Yum Command Check and Apply Only Security Updates

How do I limit package lists and/or updates to security-relevant ones when I run the yum command on a CentOS / RHEL based server system?

You need to install a plugin called yum-plugin-security. This plugin makes it possible to limit the listing and upgrading of packages to security-relevant ones. Its commands also give you the security information.

Install yum-plugin-security

Type the following yum command:
# yum -y install yum-plugin-security
Sample outputs:

Loaded plugins: product-id, protectbase, rhnplugin, subscription-manager
Updating certificate-based repositories.
Unable to read consumer identity
0 packages excluded due to repository protections
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package yum-plugin-security.noarch 0:1.1.30-14.el6 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

====================================================================================================
 Package                    Arch          Version                 Repository                   Size
====================================================================================================
Installing:
 yum-plugin-security        noarch        1.1.30-14.el6           rhel-x86_64-server-6         38 k

Transaction Summary
====================================================================================================
Install       1 Package(s)

Total download size: 38 k
Installed size: 0  
Downloading Packages:
yum-plugin-security-1.1.30-14.el6.noarch.rpm                                 |  38 kB     00:00     
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing : yum-plugin-security-1.1.30-14.el6.noarch                                         1/1 
Installed products updated.
  Verifying  : yum-plugin-security-1.1.30-14.el6.noarch                                         1/1 

Installed:
  yum-plugin-security.noarch 0:1.1.30-14.el6                                                        

Complete!

Examples

To display all updates that are security relevant, and get a return code on whether there are security updates, enter:
# yum --security check-update
Sample outputs:

Loaded plugins: product-id, protectbase, rhnplugin, security, subscription-manager
Updating certificate-based repositories.
Unable to read consumer identity
0 packages excluded due to repository protections
Limiting package lists to security relevant ones
2 package(s) needed for security, out of 10 available
Security: kernel-2.6.32-279.1.1.el6.x86_64 is an installed security update
Security: kernel-2.6.32-279.el6.x86_64 is the currently running version
glibc.x86_64                  2.12-1.80.el6_3.3          rhel-x86_64-server-6
glibc-common.x86_64           2.12-1.80.el6_3.3          rhel-x86_64-server-6

To show a list of all BZs that are fixed for packages you have installed enter:
# yum updateinfo list bugzillas
Sample outputs:

Loaded plugins: product-id, protectbase, rhnplugin, security, subscription-manager
Updating certificate-based repositories.
Unable to read consumer identity
0 packages excluded due to repository protections
 838956 bugfix   bind-libs-32:9.8.2-0.10.rc1.el6_3.1.x86_64
 838956 bugfix   bind-utils-32:9.8.2-0.10.rc1.el6_3.1.x86_64
 826943 security glibc-2.12-1.80.el6_3.3.x86_64
 833703 security glibc-2.12-1.80.el6_3.3.x86_64
 833704 security glibc-2.12-1.80.el6_3.3.x86_64
 837026 security glibc-2.12-1.80.el6_3.3.x86_64
 826943 security glibc-common-2.12-1.80.el6_3.3.x86_64
 833703 security glibc-common-2.12-1.80.el6_3.3.x86_64
 833704 security glibc-common-2.12-1.80.el6_3.3.x86_64
 837026 security glibc-common-2.12-1.80.el6_3.3.x86_64
 837227 bugfix   kernel-2.6.32-279.2.1.el6.x86_64
 837227 bugfix   kernel-firmware-2.6.32-279.2.1.el6.noarch
 836252 bugfix   net-snmp-libs-1:5.5-41.el6_3.1.x86_64
updateinfo list done

To get a summary of advisories you haven’t installed yet use:
# yum updateinfo summary
Sample outputs:

Loaded plugins: product-id, protectbase, rhnplugin, security, subscription-manager
Updating certificate-based repositories.
Unable to read consumer identity
0 packages excluded due to repository protections

Updates Information Summary: available
    1 Security notice(s)
    4 Bugfix notice(s)
    1 Enhancement notice(s)
Security: kernel-2.6.32-279.1.1.el6.x86_64 is an installed security update
Security: kernel-2.6.32-279.el6.x86_64 is the currently running version
updateinfo summary done

To upgrade packages that have security errata (upgrades to the latest available package) use:
# yum --security update
Sample outputs:

Loaded plugins: product-id, protectbase, rhnplugin, security, subscription-manager
Updating certificate-based repositories.
Unable to read consumer identity
0 packages excluded due to repository protections
Setting up Update Process
Resolving Dependencies
Limiting packages to security relevant ones
2 package(s) needed (+0 related) for security, out of 10 available
--> Running transaction check
---> Package glibc.x86_64 0:2.12-1.80.el6 will be updated
---> Package glibc.x86_64 0:2.12-1.80.el6_3.3 will be an update
---> Package glibc-common.x86_64 0:2.12-1.80.el6 will be updated
---> Package glibc-common.x86_64 0:2.12-1.80.el6_3.3 will be an update
--> Finished Dependency Resolution

Dependencies Resolved

====================================================================================================
 Package              Arch           Version                     Repository                    Size
====================================================================================================
Updating:
 glibc                x86_64         2.12-1.80.el6_3.3           rhel-x86_64-server-6         3.8 M
 glibc-common         x86_64         2.12-1.80.el6_3.3           rhel-x86_64-server-6          14 M

Transaction Summary
====================================================================================================
Upgrade       2 Package(s)

Total download size: 18 M
Is this ok [y/N]: 

To upgrade packages that have security errata (upgrades to the last security errata package) use:
# yum --security update-minimal
See the yum-security man page for more information:
$ man 8 yum-security

{ 9 comments }
  • foobrew July 26, 2012, 11:30 pm

    Works well on RHEL6 but not so much on Fedora 16. F16 gives bad output:

    # yum --security check-update
    Loaded plugins: changelog, langpacks, presto, refresh-packagekit, security
    Limiting package lists to security relevant ones
    2 package(s) needed for security, out of 13 available
    
    control-center.i686                                   1:3.2.3-1.fc16                            updates
    dbus-glib.i686                                        0.98-2.fc16                               updates
    firefox.x86_64                                        14.0.1-1.fc16                             updates
    libnetfilter_conntrack.i686                           1.0.1-1.fc16                              updates
    libv4l.i686                                           0.8.8-2.fc16                              updates
    qt.i686                                               1:4.8.2-4.fc16                            updates
    qt-x11.i686                                           1:4.8.2-4.fc16                            updates
    xulrunner.x86_64                                      14.0.1-3.fc16                             updates
    

    Notice that it says 2 pkgs are for security but it lists 8.

    Try this instead:

    # yum updateinfo list --security
    Loaded plugins: changelog, langpacks, presto, refresh-packagekit, security
    FEDORA-2012-10822 security firefox-14.0.1-1.fc16.x86_64
    FEDORA-2012-10822 security xulrunner-14.0.1-3.fc16.x86_64
    

    If you have yum-plugin-changelog installed, you can see the changelog for the security update:

    # yum changelog all firefox-14.0.1-1.fc16.x86_64
    Loaded plugins: changelog, langpacks, presto, refresh-packagekit, security
    
    Listing all changelogs
    
    ==================== Available Packages ====================
    firefox-14.0.1-1.fc16.x86_64             updates
    * Mon Jul 16 05:00:00 2012 Martin Stransky  - 14.0.1-1
    - Update to 14.0.1
    
    * Tue Jul 10 05:00:00 2012 Martin Stransky  - 13.0.1-2
    - Fixed rhbz#707100, rhbz#821169
    
    * Sat Jun 16 05:00:00 2012 Jan Horak  - 13.0.1-1
    - Update to 13.0.1
    ...etc...
    
  • enzo July 27, 2012, 12:33 am

    Can this advice be used on the CentOS dist.?

    • Deadmeat May 3, 2013, 3:18 am

      yum-security does *not* work for CentOS and there’s no ETA.

  • Admon July 27, 2012, 2:02 am

    Supposedly the package is named yum-security on RHEL-5.

  • nabyl July 27, 2012, 1:14 pm

    On my CentOS 5.8 it’s called yum-security.noarch

  • Enzo March 19, 2013, 11:09 am

    Thank you nabyl, you are right, I found the package.

    Best regards.

  • jules345 April 10, 2014, 12:42 pm

    Doesn’t seem to work anymore. Does nobody update the lists? I ran:

    $ yum update --security

    and it claimed that nothing needed updating. However, I urgently needed to patch openssl for CVE-2014-0160 (heartbleed).

    Instead I resorted to doing it manually:

    $ yum update -y openssl

  • Stefan Lasiewski May 14, 2014, 8:32 pm

    `yum-plugin-security` still doesn’t work on CentOS6. But it does work on Scientific Linux.

    On my SL6 box, yum security sees the following security alerts for the kernel.

    ```
    [root@SL6 ~]# cat /etc/issue
    Scientific Linux release 6.5 (Carbon)
    Kernel \r on an \m
    [root@SL6 ~]# yum updateinfo list --security --quiet
    SLSA-2014:0475-1 important/Sec. kernel-2.6.32-431.17.1.el6.x86_64
    SLSA-2014:0475-1 important/Sec. kernel-firmware-2.6.32-431.17.1.el6.noarch
    FEDORA-EPEL-2013-11393 security nagios-common-3.5.1-1.el6.x86_64
    [root@SL6 ~]#
    ```

    In this next example, I deliberately install the httpd version 2.2.15-29 which has several security updates as mentioned in the RHSA/CESA security archives. `yum update --security` does nothing.

    ```
    [root@centos6 ~]# yum localinstall httpd-2.2.15-29.el6.centos.x86_64.rpm -y --quiet
    [root@centos6 ~]# cat /etc/issue
    CentOS release 6.5 (Final)
    Kernel \r on an \m
    [root@centos6 ~]#
    [root@centos6 ~]# yum update --security --quiet
    [root@centos6 ~]# yum updateinfo list --security --quiet
    [root@centos6 ~]#
    ```

  • Monsoft December 10, 2015, 9:49 am

    The CentOS main repository doesn’t mark packages as security updates, so the yum plugin can’t see them. The EPEL repo does.
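
Added example, not part of the original article or of any comment above: the comments report that yum --security finds nothing on CentOS because the main repository carries no security markings, which makes the return code of yum --security check-update described in the article ambiguous. This sketch trusts exit status 0 only when every cached repomd.xml lists updateinfo metadata. The function names, the verdict strings and the cache layout /var/cache/yum/<arch>/<release>/<repo>/ are assumptions, and the sample cache is constructed.

```bash
# Added example (not from the original page): qualify yum's "nothing to do".

# Succeeds if this repomd.xml advertises updateinfo (errata) metadata.
repo_has_updateinfo() {
    grep -Eq '<data[^>]*type="updateinfo"' "$1"
}

# Print each repo id under a yum cache root whose repomd.xml lacks updateinfo.
# Assumption: default cachedir layout, <root>/<arch>/<release>/<repo>/repomd.xml.
repos_without_updateinfo() {
    find "$1" -name repomd.xml 2>/dev/null | sort | while read -r md; do
        repo_has_updateinfo "$md" || basename "$(dirname "$md")"
    done
}

# Map the exit status of `yum --security check-update` to a verdict.
# yum exits 100 when updates are listed, 0 when none, 1 on error.
# $2 = repos lacking errata data; if non-empty, an empty list proves nothing.
security_verdict() {
    case "$1" in
        100) echo PENDING ;;
        0)   if [ -n "$2" ]; then echo UNKNOWN; else echo CLEAN; fi ;;
        *)   echo ERROR ;;
    esac
}

# Real-host entry point (needs yum); $1 overrides the cache root.
check_host() {
    rc=0
    yum -q --security check-update >/dev/null 2>&1 || rc=$?
    security_verdict "$rc" "$(repos_without_updateinfo "${1:-/var/cache/yum}")"
}

# Constructed sample cache: "base" has no updateinfo entry, "epel" has one.
make_sample_cache() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/x86_64/6/base" "$root/x86_64/6/epel"
    printf '%s\n' '<repomd>' ' <data type="primary"/>' '</repomd>' \
        > "$root/x86_64/6/base/repomd.xml"
    printf '%s\n' '<repomd>' ' <data type="primary"/>' \
        ' <data type="updateinfo"/>' '</repomd>' \
        > "$root/x86_64/6/epel/repomd.xml"
    echo "$root"
}

# Demo on the constructed cache: yum exit status 0 plus a blind repo.
sample=$(make_sample_cache)
security_verdict 0 "$(repos_without_updateinfo "$sample")"
rm -rf "$sample"
```

On a real host, run check_host after yum has refreshed its metadata; an UNKNOWN verdict means patch status has to be checked against the vendor's advisories rather than inferred from yum's empty list.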
