yum can be limited to installing only security updates. This feature is provided by the yum-security plugin, which is part of yum itself.
To list all available errata without installing them, run:
[root@sectest ~]# yum updateinfo list available
Loaded plugins: product-id, rhnplugin, security, subscription-manager
This system is receiving updates from RHN Classic or RHN Satellite.
CL-EA-2014:1364 enhancement python-rhsm-1.13.2-1.el6.x86_64
CL-BA-2014:1735 bugfix python-rhsm-1.13.2-2.el6.x86_64
updateinfo list done
To list all available security updates without installing them, run:
[root@sectest ~]# yum updateinfo list security all
Loaded plugins: product-id, rhnplugin, security, subscription-manager
This system is receiving updates from RHN Classic or RHN Satellite.
i CL-SA-2011:0779 security avahi-libs-0.6.25-11.el6.x86_64
i CL-SA-2014:1293 security bash-4.1.2-15.el6_5.1.x86_64
i CL-SA-2014:1306 security bash-4.1.2-15.el6_5.2.x86_64
i CL-SA-2010:0975 security bind-libs-32:9.7.0-5.P2.el6_0.1.x86_64
i CL-SA-2011:0845 security bind-libs-32:9.7.3-2.el6_1.P1.1.x86_64
i CL-SA-2011:0926 security bind-libs-32:9.7.3-2.el6_1.P3.2.x86_64
i CL-SA-2011:1458 security bind-libs-32:9.7.3-2.el6_1.P3.3.x86_64
-----------------------------------------------------------------
-----------------------------------------------------------------
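The listing above mixes installed and pending advisories, so a patch audit has to separate them. The following is an added example, not part of the original page. It assumes that a leading "i" column marks an advisory that is already installed and that the type column reads "security", as in the output shown here. The function names and the last sample line are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): split the output of
# `yum updateinfo list security all` into installed and pending advisories.
# Assumption: a leading "i" column marks an advisory already installed and
# the type column reads "security", as in the listing shown on this page.

# Reads updateinfo output on stdin; prints "ADVISORY PACKAGE" for each
# security advisory that is NOT marked installed.
pending_security_advisories() {
    awk '
        $1 == "i"                   { next }          # already installed
        NF == 3 && $2 == "security" { print $1, $3 }  # still pending
    '
}

# Reads the same output; prints how many security advisories are installed.
installed_security_count() {
    awk '$1 == "i" && NF == 4 && $3 == "security" { n++ } END { print n + 0 }'
}

# Sample input: the header and "i" lines are copied from the page; the last
# advisory line is constructed (placeholder id and package name) to show a
# pending update.
SAMPLE_UPDATEINFO=$(cat <<'EOF'
Loaded plugins: product-id, rhnplugin, security, subscription-manager
This system is receiving updates from RHN Classic or RHN Satellite.
i CL-SA-2014:1293 security bash-4.1.2-15.el6_5.1.x86_64
i CL-SA-2014:1306 security bash-4.1.2-15.el6_5.2.x86_64
i CL-SA-2011:1458 security bind-libs-32:9.7.3-2.el6_1.P3.3.x86_64
  CL-SA-0000:0000 security example-pkg-1.0-2.el6.x86_64
updateinfo list done
EOF
)

printf '%s\n' "$SAMPLE_UPDATEINFO" | pending_security_advisories
printf '%s\n' "$SAMPLE_UPDATEINFO" | installed_security_count
```

On a live host, pipe the real command into the function: yum updateinfo list security all | pending_security_advisories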
To get a list of the currently installed security updates use:
[root@sectest ~]# yum updateinfo list security installed
Loaded plugins: product-id, rhnplugin, security, subscription-manager
This system is receiving updates from RHN Classic or RHN Satellite.
CL-SA-2011:0779 security avahi-libs-0.6.25-11.el6.x86_64
CL-SA-2014:1293 security bash-4.1.2-15.el6_5.1.x86_64
CL-SA-2014:1306 security bash-4.1.2-15.el6_5.2.x86_64
CL-SA-2010:0975 security bind-libs-32:9.7.0-5.P2.el6_0.1.x86_64
CL-SA-2011:0845 security bind-libs-32:9.7.3-2.el6_1.P1.1.x86_64
CL-SA-2011:0926 security bind-libs-32:9.7.3-2.el6_1.P3.2.x86_64
CL-SA-2011:1458 security bind-libs-32:9.7.3-2.el6_1.P3.3.x86_64
CL-SA-2012:0716 security bind-libs-32:9.7.3-8.P3.el6_2.3.x86_64
CL-SA-2012:1123 security bind-libs-32:9.8.2-0.10.rc1.el6_3.2.x86_64
CL-SA-2012:1268 security bind-libs-32:9.8.2-0.10.rc1.el6_3.3.x86_64
CL-SA-2012:1363 security bind-libs-32:9.8.2-0.10.rc1.el6_3.5.x86_64
-----------------------------------------------------------------
-----------------------------------------------------------------
Run the following command to download and apply all available security updates from Red Hat Satellite:
# yum -y update --security
yum-security also allows installing security updates based on the CVE reference of the issue.
To install a security update using a CVE reference run:
# yum update --cve <CVE>
For example:
# yum update --cve CVE-2012-0814
You can also check which vulnerabilities are addressed in the currently installed version of an RPM package via its changelog:
# rpm -q PACKAGE --changelog | grep CVE
For example:
[root@sectest ~]# rpm -q openssh --changelog | grep CVE | more
- prevent a server from skipping SSHFP lookup (#1081338) CVE-2014-2653
- ignore environment variables with embedded '=' or '\0' characters CVE-2014-2532
- change default value of MaxStartups - CVE-2010-5107 - #908707
- fixed audit log injection problem (CVE-2007-3102)
- CVE-2006-5794 - properly detect failed key verify in monitor (#214641)
- CVE-2006-4924 - prevent DoS on deattack detector (#207957)
- CVE-2006-5051 - don't call cleanups from signal handler (#208459)
- use fork+exec instead of system in scp - CVE-2006-0225 (#168167)
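A plain grep for a CVE id also matches longer ids that begin with the same digits. The following is an added example, not part of the original page, that checks a list of CVE ids against a changelog with whole-word matching and reports the ones that are absent. The function name, the placeholder id CVE-0000-0000 and the last sample line are constructed; the other sample lines are copied from the output above.

```shell
#!/bin/sh
# Added example (not from the original page): check a list of CVE ids against
# an RPM changelog read from stdin, e.g.
#   rpm -q openssh --changelog | cves_missing_from_changelog CVE-2014-2653
# Prints every requested id the changelog does not mention.
# Exit status: 0 = all ids present, 1 = at least one id missing.
cves_missing_from_changelog() {
    changelog=$(cat)          # keep stdin so it can be searched once per id
    status=0
    for cve in "$@"; do
        # -F: literal string, -w: whole word, so CVE-0000-0000 does not
        # match inside CVE-0000-00001.
        if ! printf '%s\n' "$changelog" | grep -qwF -e "$cve"; then
            printf '%s\n' "$cve"
            status=1
        fi
    done
    return "$status"
}

# Sample changelog: the first three lines are copied from the page; the last
# line is constructed to exercise the whole-word check.
SAMPLE_CHANGELOG=$(cat <<'EOF'
- prevent a server from skipping SSHFP lookup (#1081338) CVE-2014-2653
- change default value of MaxStartups - CVE-2010-5107 - #908707
- fixed audit log injection problem (CVE-2007-3102)
- constructed entry, not from the page: CVE-0000-00001
EOF
)

# Two ids that are present and one placeholder id that is not.
printf '%s\n' "$SAMPLE_CHANGELOG" |
    cves_missing_from_changelog CVE-2014-2653 CVE-2007-3102 CVE-0000-0000 || true
```

An id that is absent from the changelog is not proof that the package is vulnerable, because the changelog records only what the packager wrote.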