1.6 Using the Yum Security Plugin

The security plugin is integrated with yum in Oracle Linux 7 and allows you to obtain a list of all of the errata that are available for your system, including security updates. You can also use Oracle Enterprise Manager 12c Cloud Control or management tools such as Katello, Pulp, Red Hat Satellite, Spacewalk, and SUSE Manager to extract and display information about errata.

To list the errata that are available for your system, enter:

# yum updateinfo list
ELBA-2018-2000 bugfix         NetworkManager-1:1.10.2-16.el7_5.x86_64
ELBA-2018-2000 bugfix         NetworkManager-adsl-1:1.10.2-16.el7_5.x86_64
ELBA-2018-2000 bugfix         NetworkManager-config-server-1:1.10.2-16.el7_5.noarch
ELBA-2018-2000 bugfix         NetworkManager-glib-1:1.10.2-16.el7_5.x86_64
ELBA-2018-2000 bugfix         NetworkManager-libnm-1:1.10.2-16.el7_5.x86_64
ELBA-2018-2000 bugfix         NetworkManager-ppp-1:1.10.2-16.el7_5.x86_64
ELBA-2018-2000 bugfix         NetworkManager-team-1:1.10.2-16.el7_5.x86_64
ELBA-2018-2000 bugfix         NetworkManager-tui-1:1.10.2-16.el7_5.x86_64
ELBA-2018-2000 bugfix         NetworkManager-wifi-1:1.10.2-16.el7_5.x86_64
ELBA-2018-1994 bugfix         binutils-2.27-28.base.el7_5.1.x86_64
ELBA-2018-1980 bugfix         control-center-1:3.26.2-9.el7_5.x86_64
ELBA-2018-1980 bugfix         control-center-filesystem-1:3.26.2-9.el7_5.x86_64
ELBA-2018-4142 bugfix         dracut-033-535.0.2.el7.x86_64
ELBA-2018-4142 bugfix         dracut-config-rescue-033-535.0.2.el7.x86_64
ELBA-2018-4142 bugfix         dracut-network-033-535.0.2.el7.x86_64
ELEA-2018-0838 enhancement    filesystem-3.2-25.el7.x86_64
ELSA-2018-2113 Critical/Sec.  firefox-60.1.0-4.0.1.el7_5.x86_64
...

The output from the command sorts the available errata in order of their IDs, and it also specifies whether each erratum is a security patch (severity/Sec.), a bug fix (bugfix), or a feature enhancement (enhancement). Security patches are listed by their severity: Important, Moderate, or Low.

You can use the --sec-severity option to filter the security errata by severity, for example:

# yum updateinfo list --sec-severity=Moderate
ELSA-2018-1852 Moderate/Sec. kernel-3.10.0-862.3.3.el7.x86_64
ELSA-2018-1852 Moderate/Sec. kernel-devel-3.10.0-862.3.3.el7.x86_64
ELSA-2018-1852 Moderate/Sec. kernel-headers-3.10.0-862.3.3.el7.x86_64
ELSA-2018-1852 Moderate/Sec. kernel-tools-3.10.0-862.3.3.el7.x86_64
ELSA-2018-1852 Moderate/Sec. kernel-tools-libs-3.10.0-862.3.3.el7.x86_64
ELSA-2018-2123 Moderate/Sec. python-2.7.5-69.0.1.el7_5.x86_64
ELSA-2018-2123 Moderate/Sec. python-libs-2.7.5-69.0.1.el7_5.x86_64
ELSA-2018-1852 Moderate/Sec. python-perf-3.10.0-862.3.3.el7.x86_64
...

To list the security errata by their Common Vulnerabilities and Exposures (CVE) IDs instead of their errata IDs, specify the keyword cves as an argument:

