yum-security(8) | yum-security(8) |
NAME
yum security plugin
SYNOPSIS
yum [options] [command] [package ...]
DESCRIPTION
This plugin extends yum to allow lists and updates to be limited using security-relevant criteria.
The added yum commands are:
yum update-minimal
This works like the update command, but if you have the package foo-1 installed and have foo-2 (bugfix) and foo-3 (enhancement) available with updateinfo.xml then update-minimal --bugfixes will update you to foo-2.
yum updateinfo
yum updateinfo info
yum updateinfo list
yum updateinfo summary
All of the last three take these sub-commands:
yum updateinfo * all
yum updateinfo * available
yum updateinfo * installed
yum updateinfo * updates
and then:
* <advisory> [advisory...]
* <package>
* bugzillas
* cves
* enhancement
* security
* new-packages
- updates
- Is used to display information about advisories for packages that can be updated. This is the default.
- installed
- Is used to display information only about installed advisories.
- available
- Is used to display information about advisories for packages available for updating or installation.
- all
- Is used to display information about both installed and available advisories.
- <advisory> [advisory...]
- Is used to display information about one or more advisories.
- <package> [package...]
- Is used to display information about one or more packages.
- list
- Is used to list all of the relevant errata notice information, from the updateinfo.xml data in yum. This includes bugzillas, CVEs, security updates and new.
- info
- Is used to show all the errata notice information, from the updateinfo.xml data in yum. This includes bugzillas, CVEs, security updates and new.
- summary
- Is used to show the summary of errata notice information, from the updateinfo.xml data in yum. This includes bugzillas, CVEs, security updates and new.
- bugzillas / bzs
- Is the subset of the updateinfo information, pertaining to the bugzillas.
- cves
- Is the subset of the updateinfo information, pertaining to the CVEs.
- security / sec
- Is the subset of the updateinfo information, pertaining to security.
- bugfix
- Is the subset of the updateinfo information, pertaining to bugfixes.
- enhancement
- Is the subset of the updateinfo information, pertaining to enhancements.
- recommended
- Is the subset of the updateinfo information, pertaining to recommended updates.
- new-packages
- Is the subset of the updateinfo information, pertaining to new packages. These are packages which weren't available at the initial release of your distribution.
GENERAL OPTIONS
There are four options added to yum that are available in the "list updates", "info updates", "check-update" and "update" commands. They are:
- --advisory
- This option includes packages corresponding to the advisory ID, e.g. FEDORA-2201-123.
- --bz
- This option includes packages that say they fix a Bugzilla ID, e.g. 123.
- --cve
- This option includes packages that say they fix a CVE (Common Vulnerabilities and Exposures) ID (http://cve.mitre.org/about/), e.g. CVE-2201-0123.
- --bugfixes
- This option includes packages that say they fix a bugfix issue.
- --security
- This option includes packages that say they fix a security issue.
- --sec-severity
- This option includes security relevant packages of the specified severity.
EXAMPLES
To list all updates that are security relevant, and get a return code indicating whether there are security updates, use:
- yum --security check-update
To upgrade packages that have security errata (upgrades to the latest available package) use:
- yum --security update
To upgrade packages that have security errata (upgrades to the last security errata package) use:
- yum --security update-minimal
To install the minimal update necessary to satisfy the advisory FEDORA-2707-7654 use:
- yum update-minimal --advisory FEDORA-2707-7654
To update all the packages listed in the advisory FEDORA-2707-7654 to their latest versions use:
- yum update --advisory FEDORA-2707-7654
To get a list of all BZs that are fixed for packages you have installed use:
- yum updateinfo list bugzillas
To get a list of all security advisories, including the ones you have already installed use:
- yum updateinfo list all security
To get the information on advisory FEDORA-2707-4567 use:
- yum updateinfo info FEDORA-2707-4567
To update packages to the latest version which contain fixes for Bugzillas 123, 456 and 789; and all security updates use:
- yum --bz 123 --bz 456 --bz 789 --security update
To update to the packages which just update Bugzillas 123, 456 and 789; and all security updates use:
- yum --bz 123 --bz 456 --bz 789 --security update-minimal
To get an info list of the latest packages which contain fixes for Bugzilla 123; CVEs CVE-2207-0123 and CVE-2207-3210; and Fedora advisories FEDORA-2707-4567 and FEDORA-2707-7654 use:
- yum --bz 123 --cve CVE-2207-0123 --cve CVE-2207-3210 --advisory FEDORA-2707-4567 --advisory FEDORA-2707-7654 info updates
To get a list of packages which are "new" use:
- yum updateinfo list new
To get a summary of advisories you haven't installed yet use:
- yum updateinfo summary
SEE ALSO
yum(8), yum.conf(5)
AUTHORS
James Antill <james.antill@redhat.com>.
BUGS
The update-minimal command ignores the --obsoletes flag.
The update-minimal command can only directly affect things at the moment, so if you update pkgA minimally but that requires an update to pkgB, then pkgB will be updated to the newest version by the depsolver. This will also happen even if you have minimally updated pkgB as well, if either the direct (minimal) update for pkgB happens afterwards or the minimal update for pkgB doesn't satisfy the requirements of pkgA.
The main "problem" is that if the data is not correct the plugin cannot work correctly. For instance "--bz 123" will not fix BZ 123 if a package is updated to fix that BZ without referencing that it does so in the updateinfo.xml.
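The following is an added example, not code from yum or from this manual page. It models how a filter resolves against updateinfo.xml for both update-minimal (foo-1 to foo-2 in the DESCRIPTION case) and update, and shows the data caveat above: a Bugzilla ID that no notice references selects nothing. The XML is constructed, the advisory IDs are placeholders, version comparison is simplified to numeric dotted versions, and every available version is assumed to appear in a notice.

```python
import xml.etree.ElementTree as ET

# Constructed updateinfo.xml fragment; advisory IDs are placeholders.
UPDATEINFO = """<updates>
  <update type="bugfix"><id>EXAMPLE-0001</id>
    <references><reference type="bugzilla" id="123"/></references>
    <pkglist><collection>
      <package name="foo" version="2" release="1" arch="noarch"/>
    </collection></pkglist></update>
  <update type="enhancement"><id>EXAMPLE-0002</id>
    <references/>
    <pkglist><collection>
      <package name="foo" version="3" release="1" arch="noarch"/>
    </collection></pkglist></update>
</updates>"""

def vkey(version):
    # Simplification: numeric dotted versions only, not rpm's comparison rules.
    return tuple(int(part) for part in version.split("."))

def load_notices(xml_text):
    """Flatten the metadata into one record per (advisory, package)."""
    records = []
    for upd in ET.fromstring(xml_text).iter("update"):
        refs = {(r.get("type"), r.get("id")) for r in upd.iter("reference")}
        for pkg in upd.iter("package"):
            records.append({"id": upd.findtext("id"), "type": upd.get("type"),
                            "refs": refs, "name": pkg.get("name"),
                            "version": pkg.get("version")})
    return records

def by_type(kind):
    return lambda n: n["type"] == kind

def by_bz(bz_id):
    return lambda n: ("bugzilla", bz_id) in n["refs"]

def targets(notices, name, installed, matches):
    """Return (update-minimal target, update target) for one package."""
    newer = [n for n in notices
             if n["name"] == name and vkey(n["version"]) > vkey(installed)]
    hits = [n["version"] for n in newer if matches(n)]
    if not hits:
        return None, None  # no matching notice: the filter selects nothing
    return max(hits, key=vkey), max((n["version"] for n in newer), key=vkey)

NOTICES = load_notices(UPDATEINFO)
if __name__ == "__main__":
    print(targets(NOTICES, "foo", "1", by_type("bugfix")))  # --bugfixes
    print(targets(NOTICES, "foo", "1", by_bz("456")))       # --bz 456
```

If foo-3 in fact fixed Bugzilla 456, the second call would still select nothing, because the enhancement notice carries no reference to it.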
12 April 2007 | James Antill |