diff --git a/sources/tech/20190527 How To Check Available Security Updates On Red Hat (RHEL) And CentOS System.md b/sources/tech/20190527 How To Check Available Security Updates On Red Hat (RHEL) And CentOS System.md new file mode 100644 index 0000000000..531612777a --- /dev/null +++ b/sources/tech/20190527 How To Check Available Security Updates On Red Hat (RHEL) And CentOS System.md @@ -0,0 +1,320 @@ +[#]: collector: (lujun9972) +[#]: translator: ( ) +[#]: reviewer: ( ) +[#]: publisher: ( ) +[#]: url: ( ) +[#]: subject: (How To Check Available Security Updates On Red Hat (RHEL) And CentOS System?) +[#]: via: (https://www.2daygeek.com/check-list-view-find-available-security-updates-on-redhat-rhel-centos-system/) +[#]: author: (Magesh Maruthamuthu https://www.2daygeek.com/author/magesh/) + +How To Check Available Security Updates On Red Hat (RHEL) And CentOS System? +====== + +As per your organization policy you may need to push only security updates due to varies reasons. + +In most cases, it could be an application compatibility issues. + +How to do that? Is it possible to limit yum to perform only security updates? + +Yes, it’s possible and can be done easily through yum package manager. + +In this article, we are not giving only the required information. + +Instead, we have added lot more commands that help you to gather many information about a given security package. + +This may give you an idea or opportunity to understand and fix the list of vulnerabilities, which you have it. + +If security vulnerabilities are discovered, the affected software must be updated in order to limit any potential security risks on system. + +For RHEL/CentOS 6 systems, run the following **[Yum Command][1]** to install yum security plugin. + +``` +# yum -y install yum-plugin-security +``` + +The plugin is already a part of yum itself so, no need to install this on RHEL 7&8/CentOS 7&8. + +To list all available erratas (it includes Security, Bug Fix and Product Enhancement) without installing them. + +``` +# yum updateinfo list available +Loaded plugins: changelog, package_upload, product-id, search-disabled-repos, + : subscription-manager, verify, versionlock +RHSA-2014:1031 Important/Sec. 389-ds-base-1.3.1.6-26.el7_0.x86_64 +RHSA-2015:0416 Important/Sec. 389-ds-base-1.3.3.1-13.el7.x86_64 +RHBA-2015:0626 bugfix 389-ds-base-1.3.3.1-15.el7_1.x86_64 +RHSA-2015:0895 Important/Sec. 389-ds-base-1.3.3.1-16.el7_1.x86_64 +RHBA-2015:1554 bugfix 389-ds-base-1.3.3.1-20.el7_1.x86_64 +RHBA-2015:1960 bugfix 389-ds-base-1.3.3.1-23.el7_1.x86_64 +RHBA-2015:2351 bugfix 389-ds-base-1.3.4.0-19.el7.x86_64 +RHBA-2015:2572 bugfix 389-ds-base-1.3.4.0-21.el7_2.x86_64 +RHSA-2016:0204 Important/Sec. 389-ds-base-1.3.4.0-26.el7_2.x86_64 +RHBA-2016:0550 bugfix 389-ds-base-1.3.4.0-29.el7_2.x86_64 +RHBA-2016:1048 bugfix 389-ds-base-1.3.4.0-30.el7_2.x86_64 +RHBA-2016:1298 bugfix 389-ds-base-1.3.4.0-32.el7_2.x86_64 +``` + +To count the number of erratas, run the following command. + +``` +# yum updateinfo list available | wc -l +11269 +``` + +To list all available security updates without installing them. + +It used to display information about both installed and available advisories on your system. + +``` +# yum updateinfo list security all +Loaded plugins: changelog, package_upload, product-id, search-disabled-repos, + : subscription-manager, verify, versionlock + RHSA-2014:1031 Important/Sec. 389-ds-base-1.3.1.6-26.el7_0.x86_64 + RHSA-2015:0416 Important/Sec. 389-ds-base-1.3.3.1-13.el7.x86_64 + RHSA-2015:0895 Important/Sec. 