Keeping your system up-to-date with the latest security patches is essential to ensure the safety and integrity of your Linux environment. In this guide, we’ll explore how to check for security updates, find Common Vulnerabilities and Exposures (CVEs), and install security updates using DNF (Dandified YUM) and RPM (Red Hat Package Manager).
1. Checking for Security Updates with DNF
DNF provides a convenient way to check for security updates across all installed packages. To list available security updates, use the following command:
# dnf updateinfo list security
This command will list all available security updates, showing the associated advisory and package details. It helps you identify which packages have security patches available.
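To turn that listing into a triage view, the following added example (not part of the original guide) groups the output by advisory and orders it by severity. It assumes the three-column layout printed by DNF 4 (advisory ID, `Severity/Sec.`, package); the function names and the sample advisory IDs are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: summarise `dnf updateinfo list security` output.
# Assumes DNF 4 column layout: <advisory> <Severity>/Sec. <package-nevra>

# Read the listing on stdin; print "<advisory> <severity> <package count>",
# highest severity first. Non-advisory lines (metadata notices) are skipped.
summarise_advisories() {
    awk '
        $2 ~ /\/Sec\.$/ {
            sev = $2; sub(/\/Sec\.$/, "", sev)
            if (!($1 in count)) severity[$1] = sev
            count[$1]++
        }
        END {
            rank["Critical"]=1; rank["Important"]=2; rank["Moderate"]=3; rank["Low"]=4
            for (id in count) {
                r = (severity[id] in rank) ? rank[severity[id]] : 5
                printf "%d %s %s %d\n", r, id, severity[id], count[id]
            }
        }' | sort -k1,1n -k2,2 | cut -d' ' -f2-
}

# Return 0 when at least one Critical or Important advisory is pending.
has_urgent_updates() {
    summarise_advisories | grep -qE ' (Critical|Important) [0-9]+$'
}

# Constructed sample standing in for real command output (IDs are placeholders).
sample_updateinfo() {
    cat <<'EOF'
Last metadata expiration check: 0:05:08 ago.
RHSA-0000:0001 Moderate/Sec.  openssl-1:0.0.2-2.el9.x86_64
RHSA-0000:0001 Moderate/Sec.  openssl-libs-1:0.0.2-2.el9.x86_64
RHSA-0000:0002 Important/Sec. kernel-0.0.1-1.el9.x86_64
EOF
}

# Live usage: dnf -q updateinfo list security | summarise_advisories
```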
2. Viewing Detailed Security Update Information
To get detailed information about a specific security advisory, including the CVE identifiers associated with it, use the following command:
# dnf changelog --upgrades package-name
For example, to get detailed information about security updates for the “openssl” package, you’d use:
# dnf changelog --upgrades openssl
This command prints the changelog entries for the pending upgrade of the specified package, which is where packagers normally record the CVE identifiers that the new build fixes.
3. Finding CVE (Common Vulnerabilities and Exposures)
- Finding CVE via National Vulnerability Database (NVD)
If you want to find detailed information about a specific security vulnerability using its CVE identifier, you can use the National Vulnerability Database (NVD) website or other security databases. Typically, you won’t find this directly through DNF or RPM commands. For example, you can visit the NVD website at https://nvd.nist.gov/ and search for the CVE using their search interface.
- Red Hat Errata
Red Hat provides official errata, which are documents containing information about security vulnerabilities, bug fixes, and enhancements. To access Red Hat’s errata online, visit their website at https://access.redhat.com/errata/. Here, you can search for specific advisories using keywords or CVE identifiers.
4. Identifying CVEs in Installed Packages
If you want to identify CVEs associated with installed packages on your system, you can use the following command:
# rpm -qa --changelog | grep CVE
OR
# rpm -q --changelog package-name | grep CVE
Both commands search package changelogs for references to CVE identifiers: the first across every installed package, the second for a single package. This is a quick way to see which CVEs your installed packages record in their changelogs.
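A plain `grep CVE` returns whole changelog lines, repeats the same identifier many times, and matches substrings. The added example below (not part of the original guide) reduces the changelog to a unique list of identifiers and answers whether one specific CVE is recorded; the function names and the sample changelog, including its placeholder CVE numbers, are constructed.

```bash
#!/usr/bin/env bash
# Added example: extract CVE identifiers from RPM changelog text.

# Print the unique CVE identifiers found on stdin, one per line, sorted.
extract_cves() {
    grep -oE 'CVE-[0-9]{4}-[0-9]{4,}' | sort -u
}

# Return 0 only if the exact CVE ID given as $1 appears in the text on stdin.
# Matching whole lines (-x) stops CVE-0000-2222 from matching CVE-0000-22222.
changelog_mentions_cve() {
    extract_cves | grep -qxF -- "$1"
}

# Constructed sample standing in for `rpm -q --changelog openssl` output.
sample_changelog() {
    cat <<'EOF'
* Wed Jan 01 2020 Example Packager <packager@example.com> - 1:0.0.2-2
- Fix excessive time spent checking keys (CVE-0000-11111)
- Resolves: CVE-0000-11111, CVE-0000-22222

* Tue Dec 31 2019 Example Packager <packager@example.com> - 1:0.0.2-1
- Rebase to upstream version 0.0.2
- Fix buffer handling in parser CVE-0000-33333
EOF
}

# Live usage:
#   rpm -q --changelog openssl | extract_cves
#   rpm -q --changelog openssl | changelog_mentions_cve CVE-YYYY-NNNN
```

A changelog only lists what the packager chose to record, so a missing entry is not proof that a CVE is unpatched; confirm against the vendor errata.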
5. Installing Security Updates with DNF
Once you’ve identified the security updates you want to install (either through checking with DNF or other sources), you can proceed with updating your system. To install all available security updates, use the following command:
# sudo dnf update --security
This command will update all packages with available security updates, ensuring that your system is protected against known vulnerabilities.
To install the available security updates for a single application, use the following command:
# sudo dnf update --security openssl
Example:
[root@TechArticles:~]# dnf update --security openssl
Last metadata expiration check: 0:05:08 ago on Mon Aug 14 19:55:09 2023.
Dependencies resolved.
=======================================================================================================================
 Package                    Architecture          Version                       Repository                  Size
=======================================================================================================================
Upgrading:
 openssl                    x86_64                1:3.0.7-17.el9_2              baseos                     1.2 M
 openssl-libs               x86_64                1:3.0.7-17.el9_2              baseos                     2.1 M

Transaction Summary
=======================================================================================================================
Upgrade  2 Packages

Total download size: 3.3 M
Is this ok [y/N]: y
Downloading Packages:
(1/2): openssl-3.0.7-17.el9_2.x86_64.rpm                                         50 kB/s | 1.2 MB     00:23
(2/2): openssl-libs-3.0.7-17.el9_2.x86_64.rpm                                    58 kB/s | 2.1 MB     00:37
-----------------------------------------------------------------------------------------------------------------------
Total                                                                            86 kB/s | 3.3 MB     00:39
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                                                  1/1
  Upgrading        : openssl-libs-1:3.0.7-17.el9_2.x86_64                                             1/4
  Upgrading        : openssl-1:3.0.7-17.el9_2.x86_64                                                  2/4
  Cleanup          : openssl-1:3.0.1-43.el9_0.x86_64                                                  3/4
  Cleanup          : openssl-libs-1:3.0.1-43.el9_0.x86_64                                             4/4
  Running scriptlet: openssl-libs-1:3.0.1-43.el9_0.x86_64                                             4/4
  Verifying        : openssl-1:3.0.7-17.el9_2.x86_64                                                  1/4
  Verifying        : openssl-1:3.0.1-43.el9_0.x86_64                                                  2/4
  Verifying        : openssl-libs-1:3.0.7-17.el9_2.x86_64                                             3/4
  Verifying        : openssl-libs-1:3.0.1-43.el9_0.x86_64                                             4/4

Upgraded:
  openssl-1:3.0.7-17.el9_2.x86_64                    openssl-libs-1:3.0.7-17.el9_2.x86_64

Complete!
This command will update only openssl with available security updates, ensuring that your system is protected against known vulnerabilities.
6. Installing Security Updates with RPM
If you need to install a specific RPM package that provides a security fix, you can do this directly using the RPM command. First, download the updated RPM package from a trusted source (such as the official repository or the package maintainer’s website). Then, use the following command to install the RPM:
# sudo rpm -Uvh package.rpm
Replace “package.rpm” with the actual filename of the downloaded RPM package. This command will upgrade the package if it’s already installed or install it if it’s not present on the system.
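Unlike `dnf`, a bare `rpm -Uvh` is not gated by a repository's `gpgcheck` setting, so "trusted source" is worth enforcing with `rpm -K` before installing. The added example below (not part of the original guide) refuses to install unless both digests and signatures verify; it assumes the one-line result wording of rpm 4.14 and later, and the function names and the `RPM_CMD` override are hypothetical helpers introduced here.

```bash
#!/usr/bin/env bash
# Added example: install a downloaded RPM only if `rpm -K` verifies it.
# Assumes rpm >= 4.14 result wording ("digests signatures OK").

# Classify one line of `rpm -K` output: prints signed-ok, unsigned, or bad.
classify_checksig() {
    case "$1" in
        *"NOT OK"*)        echo bad ;;        # digest/signature failed or key not imported
        *"signatures OK"*) echo signed-ok ;;  # digests and signature both verified
        *"digests OK"*)    echo unsigned ;;   # file intact but carries no signature
        *)                 echo bad ;;        # unrecognised output: fail closed
    esac
}

# Verify, then upgrade/install. RPM_CMD (hypothetical) lets the logic be
# exercised offline with a stub; it defaults to the real rpm binary.
verified_install() {
    vi_pkg=$1
    vi_out=$("${RPM_CMD:-rpm}" -K "$vi_pkg" 2>&1) || true
    vi_verdict=$(classify_checksig "$vi_out")
    if [ "$vi_verdict" != signed-ok ]; then
        echo "refusing to install $vi_pkg: $vi_verdict ($vi_out)" >&2
        return 1
    fi
    "${RPM_CMD:-rpm}" -Uvh "$vi_pkg"
}

# Live usage (as root): verified_install package.rpm
```

Signatures are checked against the public keys already imported into the RPM database with `rpm --import`, so import the vendor key from a source you trust before relying on the result.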
Conclusion
Regularly checking for security updates, being aware of CVEs, and promptly installing security patches are crucial steps in maintaining a secure Linux system. By using DNF and RPM, you have powerful tools at your disposal to keep your system protected from known vulnerabilities.