How to check available security updates on Red Hat (RHEL) and CentOS system

Based on your organization policy you may need to push only security updates due to various reasons. In most cases, it could be an application compatibility issues.

Is it possible to limit yum to perform only security updates?

Yes, it’s possible and can be done easily through yum package manager.

In this article, we will give some detailed information about this .

We have added lot more commands that help you to gather many information about a given security package.

This may give you an idea or opportunity to understand and fix the list of vulnerabilities, which you face.

If security vulnerabilities are discovered, the affected software must be updated in order to limit any potential security risks on system.

For RHEL/CentOS 6 systems, run the following Yum Command to install yum security plugin.

# yum -y install yum-plugin-security

The plugin is  part of yum.So, no need to install this on RHEL 7&8/CentOS 7&8.

To list all available erratas (it includes Security, Bug Fix and Product Enhancement) without installing them.

# yum updateinfo list available
Loaded plugins: changelog, package_upload, product-id, search-disabled-repos,
              : subscription-manager, verify, versionlock
RHSA-2014:1031 Important/Sec. 389-ds-base-1.3.1.6-26.el7_0.x86_64
RHSA-2015:0416 Important/Sec. 389-ds-base-1.3.3.1-13.el7.x86_64
RHBA-2015:0626 bugfix         389-ds-base-1.3.3.1-15.el7_1.x86_64
RHSA-2015:0895 Important/Sec. 389-ds-base-1.3.3.1-16.el7_1.x86_64
RHBA-2015:1554 bugfix         389-ds-base-1.3.3.1-20.el7_1.x86_64
RHBA-2015:1960 bugfix         389-ds-base-1.3.3.1-23.el7_1.x86_64
RHBA-2015:2351 bugfix         389-ds-base-1.3.4.0-19.el7.x86_64
RHBA-2015:2572 bugfix         389-ds-base-1.3.4.0-21.el7_2.x86_64
RHSA-2016:0204 Important/Sec. 389-ds-base-1.3.4.0-26.el7_2.x86_64
RHBA-2016:0550 bugfix         389-ds-base-1.3.4.0-29.el7_2.x86_64
RHBA-2016:1048 bugfix         389-ds-base-1.3.4.0-30.el7_2.x86_64
RHBA-2016:1298 bugfix         389-ds-base-1.3.4.0-32.el7_2.x86_64

To count the number of erratas, run the following command.

# yum updateinfo list available | wc -l
11269

To list all available security updates without installing them.

It used to display information about both installed and available advisories on your system.

# yum updateinfo list security all
Loaded plugins: changelog, package_upload, product-id, search-disabled-repos,
              : subscription-manager, verify, versionlock
  RHSA-2014:1031 Important/Sec. 389-ds-base-1.3.1.6-26.el7_0.x86_64
  RHSA-2015:0416 Important/Sec. 389-ds-base-1.3.3.1-13.el7.x86_64
  RHSA-2015:0895 Important/Sec. 389-ds-base-1.3.3.1-16.el7_1.x86_64
  RHSA-2016:0204 Important/Sec. 389-ds-base-1.3.4.0-26.el7_2.x86_64
  RHSA-2016:2594 Moderate/Sec.  389-ds-base-1.3.5.10-11.el7.x86_64
  RHSA-2017:0920 Important/Sec. 389-ds-base-1.3.5.10-20.el7_3.x86_64
  RHSA-2017:2569 Moderate/Sec.  389-ds-base-1.3.6.1-19.el7_4.x86_64
  RHSA-2018:0163 Important/Sec. 389-ds-base-1.3.6.1-26.el7_4.x86_64
  RHSA-2018:0414 Important/Sec. 389-ds-base-1.3.6.1-28.el7_4.x86_64
  RHSA-2018:1380 Important/Sec. 389-ds-base-1.3.7.5-21.el7_5.x86_64
  RHSA-2018:2757 Moderate/Sec.  389-ds-base-1.3.7.5-28.el7_5.x86_64
  RHSA-2018:3127 Moderate/Sec.  389-ds-base-1.3.8.4-15.el7.x86_64
  RHSA-2014:1031 Important/Sec. 389-ds-base-libs-1.3.1.6-26.el7_0.x86_64

To print all available advisories security packages (It prints all kind of packages like installed and not-installed).

