1.6 Using DNF Security Options

DNF includes integrated options to handle any requirement for managing security and errata updates that are available for packages installed in Oracle Linux 8.

List the errata that are available for your system as follows:

# dnf updateinfo list
...

The output from the command sorts the available errata in order of their IDs, and it also specifies whether each erratum is a security patch (severity/Sec.), a bug fix (bugfix), or a feature enhancement (enhancement). Security patches are listed by their severity: Important, Moderate, or Low.

You can use the --sec-severity option to filter the security errata by severity, for example:

# dnf updateinfo list --sec-severity=Moderate
...

To list the security errata by their Common Vulnerabilities and Exposures (CVE) IDs instead of their errata IDs, specify the keyword cves as an argument:

# dnf updateinfo list cves
...

Similarly, the keywords bugfix, enhancement, and security filter the list for all bug fixes, enhancements, and security errata.

You can use the --cve option to display the errata that correspond to a specified CVE, for example:

# dnf updateinfo list --cve CVE-2020-4000

To display more information, specify info instead of list, for example:

# dnf updateinfo info --cve CVE-2020-4000

To update all of the packages for which security-related errata are available to the latest versions of the packages, even if those packages that include bug fixes or new features but not security errata, use the following command:

# dnf --security update

To update all packages to the latest versions that contain security errata, ignoring any newer packages that do not contain security errata, use the following command:

# dnf --security upgrade-minimal

To update all kernel packages to the latest versions that contain security errata, use the following command:

# dnf --security upgrade-minimal kernel*

To update only those packages that correspond to a CVE or erratum, use the following command:

# dnf update --cve CVE-2020-4000
# dnf update --advisory ELSA-2020-4010
Note

Some updates might require that you reboot the system. By default, the boot manager automatically enables the most recent kernel version.

For more information, see the dnf(8) manual page.