Contributed by Steve Bonneville

The yum-security package is a new feature of the Red Hat Enterprise Linux 5.1 update. If installed, the yum module provided by this package can be used to limit yum to retrieve only security-related updates. It can also be used to provide information about which Red Hat advisory, bug in Red Hat’s Bugzilla database, or CVE number from MITRE’s Common Vulnerabilities and Exposures directory is addressed by a package update.

Enabling these features is as simple as running ‘yum install yum-security’.

The first new subcommand this adds is ‘yum list-sec’. This is similar to ‘yum check-update’, except that it also lists Red Hat’s advisory ID number and the classification of each update as “enhancement”, “bugfix”, or “security”:

RHSA-2007:1128-6 security autofs - 1:5.0.1-0.rc2.55.el5.1.i386
RHSA-2007:1078-3 security cairo - 1.2.4-3.el5_1.i386
RHSA-2007:1021-3 security cups - 1:1.2.4-11.14.el5_1.3.i386
RHSA-2007:1021-3 security cups-libs - 1:1.2.4-11.14.el5_1.3.i386

If ‘yum list-sec cves’ is used, the Red Hat advisory ID is replaced with the CVE IDs addressed by the update; if ‘yum list-sec bzs’ is used, the advisory ID is replaced by the Red Hat Bugzilla IDs which are addressed by the update. If a package addresses multiple bugs in Bugzilla or CVE IDs, the package may be listed multiple times:

Example output of ‘yum list-sec bzs’:

410031 security autofs - 1:5.0.1-0.rc2.55.el5.1.i386
387431 security cairo - 1.2.4-3.el5_1.i386
345101 security cups - 1:1.2.4-11.14.el5_1.3.i386
345111 security cups - 1:1.2.4-11.14.el5_1.3.i386
345121 security cups - 1:1.2.4-11.14.el5_1.3.i386
345101 security cups-libs - 1:1.2.4-11.14.el5_1.3.i386
345111 security cups-libs - 1:1.2.4-11.14.el5_1.3.i386
345121 security cups-libs - 1:1.2.4-11.14.el5_1.3.i386

Example output of ‘yum list-sec cves’:

CVE-2007-5964 security autofs - 1:5.0.1-0.rc2.55.el5.1.i386
CVE-2007-5503 security cairo - 1.2.4-3.el5_1.i386
CVE-2007-5393 security cups - 1:1.2.4-11.14.el5_1.3.i386
CVE-2007-5392 security cups - 1:1.2.4-11.14.el5_1.3.i386
CVE-2007-4352 security cups - 1:1.2.4-11.14.el5_1.3.i386
CVE-2007-5393 security cups-libs - 1:1.2.4-11.14.el5_1.3.i386
CVE-2007-5392 security cups-libs - 1:1.2.4-11.14.el5_1.3.i386
CVE-2007-4352 security cups-libs - 1:1.2.4-11.14.el5_1.3.i386

The second new subcommand added by the yum-security package is ‘info-sec’. This subcommand takes an advisory number, CVE, or Bugzilla ID as an argument, and returns detailed information on the advisory, including a brief text discussion of the nature of the issue or issues being addressed by the advisory.

In addition to these two new yum subcommands, new options are provided to the ‘yum update’ command to help apply only security-related updates, or only updates associated with a particular advisory or bug.

To apply all security-related updates only:

yum update --security

To apply all updates related to bugzilla bug 410101:

yum update --bz 410101

To apply all updates related to the CVE ID CVE-2007-5707 and updates related to the Red Hat advisory ID RHSA-2007:1082-5:

yum update --cve CVE-2007-5707 --advisory RHSA-2007:1082-5

More information about these new capabilites is documented in the yum-security(8) man page.

For more information on Red Hat security updates, please visit the security updates page on redhat.com. For more information on CVE, please visit the CVE info page.

The information provided in this article is for your information only. The origin of this information may be internal or external to Red Hat. While Red Hat attempts to verify the validity of this information before it is posted, Red Hat makes no express or implied claims to its validity.

原文链接: http://www.redhatmagazine.com/2008/01/16/tips-and-tricks-yum-security/