389-ds-base-1.3.3.1-16.el7_1.x86_64 + RHSA-2016:0204 Important/Sec. 389-ds-base-1.3.4.0-26.el7_2.x86_64 + RHSA-2016:2594 Moderate/Sec. 389-ds-base-1.3.5.10-11.el7.x86_64 + RHSA-2017:0920 Important/Sec. 389-ds-base-1.3.5.10-20.el7_3.x86_64 + RHSA-2017:2569 Moderate/Sec. 389-ds-base-1.3.6.1-19.el7_4.x86_64 + RHSA-2018:0163 Important/Sec. 389-ds-base-1.3.6.1-26.el7_4.x86_64 + RHSA-2018:0414 Important/Sec. 389-ds-base-1.3.6.1-28.el7_4.x86_64 + RHSA-2018:1380 Important/Sec. 389-ds-base-1.3.7.5-21.el7_5.x86_64 + RHSA-2018:2757 Moderate/Sec. 389-ds-base-1.3.7.5-28.el7_5.x86_64 + RHSA-2018:3127 Moderate/Sec. 389-ds-base-1.3.8.4-15.el7.x86_64 + RHSA-2014:1031 Important/Sec. 389-ds-base-libs-1.3.1.6-26.el7_0.x86_64 +``` + +To print all available advisories security packages (It prints all kind of packages like installed and not-installed). + +``` +# yum updateinfo list security all | grep -v "i" + + RHSA-2014:1031 Important/Sec. 389-ds-base-1.3.1.6-26.el7_0.x86_64 + RHSA-2015:0416 Important/Sec. 389-ds-base-1.3.3.1-13.el7.x86_64 + RHSA-2015:0895 Important/Sec. 389-ds-base-1.3.3.1-16.el7_1.x86_64 + RHSA-2016:0204 Important/Sec. 389-ds-base-1.3.4.0-26.el7_2.x86_64 + RHSA-2016:2594 Moderate/Sec. 389-ds-base-1.3.5.10-11.el7.x86_64 + RHSA-2017:0920 Important/Sec. 389-ds-base-1.3.5.10-20.el7_3.x86_64 + RHSA-2017:2569 Moderate/Sec. 389-ds-base-1.3.6.1-19.el7_4.x86_64 + RHSA-2018:0163 Important/Sec. 389-ds-base-1.3.6.1-26.el7_4.x86_64 + RHSA-2018:0414 Important/Sec. 389-ds-base-1.3.6.1-28.el7_4.x86_64 + RHSA-2018:1380 Important/Sec. 389-ds-base-1.3.7.5-21.el7_5.x86_64 + RHSA-2018:2757 Moderate/Sec. 389-ds-base-1.3.7.5-28.el7_5.x86_64 +``` + +To count the number of available security package, run the following command. + +``` +# yum updateinfo list security all | wc -l +3522 +``` + +It’s used to list all of the relevant errata notice information, from the updateinfo.xml data in yum. This includes bugzillas, CVEs, security updates and new. + +``` +# yum updateinfo list security + +or + +# yum updateinfo list sec + +Loaded plugins: changelog, package_upload, product-id, search-disabled-repos, + : subscription-manager, verify, versionlock + +RHSA-2018:3665 Important/Sec. NetworkManager-1:1.12.0-8.el7_6.x86_64 +RHSA-2018:3665 Important/Sec. NetworkManager-adsl-1:1.12.0-8.el7_6.x86_64 +RHSA-2018:3665 Important/Sec. NetworkManager-bluetooth-1:1.12.0-8.el7_6.x86_64 +RHSA-2018:3665 Important/Sec. NetworkManager-config-server-1:1.12.0-8.el7_6.noarch +RHSA-2018:3665 Important/Sec. NetworkManager-glib-1:1.12.0-8.el7_6.x86_64 +RHSA-2018:3665 Important/Sec. NetworkManager-libnm-1:1.12.0-8.el7_6.x86_64 +RHSA-2018:3665 Important/Sec. NetworkManager-ppp-1:1.12.0-8.el7_6.x86_64 +RHSA-2018:3665 Important/Sec. NetworkManager-team-1:1.12.0-8.el7_6.x86_64 +RHSA-2018:3665 Important/Sec. NetworkManager-tui-1:1.12.0-8.el7_6.x86_64 +RHSA-2018:3665 Important/Sec. NetworkManager-wifi-1:1.12.0-8.el7_6.x86_64 +RHSA-2018:3665 Important/Sec. NetworkManager-wwan-1:1.12.0-8.el7_6.x86_64 +``` + +To display all updates that are security relevant, and get a return code on whether there are security updates. + +``` +# yum --security check-update +Loaded plugins: changelog, package_upload, product-id, search-disabled-repos, subscription-manager, verify, versionlock +rhel-7-server-rpms | 2.0 kB 00:00:00 +--> policycoreutils-devel-2.2.5-20.el7.x86_64 from rhel-7-server-rpms excluded (updateinfo) +--> smc-raghumalayalam-fonts-6.0-7.el7.noarch from rhel-7-server-rpms excluded (updateinfo) +--> amanda-server-3.3.3-17.el7.x86_64 from rhel-7-server-rpms excluded (updateinfo) +--> 