No security updates installed?

shatnersbassoon
Posts: 5
Joined: 2022/08/18 17:05:38

Post by shatnersbassoon » 2022/10/07 11:21:45

Hi Everybody, I need to ensure a server is fully up to date with security patches.

I ran yum -y update twice over the last two days, aiming to install all available updates, assuming some security updates would be available.

This is the output from my yum history, so my update commands did appear to work:

Command Line : -y update
Transaction performed with:
Installed rpm-4.11.3-48.el7_9.x86_64 @updates
Installed yum-3.4.3-168.el7.centos.noarch @base
Installed yum-plugin-fastestmirror-1.1.31-54.el7_8.noarch @base
Packages Altered:
Updated expat-2.1.0-14.el7_9.x86_64 @updates
Update 2.1.0-15.el7_9.x86_64 @updates
Updated expat-devel-2.1.0-14.el7_9.x86_64 @updates
Update 2.1.0-15.el7_9.x86_64 @updates
Updated tzdata-2022c-1.el7.noarch @updates
Update 2022d-1.el7.noarch @updates
Updated tzdata-java-2022c-1.el7.noarch @updates
Update 2022d-1.el7.noarch @updates
Return-Code : Success

Command Line : -y update
Transaction performed with:
Installed rpm-4.11.3-48.el7_9.x86_64 @updates
Installed yum-3.4.3-168.el7.centos.noarch @base
Installed yum-plugin-fastestmirror-1.1.31-54.el7_8.noarch @base
Packages Altered:
Updated bind-export-libs-32:9.11.4-26.P2.el7_9.9.x86_64 @updates
Update 32:9.11.4-26.P2.el7_9.10.x86_64 @updates
Updated bind-libs-32:9.11.4-26.P2.el7_9.9.x86_64 @updates
Update 32:9.11.4-26.P2.el7_9.10.x86_64 @updates
Updated bind-libs-lite-32:9.11.4-26.P2.el7_9.9.x86_64 @updates
Update 32:9.11.4-26.P2.el7_9.10.x86_64 @updates
Updated bind-license-32:9.11.4-26.P2.el7_9.9.noarch @updates
Update 32:9.11.4-26.P2.el7_9.10.noarch @updates
Updated bind-utils-32:9.11.4-26.P2.el7_9.9.x86_64 @updates
Update 32:9.11.4-26.P2.el7_9.10.x86_64 @updates
Updated ca-certificates-2021.2.50-72.el7_9.noarch @updates
Update 2022.2.54-74.el7_9.noarch @updates
Updated libwbclient-4.10.16-19.el7_9.x86_64 @updates
Update 4.10.16-20.el7_9.x86_64 @updates
Updated nspr-4.32.0-1.el7_9.x86_64 @updates
Update 4.34.0-3.1.el7_9.x86_64 @updates
Updated nss-3.67.0-4.el7_9.x86_64 @updates
Update 3.79.0-4.el7_9.x86_64 @updates
Updated nss-softokn-3.67.0-3.el7_9.x86_64 @updates
Update 3.79.0-4.el7_9.x86_64 @updates
Updated nss-softokn-freebl-3.67.0-3.el7_9.x86_64 @updates
Update 3.79.0-4.el7_9.x86_64 @updates
Updated nss-sysinit-3.67.0-4.el7_9.x86_64 @updates
Update 3.79.0-4.el7_9.x86_64 @updates
Updated nss-tools-3.67.0-4.el7_9.x86_64 @updates
Update 3.79.0-4.el7_9.x86_64 @updates
Updated nss-util-3.67.0-1.el7_9.x86_64 @updates
Update 3.79.0-1.el7_9.x86_64 @updates
Updated samba-client-libs-4.10.16-19.el7_9.x86_64 @updates
Update 4.10.16-20.el7_9.x86_64 @updates
Updated samba-common-4.10.16-19.el7_9.noarch @updates
Update 4.10.16-20.el7_9.noarch @updates
Updated samba-common-libs-4.10.16-19.el7_9.x86_64 @updates
Update 4.10.16-20.el7_9.x86_64 @updates
Updated tuned-2.11.0-11.el7_9.noarch @updates
Update 2.11.0-12.el7_9.noarch @updates
Updated xfsdump-3.1.7-1.el7.x86_64 @base
Update 3.1.7-2.el7_9.x86_64 @updates

I've then checked for what security patches are installed but cannot see any:

yum updateinfo list security installed
Loaded plugins: fastestmirror, langpacks, ps
Loading mirror speeds from cached hostfile
* base: ftp.heanet.ie
* updates: ftp.heanet.ie
updateinfo list done

Does this mean

1) No security patches are present on the box?
2) There are no security patches available for me to download?

CentOS Linux release 7.9.2009 (Core) is the release I'm working with.

Thanks

tunk
Posts: 1205
Joined: 2017/02/22 15:08:17

Re: No security updates installed?

Post by tunk » 2022/10/07 11:36:34

I think this still is true, CentOS does not have security metadata:
viewtopic.php?t=59369#p251143

What's the output of this? If it looks something like this, then
you should be up to date:
$ rpm -qa --last | more
bind-export-libs-9.11.4-26.P2.el7_9.10.x86_64 Wed 05 Oct 2022 18:27:44 CEST
nss-util-3.79.0-1.el7_9.x86_64 Wed 05 Oct 2022 18:27:43 CEST
nss-tools-3.79.0-4.el7_9.x86_64 Wed 05 Oct 2022 18:27:43 CEST
nss-sysinit-3.79.0-4.el7_9.x86_64 Wed 05 Oct 2022 18:27:43 CEST
nss-softokn-freebl-3.79.0-4.el7_9.x86_64 Wed 05 Oct 2022 18:27:43 CEST
nss-softokn-3.79.0-4.el7_9.x86_64 Wed 05 Oct 2022 18:27:43 CEST
nss-3.79.0-4.el7_9.x86_64 Wed 05 Oct 2022 18:27:43 CEST
bind-utils-9.11.4-26.P2.el7_9.10.x86_64 Wed 05 Oct 2022 18:27:43 CEST
bind-license-9.11.4-26.P2.el7_9.10.noarch Wed 05 Oct 2022 18:27:43 CEST
bind-libs-lite-9.11.4-26.P2.el7_9.10.x86_64 Wed 05 Oct 2022 18:27:43 CEST
bind-libs-9.11.4-26.P2.el7_9.10.x86_64 Wed 05 Oct 2022 18:27:43 CEST
nspr-4.34.0-3.1.el7_9.x86_64 Wed 05 Oct 2022 18:27:42 CEST
scap-security-guide-0.1.63-1.el7.centos.noarch Sat 24 Sep 2022 16:03:42 CEST
xfsdump-3.1.7-2.el7_9.x86_64 Sat 24 Sep 2022 16:03:36 CEST
tuned-2.11.0-12.el7_9.noarch Sat 24 Sep 2022 16:03:36 CEST
samba-libs-4.10.16-20.el7_9.x86_64 Sat 24 Sep 2022 16:03:36 CEST
samba-client-4.10.16-20.el7_9.x86_64 Sat 24 Sep 2022 16:03:36 CEST
.....
kernel-3.10.0-1160.76.1.el7.x86_64 Wed 17 Aug 2022 13:59:08 CEST
.....

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: No security updates installed?

Post by TrevorH » 2022/10/07 12:09:54

> yum updateinfo list security installed
The yum-security plugin does nothing useful on CentOS as there is no security related metadata in the yum repos to allow it to work. In fact, as you've discovered, it's positively dangerous to try as it will always tell you there are no security updates pending (since it doesn't know what they are). This can give a false sense of security since there may be gaping holes in packages that yum knows nothing about.

The correct answer is yum update.

You can also subscribe to the centos-announce mailing list and receive mails telling you about updates as they are released. These contain a link to the RH errata page for each update telling you what they are and what they fix and their severity.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
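
As an added example (not part of the thread and not CentOS project code): the check below reports which repos have no updateinfo entry in their repomd.xml, the situation in which yum's security listing comes back empty. The sample repomd.xml files are constructed, and the cache path named in the comment is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread): report which cached repos carry
# updateinfo (errata) metadata, the data yum's security filters depend on.

# has_updateinfo FILE: succeed if repomd.xml declares <data type="updateinfo">.
has_updateinfo() {
    grep -Eq '<data[[:space:]]+type="updateinfo"' "$1"
}

# blind_repos DIR: print the repo ids under DIR whose repomd.xml lacks
# updateinfo, one per line. DIR holds one subdirectory per repo id.
blind_repos() {
    for f in "$1"/*/repomd.xml; do
        [ -f "$f" ] || continue
        has_updateinfo "$f" || basename "$(dirname "$f")"
    done
}

# make_sample DIR: build constructed repomd.xml files for the demo.
make_sample() {
    mkdir -p "$1/updates" "$1/epel"
    cat > "$1/updates/repomd.xml" <<'EOF'
<repomd>
  <data type="primary"><location href="repodata/primary.xml.gz"/></data>
  <data type="group_gz"><location href="repodata/comps.xml.gz"/></data>
</repomd>
EOF
    cat > "$1/epel/repomd.xml" <<'EOF'
<repomd>
  <data type="primary"><location href="repodata/primary.xml.gz"/></data>
  <data type="updateinfo"><location href="repodata/updateinfo.xml.bz2"/></data>
</repomd>
EOF
}

# Demo on the constructed tree. On a host, point blind_repos at the yum cache
# (assumed here: /var/cache/yum/x86_64/7; check cachedir in /etc/yum.conf).
demo_dir=$(mktemp -d)
make_sample "$demo_dir"
echo "repos invisible to yum security filters:"
blind_repos "$demo_dir"
rm -rf "$demo_dir"
```

Any repo id this prints is one for which an empty "yum updateinfo list security" result says nothing about pending fixes.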

shatnersbassoon
Posts: 5
Joined: 2022/08/18 17:05:38

Re: No security updates installed?

Post by shatnersbassoon » 2022/10/07 13:29:14

Hi, yes, I get output similar to yours.

If there are no updates available to download can I assume my system is up to date with security patches?

Thanks for your help.

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: No security updates installed?

Post by TrevorH » 2022/10/07 15:30:01

> If there are no updates available to download can I assume my system is up to date with security patches?
Only if you are running yum update with no mention of security or CVE or any of the other security related parameters. Running yum update --security will only apply security related patches from the EPEL repo (which does have the required metadata). It will completely ignore any security related packages from the CentOS repos since it will not know they are security related.

jlehtone
Posts: 4523
Joined: 2007/12/11 08:17:33
Location: Finland

Re: No security updates installed?

Post by jlehtone » 2022/10/07 15:39:51

Yes, if the plain yum update reports nothing to do, then you already have what is available in repository*.


*Caveats:
  • The latest post in centos-announce lists for example package open-vm-tools-11.0.5-3.el7_9.4.x86_64.rpm
    If the output of yum list open-vm-tools does not show that version, then the mirror of the repo that you do use is not up to date.
  • If you have added exclude rules to yum config, then yum skips the excluded packages.
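
As an added example (not part of the thread): a check for the second caveat, listing every exclude rule in yum configuration files and testing whether a given package name falls under one. The sample yum.conf is constructed, and matching is done on the bare package name only, which is a simplification.

```shell
#!/bin/sh
# Added example (not from the thread): find yum exclude rules and check
# whether a package name falls under one of them.

# list_excludes FILE...: print "FILE [section] pattern" per exclude pattern.
# Simplification: continuation lines of a multi-line value are not followed.
list_excludes() {
    awk '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec); next }
        /^[ \t]*exclude[ \t]*=/ {
            sub(/^[^=]*=/, ""); gsub(/,/, " ")
            n = split($0, pats, /[ \t]+/)
            for (i = 1; i <= n; i++)
                if (pats[i] != "") print FILENAME, "[" sec "]", pats[i]
        }
    ' "$@"
}

# is_excluded PKG FILE...: succeed if the bare package name PKG matches any
# exclude glob (other forms of a package spec are not modelled here).
is_excluded() {
    pkg=$1; shift
    list_excludes "$@" | (
        while read -r _file _sec pat; do
            case $pkg in $pat) exit 0 ;; esac
        done
        exit 1
    )
}

# make_sample_conf FILE: write a constructed yum.conf for the demo.
make_sample_conf() {
    cat > "$1" <<'EOF'
[main]
# exclude=commented-out
exclude=kernel* open-vm-tools

[updates]
exclude = php-*, mysql?
EOF
}

conf=$(mktemp)
make_sample_conf "$conf"
list_excludes "$conf"
is_excluded open-vm-tools "$conf" && echo "open-vm-tools is excluded: yum update will not offer it"
rm -f "$conf"
```

On a host, run list_excludes against /etc/yum.conf and /etc/yum.repos.d/*.repo; any output means "nothing to do" from yum update does not cover those packages.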
