
Tips and tricks: yum-security

by the editorial team

Contributed by Steve Bonneville

The yum-security package is a new feature of the Red Hat Enterprise Linux 5.1 update. The yum plugin it provides can limit yum to retrieving only security-related updates. It can also report which Red Hat advisory, which bug in Red Hat’s Bugzilla database, or which CVE number from MITRE’s Common Vulnerabilities and Exposures list is addressed by a given package update.

Enabling these features is as simple as running ‘yum install yum-security’.

The first new subcommand this adds is ‘yum list-sec’. This is similar to ‘yum check-update’, except that it also lists Red Hat’s advisory ID number and the classification of each update as “enhancement”, “bugfix”, or “security”:

RHSA-2007:1128-6 security autofs - 1:5.0.1-0.rc2.55.el5.1.i386
RHSA-2007:1078-3 security cairo - 1.2.4-3.el5_1.i386
RHSA-2007:1021-3 security cups - 1:1.2.4-11.14.el5_1.3.i386
RHSA-2007:1021-3 security cups-libs - 1:1.2.4-11.14.el5_1.3.i386

If ‘yum list-sec cves’ is used, the Red Hat advisory ID is replaced with the CVE IDs addressed by the update; if ‘yum list-sec bzs’ is used, the advisory ID is replaced by the Red Hat Bugzilla IDs which are addressed by the update. If a package addresses multiple bugs in Bugzilla or CVE IDs, the package may be listed multiple times:

Example output of ‘yum list-sec bzs’:

410031 security autofs - 1:5.0.1-0.rc2.55.el5.1.i386
387431 security cairo - 1.2.4-3.el5_1.i386
345101 security cups - 1:1.2.4-11.14.el5_1.3.i386
345111 security cups - 1:1.2.4-11.14.el5_1.3.i386
345121 security cups - 1:1.2.4-11.14.el5_1.3.i386
345101 security cups-libs - 1:1.2.4-11.14.el5_1.3.i386
345111 security cups-libs - 1:1.2.4-11.14.el5_1.3.i386
345121 security cups-libs - 1:1.2.4-11.14.el5_1.3.i386

Example output of ‘yum list-sec cves’:

CVE-2007-5964 security autofs - 1:5.0.1-0.rc2.55.el5.1.i386
CVE-2007-5503 security cairo - 1.2.4-3.el5_1.i386
CVE-2007-5393 security cups - 1:1.2.4-11.14.el5_1.3.i386
CVE-2007-5392 security cups - 1:1.2.4-11.14.el5_1.3.i386
CVE-2007-4352 security cups - 1:1.2.4-11.14.el5_1.3.i386
CVE-2007-5393 security cups-libs - 1:1.2.4-11.14.el5_1.3.i386
CVE-2007-5392 security cups-libs - 1:1.2.4-11.14.el5_1.3.i386
CVE-2007-4352 security cups-libs - 1:1.2.4-11.14.el5_1.3.i386

The second new subcommand added by the yum-security package is ‘info-sec’. This subcommand takes an advisory number, CVE, or Bugzilla ID as an argument, and returns detailed information on the advisory, including a brief text discussion of the nature of the issue or issues being addressed by the advisory.

In addition to these two new yum subcommands, new options are provided to the ‘yum update’ command to help apply only security-related updates, or only updates associated with a particular advisory or bug.

To apply all security-related updates only:

yum update --security

To apply all updates related to bugzilla bug 410101:

yum update --bz 410101

To apply all updates related to the CVE ID CVE-2007-5707 and updates related to the Red Hat advisory ID RHSA-2007:1082-5:

yum update --cve CVE-2007-5707 --advisory RHSA-2007:1082-5
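The ‘list-sec’ output above prints one line per ID and package, so a package fixing three CVEs appears three times, and the ‘yum update’ options then need one flag per ID. The following shell script is an added example, not part of the article or of yum-security itself: it collapses the output of ‘yum list-sec cves’ into one line per package with all of its CVEs, counts the packages that still need a security fix, and builds the ‘yum update --cve …’ command for a chosen set of CVEs. The input is the article’s own sample output, embedded as constructed data so the script runs without yum or RHN access. That ‘--cve’ may be repeated once per ID is an assumption here (the article shows it once); check yum-security(8) on your system.

```shell
#!/bin/sh
# Added example (not from the article): post-process 'yum list-sec cves'
# output so each pending security update appears once with all of its CVEs,
# then build the 'yum update --cve ...' command for a chosen set of CVEs.
#
# SAMPLE_LIST_SEC is the article's own sample output, embedded as constructed
# input so this runs without yum or RHN access. On a real RHEL 5.1 host use:
#   summarize_by_package "$(yum list-sec cves)"
# (header lines that yum prints are ignored by the field checks below).
SAMPLE_LIST_SEC='CVE-2007-5964 security autofs - 1:5.0.1-0.rc2.55.el5.1.i386
CVE-2007-5503 security cairo - 1.2.4-3.el5_1.i386
CVE-2007-5393 security cups - 1:1.2.4-11.14.el5_1.3.i386
CVE-2007-5392 security cups - 1:1.2.4-11.14.el5_1.3.i386
CVE-2007-4352 security cups - 1:1.2.4-11.14.el5_1.3.i386
CVE-2007-5393 security cups-libs - 1:1.2.4-11.14.el5_1.3.i386
CVE-2007-5392 security cups-libs - 1:1.2.4-11.14.el5_1.3.i386
CVE-2007-4352 security cups-libs - 1:1.2.4-11.14.el5_1.3.i386'

# list-sec lines look like:  <id> <type> <name> - <[epoch:]version-release.arch>
# Print one line per package:  <name> <evr.arch> <cve,cve,...>
# preserving yum's order and dropping repeated CVEs for the same package.
summarize_by_package() {
    printf '%s\n' "$1" | awk '
        $2 == "security" && $1 ~ /^CVE-/ && $4 == "-" {
            pkg = $3 " " $5
            if (!(pkg in cves)) { order[++n] = pkg; cves[pkg] = "" }
            key = pkg SUBSEP $1
            if (!(key in seen)) {
                seen[key] = 1
                cves[pkg] = (cves[pkg] == "") ? $1 : cves[pkg] "," $1
            }
        }
        END { for (i = 1; i <= n; i++) print order[i], cves[order[i]] }'
}

# Distinct CVE IDs across all pending security updates, sorted, one per line.
pending_cves() {
    printf '%s\n' "$1" | awk '$2 == "security" && $1 ~ /^CVE-/ { print $1 }' | sort -u
}

# Number of packages with a pending security fix; non-zero means the host
# is behind on security updates (handy as a one-number check in reports).
count_pending_security_updates() {
    summarize_by_package "$1" | wc -l | tr -d ' '
}

# Build the 'yum update' invocation that applies only the fixes for the given
# CVEs. One --cve flag per ID is assumed here (the article shows a single
# --cve; check yum-security(8) for the repeated form).
yum_update_cmd_for_cves() {
    cmd="yum update"
    for cve in "$@"; do
        cmd="$cmd --cve $cve"
    done
    printf '%s\n' "$cmd"
}

main() {
    echo "Pending security updates by package:"
    summarize_by_package "$SAMPLE_LIST_SEC"
    echo "Packages needing a security update: $(count_pending_security_updates "$SAMPLE_LIST_SEC")"
    echo "Distinct CVEs: $(pending_cves "$SAMPLE_LIST_SEC" | tr '\n' ' ')"
    echo "To fix only the cups issues, run:"
    yum_update_cmd_for_cves CVE-2007-5393 CVE-2007-5392 CVE-2007-4352
}

main
```

The field checks (ID starting with CVE-, type equal to “security”, a literal ‘-’ in the fourth column) are what let the same functions take raw ‘yum list-sec cves’ output, repository and plugin banner lines included. Running the printed command is still a change to the system: review the package list ‘yum’ proposes before confirming.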

More information about these new capabilities is documented in the yum-security(8) man page.

For more information on Red Hat security updates, please visit the security updates page on redhat.com. For more information on CVE, please visit the CVE info page.

The information provided in this article is for your information only. The origin of this information may be internal or external to Red Hat. While Red Hat attempts to verify the validity of this information before it is posted, Red Hat makes no express or implied claims to its validity.

13 responses to “Tips and tricks: yum-security”

  1. Jan-Frode Myklebust says:

    Will this only work against rhn, or also with normal yum repositories ?

  2. Brian says:

    Great Article! I never realized the full power of yum until this article. Being able to pull down updates by bugzilla id’s. Now that is granular updates…

  3. Troy Dawson says:

    I have tested this against a non rhn repository (Scientific Linux) and it looks like this is for rhn only. But, I still think it is a good plugin for RHEL.

  4. Dulles says:

    REDHAT HAS UPDATED YUM?

    That’s great news. Now the RHEL 5.1 account I just canceled might actually update my systems without a screen-full of yum “dependency” errors?

    You Redhat programmers are really good, and smart. My 5.0 version of “Software Updater” has absolutely no menu or features on the GUI (never did).

    This reminds me of the RHEL 4.5 “Print Manager” with no menu or features on the GUI. Redhat just lost another customer (since RH8), and it’s business as usual.

  5. Tom says:

    Does this work with Satellite?

  6. Γριφεγ Γθωαφ says:

    Any hope this will be available for Fedora?

  7. Rahul Sundaram says:

    It has been available in Fedora for a while as part of yum-utils package FYI.

  8. Steve Bonneville says:

    As Rahul mentioned, this has been in Fedora since about Fedora 7, so yes, it can work with yum repositories. The yum-security package is included in Fedora 8.

    However, when creating yum repositories, there are no tags in an RPM package’s metadata that store the information about the CVEs / Advisories / Bugzilla bugs fixed by a package (or more likely, a SET of packages, which complicates the issue even more). So, you can’t regenerate this information automatically with createrepo. For Fedora, the updateinfo.xml.gz file which contains this information is managed, generated, and inserted into the updates repository by the open source system used by contributors to manage package updates, bodhi.

    The Scientific Linux repository Troy tested in his comment above probably doesn’t have an updateinfo.xml.gz file in their repository, so the information isn’t available.
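An added example, not part of Steve Bonneville’s comment or of the article: a minimal updateinfo.xml of the kind yum-security reads, and the step that attaches it to a locally created (non-RHN) repository so ‘yum list-sec cves’ and ‘yum update --cve’ have advisory data for it. Everything in it is constructed: the advisory ID EXAMPLE-2007:0001, the bug number 12345, the e-mail address, the repository path and the package entry are placeholders, and only the CVE ID and autofs version come from the article’s sample output. The element and attribute names follow the updateinfo.xml.gz that Fedora’s bodhi publishes, but compare them against a real copy before relying on them.

```shell
#!/bin/sh
# Added example, not from the article or the comments: a minimal
# updateinfo.xml of the kind yum-security reads, and the step that attaches
# it to a locally created (non-RHN) yum repository so 'yum list-sec cves'
# and 'yum update --cve' have advisory data to work from.
#
# Everything below is constructed: the advisory ID EXAMPLE-2007:0001, bug
# number 12345, e-mail address, repository path and package entry are
# placeholders. Only the CVE ID and the autofs version come from the
# article's list-sec output. Compare element and attribute names with the
# updateinfo.xml.gz in a real Fedora updates repository before relying on it.

REPO_DIR="${REPO_DIR:-/tmp/example-repo}"   # hypothetical local repository

# Write the advisory metadata. One <update> carries the advisory ID, its
# type (security/bugfix/enhancement, as list-sec reports it), the CVE and
# Bugzilla references, and the package(s) that fix the issue.
write_updateinfo() {
    cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<updates>
  <update from="security@example.com" status="stable" type="security" version="1">
    <id>EXAMPLE-2007:0001</id>
    <title>Important: autofs security update (constructed example)</title>
    <issued date="2007-12-20 00:00:00"/>
    <references>
      <reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5964" id="CVE-2007-5964" type="cve" title="CVE-2007-5964"/>
      <reference href="https://bugzilla.example.com/show_bug.cgi?id=12345" id="12345" type="bugzilla" title="example bug"/>
    </references>
    <description>Constructed advisory text; a real one summarises the flaw.</description>
    <pkglist>
      <collection short="example">
        <name>Example local repository</name>
        <package name="autofs" epoch="1" version="5.0.1" release="0.rc2.55.el5.1" arch="i386" src="autofs-5.0.1-0.rc2.55.el5.1.src.rpm">
          <filename>autofs-5.0.1-0.rc2.55.el5.1.i386.rpm</filename>
        </package>
      </collection>
    </pkglist>
  </update>
</updates>
EOF
}

# CVE IDs referenced by an updateinfo.xml, one per line. Used to check the
# file matches what 'yum list-sec cves' should later report for the repo.
cves_in_updateinfo() {
    awk '/<reference / && /type="cve"/ {
             if (match($0, / id="[^"]*"/))
                 print substr($0, RSTART + 5, RLENGTH - 6)
         }' "$1"
}

# createrepo cannot derive this metadata from the RPMs (there is no tag for
# it), so after 'createrepo' has produced repodata/, the file is registered
# in repomd.xml with modifyrepo, which ships in the createrepo package.
attach_updateinfo() {
    repo="$1"
    mkdir -p "$repo"
    write_updateinfo "$repo/updateinfo.xml"
    if [ ! -f "$repo/repodata/repomd.xml" ]; then
        echo "no repodata in $repo: run 'createrepo $repo' first, then rerun" >&2
        return 1
    fi
    if ! command -v modifyrepo >/dev/null 2>&1; then
        echo "modifyrepo not found (install createrepo)" >&2
        return 1
    fi
    modifyrepo "$repo/updateinfo.xml" "$repo/repodata"
}

main() {
    attach_updateinfo "$REPO_DIR" || true    # tolerate a missing createrepo in this demo
    echo "CVEs described in $REPO_DIR/updateinfo.xml:"
    cves_in_updateinfo "$REPO_DIR/updateinfo.xml"
}

main
```

After modifyrepo has registered the file, clients need fresh metadata (‘yum clean metadata’) before ‘yum list-sec cves’ will show the CVE next to the package. Because advisory data is trusted by the security-only update path, the file should be generated from your own advisory records and published over the same integrity-protected channel as the packages, not hand-edited on the mirror.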

  9. Γριφεγ Γθωαφ says:

    Thank you. I commented too early. I tried installing yum-security on Fedora, but this happened:

    [root@localhost ~]# yum install yum-security
    livna-development 100% |=========================| 2.1 kB 00:00
    adobe-linux-i386 100% |=========================| 951 B 00:00
    development 100% |=========================| 2.2 kB 00:00
    Setting up Install Process
    Parsing package install arguments
    No package yum-security available.
    Nothing to do
    [root@localhost ~]#

    But later on it worked. At first I thought it’s not available, but it must have been a glitch with a mirror.

  10. Indy says:

    Why is this limited to RHEL 5 only? If you install the latest yum distro on RHEL 4 or 3 would it work? Is RH specifically limiting content to the RHEL 5 channels?

  11. covex says:

    Is it possible to place this option somehow in yum.conf?

  12. ciphernaut says:

    @indy

    RHEL3 and 4 use up2date instead of yum.

  13. Indy says:

    I realize RHEL 3 and 4 don’t come stock w/ YUM but if you install YUM yourself on these versions what specifically prohibits you from using this there? Is it that RH doesn’t have the necessary content for those versions?
