Installing only security updates with yum

When you run yum check-update, it shows you all available updates relevant to the system. On a production system, however, you would normally want to install only the necessary security updates first, which lets you address the other updates when you deem them necessary.

Enter the yum security plugin. The yum security plugin allows you to filter the updates down to only security-related updates.

You install the plugin by executing:

yum install yum-plugin-security

Note: on RHEL 5 / CentOS 5 the package is called yum-security

Now some examples straight from the yum-security man page:

* To list all updates that are security relevant, and get a return code on whether there are security updates use:

yum --security check-update

* To upgrade packages that have security errata (upgrades to the latest available package) use:

yum --security update

* To upgrade packages that have security errata (upgrades to the last security errata package) use:

yum --security update-minimal

Please notice the difference between update and update-minimal. Upgrading to the latest available package instead of the latest security errata package could introduce non-security related changes (new features, other bugfixes) that may impact your environment.

Now some real-world examples from my Fedora Minecraft server. First, the results of a “normal” yum update.

 Package                    Arch      Version                       Repository  Size
 bind-libs-lite             x86_64    32:9.9.3-3.P1.fc17            updates    669 k
 bind-license               noarch    32:9.9.3-3.P1.fc17            updates     75 k
 dhclient                   x86_64    12:4.2.5-2.fc17               updates    265 k
 dhcp-common                x86_64    12:4.2.5-2.fc17               updates    166 k
 dhcp-libs                  x86_64    12:4.2.5-2.fc17               updates    118 k
 gnutls                     x86_64    2.12.23-2.fc17                updates    387 k
 java-1.7.0-openjdk         x86_64    1:      updates     25 M
 openjpeg-libs              x86_64    1.4-15.fc17                   updates     85 k
 perl-threads               x86_64    1.87-1.fc17                   updates     48 k
 polkit                     x86_64    0.104-7.fc17                  updates    136 k
 selinux-policy             noarch    3.10.0-170.fc17               updates    200 k
 selinux-policy-targeted    noarch    3.10.0-170.fc17               updates    3.8 M

Transaction Summary
Upgrade  12 Packages

Total download size: 31 M

Let’s compare this with a yum --security update.

 Package                Arch       Version                         Repository   Size
 gnutls                 x86_64     2.12.23-2.fc17                  updates     387 k
 java-1.7.0-openjdk     x86_64     1:        updates      25 M
 openjpeg-libs          x86_64     1.4-15.fc17                     updates      85 k

Transaction Summary
Upgrade  3 Packages

Total download size: 25 M

That is quite a difference.

A yum updateinfo will show you a nice summary regarding the updates.

# yum updateinfo
Loaded plugins: security
Updates Information Summary: available
    3 Security notice(s)
    5 Bugfix notice(s)
updateinfo summary done

A yum updateinfo list will show more detailed info:

# yum updateinfo list
Loaded plugins: security
FEDORA-2013-10100 bugfix   bind-libs-lite-32:9.9.3-3.P1.fc17.x86_64
FEDORA-2013-10100 bugfix   bind-license-32:9.9.3-3.P1.fc17.noarch
FEDORA-2013-10100 bugfix   dhclient-12:4.2.5-2.fc17.x86_64
FEDORA-2013-10100 bugfix   dhcp-common-12:4.2.5-2.fc17.x86_64
FEDORA-2013-10100 bugfix   dhcp-libs-12:4.2.5-2.fc17.x86_64
FEDORA-2013-9799  security gnutls-2.12.23-2.fc17.x86_64
FEDORA-2013-10398 bugfix   java-1.7.0-openjdk-1:
FEDORA-2013-11281 security java-1.7.0-openjdk-1:
FEDORA-2013-8953  security openjpeg-libs-1.4-15.fc17.x86_64
FEDORA-2013-9705  bugfix   perl-threads-1.87-1.fc17.x86_64
FEDORA-2013-9641  bugfix   polkit-0.104-7.fc17.x86_64
FEDORA-2013-10302 bugfix   selinux-policy-3.10.0-170.fc17.noarch
FEDORA-2013-10302 bugfix   selinux-policy-targeted-3.10.0-170.fc17.noarch
updateinfo list done
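
The return code from yum --security check-update and the updateinfo list output can be combined into a small monitoring check. The script below is an added example, not part of the original post or of yum itself; YUM_CMD is a hypothetical override used for testing, and the sample input is constructed from the output format shown above. It relies on yum's documented check-update exit status (100 when updates are available, 0 when none are, 1 on error).

```shell
#!/bin/sh
# Added example, not from the original post.
# YUM_CMD is a hypothetical override so the logic can be exercised without yum.

# Constructed sample in the format of the `yum updateinfo list` output above.
SAMPLE='Loaded plugins: security
FEDORA-2013-10100 bugfix   bind-libs-lite-32:9.9.3-3.P1.fc17.x86_64
FEDORA-2013-9799  security gnutls-2.12.23-2.fc17.x86_64
FEDORA-2013-8953  security openjpeg-libs-1.4-15.fc17.x86_64
FEDORA-2013-9641  bugfix   polkit-0.104-7.fc17.x86_64
updateinfo list done'

# Read `yum updateinfo list` output on stdin; print "advisory package"
# for each security notice, skipping plugin banners and bugfix rows.
security_notices() {
    awk 'NF == 3 && $2 == "security" { print $1, $3 }'
}

# Translate the exit status of `yum --security check-update`:
# 0 = no security updates, 100 = security updates pending, other = yum failed.
classify_check_update() {
    case "$1" in
        0)   echo "clean" ;;
        100) echo "pending" ;;
        *)   echo "error" ;;
    esac
}

# Run the check and, if updates are pending, list the advisories behind them.
# Returns 0 when clean, 1 when pending, 2 when the check itself failed.
security_report() {
    yum_cmd="${YUM_CMD:-yum}"
    rc=0
    "$yum_cmd" --security check-update >/dev/null 2>&1 || rc=$?
    case "$(classify_check_update "$rc")" in
        clean)   echo "OK: no security updates pending"; return 0 ;;
        pending) echo "WARNING: security updates pending:"
                 "$yum_cmd" updateinfo list 2>/dev/null | security_notices
                 return 1 ;;
        *)       echo "UNKNOWN: yum exited with status $rc"; return 2 ;;
    esac
}

# Offline demonstration of the parser on the constructed sample.
printf '%s\n' "$SAMPLE" | security_notices
```

Treating any status other than 0 or 100 as a failure keeps a broken repository or network error from being reported as "no security updates".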

This concludes my quick intro to the yum-security plugin. You can get a lot more information if you take a look at the man page of yum-security:

man yum-security