# yum updateinfo list security all | grep -v "i"

  RHSA-2014:1031 Important/Sec. 389-ds-base-1.3.1.6-26.el7_0.x86_64
  RHSA-2015:0416 Important/Sec. 389-ds-base-1.3.3.1-13.el7.x86_64
  RHSA-2015:0895 Important/Sec. 389-ds-base-1.3.3.1-16.el7_1.x86_64
  RHSA-2016:0204 Important/Sec. 389-ds-base-1.3.4.0-26.el7_2.x86_64
  RHSA-2016:2594 Moderate/Sec.  389-ds-base-1.3.5.10-11.el7.x86_64
  RHSA-2017:0920 Important/Sec. 389-ds-base-1.3.5.10-20.el7_3.x86_64
  RHSA-2017:2569 Moderate/Sec.  389-ds-base-1.3.6.1-19.el7_4.x86_64
  RHSA-2018:0163 Important/Sec. 389-ds-base-1.3.6.1-26.el7_4.x86_64
  RHSA-2018:0414 Important/Sec. 389-ds-base-1.3.6.1-28.el7_4.x86_64
  RHSA-2018:1380 Important/Sec. 389-ds-base-1.3.7.5-21.el7_5.x86_64
  RHSA-2018:2757 Moderate/Sec.  389-ds-base-1.3.7.5-28.el7_5.x86_64

To count the number of available security package, run the following command.

# yum updateinfo list security all | wc -l
3522

It’s used to list all of the relevant errata notice information, from the updateinfo.xml data in yum. This includes bugzillas, CVEs, security updates and new.

# yum updateinfo list security

or

# yum updateinfo list sec

Loaded plugins: changelog, package_upload, product-id, search-disabled-repos,
              : subscription-manager, verify, versionlock

RHSA-2018:3665 Important/Sec. NetworkManager-1:1.12.0-8.el7_6.x86_64
RHSA-2018:3665 Important/Sec. NetworkManager-adsl-1:1.12.0-8.el7_6.x86_64
RHSA-2018:3665 Important/Sec. NetworkManager-bluetooth-1:1.12.0-8.el7_6.x86_64
RHSA-2018:3665 Important/Sec. NetworkManager-config-server-1:1.12.0-8.el7_6.noarch
RHSA-2018:3665 Important/Sec. NetworkManager-glib-1:1.12.0-8.el7_6.x86_64
RHSA-2018:3665 Important/Sec. NetworkManager-libnm-1:1.12.0-8.el7_6.x86_64
RHSA-2018:3665 Important/Sec. NetworkManager-ppp-1:1.12.0-8.el7_6.x86_64
RHSA-2018:3665 Important/Sec. NetworkManager-team-1:1.12.0-8.el7_6.x86_64
RHSA-2018:3665 Important/Sec. NetworkManager-tui-1:1.12.0-8.el7_6.x86_64
RHSA-2018:3665 Important/Sec. NetworkManager-wifi-1:1.12.0-8.el7_6.x86_64
RHSA-2018:3665 Important/Sec. NetworkManager-wwan-1:1.12.0-8.el7_6.x86_64

To display all updates that are security relevant, and get a return code on whether there are security updates.

