CentOS - Nov 2014 - yum-plugin-security

Hi all,

I have difficulties to understand the output of yum-plugin-security.

I am on a X86_64 machine and when I query for security updates, 
yum lists i686 packages, that I don't have installed.

--------------------
# yum check-update --security
Loaded plugins: changelog, fastestmirror, security
Loading mirror speeds from cached hostfile
 * base: centos.mirror.linuxwerk.com
 * epel: mirrors.n-ix.net
 * extras: centos.mirror.sharkservers.co.uk
 * updates: centos.mirror.sharkservers.co.uk
Limiting package lists to security relevant ones
No packages needed for security; 34 packages available

cyrus-sasl-devel.i686                          2.1.23-15.el6_6.1                
updates
cyrus-sasl-lib.i686                            2.1.23-15.el6_6.1                
updates
device-mapper-multipath-libs.i686              0.4.9-80.el6_6.1                 
updates
libXfont.i686                                  1.4.5-4.el6_6                    
updates
nss-softokn.i686                               3.14.3-18.el6_6                  
updates
nss-softokn-freebl.i686                        3.14.3-18.el6_6                  
updates
perl-libs.i686                                 4:5.10.1-136.el6_6.1             
updates
--------------------

I would have expected, that it will list no packages,
as it's statement is "No packages needed for security"

When I run the query with no filtering on security relevant packages,
it shows the X86_64 versions of the above listed packages.

Do we have a problem of inconsistent data in the repo?
Are only the i686 packages marked with "security-update" flag?

--------------------
# yum check-update 
Loaded plugins: changelog, fastestmirror, security
Loading mirror speeds from cached hostfile
 * base: centos.mirror.linuxwerk.com
 * epel: mirrors.n-ix.net
 * extras: centos.mirror.sharkservers.co.uk
 * updates: centos.mirror.sharkservers.co.uk

cyrus-sasl.x86_64                              2.1.23-15.el6_6.1                
updates
cyrus-sasl-devel.x86_64                        2.1.23-15.el6_6.1                
updates
cyrus-sasl-lib.x86_64                          2.1.23-15.el6_6.1                
updates
..
device-mapper-multipath-libs.x86_64            0.4.9-80.el6_6.1                 
updates
..
libXfont.x86_64                                1.4.5-4.el6_6                    
updates
..
nss-softokn.x86_64                             3.14.3-18.el6_6                  
updates
nss-softokn-freebl.x86_64                      3.14.3-18.el6_6                  
updates
..
perl-libs.x86_64                               4:5.10.1-136.el6_6.1             
updates
--------------------

Cheers and thanks for your explanation / instruction

Gabriele

This plugin does not work on CentOS, at least not yet, there were previous
discussions. e.g.
http://centos-devel.1051824.n5.nabble.com/CentOS-devel-yum-plugin-security-and-shellshock-td5710031.html

HTH

--
Sent from the Delta quadrant using Borg technology!

