Is it possible to limit yum so that it lists or installs only security updates?

Solution Verified - Updated -

Environment

  • Red Hat Enterprise Linux 8.x
  • Red Hat Enterprise Linux 7.x
  • Red Hat Enterprise Linux 6.x
  • Red Hat Enterprise Linux 5.1 and later
  • Red Hat Network Hosted
  • Red Hat Satellite

Issue

  • Is it possible to limit yum so that it lists or installs only security updates?
  • How to update a system using yum and only apply security errata?
  • How to patch the system only with security erratas ?

Resolution

  • Install the yum-security plugin

It is now possible to limit yum to install only security updates (as opposed to bug fixes or enhancements) using Red Hat Enterprise Linux 5,6, and 7. To do so, simply install the yum-security plugin:

For Red Hat Enterprise Linux 7 and 8
The plugin is already a part of yum itself, no need to install anything.

For Red Hat Enterprise Linux 6

# yum install yum-plugin-security

For Red Hat Enterprise Linux 5

# yum install yum-security

Alternatively, download the yum-security package from the Red Hat Network (RHN) and manually install it on the system.

For Red Hat Enterprise Linux 6, 7 & 8

  • Using yum-security plugin

  • To list all available erratas without installing them, run:

# yum updateinfo list available
  • To list all available security updates without installing them, run:
# yum updateinfo list security all
# yum updateinfo list sec
  • To get a list of the currently installed security updates this command can be used:
# yum updateinfo list security installed

For Red Hat Enterprise Linux 5

  • Using yum-security plugin

  • To list all available erratas without installing them, run:

# yum list-sec
  • To list all available security updates without installing them, run:
# yum list-security --security

For Red Hat Enterprise Linux 5, 6, 7 and 8

  • To list all available security updates with verbose descriptions of the issues they apply to:
# yum updateinfo info security
  • Run the following command to download and apply all available security updates from Red Hat Network hosted or Red Hat Network Satellite:
# yum -y update --security

NOTE: It will install the last version available of any package with at least one security errata thus can install non-security erratas if they provide a more updated version of the package. Updating using --security may still increase the minor release of the system in question if the dependencies being installed result in a newer minor release being installed.

  • To only install the packages that have a security errata use
# yum update-minimal --security -y
  • yum-security also allows installing security updates based on the CVE reference of the issue. To install a security update using a CVE reference run:
# yum update --cve <CVE>

e.g.

# yum update --cve CVE-2008-0947

Viewing available advisories by severities:

# yum updateinfo list
This system is receiving updates from RHN Classic or RHN Satellite.
RHSA-2014:0159 Important/Sec. kernel-headers-2.6.32-431.5.1.el6.x86_64
RHSA-2014:0164 Moderate/Sec.  mysql-5.1.73-3.el6_5.x86_64
RHSA-2014:0164 Moderate/Sec.  mysql-devel-5.1.73-3.el6_5.x86_64
RHSA-2014:0164 Moderate/Sec.  mysql-libs-5.1.73-3.el6_5.x86_64
RHSA-2014:0164 Moderate/Sec.  mysql-server-5.1.73-3.el6_5.x86_64
RHBA-2014:0158 bugfix         nss-sysinit-3.15.3-6.el6_5.x86_64
RHBA-2014:0158 bugfix         nss-tools-3.15.3-6.el6_5.x86_64

If you want to apply only one specific advisory:

# yum update --advisory=RHSA-2014:0159

However, if you would like to know more information about this advisory before to apply it:

# yum updateinfo RHSA-2014:0159

Similarly, you can view CVEs which affect the system with:

# yum updateinfo list cves
Loaded plugins: auto-update-debuginfo, product-id, search-disabled-repos, subscription-manager
 CVE-2017-1000380 Moderate/Sec. kernel-3.10.0-693.11.1.el7.x86_64
 CVE-2017-1000380 Moderate/Sec. kernel-devel-3.10.0-693.11.1.el7.x86_64
 CVE-2017-1000380 Moderate/Sec. kernel-headers-3.10.0-693.11.1.el7.x86_64
 CVE-2017-1000380 Moderate/Sec. kernel-tools-3.10.0-693.11.1.el7.x86_64
 CVE-2017-1000380 Moderate/Sec. kernel-tools-libs-3.10.0-693.11.1.el7.x86_64
 CVE-2017-1000380 Moderate/Sec. perf-3.10.0-693.11.1.el7.x86_64
 CVE-2017-1000380 Moderate/Sec. python-perf-3.10.0-693.11.1.el7.x86_64
 CVE-2016-10002   Moderate/Sec. squid-7:3.5.20-2.el7_3.2.x86_64
updateinfo list done

