Updateinfo: A yum repository with CentOS Errata information
This site hosts a yum repository which includes CentOS Errata information (CESA, CEEA, CEBA).
It will allow you to see which vulnerabilities exist and which updates fix them.
Usage
cat > /etc/yum.repos.d/updates_cefs.repo <<EOF
[updates_cefs]
name=CentOS-\$releasever - Updates (from CEFS)
baseurl=https://you%40example.com:PASSWORD@updateinfo.cefs.steve-meier.de/\$releasever/updates/\$basearch/
gpgcheck=1
repo_gpgcheck=0
enabled=1
EOF
yum install yum-security
Once the repository is set up successfully you can run yum -q updateinfo list to get a list of available errata to be installed.
Example output:
CEBA-2017:1604 bugfix         chkconfig-1.7.2-1.el7_3.1.x86_64
CEBA-2017:1613 bugfix         dracut-033-463.el7_3.2.x86_64
CEBA-2017:1613 bugfix         dracut-config-rescue-033-463.el7_3.2.x86_64
CEBA-2017:1613 bugfix         dracut-network-033-463.el7_3.2.x86_64
CEBA-2017:1618 bugfix         gawk-4.0.2-4.el7_3.1.x86_64
CESA-2017:1481 Important/Sec. glibc-2.17-157.el7_3.4.x86_64
CESA-2017:1481 Important/Sec. glibc-common-2.17-157.el7_3.4.x86_64
CESA-2017:1481 Important/Sec. glibc-devel-2.17-157.el7_3.4.x86_64
CESA-2017:1481 Important/Sec. glibc-headers-2.17-157.el7_3.4.x86_64
CESA-2017:1484 Important/Sec. kernel-3.10.0-514.21.2.el7.x86_64
CESA-2017:1615 Important/Sec. kernel-3.10.0-514.26.1.el7.x86_64
CESA-2017:1484 Important/Sec. kernel-devel-3.10.0-514.21.2.el7.x86_64
CESA-2017:1615 Important/Sec. kernel-devel-3.10.0-514.26.1.el7.x86_64
CESA-2017:1484 Important/Sec. kernel-headers-3.10.0-514.21.2.el7.x86_64
CESA-2017:1615 Important/Sec. kernel-headers-3.10.0-514.26.1.el7.x86_64
CESA-2017:1484 Important/Sec. kernel-tools-3.10.0-514.21.2.el7.x86_64
CESA-2017:1615 Important/Sec. kernel-tools-3.10.0-514.26.1.el7.x86_64
CESA-2017:1484 Important/Sec. kernel-tools-libs-3.10.0-514.21.2.el7.x86_64
CESA-2017:1615 Important/Sec. kernel-tools-libs-3.10.0-514.26.1.el7.x86_64
CESA-2017:1484 Important/Sec. python-perf-3.10.0-514.21.2.el7.x86_64
CESA-2017:1615 Important/Sec. python-perf-3.10.0-514.26.1.el7.x86_64
CEBA-2017:1607 bugfix         xfsprogs-4.5.0-10.el7_3.x86_64
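The listing above is easy to feed into a patch-compliance check. The following is an added example, not part of the original site: it groups the output of yum -q updateinfo list by security advisory and derives an exit status for monitoring. The function names, the exit-code convention and the "Unspecified" label for a bare "security" type are assumptions of this example; the sample lines are constructed in the shape of the output above.

```shell
#!/bin/sh
# Constructed sample, shaped like the `yum -q updateinfo list` output above.
sample_updateinfo() {
    cat <<'EOF'
CEBA-2017:1604 bugfix         chkconfig-1.7.2-1.el7_3.1.x86_64
CESA-2017:1481 Important/Sec. glibc-2.17-157.el7_3.4.x86_64
CESA-2017:1481 Important/Sec. glibc-common-2.17-157.el7_3.4.x86_64
CESA-2017:1484 Important/Sec. kernel-3.10.0-514.21.2.el7.x86_64
CESA-2017:1615 Important/Sec. kernel-3.10.0-514.26.1.el7.x86_64
CESA-2017:1615 Important/Sec. kernel-tools-3.10.0-514.26.1.el7.x86_64
CEBA-2017:1607 bugfix         xfsprogs-4.5.0-10.el7_3.x86_64
EOF
}

# Reads updateinfo list output on stdin and prints "ADVISORY SEVERITY PACKAGES"
# for every security advisory, sorted by advisory ID. Bugfix (CEBA) and
# enhancement (CEEA) rows are ignored.
summarize_sec_errata() {
    awk '
        NF == 3 && ($2 ~ /\/Sec\.$/ || $2 == "security") {
            # A bare "security" type carries no severity (assumption: label it).
            sev = ($2 == "security") ? "Unspecified" : $2
            sub(/\/Sec\.$/, "", sev)
            severity[$1] = sev
            count[$1]++
        }
        END { for (id in count) print id, severity[id], count[id] }
    ' | sort
}

# Exit status convention of this example:
#   2 = a Critical or Important advisory is pending
#   1 = only lower-severity security advisories are pending
#   0 = no security advisories pending
errata_status() {
    summarize_sec_errata | awk '
        $2 == "Critical" || $2 == "Important" { high = 1 }
        { any = 1 }
        END { exit high ? 2 : (any ? 1 : 0) }
    '
}

# On a real host: yum -q updateinfo list | summarize_sec_errata
sample_updateinfo | summarize_sec_errata
```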
You can now install security updates only by running yum -q update --security
Example output:
===================================================================================================================
 Package                    Arch            Version                         Repository          Size
===================================================================================================================
Installing:
 kernel                     x86_64          3.10.0-514.26.1.el7             updates              37 M
 kernel-devel               x86_64          3.10.0-514.26.1.el7             updates              13 M
Updating:
 glibc                      x86_64          2.17-157.el7_3.4                updates             3.6 M
 glibc-common               x86_64          2.17-157.el7_3.4                updates              11 M
 glibc-devel                x86_64          2.17-157.el7_3.4                updates             1.1 M
 glibc-headers              x86_64          2.17-157.el7_3.4                updates             669 k
 kernel-headers             x86_64          3.10.0-514.26.1.el7             updates             4.8 M
 kernel-tools               x86_64          3.10.0-514.26.1.el7             updates             4.0 M
 kernel-tools-libs          x86_64          3.10.0-514.26.1.el7             updates             3.9 M
 python-perf                x86_64          3.10.0-514.26.1.el7             updates             4.0 M
Removing:
 kernel                     x86_64          3.10.0-514.2.2.el7              @updates            148 M
 kernel-devel               x86_64          3.10.0-514.2.2.el7              @updates             34 M

Transaction Summary
===================================================================================================================
Install  2 Packages
Upgrade  8 Packages
Remove   2 Packages

Is this ok [y/d/N]:
You can also install updates selectively by referencing a specific advisory: yum update --advisory=CESA-2017:1481
Example output:
[... output omitted ...]
4 package(s) needed (+0 related) for security, out of 20 available
Resolving Dependencies
--> Running transaction check
---> Package glibc.x86_64 0:2.17-157.el7_3.2 will be updated
---> Package glibc.x86_64 0:2.17-157.el7_3.4 will be an update
---> Package glibc-common.x86_64 0:2.17-157.el7_3.2 will be updated
---> Package glibc-common.x86_64 0:2.17-157.el7_3.4 will be an update
---> Package glibc-devel.x86_64 0:2.17-157.el7_3.2 will be updated
---> Package glibc-devel.x86_64 0:2.17-157.el7_3.4 will be an update
---> Package glibc-headers.x86_64 0:2.17-157.el7_3.2 will be updated
---> Package glibc-headers.x86_64 0:2.17-157.el7_3.4 will be an update
--> Finished Dependency Resolution

Dependencies Resolved

====================================================================================================================================
 Package                    Arch            Version                         Repository          Size
====================================================================================================================================
Updating:
 glibc                      x86_64          2.17-157.el7_3.4                updates             3.6 M
 glibc-common               x86_64          2.17-157.el7_3.4                updates              11 M
 glibc-devel                x86_64          2.17-157.el7_3.4                updates             1.1 M
 glibc-headers              x86_64          2.17-157.el7_3.4                updates             669 k

Transaction Summary
====================================================================================================================================
Upgrade  4 Packages

Total download size: 17 M
Is this ok [y/d/N]:
Last, but not least, you can also install updates linked to CVEs: yum update --cve CVE-2016-8399
Example output:
[... output omitted ...]
Resolving Dependencies
--> Running transaction check
---> Package kernel.x86_64 0:3.10.0-693.5.2.el7 will be installed
---> Package kernel-headers.x86_64 0:3.10.0-693.2.2.el7 will be updated
---> Package kernel-headers.x86_64 0:3.10.0-693.5.2.el7 will be an update
---> Package kernel-tools.x86_64 0:3.10.0-693.2.2.el7 will be updated
---> Package kernel-tools.x86_64 0:3.10.0-693.5.2.el7 will be an update
---> Package kernel-tools-libs.x86_64 0:3.10.0-693.2.2.el7 will be updated
---> Package kernel-tools-libs.x86_64 0:3.10.0-693.5.2.el7 will be an update
---> Package python-perf.x86_64 0:3.10.0-693.2.2.el7 will be updated
---> Package python-perf.x86_64 0:3.10.0-693.5.2.el7 will be an update
--> Finished Dependency Resolution

Dependencies Resolved

==================================================================================================================================
 Package                    Arch            Version                         Repository          Size
==================================================================================================================================
Installing:
 kernel                     x86_64          3.10.0-693.5.2.el7              updates              43 M
Updating:
 kernel-headers             x86_64          3.10.0-693.5.2.el7              updates             6.0 M
 kernel-tools               x86_64          3.10.0-693.5.2.el7              updates             5.1 M
 kernel-tools-libs          x86_64          3.10.0-693.5.2.el7              updates             5.0 M
 python-perf                x86_64          3.10.0-693.5.2.el7              updates             5.1 M

Transaction Summary
==================================================================================================================================
Install  1 Package
Upgrade  4 Packages

Total download size: 64 M
Is this ok [y/d/N]:
Frequently Asked Questions (FAQ)
Please check your Spam folder. If you can't find it there either, send me an email or a message on Patreon.
That's a good question.
My repository contains exactly the same packages as the official CentOS mirrors do.
As mirrors also have the same trust issue, yum performs signature verification on all packages before installation.
If I modified a package, yum would warn you about the incorrect signature and you would (hopefully) abort the installation.
I could remove packages from this repository (e.g. kernel updates) but your system would still learn about them through the default repositories.
So, yes, it's safe to add the repository but you should always be careful about any warnings popping up and not dismiss them easily.
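The answer above depends on gpgcheck staying enabled, and the repository file from the Usage section carries the Patron password inside baseurl. The following is an added example, not part of the original site: a small audit of a .repo file for both properties. The function names, finding labels and the policy of requiring an explicit gpgcheck=1 per repository are assumptions of this example; the sample file is constructed, and local_test is a hypothetical second repository.

```shell
#!/bin/sh
# Constructed sample: this page's repo stanza plus a hypothetical unsigned repo.
write_sample_repo() {
    cat > "$1" <<'EOF'
[updates_cefs]
baseurl=https://you%40example.com:PASSWORD@updateinfo.cefs.steve-meier.de/7/updates/x86_64/
gpgcheck=1
repo_gpgcheck=0
enabled=1
[local_test]
baseurl=http://repo.example.invalid/el7/
gpgcheck=0
EOF
    chmod 644 "$1"
}
# audit_repo_file FILE: prints one finding per line, returns 1 if there are any.
#   NO_GPGCHECK repo           enabled repo without an explicit gpgcheck=1
#   WORLD_READABLE_CREDS repo  baseurl has user:password@ and FILE is readable by "other"
audit_repo_file() {
    world=0
    [ -n "$(find "$1" -perm -004)" ] && world=1
    findings=$(awk -v world="$world" '
        function report() {
            if (repo == "") return
            if (enabled != "0" && gpgcheck != "1") print "NO_GPGCHECK", repo
            if (creds && world) print "WORLD_READABLE_CREDS", repo
        }
        /^[ \t]*\[/ {                      # new [section]: report the previous one
            report()
            repo = $0; gsub(/^[ \t]*\[|\].*$/, "", repo)
            enabled = "1"; gpgcheck = ""; creds = 0
            next
        }
        /^[ \t]*[#;]/ { next }             # comment line
        {
            eq = index($0, "=")
            if (eq == 0) next
            key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
            gsub(/[ \t]/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == "enabled") enabled = val
            else if (key == "gpgcheck") gpgcheck = val
            else if (key == "baseurl" && val ~ "^[a-z]+://[^/@]+:[^/@]+@") creds = 1
        }
        END { report() }
    ' "$1")
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"; return 1
}
demo=$(mktemp); write_sample_repo "$demo"; audit_repo_file "$demo" || :; rm -f "$demo"
```

On a real host, run audit_repo_file over each file in /etc/yum.repos.d; after chmod 600 on the file holding the credentials, the WORLD_READABLE_CREDS finding for it goes away.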
6.x and 7.x, as older versions have reached end of support.
Support for CentOS 8.x is in beta status.
This repository is for Patrons only. If you are a Patron of this project you will receive a username and password by email which will allow you to get access.
Yes. As long as you are a Patron, I don't care whether you use the repository on one or a dozen servers. If you have a really big installation, please consider using a proxy to conserve my bandwidth.
When I started a previous project I had a lot of hope that people would recognize the value and give back something. Unfortunately, that's not the case. Although downloaded by big corporations and even three-letter agencies, I did not receive enough donations to pay for the site, let alone buy myself a cold beer. That's why I rely on Patreon for this project.
I wish they did and still hope they ultimately will. You'll have to ask them yourself.
This is intentional and due to a change I made in October. On clients, yum will merge the updateinfo from my repository with the packages from the default update repository. This simplifies things. If you want to create a mirror or sync of my repository, please change the URL from /6/... to /6-sync/... and from /7/... to /7-sync/... respectively. Sorry if this has caused any inconvenience.
No.
You can send me an email and I will try to answer as my time permits.
Feedback
I would like to hear how this tool works for you. You can contact me via email:
email (at) steve (dash) meier (dot) de