# yum updateinfo list cves
 CVE-2017-7762    Critical/Sec.  firefox-60.1.0-4.0.1.el7_5.x86_64
 CVE-2018-12359   Critical/Sec.  firefox-60.1.0-4.0.1.el7_5.x86_64
 CVE-2018-12363   Critical/Sec.  firefox-60.1.0-4.0.1.el7_5.x86_64
 CVE-2018-12364   Critical/Sec.  firefox-60.1.0-4.0.1.el7_5.x86_64
 CVE-2018-12366   Critical/Sec.  firefox-60.1.0-4.0.1.el7_5.x86_64
 CVE-2018-5156    Critical/Sec.  firefox-60.1.0-4.0.1.el7_5.x86_64
 CVE-2018-5188    Critical/Sec.  firefox-60.1.0-4.0.1.el7_5.x86_64
 CVE-2018-6126    Critical/Sec.  firefox-60.1.0-4.0.1.el7_5.x86_64
 CVE-2018-12360   Critical/Sec.  firefox-60.1.0-4.0.1.el7_5.x86_64
 CVE-2018-12362   Critical/Sec.  firefox-60.1.0-4.0.1.el7_5.x86_64
 CVE-2018-12365   Critical/Sec.  firefox-60.1.0-4.0.1.el7_5.x86_64
 CVE-2018-12020   Important/Sec. gnupg2-2.0.22-5.el7_5.x86_64
 CVE-2018-3665    Moderate/Sec.  kernel-3.10.0-862.3.3.el7.x86_64
 CVE-2018-3639    Important/Sec. kernel-3.10.0-862.6.3.el7.x86_64
 CVE-2017-11600   Important/Sec. kernel-3.10.0-862.6.3.el7.x86_64
...

Similarly, the keywords bugfix, enhancement, and security filter the list for all bug fixes, enhancements, and security errata.

You can use the --cve option to display the errata that correspond to a specified CVE, for example:

# yum updateinfo list --cve CVE-2018-3665
ELSA-2018-1852 Moderate/Sec.  kernel-3.10.0-862.3.3.el7.x86_64
ELSA-2018-1852 Moderate/Sec.  kernel-devel-3.10.0-862.3.3.el7.x86_64
ELSA-2018-1852 Moderate/Sec.  kernel-headers-3.10.0-862.3.3.el7.x86_64
ELSA-2018-1852 Moderate/Sec.  kernel-tools-3.10.0-862.3.3.el7.x86_64
ELSA-2018-1852 Moderate/Sec.  kernel-tools-libs-3.10.0-862.3.3.el7.x86_64
ELSA-2018-4144 Important/Sec. kernel-uek-firmware-4.1.12-124.16.4.el7uek.noarch
ELSA-2018-1852 Moderate/Sec.  python-perf-3.10.0-862.3.3.el7.x86_64
updateinfo list done

To display more information, specify info instead of list, for example:

# yum updateinfo info --cve CVE-2018-3665
===============================================================================
   kernel security update
===============================================================================
  Update ID : ELSA-2018-1852
    Release : Oracle Linux 7
       Type : security
     Status : final
     Issued : 2018-06-14
       CVEs : CVE-2018-3665
Description : [3.10.0-862.3.3.OL7]
            : - Oracle Linux certificates (Alexey Petrenko)
            : - Oracle Linux RHCK Module Signing Key was
            :   compiled into kernel
            :   (olkmod_signing_key.x509)(alexey.petrenko@oracle.com)
            : - Update x509.genkey [bug 24817676]
            : 
            : [3.10.0-862.3.3]
            : - [x86] always enable eager FPU by default on
            :   non-AMD processors (Paolo Bonzini) [1589051
            :   1589048] {CVE-2018-3665}
   Severity : Moderate

===============================================================================
  Unbreakable Enterprise kernel security update
===============================================================================
  Update ID : ELSA-2018-4144
    Release : Oracle Linux 7
       Type : security
     Status : final
     Issued : 2018-06-15
       CVEs : CVE-2018-3665
Description : [4.1.12-124.16.4]
            : - x86/fpu: Make eager FPU default (Mihai Carabas)
            :   [Orabug: 28135099]  {CVE-2018-3665}
   Severity : Important
updateinfo info done

To update all packages for which security-related errata are available to the latest versions of the packages, even if those packages include bug fixes or new features but not security errata, enter:

# yum --security update

To update all packages to the latest versions that contain security errata, ignoring any newer packages that do not contain security errata, enter:

# yum --security update-minimal

To update all kernel packages to the latest versions that contain security errata, enter:

# yum --security update-minimal kernel*

You can also update only those packages that correspond to a CVE or erratum, for example:

# yum update --cve CVE-2018-3665

# yum update --advisory ELSA-2018-4144
Note

Some updates might require you to reboot the system. By default, the boot manager will automatically enable the most recent kernel version.

For more information, see the yum-security(8) manual page.