Installing only security updates using yum in RHEL

Posted on by

[The contents mostly apply to Scientific Linux 6 as well. CentOS users should see the Notes below]

In Enterprise Linux, it is often desirable to minimize the number of updates to install. Many admins just want to apply security-related updates. This is easily done using yum security plugin. First, install the plugin:

yum install yum-plugin-security

To install only the security updates :

yum --security update

You’ll see something similar to:

===================================================================================
 Package           Arch        Version             Repository                 Size
===================================================================================
Updating:
 mysql             x86_64      5.1.69-1.el6_4      rhel-x86_64-server-6      907 k
 mysql-libs        x86_64      5.1.69-1.el6_4      rhel-x86_64-server-6      1.2 M
 mysql-server      x86_64      5.1.69-1.el6_4      rhel-x86_64-server-6      8.7 M

Transaction Summary
===================================================================================

That’s it. But there are many other things you can do. For example, yum updateinfo has some handy options. Try the following:

yum updateinfo summary
yum updateinfo list security
yum updateinfo list available
yum updateinfo list bugzillas

The first command may show:

Updates Information Summary: available
    3 Important Security notice(s)
    2 Bugfix notice(s)
updateinfo summary done

The second command will display the advisory info such as:

RHSA-2013:0772 Important/Sec. mysql-5.1.69-1.el6_4.x86_64

Then you can apply the update based on the advisory:

yum update --advisory RHSA-2013:0772

Notes for CentOS users
At the time of this writing, CentOS does not have the yum security feature implemented. This might change in a future. Stay tuned.

Notes for Scientific Linux users
Scientific Linux has been providing the package updates in two repositories, sl-security and sl-fastbugs. The sl-security repo contains security-related packages plus their dependencies and is shipped enabled by default. The sl-fastbugs repository is for non-security updates which is shipped disabled. Thus, applying security only updates is the default behavior.