atomic-penguin's blog

Musings on Linux, Opscode Chef, online gaming, and home cooking.

TIL: System Generated Errata List and Patch Changelog With Yum

I was looking for a way to create a system-generated CVE, or errata, list for a production change request today. I recall this being easier on the RHN (Red Hat Network) portal, in the past. That has changed so much, I don’t even know where to look, and apparently cannot list more than 10 errata issues per page.

So as I searched for a way to generate this report, I came across two yum plugins I have overlooked in the past: the yum-security and yum-changelog plugins. Assuming you have a change request process involving two identical servers, test and production, you can use these two plugins to generate change request documentation.

The yum-security plugin will generate a compact list of Red Hat bug/security advisory IDs, or even long-format issue reports, applicable to your production machine.

The yum-changelog plugin can generate a list of what issues were just patched on the test machine, which can be submitted as part of the change request documentation for the production machine. The yum-changelog plugin needs the package python-dateutil for full functionality.

Install plugins

yum -y install yum-security yum-changelog python-dateutil

Generate an errata list, or display issue reports.

Run yum list-sec to generate a short-format errata list. Some third-party packages may not appear in the list, because their repositories are probably lacking the necessary metadata.

[root@production]# yum list-sec
RHBA-2013:1040 bugfix   bash-3.2-32.el5_9.1.i386
RHSA-2013:0983 security curl-7.15.5-17.el5_9.i386
FEDORA-EPEL-2013-10647 bugfix   dkms-2.2.0.3-8.el5.noarch
FEDORA-EPEL-2013-10952 bugfix   dkms-2.2.0.3-14.el5.noarch
RHSA-2013:0981 security firefox-17.0.7-1.el5_9.i386
RHSA-2013:1140 security firefox-17.0.8-1.el5_9.i386
RHBA-2013:1039 bugfix   gnome-vfs2-2.16.2-12.el5_9.i386
RHBA-2013:1039 bugfix   gnome-vfs2-smb-2.16.2-12.el5_9.i386
RHSA-2013:1014 security java-1.6.0-openjdk-1:1.6.0.0-1.41.1.11.11.90.el5_9.i386
RHSA-2013:1014 security java-1.6.0-openjdk-devel-1:1.6.0.0-1.41.1.11.11.90.el5_9.i386
RHBA-2013:1123 bugfix   libxml2-2.6.26-2.1.21.el5_9.3.i386
RHBA-2013:1123 bugfix   libxml2-devel-2.6.26-2.1.21.el5_9.3.i386
RHBA-2013:1123 bugfix   libxml2-python-2.6.26-2.1.21.el5_9.3.i386
RHSA-2013:1135 security nspr-4.9.5-1.el5_9.i386
RHSA-2013:1135 security nss-3.14.3-6.el5_9.i386
RHSA-2013:1135 security nss-tools-3.14.3-6.el5_9.i386
RHBA-2013:1128 bugfix   poppler-0.5.4-19.el5_9.2.i386
RHBA-2013:1128 bugfix   poppler-utils-0.5.4-19.el5_9.2.i386
RHSA-2013:1121 security sos-1.7-9.62.el5_9.1.noarch
RHBA-2013:1091 bugfix   sqlite-3.3.6-7.i386
RHEA-2013:1025 enhancement tzdata-2013c-2.el5.i386
RHEA-2013:1025 enhancement tzdata-java-2013c-2.el5.i386
RHSA-2013:0981 security xulrunner-17.0.7-1.el5_9.i386
RHSA-2013:1140 security xulrunner-17.0.8-3.el5_9.i386
list-sec done
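As an added example that is not part of the original post: a small POSIX shell helper that turns yum list-sec output like the above into a deduplicated per-advisory list, which is what a change request wants (one line per errata ID, not one per package, since a single advisory such as RHSA-2013:1014 covers several packages). The sample input is constructed from the output above, and the function names errata_summary and errata_count are my own.

```shell
#!/bin/sh
# Added example, not from the original post: summarise 'yum list-sec' output
# into a deduplicated errata list per advisory type (security/bugfix/enhancement).
# Constructed sample input, trimmed from the list-sec output shown in the post.
SAMPLE_LIST_SEC='RHBA-2013:1040 bugfix   bash-3.2-32.el5_9.1.i386
RHSA-2013:0983 security curl-7.15.5-17.el5_9.i386
FEDORA-EPEL-2013-10647 bugfix   dkms-2.2.0.3-8.el5.noarch
RHSA-2013:0981 security firefox-17.0.7-1.el5_9.i386
RHSA-2013:1140 security firefox-17.0.8-1.el5_9.i386
RHSA-2013:1014 security java-1.6.0-openjdk-1:1.6.0.0-1.41.1.11.11.90.el5_9.i386
RHSA-2013:1014 security java-1.6.0-openjdk-devel-1:1.6.0.0-1.41.1.11.11.90.el5_9.i386
RHEA-2013:1025 enhancement tzdata-2013c-2.el5.i386
RHSA-2013:0981 security xulrunner-17.0.7-1.el5_9.i386
list-sec done'

# errata_summary TYPE  (reads list-sec output on stdin)
# Prints each distinct advisory ID of TYPE once, in first-seen order,
# followed by every package that advisory covers. Lines that are not
# "ID TYPE PACKAGE" triples (e.g. "list-sec done") are ignored.
errata_summary() {
    awk -v want="$1" '
        NF == 3 && $2 == want {
            if (!($1 in pkgs)) order[++n] = $1
            pkgs[$1] = pkgs[$1] " " $3
        }
        END {
            for (i = 1; i <= n; i++) printf "%s:%s\n", order[i], pkgs[order[i]]
        }'
}

# errata_count TYPE  (reads list-sec output on stdin)
# Number of distinct advisories of TYPE; zero when none match.
errata_count() {
    errata_summary "$1" | wc -l | tr -d ' '
}

# Example: the security advisories pending on this host, one per line.
# On a real system replace the sample with:  yum list-sec | errata_summary security
printf '%s\n' "$SAMPLE_LIST_SEC" | errata_summary security
```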

Run yum info-security to generate a long-format issue report. Here is a truncated output example.

[root@production]# yum info-security
===============================================================================
bash bug fix update
===============================================================================
  Update ID : RHBA-2013:1040
    Release : 
       Type : bugfix
     Status : final
     Issued : 2013-07-10 00:00:00
    Summary : Updated bash packages that fix one bug are now available for Red
            : Hat Enterprise Linux 5.
Description : The GNU Bourne Again shell (Bash) is a shell and command
            : language interpreter compatible with the Bourne
            : shell (sh). Bash is the default shell for Red Hat
            : Enterprise Linux.
            : 
            : This update fixes the following bug:
            : 
            : * When a trap handler was invoked while running
            :   another trap handler, which was invoked during a
            :   pipeline call, bash was unresponsive. With this
            :   update, pipeline calls are saved and
            :   subsequently restored in this scenario, and bash
            :   responds normally. (BZ#978840)
            : 
            : Users of bash are advised to upgrade to these
            : updated packages, which fix this bug.
   Solution : Before applying this update, make sure all previously-released
            : errata relevant to your system have been applied.
            : 
            : This update is available via the Red Hat Network.
            : Details on how to use the Red Hat Network to apply
            : this update are available at
            : https://access.redhat.com/site/articles/11258
     Rights : Copyright 2013 Red Hat Inc

Generate a changelog after patching the test system.

According to my /var/log/yum.log, let us say I last patched this system on 2013-7-18. I would generate a changelog of the patches installed on the test machine since that date, as follows.

[root@test]# yum -y upgrade
...
[root@test]# yum changelog 2013-7-18 installed
Listing changelogs since 2013-07-18

==================== Installed Packages ====================
libxml2-2.6.26-2.1.21.el5_9.3.i386       installed
* Tue Jul 23 18:00:00 2013 Daniel Veillard - 2.6.26-2.1.21.el5_9.3
- fixed one regexp bug and added a (rhbz#987321)
- Another small change on the algorithm for the elimination of epsilon (rhbz#987321)

poppler-0.5.4-19.el5_9.2.i386            installed
* Tue Jul 30 18:00:00 2013 Marek Kasik - 0.5.4-19.el5_9.2
- Initialize variables correctly before their use
- Resolves: #990097
* Tue Jul 30 18:00:00 2013 Marek Kasik - 0.5.4-19.el5_9.1
- Decode encoded streams before using them
- Resolves: #990096

nss-3.14.3-6.el5_9.i386                  installed
* Tue Jul 23 18:00:00 2013 Elio Maldonado - 3.14.3-6
- Resolves: rhbz#986969 - nssutil_ReadSecmodDB() leaks memory

firefox-17.0.8-1.el5_9.i386              installed
* Wed Jul 31 18:00:00 2013 Martin Stransky - 17.0.8-1
- Update to 17.0.8 ESR

dkms-2.2.0.3-14.el5.noarch               installed
* Mon Jul 22 08:00:00 2013 Simone Caronni - 2.2.0.3-14
- Remove systemd / SysV conversion as per new packaging guidelines.
- Add patch for #986887 to force tarball creation.
* Mon Jul 22 08:00:00 2013 Simone Caronni - 2.2.0.3-13
- Add fix for #986887; do not use lib64 for storing data as it was in 2.2.0.3-5.
* Sun Jul 21 08:00:00 2013 Simone Caronni - 2.2.0.3-12
- Add patch for #986557.

xulrunner-17.0.8-3.el5_9.i386            installed
* Tue Aug  6 18:00:00 2013 Martin Stransky - 17.0.8-3
- Update to 17.0.8 ESR Build 2
- Disable strict aliasing - mozbz#821502
* Thu Aug  1 18:00:00 2013 Martin Stransky - 17.0.8-2
- Added fix for rhbz#990921 - firefox does not build with.
  required nss/nspr
* Wed Jul 31 18:00:00 2013 Martin Stransky - 17.0.8-1
- Update to 17.0.8 ESR

sos-1.7-9.62.el5_9.1.noarch              installed
* Mon Jul 22 18:00:00 2013 Bryn M. Reeves - 1.7-9.62.el5_9.1
- Remove anaconda-ks.cfg collection from general plug-in
- Resolves: bz965807

changelog stats. 951 pkgs, 947 source pkgs, 12 changelogs

Conclusion

Even if you do not work in an environment with strict change control procedures, the yum-security plugin can be helpful to see what known bugs and security issues exist in your RHEL environment, while yum-changelog allows you to thoroughly examine what changes you just made to your system.