# yum --security check-update
Loaded plugins: changelog, package_upload, product-id, search-disabled-repos, subscription-manager, verify, versionlock
rhel-7-server-rpms                                                                                                                            | 2.0 kB  00:00:00
--> policycoreutils-devel-2.2.5-20.el7.x86_64 from rhel-7-server-rpms excluded (updateinfo)
--> smc-raghumalayalam-fonts-6.0-7.el7.noarch from rhel-7-server-rpms excluded (updateinfo)
--> amanda-server-3.3.3-17.el7.x86_64 from rhel-7-server-rpms excluded (updateinfo)
--> 389-ds-base-libs-1.3.4.0-26.el7_2.x86_64 from rhel-7-server-rpms excluded (updateinfo)
--> 1:cups-devel-1.6.3-26.el7.i686 from rhel-7-server-rpms excluded (updateinfo)
--> openwsman-client-2.6.3-3.git4391e5c.el7.i686 from rhel-7-server-rpms excluded (updateinfo)
--> 1:emacs-24.3-18.el7.x86_64 from rhel-7-server-rpms excluded (updateinfo)
--> augeas-libs-1.4.0-2.el7_4.2.i686 from rhel-7-server-rpms excluded (updateinfo)
--> samba-winbind-modules-4.2.3-10.el7.i686 from rhel-7-server-rpms excluded (updateinfo)
--> tftp-5.2-11.el7.x86_64 from rhel-7-server-rpms excluded (updateinfo)
.
.
35 package(s) needed for security, out of 115 available
NetworkManager.x86_64                        1:1.12.0-10.el7_6            rhel-7-server-rpms
NetworkManager-adsl.x86_64                   1:1.12.0-10.el7_6            rhel-7-server-rpms
NetworkManager-bluetooth.x86_64              1:1.12.0-10.el7_6            rhel-7-server-rpms
NetworkManager-config-server.noarch          1:1.12.0-10.el7_6            rhel-7-server-rpms
NetworkManager-glib.x86_64                   1:1.12.0-10.el7_6            rhel-7-server-rpms
NetworkManager-libnm.x86_64                  1:1.12.0-10.el7_6            rhel-7-server-rpms
NetworkManager-ppp.x86_64                    1:1.12.0-10.el7_6            rhel-7-server-rpms

To list all available security updates with verbose descriptions of the issues.

# yum info-sec
.
.
===============================================================================
  tzdata bug fix and enhancement update
===============================================================================
  Update ID : RHBA-2019:0689
    Release : 0
       Type : bugfix
     Status : final
     Issued : 2019-03-28 19:27:44 UTC
Description : The tzdata packages contain data files with rules for various
            : time zones.
            :
            : The tzdata packages have been updated to version
            : 2019a, which addresses recent time zone changes.
            : Notably:
            :
            : * The Asia/Hebron and Asia/Gaza zones will start
            :   DST on 2019-03-30, rather than 2019-03-23 as
            :   previously predicted.
            : * Metlakatla rejoined Alaska time on 2019-01-20,
            :   ending its observances of Pacific standard time.
            :
            : (BZ#1692616, BZ#1692615, BZ#1692816)
            :
            : Users of tzdata are advised to upgrade to these
            : updated packages.
   Severity : None

If you would like to know more information about the given advisory, run the following command.

# yum updateinfo RHSA-2019:0163

Loaded plugins: changelog, package_upload, product-id, search-disabled-repos, subscription-manager, verify, versionlock
rhel-7-server-rpms                                                                                                                            | 2.0 kB  00:00:00
===============================================================================
  Important: kernel security, bug fix, and enhancement update
===============================================================================
  Update ID : RHSA-2019:0163
    Release : 0
       Type : security
     Status : final
     Issued : 2019-01-29 15:21:23 UTC
    Updated : 2019-01-29 15:23:47 UTC       Bugs : 1641548 - CVE-2018-18397 kernel: userfaultfd bypasses tmpfs file permissions
            : 1641878 - CVE-2018-18559 kernel: Use-after-free due to race condition in AF_PACKET implementation
       CVEs : CVE-2018-18397
            : CVE-2018-18559
Description : The kernel packages contain the Linux kernel, the core of any
            : Linux operating system.
            :
            : Security Fix(es):
            :
            : * kernel: Use-after-free due to race condition in
            :   AF_PACKET implementation (CVE-2018-18559)
            :
            : * kernel: userfaultfd bypasses tmpfs file
            :   permissions (CVE-2018-18397)
            :
            : For more details about the security issue(s),
            : including the impact, a CVSS score, and other
            : related information, refer to the CVE page(s)
            : listed in the References section.
            :
            : Bug Fix(es):
            :
            : These updated kernel packages include also
            : numerous bug fixes and enhancements. Space
            : precludes documenting all of the bug fixes in this
            : advisory. See the descriptions in the related
            : Knowledge Article:
            : https://access.redhat.com/articles/3827321
   Severity : Important
updateinfo info done

Similarly, you can viewlist of  CVEs which affects the system by using the following command.

