Installing security updates only with CentOS yum

UPDATE: I haven’t used CentOS in several years, and from the comment in the Comments section below, it appears that the approach I wrote about in this tutorial (several years ago) no longer works. I’m keeping the original contents here only to provide some context. Please see this CentOS forum link for current information.

 

*** everything below here is out of date ***

If you want to install only security-related updates to your CentOS Linux installation using the yum command, it looks like the yum-plugin-security plugin might be a good option. (I’m having a few problems with it at the moment, so I can’t say that this is the absolute solution.) I found it on this page and this page.

A short version of the commands shown on the second page is this:

# install the security plugin
yum -y install yum-plugin-security

# display all security-related updates
yum --security check-update

# list all bugs fixed
yum updateinfo list bugzillas

# summary of advisories
yum updateinfo summary

# upgrade all packages with security info to latest available package
yum --security update

# upgrade all packages with security info to last security update
# (as opposed to the latest possible update)
yum --security update-minimal

# help
man 8 yum-security

See the first link (the Red Hat URL) for more detailed commands.

The beginning of the yum-security man page looks like this:

NAME
     yum security plugin

SYNOPSIS
     yum [options] [command] [package ...]

DESCRIPTION
   This plugin extends yum to allow lists and updates to be limited using security relevant criteria

   added yum commands are:

      yum update-minimal

   This  works  like  the  update  command,  but if you have the the package foo-1 installed and 
   have foo-2 and foo-3 available with updateinfo.xml then update-minimal will update you to foo-3.

      yum updateinfo info
      yum updateinfo list
      yum updateinfo summary

   all of the last three take these sub-commands:

      yum updateinfo * all
      yum updateinfo * available
      yum updateinfo * installed
      yum updateinfo * updates

   and then:

      * <advisory> [advisory...]
      * <package>
      * bugzillas
      * cves
      * enhancement
      * security
      * new-packages

In summary, if you want to install only security-related updates to your CentOS Linux installation, I hope this article has been a good starting point.

Comments


Hello Alvin,

this information is not correct; yum update --security does not work in CentOS. See, for example, the last post from CentOS Team Member TrevorH:

https://www.centos.org/forums/viewtopic.php?t=59369

Shankardeo: just because they do not fail does not mean they do anything useful. The necessary metadata needed for yum-plugin-security to function - i.e. to know what patches fix what - is missing entirely from the CentOS supplied yum repos. This renders yum-plugin-security a noop and if you use yum update --security then it will always tell you that nothing from CentOS needs an update thus giving you a false sense of security as the reason it doesn't is because it lacks the knowledge to know that such-and-such a patch is a security update.

The EPEL yum repo does have this metadata and yum-plugin-security will work for those packages but it will not do anything for the 6700 packages in base or the 500 packages in the updates repo.
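A check that follows from the comment above, added here as an example (it is not code from the original post, the commenter, or the CentOS project): before trusting a "nothing to update" answer from yum --security, confirm that each repo's repomd.xml actually declares an updateinfo record. The function names and sample data are constructed for illustration, and the cache path in the comment assumes the usual CentOS 7 yum layout.

```shell
#!/bin/sh
# Added example: flag repos whose metadata lacks updateinfo, because
# `yum --security` silently reports "no updates" for packages from them.
# Assumed real-world input: /var/cache/yum/x86_64/7 (one directory per repo id).

# has_updateinfo FILE: exit 0 if repomd.xml declares <data type="updateinfo">
has_updateinfo() {
    grep -Eq '<data[[:space:]]+type="updateinfo"' "$1"
}

# audit_repos CACHE_DIR: print "<repoid> <status>" for each repo directory;
# return 1 if any repo has no repomd.xml or no updateinfo record.
audit_repos() {
    cache_dir=$1
    rc=0
    for repo_dir in "$cache_dir"/*/; do
        [ -d "$repo_dir" ] || continue
        repo=$(basename "$repo_dir")
        md="$repo_dir/repomd.xml"
        if [ ! -f "$md" ]; then
            echo "$repo no-metadata"; rc=1
        elif has_updateinfo "$md"; then
            echo "$repo updateinfo-present"
        else
            echo "$repo updateinfo-missing"; rc=1
        fi
    done
    return $rc
}

# make_sample_cache DIR: constructed sample metadata, not real repo files
make_sample_cache() {
    mkdir -p "$1/base" "$1/epel"
    cat > "$1/base/repomd.xml" <<'EOF'
<repomd>
  <data type="primary"><location href="repodata/primary.xml.gz"/></data>
</repomd>
EOF
    cat > "$1/epel/repomd.xml" <<'EOF'
<repomd>
  <data type="primary"><location href="repodata/primary.xml.gz"/></data>
  <data type="updateinfo"><location href="repodata/updateinfo.xml.bz2"/></data>
</repomd>
EOF
}

# Demo run on the constructed cache
demo=$(mktemp -d) && make_sample_cache "$demo"
audit_repos "$demo" || echo "WARNING: yum --security results are not reliable for the repos marked above"
rm -rf "$demo"
```

On a real host, pass the yum cache directory to audit_repos after a metadata refresh and treat a non-zero exit as a reason to fall back to a full update or an external advisory source.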
