Is it possible to limit yum so that it lists or installs only security updates?

Solution Verified - Updated -

Environment

  • Red Hat Enterprise Linux 9.x
  • Red Hat Enterprise Linux 8.x
  • Red Hat Enterprise Linux 7.x
  • Red Hat Enterprise Linux 6.x
  • Red Hat Enterprise Linux 5.1 and later
  • Red Hat Network Hosted
  • Red Hat Satellite

Issue

  • Is it possible to limit yum so that it lists or installs only security updates?
  • How to update a system using yum and only apply security errata?
  • How to patch the system only with security erratas ?

Resolution

  • Install the yum-security plugin

It is now possible to limit yum to install only security updates (as opposed to bug fixes or enhancements) using Red Hat Enterprise Linux 5,6, and 7. To do so, simply install the yum-security plugin:

For Red Hat Enterprise Linux 7, 8 and 9
The plugin is already a part of yum itself, no need to install anything.

For Red Hat Enterprise Linux 6

# yum install yum-plugin-security

For Red Hat Enterprise Linux 5

# yum install yum-security

Alternatively, download the yum-security package from the Red Hat Network (RHN) and manually install it on the system.

For Red Hat Enterprise Linux 6, 7, 8 & 9

  • Using yum-security plugin

  • To list all available erratas without installing them, run:

# yum updateinfo list --available
  • To list all available security updates without installing them, run:
# yum updateinfo list --security

or

# yum updateinfo list sec
  • To get a list of the currently installed security updates this command can be used:
# yum updateinfo list --security --installed

or 

# yum updateinfo list sec --installed
  • To get a list of both available and installed security updates this command can be used:
# yum updateinfo list --security --all

or

# yum updateinfo list sec --all

For Red Hat Enterprise Linux 5

  • Using yum-security plugin

  • To list all available erratas without installing them, run:

# yum list-sec
  • To list all available security updates without installing them, run:
# yum list-security --security

For Red Hat Enterprise Linux 5, 6, 7, 8 and 9

  • To list all available security updates with verbose descriptions of the issues they apply to:
# yum updateinfo info security
  • Run the following command to download and apply all available security updates from Red Hat Network hosted or Red Hat Network Satellite:
# yum update --security

NOTE: It will install the last version available of any package with at least one security errata thus can install non-security erratas if they provide a more updated version of the package. Updating using --security may still increase the minor release of the system in question if the dependencies being installed result in a newer minor release being installed.

  • To only install the packages that have a security errata use
# yum update-minimal --security
  • yum-security also allows installing security updates based on the CVE reference of the issue. To install a security update using a CVE reference run:
# yum update --cve <CVE>

e.g.

# yum update --cve CVE-2008-0947

Viewing available advisories by severities:

# yum updateinfo list
This system is receiving updates from RHN Classic or RHN Satellite.
RHSA-2014:0159 Important/Sec. kernel-headers-2.6.32-431.5.1.el6.x86_64
RHSA-2014:0164 Moderate/Sec.  mysql-5.1.73-3.el6_5.x86_64
RHSA-2014:0164 Moderate/Sec.  mysql-devel-5.1.73-3.el6_5.x86_64
RHSA-2014:0164 Moderate/Sec.  mysql-libs-5.1.73-3.el6_5.x86_64
RHSA-2014:0164 Moderate/Sec.  mysql-server-5.1.73-3.el6_5.x86_64
RHBA-2014:0158 bugfix         nss-sysinit-3.15.3-6.el6_5.x86_64
RHBA-2014:0158 bugfix         nss-tools-3.15.3-6.el6_5.x86_64

If you want to apply only one specific advisory:

# yum update --advisory=RHSA-2014:0159

However, if you would like to know more information about this advisory before to apply it:

# yum updateinfo RHSA-2014:0159

Similarly, you can view CVEs which affect the system with:

# yum updateinfo list cves
Loaded plugins: auto-update-debuginfo, product-id, search-disabled-repos, subscription-manager
 CVE-2017-1000380 Moderate/Sec. kernel-3.10.0-693.11.1.el7.x86_64
 CVE-2017-1000380 Moderate/Sec. kernel-devel-3.10.0-693.11.1.el7.x86_64
 CVE-2017-1000380 Moderate/Sec. kernel-headers-3.10.0-693.11.1.el7.x86_64
 CVE-2017-1000380 Moderate/Sec. kernel-tools-3.10.0-693.11.1.el7.x86_64
 CVE-2017-1000380 Moderate/Sec. kernel-tools-libs-3.10.0-693.11.1.el7.x86_64
 CVE-2017-1000380 Moderate/Sec. perf-3.10.0-693.11.1.el7.x86_64
 CVE-2017-1000380 Moderate/Sec. python-perf-3.10.0-693.11.1.el7.x86_64
 CVE-2016-10002   Moderate/Sec. squid-7:3.5.20-2.el7_3.2.x86_64
updateinfo list done

For more commands consult the manual pages of yum-security with

# man yum-security

If you face any missing dependency issue while applying security patches on system then refer to yum update --security fails with missing dependency errors.

  • Component
  • yum

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.

Comments