For more commands consult the manual pages of yum-security with

# man yum-security

If you face any missing dependency issue while applying security patches on system then refer to yum update --security fails with missing dependency errors.

  • Component
  • yum

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.

25 Comments

Log in to comment
R. Hinton's picture Guru 6827 points
11 September 2014 5:30 PM

For those seeking to discover what CVEs are addressed in a given existing RPM, try this method that Marc Milgram from Red Hat kindly provided at this discussion.

1) First download the specific rpm you are interested in.
2) Use the below command...

$ rpm -qp --changelog openssl-0.9.8e-27.el5_10.4.x86_64.rpm | grep CVE
- fix CVE-2014-0221 - recursion in DTLS code leading to DoS
- fix CVE-2014-3505 - doublefree in DTLS packet processing
- fix CVE-2014-3506 - avoid memory exhaustion in DTLS
- fix CVE-2014-3508 - fix OID handling to avoid information leak
- fix CVE-2014-3510 - fix DoS in anonymous (EC)DH handling in DTLS
- fix for CVE-2014-0224 - SSL/TLS MITM vulnerability
- fix for CVE-2013-0169 - SSL/TLS CBC timing attack (#907589)
- fix for CVE-2013-0166 - DoS in OCSP signatures checking (#908052)
  environment variable is set (fixes CVE-2012-4929 #857051)
- fix for CVE-2012-2333 - improper checking for record length in DTLS (#820686)
- fix for CVE-2012-2110 - memory corruption in asn1_d2i_read_bio() (#814185)
- fix for CVE-2012-0884 - MMA weakness in CMS and PKCS#7 code (#802725)
- fix for CVE-2012-1165 - NULL read dereference on bad MIME headers (#802489)
- fix for CVE-2011-4108 & CVE-2012-0050 - DTLS plaintext recovery
- fix for CVE-2011-4109 - double free in policy checks (#771771)
- fix for CVE-2011-4576 - uninitialized SSL 3.0 padding (#771775)
- fix for CVE-2011-4619 - SGC restart DoS attack (#771780)
- fix CVE-2010-4180 - completely disable code for
- fix CVE-2009-3245 - add missing bn_wexpand return checks (#570924)
- fix CVE-2010-0433 - do not pass NULL princ to krb5_kt_get_entry which
- fix CVE-2009-3555 - support the safe renegotiation extension and
- fix CVE-2009-2409 - drop MD2 algorithm from EVP tables (#510197)
- fix CVE-2009-4355 - do not leak memory when CRYPTO_cleanup_all_ex_data()
- fix CVE-2009-1386 CVE-2009-1387 (DTLS DoS problems)
- fix CVE-2009-1377 CVE-2009-1378 CVE-2009-1379
- fix CVE-2009-0590 - reject incorrectly encoded ASN.1 strings (#492304)
- fix CVE-2008-5077 - incorrect checks for malformed signatures (#476671)
- fix CVE-2007-3108 - side channel attack on private keys (#250581)
- fix CVE-2007-5135 - off-by-one in SSL_get_shared_ciphers (#309881)
- fix CVE-2007-4995 - out of order DTLS fragments buffer overflow (#321221)
- CVE-2006-2940 fix was incorrect (#208744)
- fix CVE-2006-2937 - mishandled error on ASN.1 parsing (#207276)
- fix CVE-2006-2940 - parasitic public keys DoS (#207274)
- fix CVE-2006-3738 - buffer overflow in SSL_get_shared_ciphers (#206940)
- fix CVE-2006-4343 - sslv2 client DoS (#206940)
- fix CVE-2006-4339 - prevent attack on PKCS#1 v1.5 signatures (#205180)
R. Hinton's picture Guru 6827 points
11 September 2014 5:34 PM

Additionally,

If you are interested to see if a given CVE, or list of CVEs are applicable, you can use this method:

1) get the list of all applicable CVEs from Red Hat you wish,
- If you wanted to limit the search to a specific rpm such as "openssl", then at that above Red Hat link, you can enter "openssl" and filter out only openssl items, or filter against any other search term
- Place these into a file, one line after another, such as this limited example:
NOTE: These CVEs below are from limiting the CVEs to "openssl" in the manner I described above, and the list is not completed, there are plenty more for your date range.

