Selective RHEL Server update

Starting with RHEL 5.1, Red Hat finally introduced a very useful selective update system for servers. To install it, run: yum install yum-security.

The first new subcommand this adds is ‘yum list-sec’. This is similar to ‘yum check-update’, except that it also lists Red Hat’s advisory ID number and the classification of each update as “enhancement”, “bugfix”, or “security”:

RHSA-2007:1128-6 security autofs - 1:5.0.1-0.rc2.55.el5.1.i386
RHSA-2007:1078-3 security cairo - 1.2.4-3.el5_1.i386
RHSA-2007:1021-3 security cups - 1:1.2.4-11.14.el5_1.3.i386
RHSA-2007:1021-3 security cups-libs - 1:1.2.4-11.14.el5_1.3.i386

If ‘yum list-sec cves’ is used, the Red Hat advisory ID is replaced with the CVE IDs addressed by the update; if ‘yum list-sec bzs’ is used, the advisory ID is replaced by the Red Hat Bugzilla IDs which are addressed by the update. If a package addresses multiple bugs in Bugzilla or CVE IDs, the package may be listed multiple times:

Example output of ‘yum list-sec bzs’:

410031 security autofs - 1:5.0.1-0.rc2.55.el5.1.i386
387431 security cairo - 1.2.4-3.el5_1.i386
345101 security cups - 1:1.2.4-11.14.el5_1.3.i386
345111 security cups - 1:1.2.4-11.14.el5_1.3.i386
345121 security cups - 1:1.2.4-11.14.el5_1.3.i386
345101 security cups-libs - 1:1.2.4-11.14.el5_1.3.i386
345111 security cups-libs - 1:1.2.4-11.14.el5_1.3.i386
345121 security cups-libs - 1:1.2.4-11.14.el5_1.3.i386

Example output of ‘yum list-sec cves’:

CVE-2007-5964 security autofs - 1:5.0.1-0.rc2.55.el5.1.i386
CVE-2007-5503 security cairo - 1.2.4-3.el5_1.i386
CVE-2007-5393 security cups - 1:1.2.4-11.14.el5_1.3.i386
CVE-2007-5392 security cups - 1:1.2.4-11.14.el5_1.3.i386
CVE-2007-4352 security cups - 1:1.2.4-11.14.el5_1.3.i386
CVE-2007-5393 security cups-libs - 1:1.2.4-11.14.el5_1.3.i386
CVE-2007-5392 security cups-libs - 1:1.2.4-11.14.el5_1.3.i386
CVE-2007-4352 security cups-libs - 1:1.2.4-11.14.el5_1.3.i386
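Because a package is listed once per ID, the raw listing is awkward to review or to attach to a change ticket. The following added example (not part of the original post) collapses 'yum list-sec cves' or 'yum list-sec bzs' output to one line per package. It assumes the five-column layout shown above; the sample input is the listing above plus one constructed bugfix row with placeholder values to show the filter.

```sh
#!/bin/sh
# Constructed sample: the 'yum list-sec cves' rows shown above, plus one
# made-up "bugfix" row (placeholder ID and package) that must be filtered out.
sample_list_sec() {
cat <<'EOF'
CVE-2007-5964 security autofs - 1:5.0.1-0.rc2.55.el5.1.i386
CVE-2007-5503 security cairo - 1.2.4-3.el5_1.i386
CVE-2007-5393 security cups - 1:1.2.4-11.14.el5_1.3.i386
CVE-2007-5392 security cups - 1:1.2.4-11.14.el5_1.3.i386
CVE-2007-4352 security cups - 1:1.2.4-11.14.el5_1.3.i386
PLACEHOLDER-ID bugfix examplepkg - 0.0-0.el5.i386
CVE-2007-5393 security cups-libs - 1:1.2.4-11.14.el5_1.3.i386
CVE-2007-5392 security cups-libs - 1:1.2.4-11.14.el5_1.3.i386
CVE-2007-4352 security cups-libs - 1:1.2.4-11.14.el5_1.3.i386
EOF
}

# Read list-sec output on stdin and print one line per package:
#   <package> <version> <id>,<id>,...
# Columns assumed: ID, classification, package, "-", version.
# Only rows classified "security" are kept; repeated IDs are dropped.
group_by_package() {
    awk '
        $2 == "security" && $4 == "-" {
            key = $3 " " $5
            if (!(key in ids)) {
                order[++n] = key          # remember first-seen order
                ids[key] = $1
            } else if (index("," ids[key] ",", "," $1 ",") == 0) {
                ids[key] = ids[key] "," $1
            }
        }
        END { for (i = 1; i <= n; i++) print order[i], ids[order[i]] }
    '
}

# Number of distinct packages with at least one pending security ID.
count_security_packages() {
    group_by_package | wc -l | tr -d ' '
}

# On a live host: yum list-sec cves | group_by_package
sample_list_sec | group_by_package
```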

The second new subcommand added by the yum-security package is ‘info-sec’. This subcommand takes an advisory number, CVE, or Bugzilla ID as an argument, and returns detailed information on the advisory, including a brief text discussion of the nature of the issue or issues being addressed by the advisory.

In addition to these two new yum subcommands, new options are provided to the ‘yum update’ command to help apply only security-related updates, or only updates associated with a particular advisory or bug.

To apply all security-related updates only:

yum update --security

To apply all updates related to Bugzilla bug 410101:

yum update --bz 410101

To apply all updates related to the CVE ID CVE-2007-5707 and updates related to the Red Hat advisory ID RHSA-2007:1082-5:

yum update --cve CVE-2007-5707 --advisory RHSA-2007:1082-5

More information about these new capabilities is documented in the yum-security(8) man page.

IMPORTANT: This post is from Red Hat Magazine