Resolution

• Install the yum-security plugin

It is now possible to limit yum to install only security updates (as opposed to bug fixes or enhancements) using Red Hat Enterprise Linux 5,6, and 7. To do so, simply install the yum-security plugin:

For Red Hat Enterprise Linux 7
The plugin is already a part of yum itself, no need to install anything.

For Red Hat Enterprise Linux 6

# yum install yum-plugin-security

For Red Hat Enterprise Linux 5

# yum install yum-security

Alternatively, download the yum-security package from the Red Hat Network (RHN) and manually install it on the system.

For Red Hat Enterprise Linux 6 and 7

• Using yum-security plugin

• To list all available erratas without installing them, run:

# yum updateinfo list available

• To list all available security updates without installing them, run:

# yum updateinfo list security all
# yum updateinfo list sec

• To get a list of the currently installed security updates this command can be used:

# yum updateinfo list security installed

For Red Hat Enterprise Linux 5

• Using yum-security plugin

• To list all available erratas without installing them, run:

# yum list-sec

• To list all available security updates without installing them, run:

# yum list-security --security

For both Red Hat Enterprise Linux 5, 6, and 7

• To list all available security updates with verbose descriptions of the issues they apply to:

# yum info-sec

• Run the following command to download and apply all available security updates from Red Hat Network hosted or Red Hat Network Satellite:

# yum -y update --security

NOTE: It will install the last version available of any package with at least one security errata thus can install non-security erratas if they provide a more updated version of the package.

• To only install the packages that have a security errata use

# yum update-minimal --security -y

• yum-security also allows installing security updates based on the CVE reference of the issue. To install a security update using a CVE reference run:

# yum update --cve <CVE>

e.g.

# yum update --cve CVE-2008-0947

Viewing available advisories by severities:

# yum updateinfo list
This system is receiving updates from RHN Classic or RHN Satellite.
RHSA-2014:0159 Important/Sec. kernel-headers-2.6.32-431.5.1.el6.x86_64
RHSA-2014:0164 Moderate/Sec.  mysql-5.1.73-3.el6_5.x86_64
RHSA-2014:0164 Moderate/Sec.  mysql-devel-5.1.73-3.el6_5.x86_64
RHSA-2014:0164 Moderate/Sec.  mysql-libs-5.1.73-3.el6_5.x86_64
RHSA-2014:0164 Moderate/Sec.  mysql-server-5.1.73-3.el6_5.x86_64
RHBA-2014:0158 bugfix         nss-sysinit-3.15.3-6.el6_5.x86_64
RHBA-2014:0158 bugfix         nss-tools-3.15.3-6.el6_5.x86_64

If you want to apply only one specific advisory:

# yum update --advisory=RHSA-2014:0159

However, if you would like to know more information about this advisory before to apply it:

# yum updateinfo RHSA-2014:0159

Similarly, you can view CVEs which affect the system with:

# yum updateinfo list cves
Loaded plugins: auto-update-debuginfo, product-id, search-disabled-repos, subscription-manager
 CVE-2017-1000380 Moderate/Sec. kernel-3.10.0-693.11.1.el7.x86_64
 CVE-2017-1000380 Moderate/Sec. kernel-devel-3.10.0-693.11.1.el7.x86_64
 CVE-2017-1000380 Moderate/Sec. kernel-headers-3.10.0-693.11.1.el7.x86_64
 CVE-2017-1000380 Moderate/Sec. kernel-tools-3.10.0-693.11.1.el7.x86_64
 CVE-2017-1000380 Moderate/Sec. kernel-tools-libs-3.10.0-693.11.1.el7.x86_64
 CVE-2017-1000380 Moderate/Sec. perf-3.10.0-693.11.1.el7.x86_64
 CVE-2017-1000380 Moderate/Sec. python-perf-3.10.0-693.11.1.el7.x86_64
 CVE-2016-10002   Moderate/Sec. squid-7:3.5.20-2.el7_3.2.x86_64
updateinfo list done

For more commands consult the manual pages of yum-security with

# man yum-security

If you face any missing dependency issue while applying security patches on system then refer to yum update --security fails with missing dependency errors.