CVE-2014-0016
CVE-2014-0017
CVE-2014-0036
CVE-2014-0041
...

2) Keep in mind the information in the article in this page, and run something like the following as root (a "for loop" will work in a bash shell):

[root@yoursystem]# for i in `cat listofcves.txt`;yum update --cve $i;done

And if the cve applies, it will prompt you to take the update, if it does not apply, it will tell you

Alternatively, I used this "echo n |" prior to the "yum update" exit the yum command with "n" if it found a hit:

[root@yoursystem]# for i in `cat listyoumade.txt`;echo n |yum update --cve $i;done

Then redirect the output to another file to make your determinations.

Walid Shaari's picture Expert 1266 points
25 November 2014 3:19 AM

I would like to create a puppet fact that would tell me the last security update applied to a box, what would by the best way to find out from the system when was the last security update applied?

f3 Newbie 5 points
7 January 2015 9:54 AM

'yum info-sec' actually lists all patches, you need to use 'yum info-sec --security'

rh Newbie 10 points
22 May 2015 11:14 AM

Hello,

I'm trying to do this "yum updateinfo list" in Red Hat Enterprise Linux 5.11 and doesn't work, the version of plugin is:

yum-security-1.1.16-21.el5

Regards

SB Active Contributor 365 points
25 May 2015 9:33 AM

Following statement is not right:
"For both Red Hat Enterprise Linux 5, 6, and 7"

It should be
"For Red Hat Enterprise Linux 5, 6, and 7"

SF Community Member 78 points
29 December 2015 1:49 PM

I am trying to automate just SECURITY update my redhat servers. On redhat 7.1 I have edited "/etc/yum/yum-cron.conf" and put " update_cmd = security" in that file, which I hope it is right. But I can not find possibility to do it on redhat 6.x. What I was able to do was to edit file " /etc/sysconfig/yum-cron" and add the line " YUM_PARAMETER="--exclude='kernel' --exclude='grub'" which is not the same. I have commit following commandds:

yum install yum-plugin-security yum install yum-cron chkconfig yum-cron on service yum-cron start service yum-cron status

How can I configure automate just SECURITY update on redhat 6.x?

RC Active Contributor 248 points
10 February 2016 1:00 PM

How is this the Severity information of RHSA updated populated?

Specifically the article shows the following output:

# yum updateinfo list
This system is receiving updates from RHN Classic or RHN Satellite.
RHSA-2014:0159 Important/Sec. kernel-headers-2.6.32-431.5.1.el6.x86_64
RHSA-2014:0164 Moderate/Sec.  mysql-5.1.73-3.el6_5.x86_64
RHSA-2014:0164 Moderate/Sec.  mysql-devel-5.1.73-3.el6_5.x86_64
RHSA-2014:0164 Moderate/Sec.  mysql-libs-5.1.73-3.el6_5.x86_64
RHSA-2014:0164 Moderate/Sec.  mysql-server-5.1.73-3.el6_5.x86_64
RHBA-2014:0158 bugfix         nss-sysinit-3.15.3-6.el6_5.x86_64
RHBA-2014:0158 bugfix         nss-tools-3.15.3-6.el6_5.x86_64

On all of my systems, the output seems to be missing the severity information:

# yum updateinfo list
This system is receiving updates from RHN Classic or RHN Satellite.
RHSA-2014:0159 security       kernel-headers-2.6.32-431.5.1.el6.x86_64
RHSA-2014:0164 security       mysql-5.1.73-3.el6_5.x86_64
RHSA-2014:0164 security       mysql-devel-5.1.73-3.el6_5.x86_64
RHSA-2014:0164 security       mysql-libs-5.1.73-3.el6_5.x86_64
RHSA-2014:0164 security       mysql-server-5.1.73-3.el6_5.x86_64
RHBA-2014:0158 bugfix         nss-sysinit-3.15.3-6.el6_5.x86_64
RHBA-2014:0158 bugfix         nss-tools-3.15.3-6.el6_5.x86_64

I can't see how to configure it to transform "security" to "Severity/Sec."

