1

The question here is similar, but not identical, to my (broader) question, which is:

TLD;DR version

Are there any tools for CentOS 6 (preferably in the base or EPEL repos) which provide any or all of the following functionality:

  • list packages which need updating for security reasons
  • list packages which (1) need updating and have (2) been in CESAs / RHSAs recently (i.e. within the last two months). (This assumes that important security updates released earlier than that have already been tested, approved, and deployed)
  • list the associated RHSAs or CESAs associated with the above

Why?

The yum-plugin-security package alone and unmodified is not enough.

On CentOS, the yum-security plugin doesn't give complete results. Some installed packages which have had CESA + RHSA updates within the last week are not listed when running yum --security check-update, including updates to the kernel (!). Other packages- e.g. openssh and openssl- are listed.

While I could write a tool with the second two pieces of functionality within about a day or two by spidering the CentOS announce mailing list archives, I'd much rather work with / work on an existing tool rather than reinvent the wheel.

Community
  • 1
Parthian Shot
  • 1,155
  • 3
  • 16
  • 32
  • 2
    EPEL supports this currently. If you're willing to switch to Scientific Linux, SL6 & newer also support `yum-security`. See [Automatically check for Security Updates on CentOS or Scientific Linux?](https://serverfault.com/questions/369833/automatically-check-for-security-updates-on-centos-or-scientific-linux?rq=1) – Stefan Lasiewski Mar 30 '16 at 16:55

1 Answers1

1

RedHat curates its package updates for which ones are security related. There is nothing in the rpm spec that allows a packager to explicitly mark a package update as 'security', so RH has to (paid) work to maintain that. CentOs does not have a reliable equivalent.

Jason Martin
  • 4,865
  • 15
  • 24
  • `There is nothing in the rpm spec that allows a packager to explicitly mark a package update as 'security'` I never said there was. However, it's entirely possible to (for example) spider the CESA mailing list archives and match up package names. And if I spidered the CESA archives from the beginning of time until now, I could make the information as comprehensive as that provided by RH's subscription service. – Parthian Shot Mar 30 '16 at 17:57
  • Oh you probably could, but then you'd probably spend enough time on it making it reliable that you'd want to be paid for the time. OR, if its that easy, implement it and make it freely available and become a very popular CentOS supporter. – Jason Martin Mar 31 '16 at 14:52