[CentOS] Upgrade security relevant packages

Wed Dec 16 21:43:28 UTC 2015
Johnny Hughes <johnny at centos.org>

On 12/15/2015 06:12 AM, Chris wrote:
> Hello,
> I'm looking for a solution to automatically yum update security relevant
> packages on a couple hundred Centos6/7 servers. The deployment/trigger would
> be Ansible.
> I looked into the "yum-plugin-security" and tested it on a CentOS 6
> installation but always found no security relevant updates (yum
> list-security/yum --security update) where there should be at least a couple
> ones. I read around it and found that this solution is not working for
> CentOS (can you please confirm). What is the best practice to upgrade
> security relevant packages on live systems without service interruption?

I will do the obligatory point out that JUST installing security updates
and NOT also installing all the other updates that the security updates
were built against is NOT supported in either CentOS or RHEL.

For example, look at this errata :


Read the Solution section, where it says:

"Before applying this update, make sure all previously released errata
relevant to your system have been applied."

This does not say all previous security errata or some selected group of
packages .. it says 'all previously released errata'.  That means all
Bugfix, Enhancement, and Security updates that were released before this
errata was released .. and that means run a 'yum update' and install all

If you are picking only security updates and all not all updates, then
that is not a tested secure solution.

The only supported and tested solution is all updates.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: OpenPGP digital signature
URL: <http://lists.centos.org/pipermail/centos/attachments/20151216/8c97cc0c/attachment-0005.sig>