[SOLVED] How does yum-plugin-security work?

kbscores · 02-25-2014, 08:39 AM

I'm curious how yum-plugin-security works (not how to use it) Does it key off of pre-made groups within the repository?

The reason I ask is I'd like to create a package repository, however I'd only like to update security packages, but rather than cherry pick through 2k+ packages I only want security packages. Currently just trying to use the --security with yum on the custom repository does not work.

Centos is the distro.

unSpawn · 02-25-2014, 11:21 AM

IIRC (probably some CentOS ticket) yum-plugin-security relies on an XML file existing in the repo containing security-related nfo. CentOS doesn't have that AFAIK but RHEL / RHN does. If you can't find the nfo anywhere else then checking the YUM plugin source probably will reveal what is required.

szboardstretcher · 02-25-2014, 11:33 AM

It should be mentioned that EPEL does have security info of its own, and Scientific Linux relates the RHEL security updates to SL. This info is contained within the repo in a file called updateinfo.xml.gz.

(if you didnt read the post above, please note that Centos does not have its own security updates, nor does it use RedHats)

Examples of EPEL and SL:

Code:

# cat /etc/redhat-release
CentOS release 5.8 (Final)

# yum info-security varnish
Loaded plugins: fastestmirror, priorities, security
Loading mirror speeds from cached hostfile
 * base: centos.sonn.com

===============================================================================
  varnish-2.0.6-4.el5
===============================================================================
  Update ID : FEDORA-EPEL-2013-12157
    Release : Fedora EPEL 5
       Type : security
     Status : stable
     Issued : 2013-11-20 15:54:20
       Bugs : 1025129 - CVE-2013-4484 varnish: denial of service handling certain GET requests [epel-all]
Description : Backported a patch for CVE-2013-4484
info-security done

and scientific linux

Code:

# cat /etc/redhat-release
Scientific Linux release 6.5 (Carbon)

# yum info-security kernel
Loaded plugins: security

===============================================================================
  Important: kernel security update
===============================================================================
  Update ID : SLSA-2014:0159-1
    Release : Scientific Linux
       Type : security
     Status : final
     Issued : 2014-02-12 00:00:00
       Bugs : 1028148 - kernel: exec/ptrace: get_dumpable() incorrect tests
            : 1033600 - Kernel: qeth: buffer overflow in snmp ioctl
            : 1035875 - Kernel: net: leakage of uninitialized memory to user-space via recv syscalls

This is one reason why i am required to use SL6 instead of Centos.

kbscores · 02-25-2014, 12:30 PM

Thanks. Has anyone worked towards getting the plugin to work with Centos or is there some sort of proprietary aspect to it?

szboardstretcher · 02-25-2014, 12:33 PM

Centos is welcome to use the XML to create their own security patches, just as Scientific Linux does.

Perhaps with the acquisition of Centos by Redhat, things will change regarding this.

kbscores · 02-25-2014, 12:38 PM

Never mind - it is just a matter of the information being within the XML file and maintaining that file would be a fairly time consuming en devour with so many packages on a custom repository.