
On Red Hat Enterprise Linux 6 or CentOS 6 you can pin (lock) a package at its currently installed version so that yum update leaves it alone. You can also list and apply only the pending security updates, rather than the full set of security, bug-fix and enhancement updates that a plain yum update would pull in.
This is ideal for environments that only want to push out security fixes and perhaps also need to hold a particular package version. I'll show you some tips!
Pin or Mask Packages with yum-plugin-versionlock
1. First, the easiest way to pin or mask a package to a particular version is to use yum-plugin-versionlock. Install the yum plugin as follows:
$ sudo yum install yum-plugin-versionlock
2. Next, add the package you wish to pin or mask.
Here I am going to mask the current version of openldap that is installed:
$ sudo yum versionlock add openldap
Loaded plugins: security, versionlock
Adding versionlock on: 0:openldap-2.4.23-31.el6
versionlock added: 1
You can also use wildcards. Quote the pattern so it reaches yum intact; an unquoted php* is expanded by your shell if any file in the current directory happens to match it. Here I am locking every currently installed php* package to its version:
$ sudo yum versionlock add 'php*'
Loaded plugins: security, versionlock
Adding versionlock on: 0:php-common-5.3.3-22.el6
Adding versionlock on: 0:php-5.3.3-22.el6
Adding versionlock on: 0:php-cli-5.3.3-22.el6
versionlock added: 3
3. Now when you run yum update on the whole system, the locked packages are excluded from the transaction and everything else is brought up to date. On this host nothing outside the locks was pending, so yum reports no work to do:
$ sudo yum update
...
Setting up Update Process
No Packages marked for Update
To see packages held in versionlock, use list:
$ sudo yum versionlock list
Loaded plugins: security, versionlock
0:openldap-2.4.23-31.el6.*
0:php-common-5.3.3-22.el6.*
0:php-5.3.3-22.el6.*
0:php-cli-5.3.3-22.el6.*
versionlock list done
To remove an entry from version lock, use delete:
$ sudo yum versionlock delete 0:openldap-2.4.23-31.el6.*
Loaded plugins: security, versionlock
Deleting versionlock for: 0:openldap-2.4.23-31.el6.*
versionlock deleted: 1
Selectively install security updates with yum-plugin-security
Now that you have pinned the packages you do not wish to update, here are some tips for checking for, and applying, only the security updates that are pending. Two caveats first. A locked package is excluded from security updates as well, so compare yum versionlock list against the advisories before treating a host as fully patched. And the security filtering relies on updateinfo metadata in the repositories: Red Hat and Oracle Linux publish it, but the stock CentOS repositories do not, so on a plain CentOS host the security list comes back empty and yum update --security installs nothing.
1. The plugin is normally installed by default, but just in case. On Red Hat 6 the package is named yum-plugin-security (the Red Hat 5 package was called yum-security):
$ sudo yum install yum-plugin-security
2. As of Red Hat 6, yum-plugin-security adds an updateinfo command. Use it to list pending security updates; a package is listed once per CVE it fixes, so the same package can appear several times:
$ sudo yum updateinfo list security
Loaded plugins: security, versionlock
CVE-2013-1619 security gnutls-2.8.5-10.el6_4.1.x86_64
CVE-2013-1493 security java-1.6.0-openjdk-1:1.6.0.0-1.57.1.11.9.el6_4.x86_64
CVE-2013-0809 security java-1.6.0-openjdk-1:1.6.0.0-1.57.1.11.9.el6_4.x86_64
CVE-2013-0268 security kernel-uek-2.6.39-400.17.2.el6uek.x86_64
CVE-2013-0268 security kernel-uek-firmware-2.6.39-400.17.2.el6uek.noarch
CVE-2012-4929 security openssl-1.0.0-27.el6_4.2.x86_64
CVE-2013-0166 security openssl-1.0.0-27.el6_4.2.x86_64
CVE-2013-0169 security openssl-1.0.0-27.el6_4.2.x86_64
updateinfo list done
For Red Hat or CentOS 5, use the following command:
$ sudo yum list updates --security
3. Install only pending security updates with:
$ sudo yum update --security
Here is the example output. Note the line "5 package(s) needed (+0 related) for security, out of 17 available": only the security-relevant packages (plus any dependencies they drag in) go into the transaction. Note also that installing the new kernel-uek makes yum erase an older kernel in the same transaction (it keeps only installonly_limit kernels), so read the Removing section before answering y; the repositories shown (ol6_latest, ol6_UEK_latest) are Oracle Linux ones, which is why the kernel is kernel-uek. For unattended runs add -y.
$ sudo yum update --security
Loaded plugins: security, versionlock
Setting up Update Process
Resolving Dependencies
Limiting packages to security relevant ones
5 package(s) needed (+0 related) for security, out of 17 available
--> Running transaction check
---> Package gnutls.x86_64 0:2.8.5-10.el6 will be updated
---> Package gnutls.x86_64 0:2.8.5-10.el6_4.1 will be an update
---> Package java-1.6.0-openjdk.x86_64 1:1.6.0.0-1.56.1.11.8.el6_3 will be updated
---> Package java-1.6.0-openjdk.x86_64 1:1.6.0.0-1.57.1.11.9.el6_4 will be an update
---> Package kernel-uek.x86_64 0:2.6.39-400.17.2.el6uek will be installed
---> Package kernel-uek-firmware.noarch 0:2.6.39-400.17.2.el6uek will be installed
---> Package openssl.x86_64 0:1.0.0-27.el6 will be updated
---> Package openssl.x86_64 0:1.0.0-27.el6_4.2 will be an update
--> Finished Dependency Resolution
--> Running transaction check
---> Package kernel-uek.x86_64 0:2.6.39-300.17.3.el6uek will be erased
---> Package kernel-uek-firmware.noarch 0:2.6.39-300.17.3.el6uek will be erased
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package              Arch    Version                      Repository       Size
================================================================================
Installing:
 kernel-uek           x86_64  2.6.39-400.17.2.el6uek       ol6_UEK_latest   27 M
 kernel-uek-firmware  noarch  2.6.39-400.17.2.el6uek       ol6_UEK_latest  3.5 M
Updating:
 gnutls               x86_64  2.8.5-10.el6_4.1             ol6_latest      345 k
 java-1.6.0-openjdk   x86_64  1:1.6.0.0-1.57.1.11.9.el6_4  ol6_latest       25 M
 openssl              x86_64  1.0.0-27.el6_4.2             ol6_latest      1.4 M
Removing:
 kernel-uek           x86_64  2.6.39-300.17.3.el6uek       @ol6_UEK_latest  99 M
 kernel-uek-firmware  noarch  2.6.39-300.17.3.el6uek       @ol6_UEK_latest 5.0 M

Transaction Summary
================================================================================
Install       2 Package(s)
Upgrade       3 Package(s)
Remove        2 Package(s)

Total download size: 57 M
Is this ok [y/N]:
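The two halves of this post interact: a versionlock silently blocks the security fixes for that package as well. The script below is an added example written for this page, not code from the original post or from yum-utils. It parses the versionlock list and the updateinfo list formats shown above and reports which locked packages are holding back an advisory, plus the set of packages a security-only update would touch. The two input strings are constructed from the sample output above (with an openssl lock added to the php locks, so there is something to find); the function names are mine. On a real host you would replace them with live output, using --disableplugin=versionlock on the updateinfo command because the plugin works by hiding the other versions of a locked package from yum, which would also hide the advisories you are trying to see.

```shell
#!/bin/sh
# Added example, not from the original post: find versionlocked packages that
# are holding back a pending security advisory, and list the packages that
# `yum update --security` would touch.
#
# On a real RHEL 6 host replace the two constructed strings with live output:
#   UPDATEINFO=$(yum -q --disableplugin=versionlock updateinfo list security)
#   VERSIONLOCK=$(yum -q versionlock list)
# versionlock works by hiding other versions of a locked package from yum, so
# the plugin is disabled for the first command to see what the locks block.
export LC_ALL=C

# Constructed from the sample output in the post. Header/trailer lines are kept
# on purpose; the parsers below skip them, so raw yum output can be fed in.
UPDATEINFO='Loaded plugins: security, versionlock
CVE-2013-1619 security gnutls-2.8.5-10.el6_4.1.x86_64
CVE-2013-1493 security java-1.6.0-openjdk-1:1.6.0.0-1.57.1.11.9.el6_4.x86_64
CVE-2013-0809 security java-1.6.0-openjdk-1:1.6.0.0-1.57.1.11.9.el6_4.x86_64
CVE-2013-0268 security kernel-uek-2.6.39-400.17.2.el6uek.x86_64
CVE-2013-0268 security kernel-uek-firmware-2.6.39-400.17.2.el6uek.noarch
CVE-2012-4929 security openssl-1.0.0-27.el6_4.2.x86_64
CVE-2013-0166 security openssl-1.0.0-27.el6_4.2.x86_64
CVE-2013-0169 security openssl-1.0.0-27.el6_4.2.x86_64
updateinfo list done'

# Constructed: the post's php locks plus an openssl lock (assumed, for the demo).
VERSIONLOCK='Loaded plugins: security, versionlock
0:openssl-1.0.0-27.el6.*
0:php-common-5.3.3-22.el6.*
0:php-5.3.3-22.el6.*
0:php-cli-5.3.3-22.el6.*
versionlock list done'

# Package name from a NEVRA as printed by `yum updateinfo list`, e.g.
#   java-1.6.0-openjdk-1:1.6.0.0-1.57.1.11.9.el6_4.x86_64 -> java-1.6.0-openjdk
# Strip from the right so dashes inside the name survive.
nevra_name() {
    n=${1%.*}     # drop .arch
    n=${n%-*}     # drop -release
    n=${n%-*}     # drop -[epoch:]version
    printf '%s\n' "$n"
}

# Package name from a versionlock entry, e.g. 0:php-common-5.3.3-22.el6.* -> php-common
lock_name() {
    n=${1%.\*}    # drop the trailing .* wildcard
    n=${n#*:}     # drop the leading epoch:
    n=${n%-*}     # drop -release
    n=${n%-*}     # drop -version
    printf '%s\n' "$n"
}

# "<advisory> <name>" for every security line in UPDATEINFO. "Loaded plugins:"
# and "updateinfo list done" are skipped: their second field is not "security".
security_advisories() {
    printf '%s\n' "$UPDATEINFO" | while read -r adv type nevra; do
        [ "$type" = security ] || continue
        printf '%s %s\n' "$adv" "$(nevra_name "$nevra")"
    done | sort -u
}

# Unique package names with a pending security fix: the set a security-only
# update would install or update (5 here, matching the post's transaction).
security_packages() {
    security_advisories | cut -d' ' -f2 | sort -u
}

# Package names currently held by versionlock (only lines shaped like an entry).
locked_packages() {
    printf '%s\n' "$VERSIONLOCK" | while read -r e; do
        case $e in *:*-*-*.\*) lock_name "$e" ;; esac
    done | sort -u
}

# One line per locked package that has a pending security advisory:
#   "<name> <advisory> [<advisory> ...]"
# Empty output means the locks are not blocking any security fix.
blocked_security_updates() {
    locked=$(locked_packages | tr '\n' ' ')
    security_advisories | awk -v locked="$locked" '
        BEGIN { n = split(locked, a, " "); for (i = 1; i <= n; i++) L[a[i]] = 1 }
        ($2 in L) { advs[$2] = advs[$2] " " $1 }
        END { for (p in advs) print p advs[p] }' | sort
}

blocked_security_updates
```

With the constructed input this prints one line, openssl followed by its three CVEs, which is exactly the situation to catch before signing off a host as patched: the lock from the first half of the post would make yum update --security skip the openssl fix without any warning. Run it from cron or your config management after each lock change, and treat any output as a ticket to either drop the lock or accept the risk explicitly.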
Hack on,