# yum updateinfo list cves

Loaded plugins: changelog, package_upload, product-id, search-disabled-repos,
              : subscription-manager, verify, versionlock
CVE-2018-15688 Important/Sec. NetworkManager-1:1.12.0-8.el7_6.x86_64
CVE-2018-15688 Important/Sec. NetworkManager-adsl-1:1.12.0-8.el7_6.x86_64
CVE-2018-15688 Important/Sec. NetworkManager-bluetooth-1:1.12.0-8.el7_6.x86_64
CVE-2018-15688 Important/Sec. NetworkManager-config-server-1:1.12.0-8.el7_6.noarch
CVE-2018-15688 Important/Sec. NetworkManager-glib-1:1.12.0-8.el7_6.x86_64
CVE-2018-15688 Important/Sec. NetworkManager-libnm-1:1.12.0-8.el7_6.x86_64
CVE-2018-15688 Important/Sec. NetworkManager-ppp-1:1.12.0-8.el7_6.x86_64
CVE-2018-15688 Important/Sec. NetworkManager-team-1:1.12.0-8.el7_6.x86_64

Similarly, you can view the packages which is belongs to bugfixs by running the following command.

# yum updateinfo list bugfix | less

Loaded plugins: changelog, package_upload, product-id, search-disabled-repos,
              : subscription-manager, verify, versionlock
RHBA-2018:3349 bugfix NetworkManager-1:1.12.0-7.el7_6.x86_64
RHBA-2019:0519 bugfix NetworkManager-1:1.12.0-10.el7_6.x86_64
RHBA-2018:3349 bugfix NetworkManager-adsl-1:1.12.0-7.el7_6.x86_64
RHBA-2019:0519 bugfix NetworkManager-adsl-1:1.12.0-10.el7_6.x86_64
RHBA-2018:3349 bugfix NetworkManager-bluetooth-1:1.12.0-7.el7_6.x86_64
RHBA-2019:0519 bugfix NetworkManager-bluetooth-1:1.12.0-10.el7_6.x86_64
RHBA-2018:3349 bugfix NetworkManager-config-server-1:1.12.0-7.el7_6.noarch
RHBA-2019:0519 bugfix NetworkManager-config-server-1:1.12.0-10.el7_6.noarch

To get a summary of advisories, which needs to be installed on your system.

# yum updateinfo summary
Loaded plugins: changelog, package_upload, product-id, search-disabled-repos, subscription-manager, verify, versionlock
rhel-7-server-rpms                                                                                                                            | 2.0 kB  00:00:00
Updates Information Summary: updates
    13 Security notice(s)
         9 Important Security notice(s)
         3 Moderate Security notice(s)
         1 Low Security notice(s)
    35 Bugfix notice(s)
     1 Enhancement notice(s)
updateinfo summary done

To print only specific pattern of security advisories, run the following command. Similarly, you can filter Important or Moderate security advisories info alone.

# yum updateinfo list sec | grep -i "Low"

RHSA-2019:0201 Low/Sec.       libgudev1-219-62.el7_6.3.x86_64
RHSA-2019:0201 Low/Sec.       systemd-219-62.el7_6.3.x86_64
RHSA-2019:0201 Low/Sec.       systemd-libs-219-62.el7_6.3.x86_64
RHSA-2019:0201 Low/Sec.       systemd-sysv-219-62.el7_6.3.x86_64

About Magesh Maruthamuthu

Love to play with all Linux distribution

View all posts by Magesh Maruthamuthu

Leave a Reply

Your email address will not be published. Required fields are marked *