[CentOS] Update only of security vulnerabilities?

Wed Apr 8 14:53:35 UTC 2015
Les Mikesell <lesmikesell at gmail.com>

On Wed, Apr 8, 2015 at 8:54 AM, Rafał Radecki <radecki.rafal at gmail.com> wrote:
> Hi All :)
>
> What is the best way to get a list of available security updates?
> I found several commands for that:
> 1) yum updateinfo list updates -q --security
> 2) yum list-security --security -q
> 3) yum --security check-update -q
> Based on the sample output below I think I can use any of the three with
> some awk to get a list of packages.
>
> yum updateinfo list updates -q --security
> FEDORA-EPEL-2014-0525 security libyaml-0.1.5-1.el6.x86_64
> FEDORA-EPEL-2014-0990 security libyaml-0.1.6-1.el6.x86_64
>
> yum list-security --security -q
> FEDORA-EPEL-2014-0525 security libyaml-0.1.5-1.el6.x86_64
> FEDORA-EPEL-2014-0990 security libyaml-0.1.6-1.el6.x86_64
>
> yum --security check-update -q
> libyaml.x86_64                       0.1.3-4.el6_6
> updates
>
> Then I can add this to nagios or cron to get a notification about available
> security updates.
>
> Do you see any advantages/disadvantages in using one of the three choices?

There are disadvantages to anything short of keeping your system
completely up to date with available updates.

> How do you do this kind of task? What can you propose to get a notification
> about available security updates?

Most/all updates within a minor version number will be to fix
something critical.   And the big batches of updates that come at the
minor version releases are only tested together.   While you can
cherry-pick individual package updates to install and in theory they
should run and pull in any other updates that are really needed via
rpm dependencies, you'll end up running a mix of things that no one
else has tried together.

-- 
   Les Mikesell
     lesmikesell at gmail.com
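As an added example (not part of the thread or of yum itself), here is the awk step Rafał mentions, wrapped so it can be dropped into cron or a Nagios check: it parses lines in the shape of the quoted `yum updateinfo list updates -q --security` output, collapses multiple advisories for the same package to one package name, and maps the count onto Nagios exit codes. The sample input is constructed to match the thread's output; the severity-annotated type column (`Important/Sec.` and similar) that newer yum versions print is also accepted. The CRITICAL threshold of 5 is an arbitrary assumption for the example.

```shell
#!/bin/sh
# Added example: parse "yum updateinfo list updates -q --security" output and
# turn it into a package list plus a Nagios-style status. Not code from the
# thread; the threshold and function names are assumptions for illustration.

# Constructed sample in the same shape as the output quoted in the thread:
#   <advisory id> <type> <package NEVRA>
SAMPLE_UPDATEINFO='FEDORA-EPEL-2014-0525 security libyaml-0.1.5-1.el6.x86_64
FEDORA-EPEL-2014-0990 security libyaml-0.1.6-1.el6.x86_64'

# security_packages: read updateinfo lines on stdin, print the package (third)
# field of every security line once, sorted. The type column is "security"
# in the quoted output; newer yum prints severity forms such as "Important/Sec."
# Anything that is not three fields (headers, warnings) is ignored.
security_packages() {
    awk 'NF == 3 && ($2 == "security" || $2 ~ /\/Sec\.$/) { print $3 }' | sort -u
}

# security_package_names: same as above but reduced to the package name, so
# several advisories against one package count as one package to update.
# The NEVRA "name-version-release.arch" loses its last two dash-separated parts.
security_package_names() {
    security_packages | awk '{ sub(/-[^-]+-[^-]+$/, ""); print }' | sort -u
}

# security_update_count: number of distinct packages with a pending security
# update in the input on stdin.
security_update_count() {
    security_package_names | wc -l | tr -d ' '
}

# nagios_status COUNT [CRIT]: print a one-line status and return the Nagios
# exit code (0 OK, 1 WARNING, 2 CRITICAL). Any pending security update is a
# WARNING; CRIT or more (default 5, an assumed value) is CRITICAL.
nagios_status() {
    count=$1
    crit=${2:-5}
    if [ "$count" -eq 0 ]; then
        echo "OK - no pending security updates"
        return 0
    elif [ "$count" -ge "$crit" ]; then
        echo "CRITICAL - $count packages with pending security updates"
        return 2
    else
        echo "WARNING - $count packages with pending security updates"
        return 1
    fi
}

# Offline demonstration on the constructed sample. On a real host replace the
# printf with:  yum updateinfo list updates -q --security
demo() {
    n=$(printf '%s\n' "$SAMPLE_UPDATEINFO" | security_update_count)
    nagios_status "$n"
}
```

Running `demo` on the sample prints a WARNING for one package (`libyaml`) even though two advisories are listed; piping the live yum output through `security_packages` instead gives the full NEVRA list for a mail notification.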