Limiting Yum To Security Only Updates

Enterprises are often looking for a method of applying security-only updates to systems, as there may be requirements to pin the overall machine to a particular version of an application whilst keeping the rest of the machine secure. Until now there has not really been an appropriate answer to this question. A package named yum-security has been around in Fedora for a while, but it seems to have quietly slipped into the RHEL tree as part of the packages made available in Red Hat Enterprise Linux 5 Update 1. It adds the very functionality that a lot of companies have desired for some time. So what does it do?

What Is yum-security

The yum-security package is a plugin to the standard yum program shipped in Fedora and RHEL 5. Its specific aim is to give system administrators the ability to pull down only security-related patches and apply them to the machine. It also has the ability to provide information on packages with regard to which Red Hat Advisory ID, Bugzilla ID or Common Vulnerabilities and Exposures (CVE) identifier they apply to.

This is immensely handy, as you may often find the bug or security issue you want to rectify listed only as a Bugzilla ID or a CVE number, and it can take a bit of searching to find the appropriate package to update. The yum-security plugin allows the package requiring the update to be located easily and installed with its dependencies fulfilled.

Within Red Hat, package updates for RHEL and Fedora are given one of three labels:

  • Enhancement – Generally implies a newer release of the software or other changes to it that are not viewed as system-impacting bugs or security issues.
  • Bugfix – Package contains code fixes for system-impacting bugs. Could be a newer version of the software, applied patches or even a backported patch.
  • Security – Package contains a code fix for a potentially exploitable bug (either local or remote). A package of this kind will almost always map to a CVE and, like the bugfix type, could imply a newer version of the software, an appropriate patch or even a backported patch.

The list above is in order of importance from lowest to highest. In a lot of stable enterprise environments system administrators may only want to apply packages labelled security, in order to preserve the security of the machine without introducing unexpected changes onto the system before they have been tested on development. As such they will generally want to skip enhancement and bugfix updates until those have been tested. The yum-security plugin allows this.

Installing yum-security

This is as easy as you would expect. Simply run:

yum install yum-security

The plugin will be installed and is ready for immediate use.

Gathering Information With yum-security

The first major use of the yum-security plugin is to list available updates in terms of which Red Hat Advisory ID they match, what label they have been given and the specific package that will be updated. To do this you pass the list-sec parameter to yum. Below is the output from a test RHEL 5 machine:

[root@test ~]# yum list-sec
Loading "security" plugin
Loading "installonlyn" plugin
Loading "rhnplugin" plugin
Setting up repositories
rhel-i386-server-5 100% |=========================| 1.4 kB 00:00
Reading repository metadata in from local files
RHBA-2008:0099-2 bugfix autofs - 1:5.0.1-0.rc2.55.el5.3.i386
RHSA-2008:0157-5 security cups - 1:1.2.4-11.14.el5_1.4.i386
RHSA-2008:0157-5 security cups-libs - 1:1.2.4-11.14.el5_1.4.i386
RHBA-2008:0050-4 bugfix device-mapper-multipath - 0.4.7-12.el5_1.2.i386
RHSA-2008:0003-5 security e2fsprogs - 1.39-10.el5_1.1.i386
RHSA-2008:0003-5 security e2fsprogs-libs - 1.39-10.el5_1.1.i386

But what if you want to see which Bugzilla IDs they match? That's simple enough by adding the bzs option:

[root@test ~]# yum list-sec bzs
Loading "security" plugin
Loading "installonlyn" plugin
Loading "rhnplugin" plugin
Setting up repositories
rhel-i386-server-5 100% |=========================| 1.4 kB 00:00
Reading repository metadata in from local files
429163 bugfix autofs - 1:5.0.1-0.rc2.55.el5.3.i386
433758 security cups - 1:1.2.4-11.14.el5_1.4.i386
433758 security cups-libs - 1:1.2.4-11.14.el5_1.4.i386
426287 bugfix device-mapper-multipath - 0.4.7-12.el5_1.2.i386
428338 bugfix device-mapper-multipath - 0.4.7-12.el5_1.2.i386
403441 security e2fsprogs - 1.39-10.el5_1.1.i386
403441 security e2fsprogs-libs - 1.39-10.el5_1.1.i386

Note how, if an update matches more than one Bugzilla ID, a separate line is listed for each one.

It is also possible to list packages and the CVEs they apply to by using the cves option:

[root@test ~]# yum list-sec cves
Loading "security" plugin
Loading "installonlyn" plugin
Loading "rhnplugin" plugin
Setting up repositories
rhel-i386-server-5 100% |=========================| 1.4 kB 00:00
Reading repository metadata in from local files
CVE-2008-0882 security cups - 1:1.2.4-11.14.el5_1.4.i386
CVE-2008-0882 security cups-libs - 1:1.2.4-11.14.el5_1.4.i386
CVE-2007-5497 security e2fsprogs - 1.39-10.el5_1.1.i386
CVE-2007-5497 security e2fsprogs-libs - 1.39-10.el5_1.1.i386

Note how it only lists those packages with relevant CVEs, and how they are all labelled security.

But what if you want some really verbose information on the updates? By using the info-sec parameter you get not only the Red Hat Advisory ID, Bugzilla ID and CVE reference but also a more verbose description of the issue(s) resolved in the update. For example:

[root@test ~]# yum info-sec
Loading "security" plugin
Loading "installonlyn" plugin
Loading "rhnplugin" plugin
Setting up repositories
Reading repository metadata in from local files
autofs - 1:5.0.1-0.rc2.55.el5.3.i386
ID RHBA-2008:0099-2
Type bugfix
Issued 2008-02-01 00:00:00
References
BZ 429163 - http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=429163
Description
autofs bug fix update The autofs utility controls the operation of
the automount daemon. The automount daemon automatically mounts file
systems when you use them, and unmounts them when they are not busy.
This updated autofs package fixes a bug where reloading autofs maps, by
sending a HUP signal to the daemon or using "service autofs reload",
incorrectly removes all direct mount map entries from the internal map
entry cache. This causes the direct mount map entries to no longer
function until autofs is restarted. With this fix, autofs no longer
removes all direct mount map entries from the internal map entry cache.
Users are advised to upgrade to this updated autofs package, which
resolves this issue.

cups - 1:1.2.4-11.14.el5_1.4.i386
ID RHSA-2008:0157-5
Type security
Issued 2008-02-21 00:00:00
References
CVE CVE-2008-0882
BZ 433758 - http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=433758
Description
Important: cups security update The Common UNIX Printing System
(CUPS) provides a portable printing layer for UNIX(R) operating
systems. The Internet Printing Protocol (IPP) is a standard network
protocol for remote printing, as well as managing print jobs. A flaw
was found in the way CUPS handles the addition and removal of remote
shared printers via IPP. A remote attacker could send malicious UDP IPP
packets causing the CUPS daemon to crash. (CVE-2008-0882) Note: the
default configuration of CUPS on Red Hat Enterprise Linux 5 will only
accept requests of this type from the local subnet. This issue did not
affect the versions of CUPS as shipped with Red Hat Enterprise Linux 3
or 4. All cups users are advised to upgrade to these updated packages,
which contain a backported patch to resolve this issue.

I have cut the above output short, but it does show an entry for each item in the update list.

Applying Updates With yum-security

So now that you have a good idea of what updates are available for your system, what they resolve and the possible impact of not applying those patches, you can move on to updating the specific packages that you want to. There are a number of ways to achieve this with the yum-security plugin.

The first of these is to simply instruct yum to apply all updates labeled as security fixes and their dependencies. This is achieved by running:

yum update --security

However, you may wish to narrow the field a little by only updating those packages that have been labeled as a fix for a specific Red Hat Advisory ID, Bugzilla ID or CVE reference. Each is possible by using the --advisory, --bz and --cve options respectively. Using the above examples we could do any of the following to update the cups package:

yum update --advisory RHSA-2008:0157-5

yum update --bz 433758

yum update --cve CVE-2008-0882
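To turn the list-sec and update steps above into a repeatable check, here is an added example (not part of the original post or of the yum-security plugin) that parses list-sec style output, reports only the security-labelled entries and produces the distinct advisory IDs you would hand to yum update --advisory. The sample output is constructed from the test machine's listing shown earlier; on a real host you would feed it the output of yum list-sec instead.

```shell
#!/bin/sh
# Added example: report pending security-labelled updates from "yum list-sec"
# output so a cron job or monitoring check can flag hosts with unapplied
# security errata. Constructed sample, copied from the listing above; on a
# real host use:  SAMPLE_LIST_SEC=$(yum list-sec 2>/dev/null)
SAMPLE_LIST_SEC='Loading "security" plugin
Loading "installonlyn" plugin
Loading "rhnplugin" plugin
Setting up repositories
rhel-i386-server-5 100% |=========================| 1.4 kB 00:00
Reading repository metadata in from local files
RHBA-2008:0099-2 bugfix autofs - 1:5.0.1-0.rc2.55.el5.3.i386
RHSA-2008:0157-5 security cups - 1:1.2.4-11.14.el5_1.4.i386
RHSA-2008:0157-5 security cups-libs - 1:1.2.4-11.14.el5_1.4.i386
RHBA-2008:0050-4 bugfix device-mapper-multipath - 0.4.7-12.el5_1.2.i386
RHSA-2008:0003-5 security e2fsprogs - 1.39-10.el5_1.1.i386
RHSA-2008:0003-5 security e2fsprogs-libs - 1.39-10.el5_1.1.i386'

# Print "<advisory> <package>" for each line labelled security.
# Entry lines look like: <RHxA-id> <enhancement|bugfix|security> <pkg> - <evr>
security_updates() {
    printf '%s\n' "$1" | awk '$1 ~ /^RH[BES]A-/ && $2 == "security" { print $1, $3 }'
}

# Distinct advisory IDs (one RHSA may cover several packages); these are the
# arguments for "yum update --advisory <id>".
security_advisories() {
    security_updates "$1" | awk '{ print $1 }' | sort -u
}

count_security_updates() {
    security_updates "$1" | wc -l | tr -d ' '
}

# Returns 1 when security updates are pending, so the exit status can drive a
# cron mail or a monitoring probe; 0 when the host is clean.
check_host() {
    n=$(count_security_updates "$1")
    if [ "$n" -gt 0 ]; then
        echo "WARNING: $n security-labelled package update(s) pending:"
        security_updates "$1"
        echo "Advisories to apply:" $(security_advisories "$1")
        return 1
    fi
    echo "OK: no pending security updates"
}

check_host "$SAMPLE_LIST_SEC" || echo "(exit status $? would flag this host)"
```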

As you can see, this is a very handy tool for the average systems administrator, and I am personally very happy that this plugin is now part of the RHEL tree.
