[CentOS] Yum-security

Tue Apr 28 22:03:16 UTC 2009
jacob at aers.ca <jacob at aers.ca>

Since yum-security doesn't seem to work I've created a very rough
version of it on my own. It requires expect and yum-changelog to be
installed on a machine. It makes the assumption that the CVE number will
be in the changelog data for any package with a security patch applied.
I have my own rsync'd copy of the 5.3 repository that it checks against
(I have around 2 dozen machines that need updating when security patches
come out) so I don't do any serious abuse to someone else's repo.

##################################################################
#!/bin/bash

# Get a complete list of packages requiring updates, remove junk lines
# and strip them down to the package.arch name. Loop once for each
# package.
for PKG in $(yum check-update | grep -v '^Loaded plugins' \
             | grep -v '^Loading mirror' | grep -v '\*' | grep -v '^$' \
             | awk '{print $1}'); do

  # Get the changelog delta for this package. XXXxxx is a record separator
  # that isn't likely to exist, allowing awk to process the entire result
  # as one record and return an unknown number of lines. expect answers
  # "N" at the confirmation prompt so nothing is actually installed.
  UPDATE=$(expect -c "set timeout -1; spawn /usr/bin/yum --changelog update $PKG; expect \"Is this ok\"; send \"N\r\"; expect eof" \
           | awk -v RS="XXXxxx" -F"Changes in packages about to be updated:" '{print $2}' \
           | awk -v RS="XXXxxx" -F"Dependencies Resolved" '{print $1}')

  # Check for the existence of "CVE" in the returned changelog; if it
  # exists, echo it to STDOUT.
  if echo "${UPDATE}" | grep -q CVE; then
    echo "#### Changelog deltas for $PKG and its dependencies ####"
    echo "${UPDATE}"
  fi
done

##################################################################

Comments, suggestions? Am I recreating the wheel? If I run it against an
online repo it takes about 15-20 minutes to return and makes entirely too
many calls to yum. Using my own repo it only takes about 3 minutes and
doesn't cost me any extra bandwidth.

--------------------------------------------- 
 
Jacob Bresciani, Systems Administrator
Advanced E-commerce Research Systems Inc.
2307-4464 Markham Street
Victoria, BC
CANADA  V8Z 7X8
+1 250 418 5412 (mobile)
+1 250 483 3271 (FAX)
www.terapeak.com - eBay Marketplace Research
www.aers.ca - Advanced E-commerce Analytics
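As an added illustration (not Jacob's script and not part of the original thread), the same changelog section the script cuts out between "Changes in packages about to be updated:" and "Dependencies Resolved" can be parsed into CVE ids per package instead of a raw grep, which also surfaces packages whose changelog mentions no CVE at all. The per-package entry layout is assumed from yum-changelog's output, and the sample text and CVE ids below are constructed placeholders.

```python
import re
from typing import Dict, List, Set

# Markers the original script uses to delimit the changelog delta.
START_MARKER = "Changes in packages about to be updated:"
END_MARKER = "Dependencies Resolved"

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
# Assumed layout: a bare name-version-release.arch line introduces each
# package's changelog; the entries that follow start with "*" or "-".
PKG_RE = re.compile(r"^\S+\.(?:i386|i686|x86_64|noarch)$")


def cves_by_package(changelog_output: str) -> Dict[str, Set[str]]:
    """Map each package in the delta section to the CVE ids in its changelog.

    Packages without a CVE mention are kept with an empty set, because the
    script's assumption (every security fix names a CVE) does not always hold
    and those packages deserve a manual look rather than silent omission.
    """
    inside = False
    current = None
    result: Dict[str, Set[str]] = {}
    for line in changelog_output.splitlines():
        stripped = line.strip()
        if stripped == START_MARKER:
            inside = True
            continue
        if stripped.startswith(END_MARKER):
            inside = False
            continue
        if not inside:
            continue
        if PKG_RE.match(stripped):
            current = stripped
            result.setdefault(current, set())
            continue
        if current is not None:
            result[current].update(CVE_RE.findall(stripped))
    return result


def security_packages(changelog_output: str) -> List[str]:
    """Packages whose changelog delta names at least one CVE (what the script greps for)."""
    return sorted(pkg for pkg, cves in cves_by_package(changelog_output).items() if cves)


# Constructed sample of yum --changelog output; package names and CVE ids are placeholders.
SAMPLE = """\
Loaded plugins: changelog, fastestmirror
Changes in packages about to be updated:

libfoo-1.2.3-4.el5.x86_64
* Mon Jan 05 2009 Packager <packager@example.com> 1.2.3-4
- fix CVE-0000-0001 (placeholder id)
- fix CVE-0000-0002 (placeholder id)

bar-utils-0.9-2.el5.noarch
* Tue Jan 13 2009 Packager <packager@example.com> 0.9-2
- rebuild for new release

Dependencies Resolved
Is this ok [y/N]:
"""
```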

-----Original Message-----
From: centos-bounces at centos.org [mailto:centos-bounces at centos.org] On
Behalf Of Kwan Lowe
Sent: Tuesday, April 28, 2009 2:45 PM
To: CentOS mailing list
Subject: Re: [CentOS] Yum Update issues

On Tue, Apr 28, 2009 at 5:10 PM, Ron Blizzard <rb4centos at gmail.com>
wrote:
> Has anyone else run into this issue when running yum update?
>
>
> I've already run yum clear all, but the problem came back when I ran
> yum update again. Firefox and xulrunner were also being "held up," but
> I was able to update them by running yum update firefox.
>
> As far as I can see there is no yum-complete-transaction command.
>

yum-complete-transaction is part of yum-utils.

I've seen that error if using third-party repositories or the mirror
isn't fully updated.
_______________________________________________
CentOS mailing list
CentOS at centos.org
http://lists.centos.org/mailman/listinfo/centos