389-ds-base-libs-1.3.4.0-26.el7_2.x86_64 from rhel-7-server-rpms excluded (updateinfo) +--> 1:cups-devel-1.6.3-26.el7.i686 from rhel-7-server-rpms excluded (updateinfo) +--> openwsman-client-2.6.3-3.git4391e5c.el7.i686 from rhel-7-server-rpms excluded (updateinfo) +--> 1:emacs-24.3-18.el7.x86_64 from rhel-7-server-rpms excluded (updateinfo) +--> augeas-libs-1.4.0-2.el7_4.2.i686 from rhel-7-server-rpms excluded (updateinfo) +--> samba-winbind-modules-4.2.3-10.el7.i686 from rhel-7-server-rpms excluded (updateinfo) +--> tftp-5.2-11.el7.x86_64 from rhel-7-server-rpms excluded (updateinfo) +. +. +35 package(s) needed for security, out of 115 available +NetworkManager.x86_64 1:1.12.0-10.el7_6 rhel-7-server-rpms +NetworkManager-adsl.x86_64 1:1.12.0-10.el7_6 rhel-7-server-rpms +NetworkManager-bluetooth.x86_64 1:1.12.0-10.el7_6 rhel-7-server-rpms +NetworkManager-config-server.noarch 1:1.12.0-10.el7_6 rhel-7-server-rpms +NetworkManager-glib.x86_64 1:1.12.0-10.el7_6 rhel-7-server-rpms +NetworkManager-libnm.x86_64 1:1.12.0-10.el7_6 rhel-7-server-rpms +NetworkManager-ppp.x86_64 1:1.12.0-10.el7_6 rhel-7-server-rpms +``` + +To list all available security updates with verbose descriptions of the issues. + +``` +# yum info-sec +. +. +=============================================================================== + tzdata bug fix and enhancement update +=============================================================================== + Update ID : RHBA-2019:0689 + Release : 0 + Type : bugfix + Status : final + Issued : 2019-03-28 19:27:44 UTC +Description : The tzdata packages contain data files with rules for various + : time zones. + : + : The tzdata packages have been updated to version + : 2019a, which addresses recent time zone changes. + : Notably: + : + : * The Asia/Hebron and Asia/Gaza zones will start + : DST on 2019-03-30, rather than 2019-03-23 as + : previously predicted. + : * Metlakatla rejoined Alaska time on 2019-01-20, + : ending its observances of Pacific standard time. + : + : (BZ#1692616, BZ#1692615, BZ#1692816) + : + : Users of tzdata are advised to upgrade to these + : updated packages. + Severity : None +``` + +If you would like to know more information about the given advisory, run the following command. + +``` +# yum updateinfo RHSA-2019:0163 + +Loaded plugins: changelog, package_upload, product-id, search-disabled-repos, subscription-manager, verify, versionlock +rhel-7-server-rpms | 2.0 kB 00:00:00 +=============================================================================== + Important: kernel security, bug fix, and enhancement update +=============================================================================== + Update ID : RHSA-2019:0163 + Release : 0 + Type : security + Status : final + Issued : 2019-01-29 15:21:23 UTC + Updated : 2019-01-29 15:23:47 UTC Bugs : 1641548 - CVE-2018-18397 kernel: userfaultfd bypasses tmpfs file permissions + : 1641878 - CVE-2018-18559 kernel: Use-after-free due to race condition in AF_PACKET implementation + CVEs : CVE-2018-18397 + : CVE-2018-18559 +Description : The kernel packages contain the Linux kernel, the core of any + : Linux operating system. + : + : Security Fix(es): + : + : * kernel: Use-after-free due to race condition in + : AF_PACKET implementation (CVE-2018-18559) + : + : * kernel: userfaultfd bypasses tmpfs file + : permissions (CVE-2018-18397) + : + : For more details about the security issue(s), + : including the impact, a CVSS score, and other + : related information, refer to the CVE page(s) + : listed in the References