On 03/01/2016 09:17 PM, Peter wrote:
> On 02/03/16 15:57, Anthony K wrote:
>> This command output is odd:
>>
>> yum update --security
>> ...
>> No packages needed for security; 118 packages available
> ...
>> Why does yum not consider this CESA a security update?
>
> Cherry-picking updates is not supported by CentOS, this is because each
> package is built on a system with all previous updates applied and as
> such each update that you install should have all previous updates
> applied or there can be problems.
>
> As such CentOS does not support the --security option for yum, nor does
> it support the yum-security plugin. You are expected to update your
> entire system, not to do so will leave you with an unsupported system.
> Also there will be other packages as well that have security issues that
> need updating.

RHEL does not support only security updates either .. they do have
things like AUS / EAS .. but those things require all updates to be
installed, not just all security updates.

If you look at this update:

https://access.redhat.com/errata/RHSA-2016:0303

Look in the *Solution* section:

"Before applying this update, make sure all previously released errata
relevant to your system have been applied."

That does not say all security errata .. it says all errata. The same
thing is on every Red Hat errata page. They expect that you are
running whatever is an updated system. If you are running AUS or EUS,
they still expect you to do all updates for that repo, not just security
updates.

But the security plugins do not work for CentOS and they never have,
Peter is correct, you need to run yum update or call out the specific
packages you want updated.

You can look at the announce list to figure out which ones are SA or BA
or EA .. but you want all of them, as they go together.

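The announce-list lookup suggested in the message above, sketched as an added example that is not part of the original thread: it labels pending packages as SA, BA or EA for reporting, while the full `yum update` remains what gets applied. The subject lines, advisory ids, package list and all function names are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). All function names are hypothetical.

# CONSTRUCTED subject lines in the assumed CentOS-announce style; the
# advisory ids are placeholders, not real errata.
announce_subjects() {
    cat <<'EOF'
[CentOS-announce] CESA-0000:0001 Important CentOS 7 openssl Security Update
[CentOS-announce] CEBA-0000:0002 CentOS 7 tzdata BugFix Update
[CentOS-announce] CEEA-0000:0003 CentOS 7 microcode_ctl Enhancement Update
[CentOS-announce] CESA-0000:0004 Moderate CentOS 6 bind Security Update
EOF
}

# CONSTRUCTED stand-in for the package names reported by `yum check-update`.
pending_packages() {
    printf '%s\n' openssl tzdata bind kernel
}

# Print "TYPE ID PACKAGE" for every advisory issued for CentOS release $1.
# TYPE is SA, BA or EA, taken from the CESA/CEBA/CEEA prefix.
advisories_for_release() {
    announce_subjects | awk -v rel="$1" '
        {
            id = ""; pkg = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^CE[SBE]A-[0-9]+:[0-9]+$/) id = $i
                # The package name follows "CentOS <release>"; the severity
                # word is present only on security advisories.
                if ($i == "CentOS" && $(i + 1) == rel) pkg = $(i + 2)
            }
            if (id != "" && pkg != "") print substr(id, 3, 2), id, pkg
        }'
}

# Print "PACKAGE TYPE" for each pending package; "-" means no advisory for
# this release was found in the subjects (wrong release, or not announced).
pending_by_type() {
    adv=$(advisories_for_release "$1")
    pending_packages | while read -r pkg; do
        kind=$(printf '%s\n' "$adv" | awk -v p="$pkg" '$3 == p { print $1; exit }')
        printf '%s %s\n' "$pkg" "${kind:--}"
    done
}

# Pending packages that have a security advisory (SA) for release $1.
security_pending() {
    pending_by_type "$1" | awk '$2 == "SA" { print $1 }'
}

pending_by_type 7
```
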
On 03/01/2016 09:41 PM, Johnny Hughes wrote:
> On 03/01/2016 09:17 PM, Peter wrote:
>> On 02/03/16 15:57, Anthony K wrote:
>>> This command output is odd:
>>>
>>> yum update --security
>>> ...
>>> No packages needed for security; 118 packages available
>> ...
>>> Why does yum not consider this CESA a security update?
>>
>> Cherry-picking updates is not supported by CentOS, this is because each
>> package is built on a system with all previous updates applied and as
>> such each update that you install should have all previous updates
>> applied or there can be problems.
>>
>> As such CentOS does not support the --security option for yum, nor does
>> it support the yum-security plugin. You are expected to update your
>> entire system, not to do so will leave you with an unsupported system.
>> Also there will be other packages as well that have security issues that
>> need updating.
>
> RHEL does not support only security updates either .. they do have
> things like AUS / EAS .. but those things require all updates to be
> installed, not just all security updates.
>
> If you look at this update:
>
> https://access.redhat.com/errata/RHSA-2016:0303
>
> Look in the *Solution* section:
>
> "Before applying this update, make sure all previously released errata
> relevant to your system have been applied."
>
> That does not say all security errata .. it says all errata. The same
> thing is on every Red Hat errata page. They expect that you are
> running whatever is an updated system. If you are running AUS or EUS,
> they still expect you to do all updates for that repo, not just security
> updates.
>
> But the security plugins do not work for CentOS and they never have,
> Peter is correct, you need to run yum update or call out the specific
> packages you want updated.
>
> You can look at the announce list to figure out which ones are SA or BA
> or EA .. but you want all of them, as they go together.

Also, just installing the update is not enough, you also need to make
sure SSLv2 is disabled on the appropriate services:

http://red.ht/1pngpQ2

On Tue, 2016-03-01 at 21:58 -0600, Johnny Hughes wrote:
> On 03/01/2016 09:41 PM, Johnny Hughes wrote:
> > But the security plugins do not work for CentOS and they never have,
> > Peter is correct, you need to run yum update or call out the specific
> > packages you want updated.
> >

I totally understand the necessity of a full system update. However,
this begs the question "Why code an option into yum that is of no use?"

Was there a time when this option was functional? If yes, what caused
its removal? Was it a system compromise at some big corporation and
someone got sued/fired? What? Don't spare any gory details either!

ak.