Red Hat 6 or CentOS 6: Yum Tips – Lock Package Versions and Only Apply Security Updates

By | 2013/03/18

In Red Hat 6 or CentOS 6, it is possible to selectively pin or mask a particular package version to keep it from updating. It is also possible to list and apply only the pending security updates, rather than every security and bug-fix update that is available.

This is ideal for environments that only want to push out security fixes and perhaps want to also pin down a particular package version. I’ll show you some tips!


Pin or Mask Packages with yum-plugin-versionlock

1. First, the easiest way to pin or mask a package to a particular version is to use yum-plugin-versionlock. Install the yum plugin as follows:

$ sudo yum install yum-plugin-versionlock


2. Next, add the package you wish to pin or mask.

Here I am going to mask the current version of openldap that is installed:

$ sudo yum versionlock add openldap

Loaded plugins: security, versionlock
Adding versionlock on: 0:openldap-2.4.23-31.el6
versionlock added: 1

You can also use wildcards. Here I am locking any currently installed php* packages to their versions:

$ sudo yum versionlock add php*
Loaded plugins: security, versionlock
Adding versionlock on: 0:php-common-5.3.3-22.el6
Adding versionlock on: 0:php-5.3.3-22.el6
Adding versionlock on: 0:php-cli-5.3.3-22.el6
versionlock added: 3


3. Now when you run a yum update on the entire system, the versionlocked packages are left at their current versions while the rest of the system is brought up to date.

$ sudo yum update
...
Setting up Update Process
No Packages marked for Update


To see packages held in versionlock, use list:

$ sudo yum versionlock list
Loaded plugins: security, versionlock
0:openldap-2.4.23-31.el6.*
0:php-common-5.3.3-22.el6.*
0:php-5.3.3-22.el6.*
0:php-cli-5.3.3-22.el6.*
versionlock list done


To remove an entry from versionlock, use delete:

$ sudo yum versionlock delete 0:openldap-2.4.23-31.el6.*
Loaded plugins: security, versionlock
Deleting versionlock for: 0:openldap-2.4.23-31.el6.*
versionlock deleted: 1


Selectively install security updates with yum-plugin-security

Now that you have pinned down packages you do not wish to update, here are some tips to selectively check for only security updates that may need to be applied.

1. This plugin should already be installed by default (on Red Hat 6 it ships as yum-plugin-security), but just in case:

$ sudo yum install yum-security

2. As of Red Hat 6, yum-plugin-security provides an updateinfo command. Use the following command to check for and list any pending security updates:

$ sudo yum updateinfo list security
Loaded plugins: security, versionlock
CVE-2013-1619 security gnutls-2.8.5-10.el6_4.1.x86_64
CVE-2013-1493 security java-1.6.0-openjdk-1:1.6.0.0-1.57.1.11.9.el6_4.x86_64
CVE-2013-0809 security java-1.6.0-openjdk-1:1.6.0.0-1.57.1.11.9.el6_4.x86_64
CVE-2013-0268 security kernel-uek-2.6.39-400.17.2.el6uek.x86_64
CVE-2013-0268 security kernel-uek-firmware-2.6.39-400.17.2.el6uek.noarch
CVE-2012-4929 security openssl-1.0.0-27.el6_4.2.x86_64
CVE-2013-0166 security openssl-1.0.0-27.el6_4.2.x86_64
CVE-2013-0169 security openssl-1.0.0-27.el6_4.2.x86_64
updateinfo list done

For Red Hat or CentOS 5, use the following command:

$ sudo yum list updates --security


3. Install only pending security updates with:

$ sudo yum update --security

Here is example output:

$ sudo yum update --security
Loaded plugins: security, versionlock
Setting up Update Process
Resolving Dependencies
Limiting packages to security relevant ones
5 package(s) needed (+0 related) for security, out of 17 available
--> Running transaction check
---> Package gnutls.x86_64 0:2.8.5-10.el6 will be updated
---> Package gnutls.x86_64 0:2.8.5-10.el6_4.1 will be an update
---> Package java-1.6.0-openjdk.x86_64 1:1.6.0.0-1.56.1.11.8.el6_3 will be updated
---> Package java-1.6.0-openjdk.x86_64 1:1.6.0.0-1.57.1.11.9.el6_4 will be an update
---> Package kernel-uek.x86_64 0:2.6.39-400.17.2.el6uek will be installed
---> Package kernel-uek-firmware.noarch 0:2.6.39-400.17.2.el6uek will be installed
---> Package openssl.x86_64 0:1.0.0-27.el6 will be updated
---> Package openssl.x86_64 0:1.0.0-27.el6_4.2 will be an update
--> Finished Dependency Resolution
--> Running transaction check
---> Package kernel-uek.x86_64 0:2.6.39-300.17.3.el6uek will be erased
---> Package kernel-uek-firmware.noarch 0:2.6.39-300.17.3.el6uek will be erased
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package             Arch   Version                       Repository       Size
================================================================================
Installing:
 kernel-uek          x86_64 2.6.39-400.17.2.el6uek        ol6_UEK_latest   27 M
 kernel-uek-firmware noarch 2.6.39-400.17.2.el6uek        ol6_UEK_latest  3.5 M
Updating:
 gnutls              x86_64 2.8.5-10.el6_4.1              ol6_latest      345 k
 java-1.6.0-openjdk  x86_64 1:1.6.0.0-1.57.1.11.9.el6_4   ol6_latest       25 M
 openssl             x86_64 1.0.0-27.el6_4.2              ol6_latest      1.4 M
Removing:
 kernel-uek          x86_64 2.6.39-300.17.3.el6uek        @ol6_UEK_latest  99 M
 kernel-uek-firmware noarch 2.6.39-300.17.3.el6uek        @ol6_UEK_latest 5.0 M

Transaction Summary
================================================================================
Install       2 Package(s)
Upgrade       3 Package(s)
Remove        2 Package(s)

Total download size: 57 M
Is this ok [y/N]: 
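One thing to keep in mind when combining the two tips: a package held by versionlock is also skipped by yum update --security, so a lock can quietly mask a security fix. The script below is an added example and not part of the original post; it parses the output formats shown above (yum versionlock list and yum updateinfo list security) and reports any locked package that has a pending security advisory. The two inputs are constructed sample output: the openldap, php, gnutls, java, kernel-uek and openssl lines are copied from the post, while the php advisory lines and their CVE-YYYY-NNNN id are placeholders. The function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: find versionlock entries that would
# silently mask a pending security update. Both inputs are CONSTRUCTED sample
# output in the formats `yum versionlock list` and `yum updateinfo list security`
# print on RHEL/CentOS 6 (the php advisory lines and their id are placeholders).

LOCK_SAMPLE=$(mktemp); SEC_SAMPLE=$(mktemp)
cat > "$LOCK_SAMPLE" <<'EOF'
Loaded plugins: security, versionlock
0:openldap-2.4.23-31.el6.*
0:php-common-5.3.3-22.el6.*
0:php-5.3.3-22.el6.*
0:php-cli-5.3.3-22.el6.*
versionlock list done
EOF
cat > "$SEC_SAMPLE" <<'EOF'
Loaded plugins: security, versionlock
CVE-2013-1619 security gnutls-2.8.5-10.el6_4.1.x86_64
CVE-2013-1493 security java-1.6.0-openjdk-1:1.6.0.0-1.57.1.11.9.el6_4.x86_64
CVE-2013-0268 security kernel-uek-2.6.39-400.17.2.el6uek.x86_64
CVE-2013-0268 security kernel-uek-firmware-2.6.39-400.17.2.el6uek.noarch
CVE-2013-0169 security openssl-1.0.0-27.el6_4.2.x86_64
CVE-YYYY-NNNN security php-5.3.3-99.el6.x86_64
CVE-YYYY-NNNN security php-common-5.3.3-99.el6.x86_64
updateinfo list done
EOF

# Reduce a versionlock entry (0:name-ver-rel.*) or a NEVRA (name-[e:]ver-rel.arch)
# to the bare package name: drop the trailing ".*" or ".arch", a leading epoch,
# then the last two '-'-separated fields (version and release).
nevra_to_name() {
    printf '%s\n' "$1" | sed -E \
        's/\.\*$//; s/\.(x86_64|i[3-6]86|noarch)$//; s/^[0-9]+://; s/-[^-]+-[^-]+$//'
}

# Package names held by versionlock (stdin: `yum versionlock list` output).
locked_names() {
    grep -E '^[0-9]+:' | while IFS= read -r entry; do nevra_to_name "$entry"; done | sort -u
}

# Package names with a pending advisory (stdin: `yum updateinfo list security`
# output; the third column is the NEVRA of the package carrying the fix).
security_names() {
    awk 'NF >= 3 && $1 ~ /^(CVE|RHSA|ELSA)-/ { print $3 }' \
        | while IFS= read -r nevra; do nevra_to_name "$nevra"; done | sort -u
}

# Intersection of the two lists: locked packages that `yum update --security`
# will leave at their old, vulnerable version.
masked_security_updates() {
    { locked_names < "$1" | sed 's/^/L /'; security_names < "$2" | sed 's/^/S /'; } \
        | awk '$1 == "L" { lock[$2] = 1 } $1 == "S" && ($2 in lock) { print $2 }'
}

echo "Locked packages with a pending security advisory:"
masked_security_updates "$LOCK_SAMPLE" "$SEC_SAMPLE"
```

On a real host you would feed the two functions the live command output instead of the sample files; a non-empty result is the signal to either lift the lock for that package or accept the risk knowingly.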

Hack on,