Sep 04, 2022

One of the nice features of Red Hat Enterprise Linux 9 (RHEL 9) OS is the ability to check, research and install only security updates from the command line.

As a systems administrator, there’s always a risk that installing an update might break something important in the enterprise and lead to undesirable consequences.

So tread carefully when it comes to change management of your enterprise servers.

At the same time, it’s good to know which security updates are available and to get some details about them right from within the CLI.

RHEL 9 List & Install Security Updates in Red Hat 9

By the way, the ability to install only security updates in RHEL was available in some older versions of RHEL like RHEL 8 and 7 as well.

Four Security Tasks

In this post, we’ll consider four important security aspects in Red Hat 9:
1. How to List Only Security Updates in RHEL 9
2. How to List Already Installed Security Updates in RHEL 9
3. How to Install All Security Updates (and Only Security Updates) in RHEL 9
4. How to Research and Install Only a Single Security Update in RHEL 9

Task 1: List Only Security Updates

[jack@localhost ~]$ sudo dnf updateinfo list updates security

Updating Subscription Management repositories.
Red Hat Enterprise Linux 9 for x86_64 – BaseOS (RPMs) 16 kB/s | 4.1 kB 00:00
Red Hat Enterprise Linux 9 for x86_64 – AppStream (RPMs) 21 kB/s | 4.1 kB 00:00
RHSA-2022:6157 Moderate/Sec. curl-7.76.1-14.el9_0.5.x86_64
RHSA-2022:6174 Important/Sec. firefox-91.13.0-1.el9_0.x86_64
RHSA-2022:6157 Moderate/Sec. libcurl-7.76.1-14.el9_0.5.x86_64
RHSA-2022:6181 Important/Sec. rsync-3.2.3-9.el9_0.2.x86_64

Task 2: List Security Updates Already Installed

You can also check for a list of security updates that you have already installed.

[jack@localhost ~]$ dnf updateinfo list security --installed

Not root, Subscription Management repositories not updated
Red Hat Enterprise Linux 9 for x86_64 – BaseOS (RPMs) 18 kB/s | 4.1 kB 00:00
Red Hat Enterprise Linux 9 for x86_64 – AppStream (RPMs) 21 kB/s | 4.1 kB 00:00
RHSA-2022:4990 Important/Sec. cups-1:2.3.3op2-13.el9_0.1.x86_64
RHSA-2022:4990 Important/Sec. cups-client-1:2.3.3op2-13.el9_0.1.x86_64
RHSA-2022:4990 Important/Sec. cups-filesystem-1:2.3.3op2-13.el9_0.1.noarch
RHSA-2022:4990 Important/Sec. cups-ipptool-1:2.3.3op2-13.el9_0.1.x86_64
RHSA-2022:4990 Important/Sec. cups-libs-1:2.3.3op2-13.el9_0.1.x86_64
RHSA-2022:4873 Important/Sec. firefox-91.10.0-1.el9_0.x86_64
RHSA-2022:5481 Important/Sec. firefox-91.11.0-2.el9_0.x86_64
RHSA-2022:5767 Important/Sec. firefox-91.12.0-2.el9_0.x86_64
RHSA-2022:4590 Important/Sec. firefox-91.9.0-1.el9_0.x86_64
RHSA-2022:4765 Critical/Sec. firefox-91.9.1-1.el9_0.x86_64
RHSA-2022:5099 Important/Sec. grub2-common-1:2.06-27.el9_0.7.noarch
….[Output truncated]

Task 3: How to Install Only Security Updates

Now it’s time to consider the most important task of this post.

How do we install all of the security updates, and only the security updates, on Red Hat Enterprise Linux 9?

[jack@localhost ~]$ sudo dnf update --security

[Output truncated]
Package Architecture Version Repository Size
kernel x86_64 5.14.0-70.22.1.el9_0 rhel-9-for-x86_64-baseos-rpms 595 k
bpftool x86_64 5.14.0-70.22.1.el9_0 rhel-9-for-x86_64-baseos-rpms 1.3 M
curl x86_64 7.76.1-14.el9_0.4 rhel-9-for-x86_64-baseos-rpms 300 k
expat x86_64 2.2.10-12.el9_0.2 rhel-9-for-x86_64-baseos-rpms 109 k
grafana x86_64 7.5.11-5.el9_0 rhel-9-for-x86_64-appstream-rpms 39 M
kernel-headers x86_64 5.14.0-70.22.1.el9_0 rhel-9-for-x86_64-appstream-rpms 2.2 M
kernel-tools x86_64 5.14.0-70.22.1.el9_0 rhel-9-for-x86_64-baseos-rpms 824 k
kernel-tools-libs x86_64 5.14.0-70.22.1.el9_0 rhel-9-for-x86_64-baseos-rpms 605 k
libarchive x86_64 3.5.3-2.el9_0 rhel-9-for-x86_64-baseos-rpms 392 k
[Output truncated]

Task 4: How to Research & Install Only a Single Security Update

RHEL 9 also lets you research and install a single security update out of many possible security updates.

For instance, Red Hat classified Firefox as an important security update.

Since the Firefox browser was a crucial element of my organization’s security policy, I went ahead and installed it without researching it further.

[jack@localhost ~]$ sudo dnf install firefox-91.13.0-1.el9_0.x86_64

……[output truncated]

Dig Deeper

By the way, you can also dig deeper and research a Red Hat security update recommendation from within the CLI itself.

When I found that Red Hat put up the rsync file copy and synchronize utility as an important security update, I was curious to see what the issue was.

So I went back to Task 1 (see above) to get the Update ID for the rsync security update and then ran the command below.

[jack@localhost ~]$ sudo dnf updateinfo info RHSA-2022:6181

Update ID: RHSA-2022:6181
Type: security
Updated: 2022-08-24 13:06:01
Bugs: 2110928 – CVE-2022-29154 rsync: remote arbitrary files write inside the directories of connecting peers
CVEs: CVE-2022-29154
Description: The rsync utility enables the users to copy and synchronize files locally or across a network.
…[Output truncated]

Now I know that the security hole in rsync relates to “remote arbitrary files write inside the directories of connecting peers.”

Depending on my organization’s security policy and requirements, I can then decide to either ignore or upgrade rsync.
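
The workflow above (list, research, then install selectively) can be scripted. The following is an added example, not part of the original post: it parses the Task 1 output, groups packages by advisory, and prints the research and install commands for advisories at or above a chosen severity. The function names are hypothetical, and --advisory is a dnf option that the post itself does not use.

```shell
#!/bin/sh
# Added example: group Task 1 output by advisory so each RHSA can be
# researched and applied on its own. Function names are hypothetical.

# Sample input: the advisory lines from the Task 1 listing above,
# embedded so the script runs offline.
sample_updateinfo() {
cat <<'EOF'
Updating Subscription Management repositories.
RHSA-2022:6157 Moderate/Sec.  curl-7.76.1-14.el9_0.5.x86_64
RHSA-2022:6174 Important/Sec. firefox-91.13.0-1.el9_0.x86_64
RHSA-2022:6157 Moderate/Sec.  libcurl-7.76.1-14.el9_0.5.x86_64
RHSA-2022:6181 Important/Sec. rsync-3.2.3-9.el9_0.2.x86_64
EOF
}

# advisory_plan MIN_SEVERITY
# Reads `dnf updateinfo list updates security` output on stdin and prints
# "<advisory> <severity> <pkg,pkg,...>" for advisories at or above
# MIN_SEVERITY (Low, Moderate, Important or Critical).
advisory_plan() {
  awk -v min="$1" '
    BEGIN { rank["Low"]=1; rank["Moderate"]=2; rank["Important"]=3; rank["Critical"]=4 }
    $1 ~ /^RHSA-[0-9]+:[0-9]+$/ && $2 ~ /\/Sec\.$/ {
      sev = $2; sub(/\/Sec\.$/, "", sev)
      # Skip unknown severities and anything below the threshold.
      if (!(sev in rank) || rank[sev] < rank[min]) next
      if ($1 in pkgs) { pkgs[$1] = pkgs[$1] "," $3 }
      else { order[++n] = $1; sevof[$1] = sev; pkgs[$1] = $3 }
    }
    END { for (i = 1; i <= n; i++) print order[i], sevof[order[i]], pkgs[order[i]] }
  '
}

# plan_commands MIN_SEVERITY
# Prints, without running them, the research and install commands for each
# selected advisory, ready to paste into a change ticket.
plan_commands() {
  advisory_plan "$1" | while read -r id sev pkgs; do
    echo "dnf updateinfo info $id    # $sev: $pkgs"
    echo "sudo dnf update --advisory=$id"
  done
}

# On a real host: sudo dnf -q updateinfo list updates security | plan_commands Important
sample_updateinfo | plan_commands Important
```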

Does Ubuntu offer the capability to list, research and install only security updates via the command line?

I doubt it.

But I have noticed that Linux Mint offers the ability to view and install only security updates via its GUI-based Update Manager.
