This topic describes how to use YUM to query, check for, and install security updates for Alibaba Cloud Linux 2.
Background
To ensure system security, Alibaba Cloud Linux 2 stays up-to-date on Common Vulnerabilities and Exposures (CVEs) through community-based, industry-supported efforts. Alibaba Cloud Linux 2 updates software packages, including the kernel packages, and fixes software defects and security vulnerabilities in a timely manner. For information about Alibaba Cloud Linux 2 security updates, see Alibaba Cloud Linux 2.1903 Security Advisories.
Security updates are classified into the following severity levels:
- Critical: High-risk vulnerabilities exist and the security update is required.
- Important: Relatively high-risk vulnerabilities exist and the security update is strongly recommended.
- Moderate: Medium-risk vulnerabilities exist and the security update is recommended.
- Low: Low-risk vulnerabilities exist and the security update is optional.
Query security updates
yum updateinfo <command> [option]
The following table describes the variables of the command.
Variable | Valid value |
---|---|
command |
|
option |
|
This section provides examples of the commands that you can run to query security updates.
- Run the `yum updateinfo --help` command to obtain the help information about the command.
- Run the `yum updateinfo` command to query information about all available security updates. Sample command and command output:

  ```
  # yum updateinfo
  Loaded plugins: fastestmirror
  Determining fastest mirrors
  base                                     | 3.1 kB  00:00:00
  extras                                   | 2.5 kB  00:00:00
  plus                                     | 2.5 kB  00:00:00
  updates                                  | 2.9 kB  00:00:00
  (1/6): extras/2.1903/x86_64/primary_db   | 149 kB  00:00:00
  (2/6): base/2.1903/x86_64/group_gz       | 101 kB  00:00:00
  (3/6): updates/2.1903/x86_64/updateinfo  | 81 kB   00:00:00
  (4/6): plus/2.1903/x86_64/primary_db     | 1.5 MB  00:00:00
  (5/6): base/2.1903/x86_64/primary_db     | 4.9 MB  00:00:00
  (6/6): updates/2.1903/x86_64/primary_db  | 6.1 MB  00:00:00
  Updates Information Summary: updates
      17 Security notice(s)
           7 Important Security notice(s)
           6 Moderate Security notice(s)
           4 Low Security notice(s)
  updateinfo summary done
  ```
- Run the `yum updateinfo list` command to query the list of available security updates. Sample command and command output:

  ```
  # yum updateinfo list
  Loaded plugins: fastestmirror
  Loading mirror speeds from cached hostfile
  ALINUX2-SA-2019:0055 Moderate/Sec. binutils-2.27-41.base.1.al7.x86_64
  ALINUX2-SA-2019:0058 Low/Sec.      curl-7.29.0-54.1.al7.x86_64
  ALINUX2-SA-2019:0059 Low/Sec.      elfutils-default-yama-scope-0.176-2.1.al7.n
  ...
  ```
- Run the `yum updateinfo info <update_id>` command to query the details about a specific security update. Sample command and command output:

  ```
  # yum updateinfo info ALINUX2-SA-2020:0005
  Loaded plugins: fastestmirror
  Loading mirror speeds from cached hostfile
  ===============================================================================
    ALINUX2-SA-2020:0005: nss, nss-softokn, nss-util security update (Important)
  ===============================================================================
    Update ID : ALINUX2-SA-2020:0005
      Release : Alibaba Cloud Linux 2.1903
         Type : security
       Status : stable
       Issued : 2020-01-03
         CVEs : CVE-2019-11729
              : CVE-2019-11745
  Description : Package updates are available for Alibaba Cloud Linux 2.1903 that fix
              : the following vulnerabilities:
              :
              : CVE-2019-11729:
              : Empty or malformed p256-ECDH public keys may
              : trigger a segmentation fault due values being
              : improperly sanitized before being copied into
              : memory and used. This vulnerability affects
              : Firefox ESR < 60.8, Firefox < 68, and Thunderbird
              : < 60.8.
              :
              : CVE-2019-11745:
              : When encrypting with a block cipher, if a call to
              : NSC_EncryptUpdate was made with data smaller than
              : the block size, a small out of bounds write could
              : occur. This could have caused heap corruption and
              : a potentially exploitable crash. This
              : vulnerability affects Thunderbird < 68.3, Firefox
              : ESR < 68.3, and Firefox < 71.
              :
     Severity : Important
  updateinfo info done
  ```
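The `yum updateinfo list` format shown above is easy to post-process for a patch-compliance check. The following script is an added example, not part of the original documentation: it counts pending advisories and packages per severity and reports whether any Critical or Important advisory is outstanding. The function names are hypothetical, and the sample input is constructed from advisory IDs and package names that appear on this page.

```shell
#!/bin/sh
# Added example: summarise `yum updateinfo list` output by severity and
# flag hosts that still have Critical or Important advisories pending.

# Constructed sample in the `yum updateinfo list` format shown above
# (advisory IDs and package names reused from this page).
sample_updateinfo() {
cat <<'EOF'
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
ALINUX2-SA-2019:0055 Moderate/Sec.  binutils-2.27-41.base.1.al7.x86_64
ALINUX2-SA-2019:0058 Low/Sec.       curl-7.29.0-54.1.al7.x86_64
ALINUX2-SA-2020:0005 Important/Sec. nss-3.44.0-7.1.al7.x86_64
ALINUX2-SA-2020:0005 Important/Sec. nss-util-3.44.0-4.1.al7.x86_64
EOF
}

# Read list output on stdin; print "<severity> <advisories> <packages>".
# One advisory can cover several packages, so both are counted.
# Header lines and rows without a "<severity>/Sec." column are skipped.
severity_summary() {
  awk '$2 ~ /\/Sec\.$/ {
         sev = $2; sub(/\/Sec\.$/, "", sev)
         pkgs[sev]++
         if (!seen[$1]++) advs[sev]++
       }
       END { for (s in pkgs) print s, advs[s], pkgs[s] }' | sort
}

# Exit status 0 when a Critical or Important advisory is pending, else 1.
has_urgent_updates() {
  severity_summary |
    awk '$1 == "Critical" || $1 == "Important" { f = 1 } END { exit !f }'
}

# On a live host: yum -q updateinfo list | severity_summary
sample_updateinfo | severity_summary
if sample_updateinfo | has_urgent_updates; then
  echo "urgent: run yum upgrade --security --secseverity=Critical,Important"
fi
```

Severity values are matched case-sensitively, in the same spelling that `--secseverity` expects.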
Check for security updates
You can run the `yum check-update --security` command to check for security updates available for the system. You can append `--secseverity=<SEVS>` to the command to check for security updates of specific severity levels. Set `<SEVS>` to one or more severity levels.
The following examples demonstrate how to check for security updates:
- Example 1

  ```
  # yum check-update --security |grep available
  49 package(s) needed for security, out of 183 available
  ```
- Example 2

  ```
  # yum check-update --security --secseverity=Critical,Important |grep available
  30 package(s) needed for security, out of 183 available
  ```
Install security updates
You can use the `yum upgrade` command to install security updates in one of the following ways:
- You can run the `yum upgrade --security` command to install security updates. You can append `--secseverity=<SEVS>` to the command to install security updates of specific severity levels. Set `<SEVS>` to one or more severity levels.

  Notice: If you want to specify multiple security update severity levels, separate them with commas (,). The values of <SEVS> are case-sensitive.

  ```
  # yum upgrade --security --secseverity=Critical,Important
  Loaded plugins: fastestmirror
  Loading mirror speeds from cached hostfile
  ... [snipped] ...
  Transaction Summary
  =============================================================================================================================================================================
  Upgrade  30 Packages (+1 Dependent package)
  Total download size: 91 M
  Is this ok [y/d/N]:
  ```
- You can run the `yum upgrade --cves=<CVES>` command to install security updates for specific CVEs. Set `<CVES>` to one or more CVE IDs.

  Notice: If you want to specify multiple CVE IDs, separate them with commas (,). The values of <CVES> are case-sensitive.

  ```
  # yum upgrade --cve=CVE-2019-11729,CVE-2019-11745
  Loaded plugins: fastestmirror
  Loading mirror speeds from cached hostfile
  ... [snipped] ...
  Dependencies Resolved
  =============================================================================================================================================================================
   Package                  Arch        Version              Repository    Size
  =============================================================================================================================================================================
  Updating:
   nss                      x86_64      3.44.0-7.1.al7       updates       854 k
   nss-softokn              x86_64      3.44.0-8.1.al7       updates       330 k
   nss-softokn-freebl       x86_64      3.44.0-8.1.al7       updates       225 k
   nss-sysinit              x86_64      3.44.0-7.1.al7       updates        65 k
   nss-tools                x86_64      3.44.0-7.1.al7       updates       528 k
   nss-util                 x86_64      3.44.0-4.1.al7       updates        79 k
  Updating for dependencies:
   nspr                     x86_64      4.21.0-1.1.al7       updates       127 k
  Transaction Summary
  =============================================================================================================================================================================
  Upgrade  6 Packages (+1 Dependent package)
  Total download size: 2.2 M
  Is this ok [y/d/N]:
  ```
The `man yum` command shows that the `yum upgrade` command is equivalent to the `yum update --obsoletes` command. The `yum upgrade` command is also equivalent to the `yum update` command because `obsoletes` is enabled in the /etc/yum.conf configuration file by default.