Tuesday, August 18, 2009

RHEL / CentOS: yum Lists / Installs Only Security Updates

SkyHi @ Tuesday, August 18, 2009
How do I only list or install only security updates under RHEL 5.x or CentOS Linux server? How do I find out security updates descriptions such as CVE, bugs, issued date and type for each patch?

You can easily find out security patches related information using yum-security plugin. This plugin adds the options --security, --cve, --bz and --advisory flags to yum and the list-security and info-security commands. The options make it possible to limit list/upgrade of packages to specific security relevant ones. The commands give you the security information.
Install Plugin

Type the following command:
# yum install yum-security
How Do I Display Available Security Updates?

Type the following command:
# yum list-security
Sample Outputs:

Loaded plugins: rhnplugin, security
RHSA-2009:1148-1 security httpd-2.2.3-22.el5_3.2.x86_64
RHSA-2009:1148-1 security httpd-devel-2.2.3-22.el5_3.2.i386
RHSA-2009:1148-1 security httpd-manual-2.2.3-22.el5_3.2.x86_64
RHSA-2009:1148-1 security mod_ssl-1:2.2.3-22.el5_3.2.x86_64
list-security done

To list all updates that are security relevant, and get a reutrn code on whether there are security updates use:
# yum --security check-update
To get a list of all BZs that are fixed for packages you have installed use:
# yum list-security bugzillas
To get the information on advisory RHSA-2009:1148-1 use:
# yum info-security RHSA-2009:1148-1
Sample Outputs:

Loaded plugins: rhnplugin, security

Update ID : RHSA-2009:1148-1
Release :
Type : security
Status : final
Issued : 2009-07-08 23:00:00
Bugs : 509125 - None
: 509375 - None
CVEs : CVE-2009-1890
: CVE-2009-1891
Description : Important: httpd security update \The Apache HTTP Server is a
: popular Web server. A denial of service flaw was
: found in the Apache mod_proxy module when it was
: used as a reverse proxy. A remote attacker could
: use this flaw to force a proxy process to consume
: large amounts of CPU time. (CVE-2009-1890) A
: denial of service flaw was found in the Apache
: mod_deflate module. This module continued to
: compress large files until compression was
: complete, even if the network connection that
: requested the content was closed before
: compression completed. This would cause
: mod_deflate to consume large amounts of CPU if
: mod_deflate was enabled for a large file.
: (CVE-2009-1891) All httpd users should upgrade to
: these updated packages, which contain backported
: patches to correct these issues. After installing
: the updated packages, the httpd daemon must be
: restarted for the update to take effect.
Files : mod_ssl-2.2.3-22.el5_3.2.x86_64.rpm
: httpd-devel-2.2.3-22.el5_3.2.i386.rpm
: httpd-2.2.3-22.el5_3.2.x86_64.rpm
: httpd-devel-2.2.3-22.el5_3.2.x86_64.rpm
: httpd-manual-2.2.3-22.el5_3.2.x86_64.rpm
: mod_ssl-2.2.3-22.el5_3.2.i386.rpm
: httpd-2.2.3-22.el5_3.2.i386.rpm
: httpd-manual-2.2.3-22.el5_3.2.i386.rpm
info-security done

To get an info list of the latest packages which contain fixes for Bugzilla 3595; CVE # CVE-2009-1890 and advisories RHSA-2009:1148-1, use:
# yum --bz 3595 --cve CVE-2009-1890 --advisory RHSA-2009:1148-1 info updates
How Do I Install All The Security Updates Only?

Type the following command to download and install all the available security updates:
# yum update --security

Reference: http://www.cyberciti.biz/faq/redhat-fedora-centos-linux-yum-installs-security-updates/