Description of problem:
We would like to have a yum plugin that could do these:

  yum update -y --security
  yum update -y --cve X
  yum update -y --bz X

Other possibly useful things:

  yum update -y --advisory RHSA-2007:0099
  yum update -y --advisory 2007:0099

Some way to have yum list give you a list of outstanding CVEs: "show me what CVEs I'm vulnerable to unless I update"

Version-Release number of selected component (if applicable):
yum-3.0.1-5.el5
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux maintenance release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux Update release for currently deployed products. This request is not yet committed for inclusion in an Update release.
Created attachment 152255
yum security plugin python file

This is just the first attempt at the python plugin code. So to install it you need to set up:

  % cat /etc/yum/pluginconf.d/security.conf
  [main]
  enabled=1

  % egrep plugin /etc/yum.conf
  plugins=1

...and then do...

  sudo cp yum-security-plugin.py /usr/lib/yum-plugins/security.py

...I think this is most of what everyone wanted, you can do (using not quite updated FC-6):

  yum --security update
  yum --cve CVE-2007-1667 update
  yum --bz 235374 --bz 234688 update
  yum --advisory FEDORA-2007-420 --advisory FEDORA-2007-346 update

...ditto above with "list updates", "info updates" or check-update. You can also do:

  yum sec-list
  yum sec-list bugzillas / yum sec-list bzs
  yum sec-list cves

...any more features anyone can think of, please reply soonish (no guarantees :).

I'm guessing at this point we'll want to put it in an rpm, and ship it in FC-7/RHEL-5.1? I'll be working on doing that unless someone shouts, also some minimal documentation would be good I guess :).
One minor bug that should probably be fixed in some way for RHEL-5 is that:

  yum --bz 1 update

...displays a zero length transaction to the user, IMO this should be fixed in yum itself ... but I'm open to just whacking it in the plugin itself (although the UI might not be as nice).

Also taking out of modified until we know where it's going, etc.
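The selection behaviour discussed in the two comments above, as an added sketch that is not part of the thread and is not the plugin's code. The advisory records, package names and helper names are constructed for illustration, and treating several filters as a union is an assumption; the empty-match case is reported instead of producing a zero-length transaction.

```python
# Added illustration: constructed data and hypothetical helpers,
# not taken from the yum security plugin.
from dataclasses import dataclass, field


@dataclass
class Advisory:
    advisory_id: str                      # constructed ids, not real advisories
    kind: str                             # "security", "bugfix" or "enhancement"
    cves: set = field(default_factory=set)
    bzs: set = field(default_factory=set)
    packages: set = field(default_factory=set)


SAMPLE = [
    Advisory("EXAMPLE-2007-001", "security", {"CVE-0000-0001"}, {"100001"},
             {"pkg-a-1.0-2"}),
    Advisory("EXAMPLE-2007-002", "bugfix", set(), {"100002"}, {"pkg-b-2.1-1"}),
    Advisory("EXAMPLE-2007-003", "security", {"CVE-0000-0002"},
             {"100003", "100004"}, {"pkg-c-0.9-7", "pkg-a-1.0-2"}),
]


def select_updates(advisories, available, security=False, cves=(), bzs=(), ids=()):
    """Return the available updates named by at least one matching advisory."""
    cves, bzs, ids = set(cves), set(bzs), set(ids)
    if not (security or cves or bzs or ids):
        return set(available)             # no filter given: ordinary update
    wanted = set()
    for adv in advisories:
        # Assumption: filters are OR'ed, so any one match keeps the packages.
        if ((security and adv.kind == "security") or adv.cves & cves
                or adv.bzs & bzs or adv.advisory_id in ids):
            wanted |= adv.packages
    # Only packages that are actually pending updates can be selected.
    return wanted & set(available)


def plan(advisories, available, **filters):
    """Describe the transaction, refusing to present an empty one."""
    selected = select_updates(advisories, available, **filters)
    if not selected:
        return "No packages match the given filters; nothing to do."
    return "Update: " + ", ".join(sorted(selected))


if __name__ == "__main__":
    pending = {"pkg-a-1.0-2", "pkg-b-2.1-1", "pkg-c-0.9-7", "pkg-d-3.0-1"}
    print(plan(SAMPLE, pending, security=True))
    print(plan(SAMPLE, pending, bzs=["1"]))
```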
I've put the code in an rpm, and added a man page. You can get it from my people page here: http://people.redhat.com/jantill/yum-security/
*** Bug 220294 has been marked as a duplicate of this bug. ***
This is going out as part of yum-utils. This new package will require a Release note. man yum-security gives significant info. The summary is that installing the yum-security package extends yum to allow lists and updates to be limited using security-relevant criteria.
% egrep '^.package' yum-utils.spec
%package -n yum-updateonboot
%package -n yum-changelog
%package -n yum-fastestmirror
%package -n yum-fedorakmod
%package -n yum-protectbase
%package -n yum-versionlock
%package -n yum-tsflags
%package -n yum-kernel-module
%package -n yum-downloadonly
%package -n yum-allowdowngrade
%package -n yum-skip-broken
%package -n yum-priorities
%package -n yum-refresh-updatesd
%package -n yum-merge-conf
%package -n yum-security

...plus yum-utils itself:

% rpm -ql yum-utils
/usr/bin/package-cleanup
/usr/bin/repo-graph
/usr/bin/repo-rss
/usr/bin/repoclosure
/usr/bin/repomanage
/usr/bin/repoquery
/usr/bin/reposync
/usr/bin/repotrack
/usr/bin/yum-builddep
/usr/bin/yumdownloader
/usr/share/doc/yum-utils-1.0.3
/usr/share/doc/yum-utils-1.0.3/COPYING
/usr/share/doc/yum-utils-1.0.3/README
/usr/share/man/man1/package-cleanup.1.gz
/usr/share/man/man1/repo-rss.1.gz
/usr/share/man/man1/repoquery.1.gz
/usr/share/man/man1/yum-builddep.1.gz
/usr/share/man/man1/yum-changelog.1.gz
/usr/share/man/man1/yumdownloader.1.gz
The major feature requested is "I want to apply only security updates, so as to minimize risk" and that can now be done by installing the yum-security plugin and doing:

  yum update --security

...I believe Steve also has some govt. std. that would like this behaviour.
Adding to release notes:

<quote>
Users can now limit yum to install security updates only. To do so, simply install the yum-security plugin and run the following command:

  yum update --security
</quote>

Please advise if any revisions are required. Thanks!
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHEA-2007-0607.html