The dnf command has a --security option that targets only packages with security fixes when updating packages, such as with dnf upgrade.
DNF Command Reference — dnf latest documentation
dnf [options] upgrade Updates each package to the latest version that is both available and resolvable.
DNF Command Reference — dnf latest documentation
--security Includes packages that provide a fix for a security issue. Applicable for the upgrade command.
However, this option only works on Red Hat Enterprise Linux, not on CentOS: the CentOS repositories carry no security metadata, so there is nothing for the option to act on.
CentOS errata : bug and security fixes - CentOS
There is no security metadata in the CentOS yum repos which means that running yum --security update does nothing useful. However, just running yum update applies all outstanding patches including those released for security purposes.
So the answer is: just run yum update
yum list-security vs yum yum --security list updates - CentOS
I'm surprised that either of them work - security information is provided by Redhat only and there is no equivalent CentOS feed for it so the yum-security plugin is a no-op on CentOS.
No see packages informations - Page 2 - CentOS
We do not supply security metadata for ANY CentOS version. Not CentOS 8 or 7 or 6 or 5...
Reminder: CentOS automatic security updates DO NOT WORK | AWS Consulting | Casey Labs
Why doesn't it work on CentOS? The updateinfo.xml in the CentOS repositories does not include classifications for security patches. So when you run yum upgrade --security on a CentOS box, CentOS can't find any security-only updates, and hence thinks everything is up to date.
When I actually pass the --security option, dnf reports "No security updates needed" even though an update containing a security fix is pending.
$ sudo dnf check-update --security
Last metadata expiration check: 0:35:24 ago on April 26, 2020 22:25:21.
No security updates needed, but 8 updates available
$ sudo dnf --security upgrade
Last metadata expiration check: 0:35:31 ago on April 26, 2020 22:25:21.
No security updates needed, but 8 updates available
Dependencies resolved.
Nothing to do.
Complete!
In reality, the pending updates may well include packages with security fixes, so on CentOS you have to update without the --security option (in some situations it may be better to update individual packages rather than everything at once; I have not checked this).
$ sudo dnf check-update
Last metadata expiration check: 0:35:46 ago on April 26, 2020 22:25:21.
git.x86_64 2.18.2-2.el8_1 AppStream
git-core.x86_64 2.18.2-2.el8_1 AppStream
git-core-doc.noarch 2.18.2-2.el8_1 AppStream
java-1.8.0-openjdk.x86_64 1:1.8.0.252.b09-2.el8_1 AppStream
java-1.8.0-openjdk-headless.x86_64 1:1.8.0.252.b09-2.el8_1 AppStream
java-11-openjdk.x86_64 1:11.0.7.10-1.el8_1 AppStream
java-11-openjdk-headless.x86_64 1:11.0.7.10-1.el8_1 AppStream
perl-Git.noarch 2.18.2-2.el8_1 AppStream
$ sudo dnf upgrade
Last metadata expiration check: 0:35:56 ago on April 26, 2020 22:25:21.
Dependencies resolved.
========================================================================================================================
 Package                       Arch      Version                        Repository      Size
========================================================================================================================
Upgrading:
 git                           x86_64    2.18.2-2.el8_1                 AppStream      186 k
 git-core                      x86_64    2.18.2-2.el8_1                 AppStream      5.0 M
 git-core-doc                  noarch    2.18.2-2.el8_1                 AppStream      2.3 M
 java-1.8.0-openjdk            x86_64    1:1.8.0.252.b09-2.el8_1        AppStream      320 k
 java-1.8.0-openjdk-headless   x86_64    1:1.8.0.252.b09-2.el8_1        AppStream       33 M
 java-11-openjdk               x86_64    1:11.0.7.10-1.el8_1            AppStream      247 k
 java-11-openjdk-headless      x86_64    1:11.0.7.10-1.el8_1            AppStream       40 M
 perl-Git                      noarch    2.18.2-2.el8_1                 AppStream       77 k

Transaction Summary
========================================================================================================================
Upgrade  8 Packages

Total download size: 81 M
Is this ok [y/N]: y
In this example, java-1.8.0-openjdk 1.8.0.252.b09-2.el8_1 is an update that contains a security fix, yet it is not selected for update even with the --security option.
That this package is a security fix can be confirmed on Red Hat's Security Advisory page.
RHSA-2020:1515 - Security Advisory - Red Hat Customer Portal
Important: java-1.8.0-openjdk security update
java-1.8.0-openjdk-1.8.0.252.b09-2.el8_1.x86_64.rpm
$ cat /etc/centos-release
CentOS Linux release 8.1.1911 (Core)
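The reason --security is a no-op on CentOS is that dnf reads the type="security" attribute of each advisory in the repository's updateinfo.xml, and CentOS ships none. The following added example (not code from the post or from dnf) parses that file and tells you whether the security filter can do anything on a given repository. Both XML samples are constructed for illustration: the first is modelled on the RHSA-2020:1515 entry cited above, the second on what the post describes for CentOS, using a placeholder advisory id.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample in updateinfo.xml format, modelled on the RHSA-2020:1515
# entry cited above; only the fields this check reads are included.
RHEL_STYLE_UPDATEINFO = """<updates>
  <update from="secalert@redhat.com" status="final" type="security" version="1">
    <id>RHSA-2020:1515</id>
    <title>Important: java-1.8.0-openjdk security update</title>
    <severity>Important</severity>
    <pkglist><collection short="rhel-8-appstream">
      <package arch="x86_64" epoch="1" name="java-1.8.0-openjdk"
               version="1.8.0.252.b09" release="2.el8_1"/>
    </collection></pkglist>
  </update>
</updates>"""

# Constructed sample of what the post describes for CentOS: updates exist,
# but none carries the "security" classification (advisory id is a placeholder).
CENTOS_STYLE_UPDATEINFO = """<updates>
  <update from="example" status="final" type="bugfix" version="1">
    <id>EXAMPLE-2020:0001</id>
    <pkglist><collection short="example">
      <package arch="x86_64" epoch="1" name="java-1.8.0-openjdk"
               version="1.8.0.252.b09" release="2.el8_1"/>
    </collection></pkglist>
  </update>
</updates>"""

def summarize_updateinfo(xml_text):
    """Count advisories by type and list the packages each security advisory covers.
    Returns (Counter type -> count, dict advisory id -> [NEVRA, ...])."""
    root = ET.fromstring(xml_text)
    by_type = Counter()
    security_fixes = {}
    for upd in root.iter("update"):
        kind = upd.get("type", "unclassified")   # security / bugfix / enhancement
        by_type[kind] += 1
        if kind == "security":
            nevras = [f"{p.get('name')}-{p.get('epoch', '0')}:{p.get('version')}"
                      f"-{p.get('release')}.{p.get('arch')}" for p in upd.iter("package")]
            security_fixes[upd.findtext("id", default="(no id)")] = nevras
    return by_type, security_fixes

def security_filter_is_usable(xml_text):
    """True only if at least one advisory is typed 'security'. When this is False,
    `dnf --security` reports nothing to do no matter how many updates are pending."""
    by_type, _ = summarize_updateinfo(xml_text)
    return by_type["security"] > 0
```

On a live host the decompressed updateinfo file sits under the repository's cache directory, and `dnf updateinfo summary` prints the same per-type counts from it.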