Getting CentOS Security Updates as of 2016

sylye asked:

I have been searching around on the net and on StackExchange as well, and found out that yum-plugin-security, although it can be installed, is actually not functioning for CentOS base repositories, going back to 2013 and 2014. Referring to this and this.

I have tested again myself with my CentOS 6.6 and found that, as of 2016 now, yum-plugin-security is still not functioning. This can be tested using the latest hot issue, the DROWN attack on openssl.

First get the version of openssl installed:

4977-20[13:59:19 [email protected] ~]# rpm -qa openssl

Then find any updates available for openssl:

4978-21[14:09:37 [email protected] ~]# yum list updates openssl*
Loaded plugins: security
Updated Packages
openssl.x86_64    1.0.1e-42.el6_7.4      updates

Ok, so there is one. Then find it with yum-plugin-security tools updateinfo:

4979-22[14:09:42 [email protected] ~]# yum updateinfo list security
Loaded plugins: security
updateinfo list done
4980-23[14:09:46 [email protected] ~]#

So there is none shown by ‘updateinfo’. (If using yum --security check-update it will list out all updates available, which is not functioning so well).

I wish to know: is it true there is NO WAY we can get the security updates by using yum commands? Or is there a way and I did something wrong?

My purpose is to update CentOS with only security-related updates. At the moment what I can do is manually subscribe to the CentOS-announce mailing list and look for those threads with the keyword Security Update, such as this for the openssl DROWN attack.

My answer:

Just use the --security option.

# yum --security update
Loaded plugins: etckeeper, fastestmirror, security
Setting up Update Process
Loading mirror speeds from cached hostfile
 * base:
 * epel:
 * extras:
 * updates:
Resolving Dependencies
Limiting packages to security relevant ones
No packages needed for security; 1 packages available

But keep in mind that:

  • CentOS repos do not tag any updates as security updates.
  • If you use third party repos, they might not tag all of their security updates as such.

So you may need to apply additional updates.

View the full question and any other answers on Server Fault.
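
Why `--security` selects nothing from the CentOS repos, as an added example that is not part of the original question or answer: yum can only filter on updates that a repository describes in updateinfo metadata, which the repository advertises in its repodata/repomd.xml. The Python 3 sketch below checks that listing; the repo ids and repomd.xml contents are constructed samples, and on a real host the XML would be read from each enabled repo's repodata/repomd.xml.

```python
"""Report which yum repositories advertise updateinfo (errata) metadata."""
import xml.etree.ElementTree as ET

# XML namespace used by repomd.xml
REPO_NS = "{http://linux.duke.edu/metadata/repo}"


def metadata_types(repomd_xml):
    """Return the set of metadata types listed in a repomd.xml document."""
    root = ET.fromstring(repomd_xml)
    return {d.get("type") for d in root.iter(REPO_NS + "data")}


def audit(repos):
    """Map repo id -> True/False (has updateinfo) or None (unparseable)."""
    result = {}
    for repo_id, xml_text in repos.items():
        try:
            result[repo_id] = "updateinfo" in metadata_types(xml_text)
        except ET.ParseError:
            # e.g. a mirror returned an HTML error page instead of XML
            result[repo_id] = None
    return result


def _repomd(types):
    """Build a minimal, constructed repomd.xml listing the given types."""
    entries = "".join(
        '<data type="%s"><location href="repodata/%s.xml.gz"/></data>' % (t, t)
        for t in types)
    return ('<repomd xmlns="http://linux.duke.edu/metadata/repo">'
            '<revision>0</revision>%s</repomd>' % entries)


# Constructed samples (assumptions, not real repository data):
# "updates" models a repo without security tagging, as the answer describes
# for CentOS; "thirdparty-example" is a hypothetical repo that ships errata.
SAMPLE_REPOS = {
    "updates": _repomd(["primary", "filelists", "other"]),
    "thirdparty-example": _repomd(["primary", "filelists", "updateinfo"]),
    "broken-mirror": "<html>404 Not Found",
}

if __name__ == "__main__":
    labels = {True: "updateinfo present: --security can filter",
              False: "no updateinfo: --security will select nothing",
              None: "repomd.xml unreadable: check the mirror"}
    for repo_id, state in sorted(audit(SAMPLE_REPOS).items()):
        print("%-20s %s" % (repo_id, labels[state]))
```

A repo reported as having no updateinfo still needs its updates reviewed by other means, such as the announce list mentioned in the question.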

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.