Walid Shaari's picture Expert 1266 points
20 September 2016 8:27 AM

same in here, what I did was use info-sec with filters, like below:

test-node# yum info-sec|grep  'Critical:'
  Critical: glibc security and bug fix update
  Critical: samba and samba4 security, bug fix, and enhancement update
  Critical: samba security update
  Critical: samba security update
  Critical: nss and nspr security, bug fix, and enhancement update
  Critical: nss, nss-util, and nspr security update
  Critical: nss-util security update
  Critical: samba4 security update
b.scalio's picture Expert 1083 points
20 June 2017 1:49 PM

What's annoying is that "yum update --security" shows 20 packages to update for security but when listing the installable errata in Satellite it shows 102 errata available and yet all those errata don't contain the errata.

Pavel Moravec's picture Red Hat Guru 4365 points
20 June 2017 2:05 PM

You might hit https://bugzilla.redhat.com/show_bug.cgi?id=1408508 where metadata generated has empty package list for some errata in some circumstances, causing yum thinks such an errata is not applicable (as no package would be updated by applying that errata).

I recommend finding out one of the errata that Sat WebUI offers but yum isnt aware of, and (z)grep that errata id within yum cache - if there will be something like:

<pkglist>
  <collection short="">
    <name>rhel-7-server-rpms__7Server__x86_64</name>
  </collection>
</pkglist>

with no package in it, you hit that bug.

b.scalio's picture Expert 1083 points
20 June 2017 2:32 PM

Wasn't there a KB article on this as well, do you have that link on how to fix it?

Pavel Moravec's picture Red Hat Guru 4365 points
20 June 2017 3:14 PM

There hasnt been any - I just wrote https://access.redhat.com/solutions/3087631 .

The BZ is fixed in Satellite 6.2.10 we are about to release now.

pixdrift ‏‏‎ ‎'s picture Guru 6643 points
14 August 2017 1:25 AM

I've got an interesting requirement in that a customer wants to only allow updates of packages with attached security errata (to limit unecessary drift/update of the OS platform). ie. restrict, warn or block the use of generic 'yum update' by an admin as it will update all packages.

There are other approaches which I have currently implemented, including limiting what is made available to the servers through Satellite so yum update doesn't 'see' non security errata.. but I guess what i'm really interested in is limiting (through client config) the inadvertant use "yum update" by an administrator, or redirecting/mapping 'yum update' to 'yum update --security'. I appreciate an admin can work around any restriction, but it's really to limit accidental use of full 'yum update' by well intentioned admins.

Current approaches are to alias yum, move yum and write a shim in its place (to warn/redirect if yum update is called), or patch the yum package itself (which i'd like to avoid). Any other suggestions appreciated.

DP Community Member 25 points
16 January 2018 5:00 PM

why not creating a specific content-view for security patch purpose ?

In that content-view, you create a filter that filters only security updates.

In your patch management process, you can create a script that change on the fly the content-view of a host (or host-group) then apply security patches, and finally switching back to the original content-view (if you let to the admin the possibility to install additional programms if necessary).

hope this helps

RC Active Contributor 248 points
12 March 2018 2:25 PM

.

IN Newbie 14 points
15 August 2019 12:12 AM

Hi,

Is it necessary to reboot system after applying security updates ?

Marcus West's picture Red Hat Guru 2670 points
15 August 2019 1:17 AM

If it's a kernel update, you will have to. For other packages, it's recommended as to ensure that you are not still running the old libraries in memory. If you are just patching one particular independent service (ie, http), you can probably get away without a full system reboot.

More information can be found in the solution Which packages require a system reboot after the update? .

