 2009 @ 2:24

    After installing yum-security, when I run the command yum list-security I get the following info:

    yum list-security
    usage: yum [options]

    -h, --help show this help message and exit
    -t, --tolerant be tolerant of errors
    -C run entirely from cache, don’t update cache
    -c [config file] config file location
    -R [minutes] maximum command wait time
    -d [debug level] debugging output level
    -e [error level] error output level
    -q, --quiet quiet operation
    -v, --verbose verbose operation
    -y answer yes for all questions
    --version show Yum version and exit
    --installroot=[path] set install root
    --enablerepo=[repo] enable one or more repositories (wildcards allowed)
    --disablerepo=[repo] disable one or more repositories (wildcards allowed)
    -x [package], --exclude=[package]
    exclude package(s) by name or glob
    disable exclude from main, for a repo or for
    --obsoletes enable obsoletes processing during updates
    --noplugins disable Yum plugins
    --nogpgcheck disable gpg signature checking
    disable plugins by name

    It seems the plugin was not working. OS is CentOS release 5 (Final).

    • 🐧 nixCraft Jul 10, 2009 @ 5:15

      This plugin only works with CentOS v5.1 / RHEL v5.1 / Fedora v7 or above.

      • Jonathan Matthews Apr 21, 2010 @ 16:29

        This plugin appears to have no effect on CentOS 5.2, 5.3 or 5.4 installed from DVD iso. Tested today, 21/04/10.

        It installs fine, but indicates that none of the (5.4: 58; 5.3/2: >100) packages are “security relevant”.


  • ashwani Jul 10, 2009 @ 10:40

    Nice info, I’ll try this out

  • AG Jul 10, 2009 @ 11:30

    Great, Thanks to all for nice inf……

  • Tapas Mallick Jul 10, 2009 @ 12:59

    Hi Vivek,

    Will you please post an article on “How to create CentOS 5.x local repository for internal systems with CD/DVD RPMs, createrepo and rsync”


  • 🐧 nixCraft Jul 10, 2009 @ 13:58

    @ Tapas,

    Added to queue .. watch out faq section for further update but no ETA ;)

  • jack Jul 11, 2009 @ 0:01

    should be made also for CentOS v5.1 >

  • alireza sadeh seighalan Jul 13, 2009 @ 20:11

    hi dear

    Your tutorial is amazing. Thanks for your kind of help

  • kunal Jul 20, 2009 @ 12:12

    Will this plugin work with CentOS 5.2 64-bit?

  • Adrian Jul 29, 2009 @ 15:52

    I’m not sure, but I think this plugin only works in RedHat, never in CentOS.



  • Todd Nov 18, 2009 @ 0:29

    By default, YUM has plugins disabled. Change your YUM.CONF to include plugins=1 if you are getting the usage error.

  • Stefan Lasiewski Dec 18, 2009 @ 20:26

    yum-security does not work in CentOS. They are working on it, but the infrastructure to support the fasttrack rpms is not fully functional yet.

    See this thread for details:


    • DontForget Sep 19, 2012 @ 23:41

      The “yum security” plugin does work on CentOS.

      The setup is a little involved though.

  • jazzy jeph Mar 26, 2010 @ 16:10

    Worked well on Fedora 12, thanks

  • jack Apr 22, 2010 @ 3:50

    Are there similar options for Ubuntu?

  • Eric Zhu Dec 3, 2011 @ 9:49

    That’s great. For some internal security principle, all the RHEL systems under my administration are only allowed to install the security relevant patches manually. This plugin can help me figure out the rpm packages mentioned in a certain advisory ID. Will to learn more about syntax of this command.

  • Abhi May 9, 2012 @ 13:23

    Any way to run this on a server with no internet access?
    [of course copy the relevant repository updates manually via scp or similar]

  • Martin Oct 16, 2012 @ 9:20

    It is running but NOT working!!!!
    It never reports ANY security update. But that’s wrong. I had many on my system on CentOS 5.8.

  • Iyappan V Jan 14, 2013 @ 12:36

    What are the steps required to perform security patches in Oracle Enterprise Linux 5.6?
    Can I use the above steps to perform the same in OEL Servers?

  • Cletus Jan 31, 2013 @ 13:30

    DUDE! Yuda man! Works perfectly in Centos 6.2 and 6.3. Thank you!

  • Not Working Jun 27, 2014 @ 20:09

    Does not work for an initial install of CentOS 6.5. Specifically, it fails to identify openssl as having the heartbleed bug. I know for a fact (and I have tested it myself with another install) that the openssl that came initially with 6.5 does have the bug in it, and that they have backported the fix into the 1.0.1e.

    Oh, that and the fact that an initial install has 0 security updates. Hmm… very suspicious, especially coupled with the glaring mistake for openssl.

  • Rahul Oct 4, 2016 @ 10:07

    What is the procedure for patching registering with RHN and how to find latest release patch, after installing patches is there any way to verify the update and how to rollback if something went wrong.
