Is it possible to limit yum so that it lists or installs only security updates?

Solution Verified - Updated -

Environment

  • Red Hat Enterprise Linux 7.x
  • Red Hat Enterprise Linux 6.x
  • Red Hat Enterprise Linux 5.1 and later
  • Red Hat Network Hosted
  • Red Hat Satellite

Issue

  • Is it possible to limit yum so that it lists or installs only security updates?
  • How to update a system using yum and only apply security errata?
  • Wanted to update security patches with out modifying OS version. How can we do that?
  • How to patch the system only with security erratas ?

Resolution

  • Install the yum-security plugin

It is now possible to limit yum to install only security updates (as opposed to bug fixes or enhancements) using Red Hat Enterprise Linux 5,6, and 7. To do so, simply install the yum-security plugin:

For Red Hat Enterprise Linux 7
The plugin is already a part of yum itself, no need to install anything.

For Red Hat Enterprise Linux 6

# yum install yum-plugin-security

For Red Hat Enterprise Linux 5

# yum install yum-security

Alternatively, download the yum-security package from the Red Hat Network (RHN) and manually install it on the system.

For Red Hat Enterprise Linux 6 and 7

  • Using yum-security plugin

  • To list all available erratas without installing them, run:

# yum updateinfo list available
  • To list all available security updates without installing them, run:
# yum updateinfo list security all
# yum updateinfo list sec
  • To get a list of the currently installed security updates this command can be used:
# yum updateinfo list security installed

For Red Hat Enterprise Linux 5

  • Using yum-security plugin

  • To list all available erratas without installing them, run:

# yum list-sec
  • To list all available security updates without installing them, run:
# yum list-security --security

For both Red Hat Enterprise Linux 5, 6, and 7

  • To list all available security updates with verbose descriptions of the issues they apply to:
# yum info-sec
  • Run the following command to download and apply all available security updates from Red Hat Network hosted or Red Hat Network Satellite:
# yum -y update --security

NOTE: It will install the last version available of any package with at least one security errata thus can install non-security erratas if they provide a more updated version of the package.

  • To only install the packages that have a security errata use
# yum update-minimal --security -y
  • yum-security also allows installing security updates based on the CVE reference of the issue. To install a security update using a CVE reference run:
# yum update --cve <CVE>

e.g.

# yum update --cve CVE-2008-0947

Viewing available advisories by severities:

# yum updateinfo list
This system is receiving updates from RHN Classic or RHN Satellite.
RHSA-2014:0159 Important/Sec. kernel-headers-2.6.32-431.5.1.el6.x86_64
RHSA-2014:0164 Moderate/Sec.  mysql-5.1.73-3.el6_5.x86_64
RHSA-2014:0164 Moderate/Sec.  mysql-devel-5.1.73-3.el6_5.x86_64
RHSA-2014:0164 Moderate/Sec.  mysql-libs-5.1.73-3.el6_5.x86_64
RHSA-2014:0164 Moderate/Sec.  mysql-server-5.1.73-3.el6_5.x86_64
RHBA-2014:0158 bugfix         nss-sysinit-3.15.3-6.el6_5.x86_64
RHBA-2014:0158 bugfix         nss-tools-3.15.3-6.el6_5.x86_64

If you want to apply only one specific advisory:

# yum update --advisory=RHSA-2014:0159

However, if you would like to know more information about this advisory before to apply it:

# yum updateinfo RHSA-2014:0159

For more commands consult the manual pages of yum-security with

# man yum-security

If you face any missing dependency issue while applying security patches on system then refer to yum update --security fails with missing dependency errors.

  • Component
  • yum

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.