7.2. Using yum-plugin-security
The first new subcommand this adds is yum list-sec. This is similar to yum check-update, except that it also lists Red Hat’s advisory ID number and the classification of each update as “enhancement”, “bugfix”, or “security”:
| RHSA-2007:1128-6 security autofs - 1:5.0.1-0.rc2.55.el5.1.i386 |
| RHSA-2007:1078-3 security cairo - 1.2.4-3.el5_1.i386 |
| RHSA-2007:1021-3 security cups - 1:1.2.4-11.14.el5_1.3.i386 |
| RHSA-2007:1021-3 security cups-libs - 1:1.2.4-11.14.el5_1.3.i386 |
If yum list-sec cves is used, the Red Hat advisory ID is replaced with the CVE IDs addressed by the update; if yum list-sec bzs is used, the advisory ID is replaced by the Red Hat Bugzilla IDs which are addressed by the update. If a package addresses multiple bugs in Bugzilla or CVE IDs, the package may be listed multiple times:
Example output of
yum list-sec bzs:
| 410031 security autofs - 1:5.0.1-0.rc2.55.el5.1.i386 |
| 387431 security cairo - 1.2.4-3.el5_1.i386 |
| 345101 security cups - 1:1.2.4-11.14.el5_1.3.i386 |
| 345111 security cups - 1:1.2.4-11.14.el5_1.3.i386 |
| 345121 security cups - 1:1.2.4-11.14.el5_1.3.i386 |
| 345101 security cups-libs - 1:1.2.4-11.14.el5_1.3.i386 |
| 345111 security cups-libs - 1:1.2.4-11.14.el5_1.3.i386 |
| 345121 security cups-libs - 1:1.2.4-11.14.el5_1.3.i386 |
Example output of
yum list-sec cves:
| CVE-2007-5964 security autofs - 1:5.0.1-0.rc2.55.el5.1.i386 |
| CVE-2007-5503 security cairo - 1.2.4-3.el5_1.i386 |
| CVE-2007-5393 security cups - 1:1.2.4-11.14.el5_1.3.i386 |
| CVE-2007-5392 security cups - 1:1.2.4-11.14.el5_1.3.i386 |
| CVE-2007-4352 security cups - 1:1.2.4-11.14.el5_1.3.i386 |
| CVE-2007-5393 security cups-libs - 1:1.2.4-11.14.el5_1.3.i386 |
| CVE-2007-5392 security cups-libs - 1:1.2.4-11.14.el5_1.3.i386 |
| CVE-2007-4352 security cups-libs - 1:1.2.4-11.14.el5_1.3.i386 |
The second new subcommand added by the yum-plugin-security package is info-sec. This subcommand takes an advisory number, CVE, or Bugzilla ID as an argument, and returns detailed information on the advisory, including a brief text discussion of the nature of the issue or issues being addressed by the advisory.
In addition to these two new yum subcommands, new options are provided to the yum update command to help apply only security-related updates, or only updates associated with a particular advisory or bug.
To apply all security-related updates only:
To apply all updates related to bugzilla bug 410101:
To apply all updates related to the CVE ID CVE-2007-5707 and updates related to the Red Hat advisory ID RHSA-2007:1082-5:
yum update --cve CVE-2007-5707 --advisory RHSA-2007:1082-5 |
More information about these new capabilites is documented in the yum-plugin-security(8) man page.
