[CentOS] Update only of security vulnerabilities?

Wed Apr 8 15:53:43 UTC 2015
Leon Fauster <leonfauster at googlemail.com>

On 08.04.2015 at 16:53, Les Mikesell <lesmikesell at gmail.com> wrote:
> On Wed, Apr 8, 2015 at 8:54 AM, Rafał Radecki <radecki.rafal at gmail.com> wrote:
>> Hi All :)
>> 
>> What is the best way to get a list of available security updates?
>> I found several commands for that:
>> 1) yum updateinfo list updates -q --security
>> 2) yum list-security --security -q
>> 3) yum --security check-update -q
>> Based on the sample output below I think I can use any of the three with
>> some awk to get a list of packages.
>> 
>> yum updateinfo list updates -q --security
>> FEDORA-EPEL-2014-0525 security libyaml-0.1.5-1.el6.x86_64
>> FEDORA-EPEL-2014-0990 security libyaml-0.1.6-1.el6.x86_64
>> 
>> yum list-security --security -q
>> FEDORA-EPEL-2014-0525 security libyaml-0.1.5-1.el6.x86_64
>> FEDORA-EPEL-2014-0990 security libyaml-0.1.6-1.el6.x86_64
>> 
>> yum --security check-update -q
>> libyaml.x86_64                       0.1.3-4.el6_6
>> updates
>> 
>> Then I can add this to nagios or cron to get a notification about available
>> security updates.
>> 
>> Do you see any advantages/disadvantages in using one of the three choices?
> 
> There are disadvantages to anything short of keeping your system
> completely up to date with available updates.
> 
>> How do you do this kind of task? What can you propose to get a notification
>> about available security updates?
> 
> Most/all updates within a minor version number will be to fix
> something critical.   And the big batches of updates that come at the
> minor version releases are only tested together.   While you can
> cherry-pick individual package updates to install and in theory they
> should run and pull in any other updates that are really needed via
> rpm dependencies, you'll end up running a mix of things that no one
> else has tried together.
as stated by the advisories:

"Before applying this update, make sure all previously released 
errata relevant to your system have been applied." 

the OP maybe wants to be triggered only when the class of an
update was rated as "important"?

the packages 

el5: yum-downloadonly-1.1.16-21.el5.centos

el6: yum-plugin-downloadonly-1.1.30-30.el6.noarch

can help you to get notified in general. The "security" option
is broken, if I remember correctly; the meta information needed
is not provided by the repositories ...


--
LF
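As an added example (not code from the thread or from yum itself), here is a small POSIX shell script that does the awk step the OP describes: it reduces the three-column "yum updateinfo list updates -q --security" output shown above to a package list and maps the result to a Nagios exit code. It assumes that output format, and the documented exit status of "yum check-update" (100 when any update is pending, 0 when none), which it uses to tell "nothing to patch" apart from "no updateinfo metadata in the repository", the situation Leon describes.

```sh
#!/bin/sh
# Constructed input: the OP's sample rows plus one non-security row to
# exercise the filter. Not live yum output.
SAMPLE='FEDORA-EPEL-2014-0525 security libyaml-0.1.5-1.el6.x86_64
FEDORA-EPEL-2014-0990 security libyaml-0.1.6-1.el6.x86_64
FEDORA-EPEL-2014-0815 bugfix   ntp-4.2.6p5-3.el6.x86_64'

# Read updateinfo rows on stdin (advisory, type, NEVRA). Keep only the
# "security" rows, strip "-version-release.arch" from the NEVRA, and
# print each package name once.
security_pkgs() {
    awk '$2 == "security" { print $3 }' \
      | sed -E 's/-[^-]+-[^-]+\.[^.]+$//' | sort -u
}

# Map (number of security packages, exit code of "yum check-update") to
# a Nagios state: 0 OK, 1 WARNING, 2 CRITICAL, 3 UNKNOWN.
# An empty --security list together with check-update exit 100 means
# updates exist but the repository ships no updateinfo metadata, so the
# security filter is blind; report WARNING rather than a misleading OK.
nagios_state() {
    n="$1"; chk="$2"
    if [ "$n" -gt 0 ]; then return 2; fi
    case "$chk" in
        0)   return 0 ;;
        100) return 1 ;;
        *)   return 3 ;;
    esac
}

# check_security_updates <updateinfo text> <check-update exit code>
# Prints pending security package names, returns the Nagios state.
check_security_updates() {
    pkgs=$(printf '%s\n' "$1" | security_pkgs)
    count=$(printf '%s' "$pkgs" | awk 'END { print NR }')
    [ -n "$pkgs" ] && printf '%s\n' "$pkgs"
    nagios_state "$count" "$2"
}

# Live use from cron or a Nagios plugin wrapper (not executed here):
#   check_security_updates "$(yum updateinfo list updates -q --security)" \
#       "$(yum -q check-update >/dev/null 2>&1; echo $?)"
```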