
I know that the official CentOS 6 (even 7) update repositories do not provide security information. The consequence is that the yum-plugin-security plugin and the yum check-update --security command do not list any updates like on RHEL or OEL distros.

There is a nice script, generate_updateinfo, which is able to inject the missing piece of security information into a local yum repository. The plugin will then work even on CentOS.

Unfortunately, I have a small issue with it. I'm not sure if the problem is with the script or with how yum is working.

How to reproduce the issue (tested on CentOS 6.8, x86_64, but IMO, previous/newer versions suffer from the same issue):

  1. First, let's clean everything to start with a clean slate:
yum clean all
  2. Let's see what security updates are available (the system is not up to date):
yum check-update --security
...
56 package(s) needed for security, out of 28 available

kernel.x86_64                                 2.6.32-642.15.1.el6                         local-centos-6-x86_64-updates
kernel-devel.x86_64                           2.6.32-642.15.1.el6                         local-centos-6-x86_64-updates
kernel-firmware.noarch                        2.6.32-642.15.1.el6                         local-centos-6-x86_64-updates
kernel-headers.x86_64                         2.6.32-642.15.1.el6                         local-centos-6-x86_64-updates
libtiff.x86_64                                3.9.4-21.el6_8                              local-centos-6-x86_64-updates
openssl.x86_64                                1.0.1e-48.el6_8.4                           local-centos-6-x86_64-updates
sudo.x86_64                                   1.8.6p3-25.el6_8                            local-centos-6-x86_64-updates
  3. Now, let's install e.g. the squid package:
yum install -y squid 
...
Resolving Dependencies
--> Running transaction check
---> Package squid.x86_64 7:3.1.23-16.el6_8.6 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

====================================================================================================================
 Package           Arch               Version                          Repository                              Size
====================================================================================================================
Installing:
 squid             x86_64             7:3.1.23-16.el6_8.6              lp-centos-6-x86_64-updates             1.8 M

Transaction Summary
====================================================================================================================
Install       1 Package(s)

Total download size: 1.8 M
Installed size: 6.3 M
Downloading Packages:
squid-3.1.23-16.el6_8.6.x86_64.rpm                                                           | 1.8 MB     00:00
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Warning: RPMDB altered outside of yum.
  Installing : 7:squid-3.1.23-16.el6_8.6.x86_64                                                                 1/1
  Verifying  : 7:squid-3.1.23-16.el6_8.6.x86_64                                                                 1/1

Installed:
  squid.x86_64 7:3.1.23-16.el6_8.6

Complete!
  4. I would like to test an update of the package, so let's try to downgrade it first:
yum downgrade -y squid
...
Resolving Dependencies
--> Running transaction check
---> Package squid.x86_64 7:3.1.23-16.el6_8.5 will be a downgrade
---> Package squid.x86_64 7:3.1.23-16.el6_8.6 will be erased
--> Finished Dependency Resolution

Dependencies Resolved

====================================================================================================================
 Package           Arch               Version                          Repository                              Size
====================================================================================================================
Downgrading:
 squid             x86_64             7:3.1.23-16.el6_8.5              lp-centos-6-x86_64-updates             1.8 M

Transaction Summary
====================================================================================================================
Downgrade     1 Package(s)

Total download size: 1.8 M
Downloading Packages:
squid-3.1.23-16.el6_8.5.x86_64.rpm                                                           | 1.8 MB     00:00
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing : 7:squid-3.1.23-16.el6_8.5.x86_64                                                                 1/2
  Cleanup    : 7:squid-3.1.23-16.el6_8.6.x86_64                                                                 2/2
  Verifying  : 7:squid-3.1.23-16.el6_8.5.x86_64                                                                 1/2
  Verifying  : 7:squid-3.1.23-16.el6_8.6.x86_64                                                                 2/2

Removed:
  squid.x86_64 7:3.1.23-16.el6_8.6

Installed:
  squid.x86_64 7:3.1.23-16.el6_8.5

Complete!
  5. Let's double-check what is installed:
rpm -qa | grep -i squid
squid-3.1.23-16.el6_8.5.x86_64
  6. At this moment, I would expect that when I check security updates again, the squid package should be newly listed, but it isn't:
yum check-update --security
...
56 package(s) needed for security, out of 28 available

kernel.x86_64                                 2.6.32-642.15.1.el6                         local-centos-6-x86_64-updates
kernel-devel.x86_64                           2.6.32-642.15.1.el6                         local-centos-6-x86_64-updates
kernel-firmware.noarch                        2.6.32-642.15.1.el6                         local-centos-6-x86_64-updates
kernel-headers.x86_64                         2.6.32-642.15.1.el6                         local-centos-6-x86_64-updates
libtiff.x86_64                                3.9.4-21.el6_8                              local-centos-6-x86_64-updates
openssl.x86_64                                1.0.1e-48.el6_8.4                           local-centos-6-x86_64-updates
sudo.x86_64                                   1.8.6p3-25.el6_8                            local-centos-6-x86_64-updates
  7. Let's see what squid errata are installed on the system. This is somehow weird. From the above, I can see that squid was downgraded to squid-3.1.23-16.el6_8.5.x86_64 (CEBA_2016__1412 bugfix), but squid-3.1.23-16.el6_8.6.x86_64 (CESA_2016__1573) still seems to be marked as installed:
yum updateinfo list all | grep squid-3

i CESA_2011__1791 Moderate/Sec.  squid-3.1.10-1.el6_2.1.x86_64
i CEBA_2012__0122 bugfix         squid-3.1.10-1.el6_2.2.x86_64
i CEBA_2012__0470 bugfix         squid-3.1.10-1.el6_2.3.x86_64
i CEBA_2012__0557 bugfix         squid-3.1.10-1.el6_2.4.x86_64
i CEBA_2012__1290 bugfix         squid-3.1.10-9.el6_3.x86_64
i CESA_2013__0505 Moderate/Sec.  squid-3.1.10-16.el6.x86_64
i CEBA_2013__0985 bugfix         squid-3.1.10-18.el6_4.x86_64
i CEBA_2013__1396 bugfix         squid-3.1.10-19.el6_4.x86_64
i CEBA_2014__0048 bugfix         squid-3.1.10-20.el6_5.x86_64
i CESA_2014__0597 Moderate/Sec.  squid-3.1.10-20.el6_5.3.x86_64
i CESA_2014__1148 Important/Sec. squid-3.1.10-22.el6_5.x86_64
i CEBA_2014__1446 bugfix         squid-3.1.10-29.el6.x86_64
i CEBA_2015__1314 bugfix         squid-3.1.23-9.el6.x86_64
i CEBA_2016__0896 bugfix         squid-3.1.23-16.el6.x86_64
i CESA_2016__1138 Moderate/Sec.  squid-3.1.23-16.el6_8.4.x86_64
i CEBA_2016__1412 bugfix         squid-3.1.23-16.el6_8.5.x86_64
i CESA_2016__1573 Moderate/Sec.  squid-3.1.23-16.el6_8.6.x86_64
  8. When I try to get information for that erratum, there's nothing:
yum update info CESA_2016__1573
--- NOTHING NOTHING NOTHING ---
  9. When I try to list all errata but grep for that one, I can see it:
yum updateinfo info all | grep CESA_2016__1573 -B3 -A8
===============================================================================
  Moderate CentOS squid Security Update
===============================================================================
  Update ID : CESA_2016__1573
    Release : CentOS 6
       Type : security
     Status : stable
     Issued : 2016-08-04 12:51:39
Description : Moderate CentOS squid Security Update
   Severity : Moderate
  Installed : true

I would like to point out that I tested this scenario (downgrade/upgrade) on RHEL6 and it works. I also tried to install an old version of the squid package directly to avoid the downgrade/upgrade sequence, but the result was the same. And the issue is not related to the squid package only. Basically, I can reproduce the issue with any package. I also tried to clean the yum cache after the package downgrade, but it doesn't help.

Any idea what could be wrong?!? Why is it marked as installed when it is actually not?!? When testing on RHEL6, I can see it is not installed and then, it is included in the list of packages to be updated.

Thanks for any answer.

dsmsk80
    Could this not have something to do with info in the package cache? Perhaps between the downgrade and patch steps, you should clean the cache? Not that this would make the situation better, but it might be that the package manager is reading two different states. – Bruce Becker Nov 04 '18 at 11:47
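
An added example, not part of the original post: a Python cross-check of the `i` marks in `yum updateinfo list all` output against `rpm -qa`, flagging advisories reported as installed although every installed build of the package is older. The sample lines are copied from the output in the question; the function names and the simplified version comparison (no `~`/`^` handling, epoch ignored because these listings omit it) are assumptions of this example.

```python
import re

# Constructed sample input: lines copied from the question's own command output.
UPDATEINFO = """\
i CESA_2016__1138 Moderate/Sec.  squid-3.1.23-16.el6_8.4.x86_64
i CEBA_2016__1412 bugfix         squid-3.1.23-16.el6_8.5.x86_64
i CESA_2016__1573 Moderate/Sec.  squid-3.1.23-16.el6_8.6.x86_64
"""
RPM_QA = "gpg-pubkey-c105b9de-4e0fd3a3\nsquid-3.1.23-16.el6_8.5.x86_64\n"

def split_nvra(nvra):
    """'name-version-release.arch' -> 4-tuple, or None (e.g. gpg-pubkey-* lines)."""
    m = re.match(r"^(.+)-([^-]+)-([^-]+)\.([^.]+)$", nvra)
    return m.groups() if m else None

def rpmvercmp(a, b):
    """Simplified rpmvercmp (assumption: no '~' or '^'): returns -1, 0 or 1."""
    sa, sb = (re.findall(r"\d+|[A-Za-z]+", s) for s in (a, b))
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():      # a numeric segment beats an alphabetic one
            return 1 if x.isdigit() else -1
        if x.isdigit():
            x, y = int(x), int(y)
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))  # leftover segments win

def evr_cmp(a, b):
    """Compare (version, release) pairs: version first, then release."""
    return rpmvercmp(a[0], b[0]) or rpmvercmp(a[1], b[1])

def stale_installed_marks(updateinfo_text, rpm_qa_text):
    """Advisories marked 'i' whose package is newer than every installed build."""
    installed = {}
    for line in rpm_qa_text.split():
        parsed = split_nvra(line)
        if parsed:
            name, ver, rel, arch = parsed
            installed.setdefault((name, arch), []).append((ver, rel))
    stale = []
    for line in updateinfo_text.splitlines():
        fields = line.split()
        parsed = split_nvra(fields[-1]) if len(fields) >= 4 and fields[0] == "i" else None
        if not parsed:
            continue
        name, ver, rel, arch = parsed
        have = installed.get((name, arch))
        if have and all(evr_cmp(h, (ver, rel)) < 0 for h in have):
            stale.append((fields[1], fields[-1]))
    return stale

if __name__ == "__main__":
    for advisory, nvra in stale_installed_marks(UPDATEINFO, RPM_QA):
        print(f"{advisory}: marked installed, but {nvra} is newer than the RPM database")
```

On a live system, the two inputs would be the captured output of `yum updateinfo list all` and `rpm -qa`.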