TH Newbie 5 points
10 March 2021 9:20 AM

I'd like to install patch for CVE-2021-3156

https://access.redhat.com/errata/RHSA-2021:0222

sudo-1.8.23-4.el7_7.3.x86_64.rpm

But it is not listed

[root~]# subscription-manager release
Release: 7.7
[root~]# yum updateinfo list security all | grep sudo
i RHSA-2017:3379              Moderate/Sec.  libsss_sudo-1.15.2-50.el7_4.8.x86_64
i RHSA-2018:3158              Low/Sec.       libsss_sudo-1.16.2-13.el7.x86_64
i RHSA-2019:2177              Moderate/Sec.  libsss_sudo-1.16.4-21.el7.x86_64
i RHSA-2016:2593              Low/Sec.       sudo-1.8.6p7-20.el7.x86_64
i RHSA-2016:2872              Moderate/Sec.  sudo-1.8.6p7-21.el7_3.x86_64
i RHSA-2017:1382              Important/Sec. sudo-1.8.6p7-22.el7_3.x86_64
i RHSA-2017:1574              Moderate/Sec.  sudo-1.8.6p7-23.el7_3.x86_64
i RHSA-2019:3197              Important/Sec. sudo-1.8.23-4.el7_7.1.x86_64
i RHSA-2020:0540              Important/Sec. sudo-1.8.23-4.el7_7.2.x86_64

It lists only previous and already installed version

sudo-1.8.23-4.el7_7.2.x86_64

What shall I do? Am I missing some step? Is the only option to download and install rpm manually? How does it works in general, when rpm becomes listed?

YL Community Member 37 points
15 March 2021 12:37 PM

I need to find the date for RHSA installed. yum updateinfo list security all - This command shows full list of installed patches without date details. But customer need with the date details when the patch was executed. They are not convinced with rpm -qa --last command.

Is there any command to get the list of errata installed for the particular date?

Pavel Moravec's picture Red Hat Guru 4365 points
29 March 2021 3:29 PM

Is there any command to get the list of errata installed for the particular date?

I am not aware of such command. You can parse the repository metadata to get that info, something like (modify per repository label accordingly):

zcat /var/cache/yum/x86_64/7Server/rhel-7-server-rpms/*-updateinfo.xml.gz | grep -e "<id>" -e "<issued"

and process further the output like:

    <id>RHBA-2020:3614</id>
    <issued date="2020-09-02 14:17:05 UTC" />
    <id>RHBA-2020:3255</id>
    <issued date="2020-07-30 20:14:34 UTC" />
Pavel Moravec's picture Red Hat Guru 4365 points
29 March 2021 3:25 PM

Hello, sory for later response.

Is the system registered to customer portal or to some Satellite? (if the later, was the relevant repo synced? promoted in CV to proper LE? synced to Capsule, if used?)

do you have proper subscription attached to the client system, and proper repo enabled? If you try subscription-manager refresh; yum clean all; yum list --showduplicates sudo, you should see all versions of sudo package installable to the system, with repo name as its source. Maybe that helps troubleshooting further..

TJ Newbie 7 points
6 May 2021 11:51 AM

Regarding 'To get a list of the currently installed security updates this command can be used:' for Redhat Enterprise Linux 8

Not sure at what dnf version this happened, but 'yum updateinfo list security installed' is not the correct syntax . 'yum updateinfo list security installed' actually runs ' yum updateinfo list security --available', the latter installed option is ignored

use: 'yum updateinfo list security --installed'

MA Newbie 7 points
24 August 2021 3:10 PM

Hi
Apologies for jumping onto an old thread but is it possible to translate yum update-minimal --security command into pure DNF and exclude any minor version upgrade kernel packages for RHEL8.3 boxes please? Without resorting to minor version specific repos in content-views?

Tried the following but getting dependency errors for kernel-modules:

dnf upgrade-minimal --security --exclude='kernel-*' --nobest

If the security updates/CVEs must be upgraded to newer kernel versions does RedHat support existence of minor version differences between distribution/os-release and kernel versions? Apologies for a NUBE question.

regards,

Min

CA Newbie 5 points
15 September 2021 8:11 PM

Is it possible to do a yum update --security and only apply patches released within the last month or by date?