Re: [CentOS] Update only of security vulnerabilities?

2015-04-09 Thread Johnny Hughes
On 04/09/2015 04:23 AM, Rafał Radecki wrote:
> Thanks for the links, they are very informative.
> 
> So as I see currently the only way to check if there are any security
> updates available for CentOS is to parse the errata info sent by email to
> CentOS Announce? :D
> 
> Does anyone have another solution implemented? :) Any help will be very
> appreciated :)


CentOS absolutely does not support this.

If you do not install all updates, then you may be creating a setup that
adds problems (some of them security issues that you create).

CentOS uses a staged build system, meaning packages built today rely on
packages built yesterday, and so on.

If you are using a glibc from 3 updates ago with other packages from
now, you are not using a tested configuration and it is not at all clear
what issues will be introduced.  The only recommended install set is all
updates installed.

Doing anything else introduces risk.



___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] Update only of security vulnerabilities?

2015-04-09 Thread Rafał Radecki
Thanks for the links, they are very informative.

So as I see currently the only way to check if there are any security
updates available for CentOS is to parse the errata info sent by email to
CentOS Announce? :D

Does anyone have another solution implemented? :) Any help will be very
appreciated :)

BR,
Rafal.

2015-04-08 18:15 GMT+02:00 Jonathan Billings:

> On Wed, Apr 08, 2015 at 03:54:18PM +0200, Rafał Radecki wrote:
> > What is the best way to get a list of available security updates?
> > I found several commands for that:
> > 1) yum updateinfo list updates -q --security
> > 2) yum list-security --security -q
> > 3) yum --security check-update -q
> > Based on the sample output below I think I can use any of the three with
> > some awk to get a list of packages.
>
> Keep in mind: when using the yum-plugin-security package which
> provides the --security option, you're only going to see security
> updates in EPEL (which I see you have enabled) and not in CentOS's
> repos.  As of yet, there are no errata data in the CentOS repos.
>
> See previous discussion here:
> http://lists.centos.org/pipermail/centos/2015-January/148839.html
> and on centos-devel:
> http://lists.centos.org/pipermail/centos-devel/2014-September/011893.html
>
> So, --security is pretty much a no-op, even when packages
> that fix security issues are available in the CentOS repos.
>
> --
> Jonathan Billings 


Re: [CentOS] Update only of security vulnerabilities?

2015-04-08 Thread Jonathan Billings
On Wed, Apr 08, 2015 at 03:54:18PM +0200, Rafał Radecki wrote:
> What is the best way to get a list of available security updates?
> I found several commands for that:
> 1) yum updateinfo list updates -q --security
> 2) yum list-security --security -q
> 3) yum --security check-update -q
> Based on the sample output below I think I can use any of the three with
> some awk to get a list of packages.

Keep in mind: when using the yum-plugin-security package which
provides the --security option, you're only going to see security
updates in EPEL (which I see you have enabled) and not in CentOS's
repos.  As of yet, there are no errata data in the CentOS repos.

See previous discussion here:
http://lists.centos.org/pipermail/centos/2015-January/148839.html
and on centos-devel:
http://lists.centos.org/pipermail/centos-devel/2014-September/011893.html

So, --security is pretty much a no-op, even when packages
that fix security issues are available in the CentOS repos.

-- 
Jonathan Billings 
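
Added example, not part of the original messages: a Nagios-style check that parses advisory lines in the format quoted in this thread and refuses to report OK when an enabled repo ships no errata metadata, which is the failure mode described above. It relies on the fact that yum repositories carrying errata list an `updateinfo` entry in `repodata/repomd.xml`; the sample output, the repomd.xml fragments and the repo names `epel` and `base` are constructed for illustration.

```shell
#!/bin/sh
# Added example; all sample data below is constructed.

# Print the package field of every "ADVISORY security PACKAGE" line on stdin.
security_packages() {
    awk 'NF == 3 && $2 == "security" { print $3 }' | sort -u
}

# Succeed if the repomd.xml text on stdin declares updateinfo (errata) metadata.
repo_has_errata() {
    grep -Eq '<data[[:space:]]+type="updateinfo"'
}

# check_security ADVISORY_TEXT REPOS_WITHOUT_ERRATA
# Prints one Nagios status line; returns 0 (OK), 2 (CRITICAL) or 3 (UNKNOWN).
check_security() {
    pkgs=$(printf '%s\n' "$1" | security_packages | tr '\n' ' ')
    pkgs=${pkgs% }
    if [ -n "$pkgs" ]; then
        echo "CRITICAL: security updates pending: $pkgs"
        return 2
    fi
    # An empty list is only meaningful if every repo publishes errata.
    if [ -n "$2" ]; then
        echo "UNKNOWN: no errata metadata in: $2 (empty result proves nothing)"
        return 3
    fi
    echo "OK: no security updates pending"
    return 0
}

# Constructed samples: advisory lines in the format shown in the thread, and
# two minimal repomd.xml fragments (one with, one without updateinfo).
SAMPLE_ADVISORIES='FEDORA-EPEL-2014-0525 security libyaml-0.1.5-1.el6.x86_64
FEDORA-EPEL-2014-0990 security libyaml-0.1.6-1.el6.x86_64'
REPOMD_WITH='<repomd><data type="primary"/><data type="updateinfo"/></repomd>'
REPOMD_WITHOUT='<repomd><data type="primary"/><data type="filelists"/></repomd>'

# Collect the repos whose metadata lacks errata (repo names are examples).
missing=""
printf '%s' "$REPOMD_WITH" | repo_has_errata || missing="$missing epel"
printf '%s' "$REPOMD_WITHOUT" | repo_has_errata || missing="$missing base"
missing=${missing# }

check_security "$SAMPLE_ADVISORIES" "$missing" || true   # pending updates
check_security "" "$missing" || true                     # empty but untrusted
```

In real use the first argument would be the output of `yum updateinfo list updates -q --security`, and the repomd.xml text would come from each enabled repository's metadata.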


Re: [CentOS] Update only of security vulnerabilities?

2015-04-08 Thread Leon Fauster
On 08.04.2015 at 16:53, Les Mikesell wrote:
> On Wed, Apr 8, 2015 at 8:54 AM, Rafał Radecki  wrote:
>> Hi All :)
>> 
>> What is the best way to get a list of available security updates?
>> I found several commands for that:
>> 1) yum updateinfo list updates -q --security
>> 2) yum list-security --security -q
>> 3) yum --security check-update -q
>> Based on the sample output below I think I can use any of the three with
>> some awk to get a list of packages.
>> 
>> yum updateinfo list updates -q --security
>> FEDORA-EPEL-2014-0525 security libyaml-0.1.5-1.el6.x86_64
>> FEDORA-EPEL-2014-0990 security libyaml-0.1.6-1.el6.x86_64
>> 
>> yum list-security --security -q
>> FEDORA-EPEL-2014-0525 security libyaml-0.1.5-1.el6.x86_64
>> FEDORA-EPEL-2014-0990 security libyaml-0.1.6-1.el6.x86_64
>> 
>> yum --security check-update -q
>> libyaml.x86_64   0.1.3-4.el6_6   updates
>> 
>> Then I can add this to nagios or cron to get a notification about available
>> security updates.
>> 
>> Do you see any advantages/disadvantages in using one of the three choices?
> 
> There are disadvantages to anything short of keeping your system
> completely up to date with available updates.
> 
>> How do you do this kind of task? What can you propose to get a notification
>> about available security updates?
> 
> Most/all updates within a minor version number will be to fix
> something critical.   And the big batches of updates that come at the
> minor version releases are only tested together.   While you can
> cherry-pick individual package updates to install and in theory they
> should run and pull in any other updates that are really needed via
> rpm dependencies, you'll end up running a mix of things that no one
> else has tried together.



As stated by the advisories:

"Before applying this update, make sure all previously released
errata relevant to your system have been applied."

The OP maybe wants to be triggered only when the class of an
update was rated as "important"?

The packages

el5: yum-downloadonly-1.1.16-21.el5.centos

el6: yum-plugin-downloadonly-1.1.30-30.el6.noarch

can help you to get notified in general. The "security" option
is broken, if I remember correctly; the meta information needed
is not provided by the repositories ...


--
LF


Re: [CentOS] Update only of security vulnerabilities?

2015-04-08 Thread Les Mikesell
On Wed, Apr 8, 2015 at 8:54 AM, Rafał Radecki  wrote:
> Hi All :)
>
> What is the best way to get a list of available security updates?
> I found several commands for that:
> 1) yum updateinfo list updates -q --security
> 2) yum list-security --security -q
> 3) yum --security check-update -q
> Based on the sample output below I think I can use any of the three with
> some awk to get a list of packages.
>
> yum updateinfo list updates -q --security
> FEDORA-EPEL-2014-0525 security libyaml-0.1.5-1.el6.x86_64
> FEDORA-EPEL-2014-0990 security libyaml-0.1.6-1.el6.x86_64
>
> yum list-security --security -q
> FEDORA-EPEL-2014-0525 security libyaml-0.1.5-1.el6.x86_64
> FEDORA-EPEL-2014-0990 security libyaml-0.1.6-1.el6.x86_64
>
> yum --security check-update -q
> libyaml.x86_64   0.1.3-4.el6_6   updates
>
> Then I can add this to nagios or cron to get a notification about available
> security updates.
>
> Do you see any advantages/disadvantages in using one of the three choices?

There are disadvantages to anything short of keeping your system
completely up to date with available updates.

> How do you do this kind of task? What can you propose to get a notification
> about available security updates?

Most/all updates within a minor version number will be to fix
something critical.   And the big batches of updates that come at the
minor version releases are only tested together.   While you can
cherry-pick individual package updates to install and in theory they
should run and pull in any other updates that are really needed via
rpm dependencies, you'll end up running a mix of things that no one
else has tried together.

-- 
   Les Mikesell
 lesmikes...@gmail.com


[CentOS] Update only of security vulnerabilities?

2015-04-08 Thread Rafał Radecki
Hi All :)

What is the best way to get a list of available security updates?
I found several commands for that:
1) yum updateinfo list updates -q --security
2) yum list-security --security -q
3) yum --security check-update -q
Based on the sample output below I think I can use any of the three with
some awk to get a list of packages.

yum updateinfo list updates -q --security
FEDORA-EPEL-2014-0525 security libyaml-0.1.5-1.el6.x86_64
FEDORA-EPEL-2014-0990 security libyaml-0.1.6-1.el6.x86_64

yum list-security --security -q
FEDORA-EPEL-2014-0525 security libyaml-0.1.5-1.el6.x86_64
FEDORA-EPEL-2014-0990 security libyaml-0.1.6-1.el6.x86_64

yum --security check-update -q
libyaml.x86_64   0.1.3-4.el6_6   updates

Then I can add this to nagios or cron to get a notification about available
security updates.

Do you see any advantages/disadvantages in using one of the three choices?

How do you do this kind of task? What can you propose to get a notification
about available security updates?

BR,
Rafal.