Hi all,

I have difficulty understanding the output of yum-plugin-security.

I am on an X86_64 machine and when I query for security updates,
yum lists i686 packages that I don't have installed.

--------------------
# yum check-update --security
Loaded plugins: changelog, fastestmirror, security
Loading mirror speeds from cached hostfile
 * base: centos.mirror.linuxwerk.com
 * epel: mirrors.n-ix.net
 * extras: centos.mirror.sharkservers.co.uk
 * updates: centos.mirror.sharkservers.co.uk
Limiting package lists to security relevant ones
No packages needed for security; 34 packages available

cyrus-sasl-devel.i686                  2.1.23-15.el6_6.1      updates
cyrus-sasl-lib.i686                    2.1.23-15.el6_6.1      updates
device-mapper-multipath-libs.i686      0.4.9-80.el6_6.1       updates
libXfont.i686                          1.4.5-4.el6_6          updates
nss-softokn.i686                       3.14.3-18.el6_6        updates
nss-softokn-freebl.i686                3.14.3-18.el6_6        updates
perl-libs.i686                         4:5.10.1-136.el6_6.1   updates
--------------------

I would have expected that it will list no packages,
as its statement is "No packages needed for security".

When I run the query with no filtering on security relevant packages,
it shows the X86_64 versions of the above listed packages.

Do we have a problem of inconsistent data in the repo?
Are only the i686 packages marked with the "security-update" flag?

--------------------
# yum check-update
Loaded plugins: changelog, fastestmirror, security
Loading mirror speeds from cached hostfile
 * base: centos.mirror.linuxwerk.com
 * epel: mirrors.n-ix.net
 * extras: centos.mirror.sharkservers.co.uk
 * updates: centos.mirror.sharkservers.co.uk

cyrus-sasl.x86_64                      2.1.23-15.el6_6.1      updates
cyrus-sasl-devel.x86_64                2.1.23-15.el6_6.1      updates
cyrus-sasl-lib.x86_64                  2.1.23-15.el6_6.1      updates
..
device-mapper-multipath-libs.x86_64    0.4.9-80.el6_6.1       updates
..
libXfont.x86_64                        1.4.5-4.el6_6          updates
..
nss-softokn.x86_64                     3.14.3-18.el6_6        updates
nss-softokn-freebl.x86_64              3.14.3-18.el6_6        updates
..
perl-libs.x86_64                       4:5.10.1-136.el6_6.1   updates
--------------------

Cheers and thanks for your explanation / instruction

Gabriele

This plugin does not work on CentOS, at least not yet, there were previous discussions, e.g.
http://centos-devel.1051824.n5.nabble.com/CentOS-devel-yum-plugin-security-and-shellshock-td5710031.html

HTH

--
Sent from the Delta quadrant using Borg technology!

Nux!
www.nux.ro

----- Original Message -----
> From: "Gabriele Pohl" <gp at dipohl.de>
> To: "CentOS mailing list" <centos at centos.org>
> Sent: Saturday, 22 November, 2014 11:49:19
> Subject: [CentOS] yum-plugin-security

On 11/22/2014 05:49 AM, Gabriele Pohl wrote:
> I have difficulty understanding the output of yum-plugin-security.
>
> # yum check-update --security

CentOS only tests that things work when doing all updates ... it does
not test any other grouping of packages.

In reality that is also true for upstream support as well ... see the
first line in any upstream update in the solutions section. Here is an
example:

https://rhn.redhat.com/errata/RHSA-2014-1870.html

First line in Solution Section:

"Before applying this update, make sure all previously released errata
relevant to your system have been applied."

That does not say pick and choose errata or only install security errata.

In reality, one should only NOT install an update if that update causes
problems. That is any Errata update, not just security updates.

The reason: all updates are built on a staged system. Any updates built
today are built on / linked against the updates from yesterday. If you
use a perl package (that is an example name, could be any package) built
against today's update set on 6.3 .. it may or may not work at all, or
work correctly. It also could possibly introduce security issues never
tested for because that combination is unique to your install. It might
work fine, it might be horrible.

On Sat, 22 Nov 2014 12:44:57 +0000 (GMT) Nux! <nux at li.nux.ro> wrote:
> This plugin does not work on CentOS, at least not yet, there were previous discussions. e.g.
> http://centos-devel.1051824.n5.nabble.com/CentOS-devel-yum-plugin-security-and-shellshock-td5710031.html
>
> HTH

Yes, it helped, thanks!
Although the state of the thing itself is not very helpful :(

My intention was to automatically get warned when there
are pending security updates. I therefore reworked the
"yum" plugin of Munin [1].

But as I see now, this will not work for CentOS as long
as the data (a working updateinfo.xml) is not existent
in the repos..

I will add a note in the Munin yum plugin to inform
other CentOS users about this #fail.

It would be good to add such a hint also in the CentOS package
of the yum-plugin-security. Until now there is no info about
the no-op, neither in the man page nor under /usr/share/doc.

Shall I create a bug report addressing the missing doc?
Or will it get answered with "won't fix" as the fix would
need to fork an own CentOS version of the plugin, so
no longer simply copy the package from upstream (rh)?

# rpm -ql yum-plugin-security
/etc/yum/pluginconf.d/security.conf
/usr/lib/yum-plugins/security.py
/usr/lib/yum-plugins/security.pyc
/usr/lib/yum-plugins/security.pyo
/usr/share/doc/yum-plugin-security-1.1.30
/usr/share/doc/yum-plugin-security-1.1.30/COPYING
/usr/share/man/man8/yum-security.8.gz

Cheers,
Gabriele

[1] https://github.com/munin-monitoring/munin/commits/devel/plugins/node.d.linux/yum.in
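
The dependency described in the message above (the --security filter only has data to work with when a repo ships updateinfo metadata), as an added example that is not part of the original thread or of the Munin plugin: a monitoring check that reports "unknown" instead of trusting "No packages needed for security" when no repo index lists updateinfo. The repomd.xml samples are constructed, the function names are hypothetical, and only the summary line shown in the thread is parsed.

```python
import re
import xml.etree.ElementTree as ET

NS = "{http://linux.duke.edu/metadata/repo}"  # repomd.xml namespace

def _repomd(types):
    # Build a constructed repomd.xml listing the given metadata types.
    data = "".join('<data type="%s"><location href="repodata/%s.xml.gz"/></data>'
                   % (t, t) for t in types)
    return '<repomd xmlns="http://linux.duke.edu/metadata/repo">%s</repomd>' % data

# Constructed sample input: repo id -> repomd.xml text (no real mirror data).
SAMPLE_REPOS = {
    "base": _repomd(["primary", "filelists", "other"]),
    "updates": _repomd(["primary", "filelists", "other"]),
}
SAMPLE_WITH_ERRATA = dict(SAMPLE_REPOS,
                          updates=_repomd(["primary", "filelists", "updateinfo"]))
# Summary line exactly as printed in the thread.
SAMPLE_SUMMARY = "No packages needed for security; 34 packages available"

def has_updateinfo(repomd_xml):
    """True if the repo index advertises errata metadata (type="updateinfo")."""
    root = ET.fromstring(repomd_xml)
    return any(d.get("type") == "updateinfo" for d in root.iter(NS + "data"))

def available_when_none_needed(summary):
    """Return N from 'No packages needed for security; N ...', else None."""
    m = re.search(r"No packages needed for security; (\d+) packages available",
                  summary)
    return int(m.group(1)) if m else None

def security_status(repos, summary):
    """Map yum's answer to a monitoring state plus the repos lacking errata data."""
    blind = sorted(r for r, doc in repos.items() if not has_updateinfo(doc))
    if len(blind) == len(repos):
        # No errata data anywhere: "none needed" carries no information.
        return "unknown", blind
    if available_when_none_needed(summary) is None:
        return "warning", blind  # yum did not report "none needed"
    return "ok", blind

if __name__ == "__main__":
    print(security_status(SAMPLE_REPOS, SAMPLE_SUMMARY))
    print(security_status(SAMPLE_WITH_ERRATA, SAMPLE_SUMMARY))
```

The second return value lists repos without updateinfo, so a check can still flag partial coverage when the state is "ok".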

On Sat, 22 Nov 2014 08:00:50 -0600 Johnny Hughes <johnny at centos.org> wrote:
> On 11/22/2014 05:49 AM, Gabriele Pohl wrote:
> > I have difficulty understanding the output of yum-plugin-security.
> >
> > # yum check-update --security
>
> CentOS only tests that things work when doing all updates ... it does
> not test any other grouping of packages.

When I install the updates I usually install all pending updates, btw.
As written in my other mail, the intention is to get triggered
when security updates are pending.

fyi and cheers,
Gabriele