section. + : + : Bug Fix(es): + : + : These updated kernel packages include also + : numerous bug fixes and enhancements. Space + : precludes documenting all of the bug fixes in this + : advisory. See the descriptions in the related + : Knowledge Article: + : https://access.redhat.com/articles/3827321 + Severity : Important +updateinfo info done +``` + +Similarly, you can view CVEs which affect the system using the following command. + +``` +# yum updateinfo list cves + +Loaded plugins: changelog, package_upload, product-id, search-disabled-repos, + : subscription-manager, verify, versionlock +CVE-2018-15688 Important/Sec. NetworkManager-1:1.12.0-8.el7_6.x86_64 +CVE-2018-15688 Important/Sec. NetworkManager-adsl-1:1.12.0-8.el7_6.x86_64 +CVE-2018-15688 Important/Sec. NetworkManager-bluetooth-1:1.12.0-8.el7_6.x86_64 +CVE-2018-15688 Important/Sec. NetworkManager-config-server-1:1.12.0-8.el7_6.noarch +CVE-2018-15688 Important/Sec. NetworkManager-glib-1:1.12.0-8.el7_6.x86_64 +CVE-2018-15688 Important/Sec. NetworkManager-libnm-1:1.12.0-8.el7_6.x86_64 +CVE-2018-15688 Important/Sec. NetworkManager-ppp-1:1.12.0-8.el7_6.x86_64 +CVE-2018-15688 Important/Sec. NetworkManager-team-1:1.12.0-8.el7_6.x86_64 +``` + +Similarly, you can view the packages which is belongs to bugfixs by running the following command. + +``` +# yum updateinfo list bugfix | less + +Loaded plugins: changelog, package_upload, product-id, search-disabled-repos, + : subscription-manager, verify, versionlock +RHBA-2018:3349 bugfix NetworkManager-1:1.12.0-7.el7_6.x86_64 +RHBA-2019:0519 bugfix NetworkManager-1:1.12.0-10.el7_6.x86_64 +RHBA-2018:3349 bugfix NetworkManager-adsl-1:1.12.0-7.el7_6.x86_64 +RHBA-2019:0519 bugfix NetworkManager-adsl-1:1.12.0-10.el7_6.x86_64 +RHBA-2018:3349 bugfix NetworkManager-bluetooth-1:1.12.0-7.el7_6.x86_64 +RHBA-2019:0519 bugfix NetworkManager-bluetooth-1:1.12.0-10.el7_6.x86_64 +RHBA-2018:3349 bugfix NetworkManager-config-server-1:1.12.0-7.el7_6.noarch +RHBA-2019:0519 bugfix NetworkManager-config-server-1:1.12.0-10.el7_6.noarch +``` + +To get a summary of advisories, which needs to be installed on your system. + +``` +# yum updateinfo summary +Loaded plugins: changelog, package_upload, product-id, search-disabled-repos, subscription-manager, verify, versionlock +rhel-7-server-rpms | 2.0 kB 00:00:00 +Updates Information Summary: updates + 13 Security notice(s) + 9 Important Security notice(s) + 3 Moderate Security notice(s) + 1 Low Security notice(s) + 35 Bugfix notice(s) + 1 Enhancement notice(s) +updateinfo summary done +``` + +To print only specific pattern of security advisories, run the following command. Similarly, you can check Important or Moderate security advisories info alone. + +``` +# yum updateinfo list sec | grep -i "Low" + +RHSA-2019:0201 Low/Sec. libgudev1-219-62.el7_6.3.x86_64 +RHSA-2019:0201 Low/Sec. systemd-219-62.el7_6.3.x86_64 +RHSA-2019:0201 Low/Sec. systemd-libs-219-62.el7_6.3.x86_64 +RHSA-2019:0201 Low/Sec. systemd-sysv-219-62.el7_6.3.x86_64 +``` + +-------------------------------------------------------------------------------- + +via: https://www.2daygeek.com/check-list-view-find-available-security-updates-on-redhat-rhel-centos-system/ + +作者:[Magesh Maruthamuthu][a] +选题:[lujun9972][b] +译者:[译者ID](https://github.com/译者ID) +校对:[校对者ID](https://github.com/校对者ID) + +本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出 + +[a]: https://www.2daygeek.com/author/magesh/ +[b]: https://github.com/lujun9972 +[1]: https://www.2daygeek.com/yum-command-examples-manage-packages-rhel-centos-systems/