Nux!
www.nux.ro

----- Original Message -----
> From: "Gabriele Pohl" <gp at dipohl.de>
> To: "CentOS mailing list" <centos at centos.org>
> Sent: Saturday, 22 November, 2014 11:49:19
> Subject: [CentOS] yum-plugin-security
> Hi all,
> 
> I have difficulties to understand the output of yum-plugin-security.
> 
> I am on a X86_64 machine and when I query for security updates,
> yum lists i686 packages, that I don't have installed.
> 
> --------------------
> # yum check-update --security
> Loaded plugins: changelog, fastestmirror, security
> Loading mirror speeds from cached hostfile
> * base: centos.mirror.linuxwerk.com
> * epel: mirrors.n-ix.net
> * extras: centos.mirror.sharkservers.co.uk
> * updates: centos.mirror.sharkservers.co.uk
> Limiting package lists to security relevant ones
> No packages needed for security; 34 packages available
> 
> cyrus-sasl-devel.i686                          2.1.23-15.el6_6.1
> updates
> cyrus-sasl-lib.i686                            2.1.23-15.el6_6.1
> updates
> device-mapper-multipath-libs.i686              0.4.9-80.el6_6.1
> updates
> libXfont.i686                                  1.4.5-4.el6_6
> updates
> nss-softokn.i686                               3.14.3-18.el6_6
> updates
> nss-softokn-freebl.i686                        3.14.3-18.el6_6
> updates
> perl-libs.i686                                 4:5.10.1-136.el6_6.1
> updates
> --------------------
> 
> I would have expected, that it will list no packages,
> as it's statement is "No packages needed for security"
> 
> When I run the query with no filtering on security relevant packages,
> it shows the X86_64 versions of the above listed packages.
> 
> Do we have a problem of inconsistent data in the repo?
> Are only the i686 packages marked with "security-update" flag?
> 
> --------------------
> # yum check-update
> Loaded plugins: changelog, fastestmirror, security
> Loading mirror speeds from cached hostfile
> * base: centos.mirror.linuxwerk.com
> * epel: mirrors.n-ix.net
> * extras: centos.mirror.sharkservers.co.uk
> * updates: centos.mirror.sharkservers.co.uk
> 
> cyrus-sasl.x86_64                              2.1.23-15.el6_6.1
> updates
> cyrus-sasl-devel.x86_64                        2.1.23-15.el6_6.1
> updates
> cyrus-sasl-lib.x86_64                          2.1.23-15.el6_6.1
> updates
> ..
> device-mapper-multipath-libs.x86_64            0.4.9-80.el6_6.1
> updates
> ..
> libXfont.x86_64                                1.4.5-4.el6_6
> updates
> ..
> nss-softokn.x86_64                             3.14.3-18.el6_6
> updates
> nss-softokn-freebl.x86_64                      3.14.3-18.el6_6
> updates
> ..
> perl-libs.x86_64                               4:5.10.1-136.el6_6.1
> updates
> --------------------
> 
> Cheers and thanks for your explanation / instruction
> 
> Gabriele
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos

On 11/22/2014 05:49 AM, Gabriele Pohl wrote:
> Hi all,
> 
> I have difficulties to understand the output of yum-plugin-security.
> 
> I am on a X86_64 machine and when I query for security updates, 
> yum lists i686 packages, that I don't have installed.
> 
> --------------------
> # yum check-update --security
> Loaded plugins: changelog, fastestmirror, security
> Loading mirror speeds from cached hostfile
>  * base: centos.mirror.linuxwerk.com
>  * epel: mirrors.n-ix.net
>  * extras: centos.mirror.sharkservers.co.uk
>  * updates: centos.mirror.sharkservers.co.uk
> Limiting package lists to security relevant ones
> No packages needed for security; 34 packages available
> 
> cyrus-sasl-devel.i686                          2.1.23-15.el6_6.1           
updates
> cyrus-sasl-lib.i686                            2.1.23-15.el6_6.1           
updates
> device-mapper-multipath-libs.i686              0.4.9-80.el6_6.1            
updates
> libXfont.i686                                  1.4.5-4.el6_6               
updates
> nss-softokn.i686                               3.14.3-18.el6_6             
updates
> nss-softokn-freebl.i686                        3.14.3-18.el6_6             
updates
> perl-libs.i686                                 4:5.10.1-136.el6_6.1        
updates
> --------------------
> 
> I would have expected, that it will list no packages,
> as it's statement is "No packages needed for security"
> 
> When I run the query with no filtering on security relevant packages,
> it shows the X86_64 versions of the above listed packages.
> 
> Do we have a problem of inconsistent data in the repo?
> Are only the i686 packages marked with "security-update" flag?
> 
> --------------------
> # yum check-update 
> Loaded plugins: changelog, fastestmirror, security
> Loading mirror speeds from cached hostfile
>  * base: centos.mirror.linuxwerk.com
>  * epel: mirrors.n-ix.net
>  * extras: centos.mirror.sharkservers.co.uk
>  * updates: centos.mirror.sharkservers.co.uk
> 
> cyrus-sasl.x86_64                              2.1.23-15.el6_6.1           
updates
> cyrus-sasl-devel.x86_64                        2.1.23-15.el6_6.1           
updates
> cyrus-sasl-lib.x86_64                          2.1.23-15.el6_6.1           
updates
> ..
> device-mapper-multipath-libs.x86_64            0.4.9-80.el6_6.1            
updates
> ..
> libXfont.x86_64                                1.4.5-4.el6_6               
updates
> ..
> nss-softokn.x86_64                             3.14.3-18.el6_6             
updates
> nss-softokn-freebl.x86_64                      3.14.3-18.el6_6             
updates
> ..
> perl-libs.x86_64                               4:5.10.1-136.el6_6.1        
updates
CentOS only tests that things work when doing all updates ... it does
not test any other grouping of packages.

