Jamyy's Weblog

YUM command memo: installing only security-update packages

by Jamyy on September 22, 2016, under Linux

# yum update

Transaction Summary
===============================================================================
Install      15 Package(s)
Upgrade     308 Package(s)

Total download size: 295 M
Is this ok [y/N]:

# yum update-minimal

Transaction Summary
===============================================================================
Install       5 Package(s)
Upgrade       9 Package(s)

Total download size: 27 M
Is this ok [y/N]:

CentOS 5
# yum install yum-security
# yum list-security

FEDORA-EPEL-2016-87e1edcb31 enhancement GeoIP-GeoLite-data-2016.07-1.el5.noarch
FEDORA-EPEL-2016-87e1edcb31 enhancement GeoIP-GeoLite-data-extra-2016.07-1.el5.noarch
FEDORA-EPEL-2015-97f22fb7f6 enhancement cpulimit-1:0.2-1.20151118gitf4d2682.el5.x86_64
FEDORA-EPEL-2015-0837 bugfix   denyhosts-2.6-6.el5.noarch
FEDORA-EPEL-2016-ccce288563 bugfix   lighttpd-1.4.39-3.el5.x86_64
FEDORA-EPEL-2016-ccce288563 bugfix   lighttpd-fastcgi-1.4.39-3.el5.x86_64
FEDORA-EPEL-2015-0903 newpackage tnef-1.4.12-2.el5.x86_64
list-security done

# yum info-security

.
.
.
===============================================================================
  denyhosts-2.6-6.el5
===============================================================================
  Update ID : FEDORA-EPEL-2015-0837
    Release : Fedora EPEL 5
       Type : bugfix
     Status : stable
     Issued : 2015-02-19 09:33:23
       Bugs : 1184037 - denyhosts out of date, does not catch ssh brute force attacks against root
Description : Fix bad patch for CVE-2013-6890.
      Files : denyhosts-2.6-6.el5.noarch.rpm

===============================================================================
  lighttpd-1.4.39-3.el5
===============================================================================
  Update ID : FEDORA-EPEL-2016-ccce288563
    Release : Fedora EPEL 5
       Type : bugfix
     Status : stable
     Issued : 2016-03-17 16:03:06
       Bugs : 1310036 - Wrong Server_root
Description : Restore defaultconf patch.
      Files : lighttpd-mod_geoip-1.4.39-3.el5.i386.rpm
            : lighttpd-mod_mysql_vhost-1.4.39-3.el5.i386.rpm
            : lighttpd-1.4.39-3.el5.i386.rpm
            : lighttpd-fastcgi-1.4.39-3.el5.i386.rpm
            : lighttpd-debuginfo-1.4.39-3.el5.i386.rpm
            : lighttpd-1.4.39-3.el5.x86_64.rpm
            : lighttpd-mod_geoip-1.4.39-3.el5.x86_64.rpm
            : lighttpd-debuginfo-1.4.39-3.el5.x86_64.rpm
            : lighttpd-fastcgi-1.4.39-3.el5.x86_64.rpm
            : lighttpd-mod_mysql_vhost-1.4.39-3.el5.x86_64.rpm

===============================================================================
  tnef-1.4.12-2.el5
===============================================================================
  Update ID : FEDORA-EPEL-2015-0903
    Release : Fedora EPEL 5
       Type : newpackage
     Status : stable
     Issued : 2015-02-21 19:51:23
       Bugs : 1193160 - tnef not in EPEL5
Description : First successful build for EL5. Removes the optional GUI sub-
            : package tnef-dolphin which was needed because EL5
            : was too early for the dolphin file manager.
            : Added new branch for EL7. Same package content as
            : EL6 and Fedora current releases; includes the
            : tnef-dolphin context sensitive extract menu sub-
            : package.    This won't be pushed to stable until
            : the required Karma is received from actual EL5 or
            : EL7 users.
      Files : tnef-nautilus-1.4.12-2.el5.x86_64.rpm
            : tnef-debuginfo-1.4.12-2.el5.x86_64.rpm
            : tnef-1.4.12-2.el5.x86_64.rpm
            : tnef-debuginfo-1.4.12-2.el5.i386.rpm
            : tnef-nautilus-1.4.12-2.el5.i386.rpm
            : tnef-1.4.12-2.el5.i386.rpm
info-security done

# yum update-minimal

Resolving Dependencies
--> Running transaction check
---> Package GeoIP-GeoLite-data-extra.noarch 0:2016.07-1.el5 set to be updated
---> Package lighttpd.x86_64 0:1.4.39-3.el5 set to be updated
---> Package GeoIP-GeoLite-data.noarch 0:2016.07-1.el5 set to be updated
---> Package tnef.x86_64 0:1.4.12-2.el5 set to be updated
---> Package denyhosts.noarch 0:2.6-6.el5 set to be updated
---> Package lighttpd-fastcgi.x86_64 0:1.4.39-3.el5 set to be updated
---> Package cpulimit.x86_64 1:0.2-1.20151118gitf4d2682.el5 set to be updated
--> Finished Dependency Resolution

Dependencies Resolved

=====================================================================================================================================================
 Package                                    Arch                     Version                                            Repository              Size
=====================================================================================================================================================
Updating:
 GeoIP-GeoLite-data                         noarch                   2016.07-1.el5                                      epel                   505 k
 GeoIP-GeoLite-data-extra                   noarch                   2016.07-1.el5                                      epel                    32 M
 cpulimit                                   x86_64                   1:0.2-1.20151118gitf4d2682.el5                     epel                    14 k
 denyhosts                                  noarch                   2.6-6.el5                                          epel                    97 k
 lighttpd                                   x86_64                   1.4.39-3.el5                                       epel                   351 k
 lighttpd-fastcgi                           x86_64                   1.4.39-3.el5                                       epel                    46 k
 tnef                                       x86_64                   1.4.12-2.el5                                       epel                    52 k

Transaction Summary
=====================================================================================================================================================
Install      0 Package(s)         
Update       7 Package(s)         
Remove       0 Package(s)         

Total download size: 33 M
Is this ok [y/N]:



CentOS 6
# yum install yum-security
# yum updateinfo summary

Updates Information Summary: updates
    1 New Package notice(s)
    2 Security notice(s)
    7 Bugfix notice(s)
    3 Enhancement notice(s)
updateinfo summary done

# yum updateinfo list

FEDORA-EPEL-2015-5815       bugfix      GeoIP-1.6.5-1.el6.x86_64
FEDORA-EPEL-2015-7681       enhancement docker-io-1.7.1-2.el6.x86_64
FEDORA-EPEL-2012-13390      bugfix      epel-release-6-8.noarch
FEDORA-EPEL-2015-71a66aaf59 bugfix      fail2ban-0.9.3-1.el6.1.noarch
FEDORA-EPEL-2016-905a05c10e security    lighttpd-1.4.41-1.el6.x86_64
FEDORA-EPEL-2016-905a05c10e security    lighttpd-fastcgi-1.4.41-1.el6.x86_64
FEDORA-EPEL-2016-905a05c10e security    lighttpd-mod_geoip-1.4.41-1.el6.x86_64
FEDORA-EPEL-2016-905a05c10e security    lighttpd-mod_mysql_vhost-1.4.41-1.el6.x86_64
FEDORA-EPEL-2015-95ac9954aa enhancement lua-lxc-1.0.8-1.el6.x86_64
FEDORA-EPEL-2015-95ac9954aa enhancement lxc-1.0.8-1.el6.x86_64
FEDORA-EPEL-2015-95ac9954aa enhancement lxc-libs-1.0.8-1.el6.x86_64
FEDORA-EPEL-2015-5697       enhancement ncdu-1.11-1.el6.x86_64
FEDORA-EPEL-2011-2930       newpackage  perl-Convert-TNEF-0.17-10.el6.noarch
FEDORA-EPEL-2015-1c4ea8c668 bugfix      perl-Mail-IMAPClient-3.37-1.el6.noarch
FEDORA-EPEL-2013-0901       bugfix      perl-Mail-SPF-2.8.0-2.el6.noarch
FEDORA-EPEL-2016-7ebf8bd1b5 bugfix      perl-Net-CIDR-0.18-1.el6.noarch
FEDORA-EPEL-2015-8027       security    php-mcrypt-5.3.3-4.el6.x86_64
FEDORA-EPEL-2015-0905       bugfix      tnef-1.4.12-2.el6.x86_64
FEDORA-EPEL-2015-0905       bugfix      tnef-dolphin-1.4.12-2.el6.x86_64
FEDORA-EPEL-2015-0905       bugfix      tnef-nautilus-1.4.12-2.el6.x86_64
updateinfo list done

# yum updateinfo security

FEDORA-EPEL-2016-905a05c10e security lighttpd-1.4.41-1.el6.x86_64
FEDORA-EPEL-2016-905a05c10e security lighttpd-fastcgi-1.4.41-1.el6.x86_64
FEDORA-EPEL-2016-905a05c10e security lighttpd-mod_geoip-1.4.41-1.el6.x86_64
FEDORA-EPEL-2016-905a05c10e security lighttpd-mod_mysql_vhost-1.4.41-1.el6.x86_64
FEDORA-EPEL-2015-8027       security php-mcrypt-5.3.3-4.el6.x86_64
updateinfo list done

# yum updateinfo info

.
.
.
===============================================================================
  php-extras-5.3.3-4.el6
===============================================================================
  Update ID : FEDORA-EPEL-2015-8027
    Release : Fedora EPEL 6
       Type : security
     Status : stable
     Issued : 2015-10-02 20:54:30
Description : Backport mcrypt upstream security fix from EPEL7

===============================================================================
  tnef-1.4.12-2.el6
===============================================================================
  Update ID : FEDORA-EPEL-2015-0905
    Release : Fedora EPEL 6
       Type : bugfix
     Status : stable
     Issued : 2015-02-23 14:24:40
Description : Update to 1.4.12, a release which resolves an issue in
            : extracting multi-value fields from the tnef
            : archive.
updateinfo info done

Install only the packages flagged as security within the scope of update-minimal
# yum --security update-minimal

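Special note:

This example includes the docker-io package, which is flagged as enhancement. Updating that package kills running containers (docker ps --all shows STATUS: Dead). That is why yum --security update-minimal, which updates only the packages flagged as security (security updates), is used as the example: it shows that you can choose what update-minimal updates. It is also a reminder that updating packages carries risk, and that all running containers should be stopped before docker-io is updated. If a docker-io update has already killed your containers, run service docker stop, delete everything under /var/lib/docker/containers/, then run service docker start and start the containers again.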
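A pre-update check for the situation described above, as an added example that is not part of the original post: it reads `yum updateinfo list` output and separates packages that have a security notice from those that only have bugfix, enhancement or newpackage notices. The function names are hypothetical, and the sample rows are copied from the listing on this page so the script runs offline.

```shell
#!/bin/sh
# Constructed sample: rows copied from the `yum updateinfo list` output on this
# page (columns: advisory ID, type, package). Live use: yum updateinfo list | ...
SAMPLE='FEDORA-EPEL-2015-5815       bugfix      GeoIP-1.6.5-1.el6.x86_64
FEDORA-EPEL-2015-7681       enhancement docker-io-1.7.1-2.el6.x86_64
FEDORA-EPEL-2016-905a05c10e security    lighttpd-1.4.41-1.el6.x86_64
FEDORA-EPEL-2016-905a05c10e security    lighttpd-fastcgi-1.4.41-1.el6.x86_64
FEDORA-EPEL-2015-8027       security    php-mcrypt-5.3.3-4.el6.x86_64
updateinfo list done'

# notices: keep only the 3-column notice rows; the trailer "updateinfo list done"
# also has three fields, so it is dropped explicitly.
notices() { awk 'NF == 3 && $NF != "done"'; }

# count_by_type: print "<type> <count>" for each notice type in the listing.
count_by_type() {
    notices | awk '{ n[$2]++ } END { for (t in n) print t, n[t] }' | LC_ALL=C sort
}

# security_pkgs: packages that have at least one security notice pending.
security_pkgs() { notices | awk '$2 == "security" { print $3 }' | LC_ALL=C sort -u; }

# non_security_pkgs: packages whose pending notices are all non-security.
non_security_pkgs() {
    notices | awk '{ seen[$3] = 1; if ($2 == "security") sec[$3] = 1 }
        END { for (p in seen) if (!(p in sec)) print p }' | LC_ALL=C sort
}

# pending_type NAME: notice type(s) pending for package NAME, empty if none.
# Requires "NAME-<digit>" so that lighttpd does not also match lighttpd-fastcgi.
pending_type() {
    notices | awk -v name="$1" 'index($3, name "-") == 1 &&
        substr($3, length(name) + 2, 1) ~ /[0-9]/ { print $2 }' | LC_ALL=C sort -u
}

echo "Pending notices by type:"
printf '%s\n' "$SAMPLE" | count_by_type
echo "Packages with a security notice:"
printf '%s\n' "$SAMPLE" | security_pkgs
echo "Packages with only non-security notices:"
printf '%s\n' "$SAMPLE" | non_security_pkgs

# The docker-io case from the note above: warn when it is pending as non-security.
t=$(printf '%s\n' "$SAMPLE" | pending_type docker-io)
if [ -n "$t" ] && [ "$t" != "security" ]; then
    echo "docker-io has a pending $t update: stop all containers before updating it"
fi
```
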



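Notes:

  1. You can also run yum list-security and yum info-security on CentOS 6
    yum list-security is equivalent to yum updateinfo list
    yum info-security is equivalent to yum updateinfo info
  2. On CentOS 7 the yum package already includes yum-plugin-security, so the related commands can be used directly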



Ref: Is it possible to limit yum so that it lists or installs only security updates? - Red Hat Customer Portal


