Old 09-11-2012, 01:33 PM   #1
lce411
Member
 
Registered: Jul 2012
Posts: 50

Rep: Reputation: Disabled
How to verify yum repo is updated


Can someone please tell me how to verify that yum repos are getting updated lists? The results of running 'yum update' keep getting shorter and shorter, with some servers not getting pinged for any updates at all. Out of 20 RHEL servers, only 6 came back as needing updates installed (checked monthly).
 
Old 09-11-2012, 02:22 PM   #2
MensaWater
LQ Guru
 
Registered: May 2005
Location: Atlanta Georgia USA
Distribution: Redhat (RHEL), CentOS, Fedora, Debian, FreeBSD, HP-UX, Solaris, SCO
Posts: 6,679
Blog Entries: 14

Rep: Reputation: 1021
The repositories have many, many packages, but what YOU get in "yum update" are only those packages that are relevant for what you have installed before the update. That is to say, if you do not have, for example, BIND installed, then a yum update won't install any BIND updates even if there are a dozen of them, and you really don't want it to do so.

Last edited by MensaWater; 09-11-2012 at 02:24 PM.
 
Old 09-11-2012, 02:28 PM   #3
lce411
Member
 
Registered: Jul 2012
Posts: 50

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by MensaWater
The repositories have many many packages but what YOU get in "yum update" are only those packages that are relevant for what you have installed before the update. That is to say if you do not have BIND installed then a yum update won't install any BIND updates even if there are a dozen of them and you really don't want it to do so.
That makes sense. So when you run 'yum update', does it check a local list on the machine, or does it reach out to the repos on the Internet, where it would download them from? We got a security warning the other day from our Customer about needing to upgrade httpd to 4.4. When I checked we only had 2.2 installed and running 'yum update' returned a 'No Packages marked for update'. That made me wonder if other packages were not being updated and prompted this post. Your point above makes sense, but apparently 'yum update' isn't updating everything, because httpd was already installed but not marked for update.
 
Old 09-11-2012, 02:42 PM   #4
dt64
Member
 
Registered: Sep 2012
Distribution: RHEL5/6, CentOS5/6
Posts: 216

Rep: Reputation: 38
Quote:
Originally Posted by lce411
We got a security warning the other day from our Customer about needing to upgrade httpd to 4.4. When I checked we only had 2.2 installed and running 'yum update' returned a 'No Packages marked for update'. That made me wonder if other packages were not being updated and prompted this post. Your point above makes sense, but apparently 'yum update' isn't updating everything, because httpd was already installed but not marked for update.
Have you checked online if your distribution and installed repositories actually provide httpd 4.4? Some of them do not necessarily have all the fancy new versions included but focus on stability. If your installation features httpd2.2 it might well be the case there was no need to fix a bug in httpd4.4.
I don't know about this httpd4.4 case, but I remember there were some security advisories out there a while ago about cups, but e.g. RHEL just did not provide fixes/patches for these issues. In such a case you have two options: Stay with what's provided by your distro and trust the distro maintainer, or install the patched/fixed version from another repo or compile it yourself. It always depends on how critical your application is and where your focus is.
 
Old 09-11-2012, 02:56 PM   #5
MensaWater
LQ Guru
 
Registered: May 2005
Location: Atlanta Georgia USA
Distribution: Redhat (RHEL), CentOS, Fedora, Debian, FreeBSD, HP-UX, Solaris, SCO
Posts: 6,679
Blog Entries: 14

Rep: Reputation: 1021
The way RedHat does it is to use a certain base package (e.g. httpd 2.2) then to modify that base with bug and security fixes and put their own versioning on the result. Often these bug and security fixes are backported from higher base versions.

For example:

httpd-2.2.3-22.el5_3.2

Is based on upstream version 2.2.3 of httpd. RedHat then has modified this for RHEL5 (as noted by the el5) and everything after the 2.2.3- relates to RedHat's version. You could then check your version at RedHat's site to see exactly what bug and security fixes they may have incorporated into it. It may in fact have backported security fixes from httpd-4.x in it (but only if they're relevant to the 2.2.3 base).

Generally speaking scanning tools do NOT pay attention to RedHat's extended versioning so will often falsely report you are vulnerable even though you have the latest security and bug fixes. Usually it is best to simply modify things like httpd and php that get scanned so they do NOT report a version at all. It saves you much grief in the long run as you don't have to keep explaining that you ARE patched correctly.
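
The version split described in post #5 and the changelog lookup that goes with it, as an added example that is not part of the thread. The function names are hypothetical, and the changelog text and CVE ids are constructed placeholders standing in for real `rpm -q --changelog httpd` output.

```shell
#!/bin/sh
# Added example: the upstream base version and the Red Hat release are separate
# fields, and a backported fix is looked up in the package changelog rather
# than inferred from the base version.

# split_nvr NAME-VERSION-RELEASE -> prints "name version release".
# Release is the text after the last '-', version the field before it;
# the package name itself may contain '-'.
split_nvr() (
    nvr=$1
    release=${nvr##*-}      # 22.el5_3.2 (Red Hat build and dist tag)
    rest=${nvr%-*}          # httpd-2.2.3
    version=${rest##*-}     # 2.2.3 (upstream base)
    name=${rest%-*}         # httpd
    printf '%s %s %s\n' "$name" "$version" "$release"
)

# changelog_has_fix CVE_ID: reads changelog text on stdin and succeeds only
# if the id appears as a whole word.
changelog_has_fix() {
    grep -q -w -F -e "$1"
}

# Constructed changelog in the layout `rpm -q --changelog` prints.
sample_changelog() {
    cat <<'EOF'
* Mon Jan 01 2001 Example Packager <packager@example.com> - 2.2.3-22.el5_3.2
- add security fix for CVE-0000-0001 (constructed entry)

* Mon Jan 01 2001 Example Packager <packager@example.com> - 2.2.3-22.el5
- rebuild (constructed entry)
EOF
}

# report NVR CVE_ID: one line that answers a scanner finding.
report() (
    read -r name version release <<EOF
$(split_nvr "$1")
EOF
    if sample_changelog | changelog_has_fix "$2"; then state="fix listed"
    else state="fix not listed"; fi
    printf '%s: base %s, release %s, %s %s\n' "$name" "$version" "$release" "$2" "$state"
)

report httpd-2.2.3-22.el5_3.2 CVE-0000-0001
report httpd-2.2.3-22.el5_3.2 CVE-0000-0002
# On a real host, pipe the installed package's changelog in instead:
#   rpm -q --changelog httpd | changelog_has_fix <CVE id from the scan report>
# and refresh repo metadata before trusting "No Packages marked for update":
#   yum clean metadata && yum check-update
```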
 
Old 09-11-2012, 02:59 PM   #6
MensaWater
LQ Guru
 
Registered: May 2005
Location: Atlanta Georgia USA
Distribution: Redhat (RHEL), CentOS, Fedora, Debian, FreeBSD, HP-UX, Solaris, SCO
Posts: 6,679
Blog Entries: 14

Rep: Reputation: 1021
Quote:
Originally Posted by dt64
Have you checked online if your distribution and installed repositories actually provide httpd 4.4? Some of them do not necessarily have all the fancy new versions included but focus on stability. If your installation features httpd2.2 it might well be the case there was no need to fix a bug in httpd4.4.
The RHEL5 repositories won't have httpd 4.4 for the reasons noted in the post above. However, this does not mean a vulnerable version of httpd is being run, again for the reasons noted above.
 
Old 09-11-2012, 06:55 PM   #7
chrism01
LQ Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.8, Centos 5.10
Posts: 17,258

Rep: Reputation: 2328
I'd also query 'httpd 4.4'; exactly which httpd server is this supposed to be?
The default one on RHEL is Apache and they're only up to 2.4.3 https://httpd.apache.org/
 
Old 09-12-2012, 09:18 AM   #8
MensaWater
LQ Guru
 
Registered: May 2005
Location: Atlanta Georgia USA
Distribution: Redhat (RHEL), CentOS, Fedora, Debian, FreeBSD, HP-UX, Solaris, SCO
Posts: 6,679
Blog Entries: 14

Rep: Reputation: 1021
Quote:
Originally Posted by chrism01
I'd also query 'httpd 4.4'; exactly which httpd server is this supposed to be?
The default one on RHEL is Apache and they're only up to 2.4.3 https://httpd.apache.org/
But RHEL5 is NOT up to 2.4.3 as explained above. They're only up to 2.2.3 (base). Typically RHEL doesn't change base versions until they change the RHEL major version. (For example, RHEL6 uses a base of 2.2.15.)
 
Old 09-13-2012, 07:05 AM   #9
chrism01
LQ Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.8, Centos 5.10
Posts: 17,258

Rep: Reputation: 2328
I know, I meant Apache is only up to 2.4.3. What I was querying was httpd 4.4 (!) ....
 
  