In reality that is also true for upstream support as well ... see the
first line in any upstream update in the solutions section.  Here is an
example:

https://rhn.redhat.com/errata/RHSA-2014-1870.html

First line in Solution Section:

"Before applying this update, make sure all previously released errata
relevant to your system have been applied."

That does not say pick and choose errata or only install security
errata.  In reality, one should only NOT install an update if that
update causes problems.  That is any Errata update, not just security
updates.

The reason, all updates are built on a staged system.  Any updates built
today are built on / linked against the updates from yesterday.

If you use a perl package (that is an example name, could be any
package) built against today's update set on 6.3 .. it may or may not
work at all, or work correctly.  It also could possibly introduce
security issues never tested for because that combination is unique to
your install.

I might work fine, it might be horrible.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: OpenPGP digital signature
URL:
<http://lists.centos.org/pipermail/centos/attachments/20141122/ae0e400f/attachment-0001.sig>

On Sat, 22 Nov 2014 12:44:57 +0000 (GMT)
Nux! <nux at li.nux.ro> wrote:
> This plugin does not work on CentOS, at least not yet, there were previous
discussions. e.g.
>
http://centos-devel.1051824.n5.nabble.com/CentOS-devel-yum-plugin-security-and-shellshock-td5710031.html
> 
> HTH
yes it helped thanks!

Although the state of the thing itself is not very helpful :(

My intention was to automatically get warned,
when there are pending security updates.
I therefore reworked the "yum" plugin of Munin [1]

But as I see now, this will not work for CentOS
as long as the data (a working updateinfo.xml)
is not existent in the repos..

I will add a note in the Munin yum plugin to
inform other CentOS users about this #fail.

It would be good to add such a hint also in the 
CentOS package of the yum-plugin-security. 
Until now there is no info about the no-op 
nor in the man page neither under /usr/share/doc.

Shall I create a bug report addressing the missing doc?
Or will it get answered with "won't fix" as the fix
would need to fork an own CentOS version of the plugin,
so no longer simply copy the package from upstream (rh)

# rpm -ql yum-plugin-security
/etc/yum/pluginconf.d/security.conf
/usr/lib/yum-plugins/security.py
/usr/lib/yum-plugins/security.pyc
/usr/lib/yum-plugins/security.pyo
/usr/share/doc/yum-plugin-security-1.1.30
/usr/share/doc/yum-plugin-security-1.1.30/COPYING
/usr/share/man/man8/yum-security.8.gz

Cheers,

Gabriele



[1]
https://github.com/munin-monitoring/munin/commits/devel/plugins/node.d.linux/yum.in

On Sat, 22 Nov 2014 08:00:50 -0600
Johnny Hughes <johnny at centos.org> wrote:
> On 11/22/2014 05:49 AM, Gabriele Pohl wrote:
> > I have difficulties to understand the output of yum-plugin-security.
> > 
> > # yum check-update --security
> 
> CentOS only tests that things work when doing all updates ... it does
> not test any other grouping of packages.
when I install the updates 
I usually install all pending updates btw.

As written in my other mail, the intention is
to get triggered when security updates are pending.

fyi and cheers,

Gabriele