
support yum --security check-update #7665

Open
jsoref opened this issue Apr 3, 2019 · 5 comments
Comments

@jsoref
Contributor

jsoref commented Apr 3, 2019

  • Program: Authoritative, Recursor, dnsdist
  • Issue type: Feature request

Short description

There's a feature in yum which allows yum to report which packages have security updates...

yum --security check-update

Environment

  • Operating system: RHEL 6
  • Software version: pdns-4.1.7-1pdns.el6.x86_64
  • Software source: PowerDNS repository

Steps to reproduce

  1. ask pdns if it's secure:
# /usr/bin/pdns_control show security-status
1

It knows it isn't (because pdns published a dns record for it)

  2. ask yum if there are security updates:
# yum updateinfo list --security
Loaded plugins: fastestmirror, priorities, security
Loading mirror speeds from cached hostfile
 * base: centos.mirror.ca.planethoster.net
 * epel: mirror.metrocast.net
 * extras: centos.mirror.ca.planethoster.net
 * updates: centos.mirror.ca.planethoster.net
9 packages excluded due to repository priority protections
updateinfo list done

it claims there are none

  3. ask yum about general updates:
# yum update
Loaded plugins: fastestmirror, priorities, security
Setting up Update Process
Loading mirror speeds from cached hostfile
 * base: centos.mirror.ca.planethoster.net
 * epel: mirror.metrocast.net
 * extras: centos.mirror.ca.planethoster.net
 * updates: centos.mirror.ca.planethoster.net
9 packages excluded due to repository priority protections
Resolving Dependencies
--> Running transaction check
---> Package pdns.x86_64 0:4.1.7-1pdns.el6 will be updated
---> Package pdns.x86_64 0:4.1.8-1pdns.el6 will be an update
---> Package pdns-backend-postgresql.x86_64 0:4.1.7-1pdns.el6 will be updated
---> Package pdns-backend-postgresql.x86_64 0:4.1.8-1pdns.el6 will be an update
---> Package tzdata.noarch 0:2018i-1.el6 will be updated
---> Package tzdata.noarch 0:2019a-1.el6 will be an update
---> Package tzdata-java.noarch 0:2018i-1.el6 will be updated
---> Package tzdata-java.noarch 0:2019a-1.el6 will be an update
--> Finished Dependency Resolution

Dependencies Resolved

==================================================================================================================
 Package                           Arch             Version                      Repository                  Size
==================================================================================================================
Updating:
 pdns                              x86_64           4.1.8-1pdns.el6              powerdns-auth-41           2.9 M
 pdns-backend-postgresql           x86_64           4.1.8-1pdns.el6              powerdns-auth-41            37 k
 tzdata                            noarch           2019a-1.el6                  updates                    513 k
 tzdata-java                       noarch           2019a-1.el6                  updates                    188 k

Transaction Summary
==================================================================================================================
Upgrade       4 Package(s)

Total download size: 3.6 M
Is this ok [y/N]: n

Expected behaviour

tell me about security updates

Actual behaviour

claims there are none

Other information

I'm told to "generate yum security repodata that includes that file"

Usecase

I'm slowly adding monitoring (zabbix) to report systems w/ packages that have security updates that need to be applied.

Description

Let my monitoring tell me (and everyone else) what systems have packages that need to be upgraded

@jsoref
Contributor Author

jsoref commented Apr 3, 2019

The relevant file is updateinfo.xml, there's some documentation of how to deal w/ it here: https://docs.pulpproject.org/plugins/pulp_rpm/tech-reference/rpm.html#updateinfo-xml

Here's a random sample of the content of the file (taken from EPEL6 -- specifically this was via strace, so the \" is probably strace as opposed to in the raw file...):

  <update from=\"updates@fedoraproject.org\" status=\"stable\" type=\"bugfix\" version=\"2.0\">
    <id>FEDORA-EPEL-2018-604613b5d5</id>
    <title>python-ldap3-2.5.1-3.el6</title>
    <issued date=\"2019-01-02 01:24:16\"/>
    <updated date=\"2019-04-03 00:18:09\"/>
    <rights>Copyright (C) 2019 Red Hat, Inc. and others.</rights>
    <release>Fedora EPEL 6</release>
    <severity>None</severity>
    <summary>python-ldap3-2.5.1-3.el6 bugfix update</summary>
    <description>Fix El6 requirements

----

python-backports-ssl_match_hostname only required for Python 2.6

----

Update to 2.5.1</description>
    <references>
      <reference href=\"https://bugzilla.redhat.com/show_bug.cgi?id=1653732\" id=\"1653732\" type=\"bugzilla\" title=\"Provide new python-ldap3 packages for EPEL\"/>
    </references>
    <pkglist>
      <collection short=\"EL-6\">
        <name>Fedora EPEL 6</name>
        <package name=\"python34-ldap3\" version=\"2.5.1\" release=\"3.el6\" epoch=\"0\" arch=\"noarch\" src=\"https://download.fedoraproject.org/pub/fedora/linux/updates/6/i386/p/python34-ldap3-2.5.1-3.el6.noarch.rpm\">
          <filename>python34-ldap3-2.5.1-3.el6.noarch.rpm</filename>
        </package>
        <package name=\"python2-ldap3\" version=\"2.5.1\" release=\"3.el6\" epoch=\"0\" arch=\"noarch\" src=\"https://download.fedoraproject.org/pub/fedora/linux/updates/6/i386/p/python2-ldap3-2.5.1-3.el6.noarch.rpm\">
          <filename>python2-ldap3-2.5.1-3.el6.noarch.rpm</filename>
        </package>
        <package name=\"python-ldap3\" version=\"2.5.1\" release=\"3.el6\" epoch=\"0\" arch=\"src\" src=\"https://download.fedoraproject.org/pub/fedora/linux/updates/6/SRPMS/p/python-ldap3-2.5.1-3.el6.src.rpm\">
          <filename>python-ldap3-2.5.1-3.el6.src.rpm</filename>
        </package>
      </collection>
    </pkglist>
  </update>
  <update from=\"updates@fedoraproject.org\" status=\"stable\" type=\"enhancement\" version=\"2.0\">
    <id>FEDORA-EPEL-2017-cef1a3c96f</id>
    <title>libdirq-0.5-1.el6</title>
    <issued date=\"2017-08-23 09:07:03\"/>
    <updated date=\"2019-04-03 00:18:09\"/>
    <rights>Copyright (C) 2019 Red Hat, Inc. and others.</rights>
    <release>Fedora EPEL 6</release>
    <severity>Low</severity>
    <summary>libdirq-0.5-1.el6 enhancement update</summary>
    <description>Upgraded to upstream version 0.5.</description>
    <references/>
    <pkglist>
      <collection short=\"EL-6\">
        <name>Fedora EPEL 6</name>
        <package name=\"libdirq-debuginfo\" version=\"0.5\" release=\"1.el6\" epoch=\"0\" arch=\"i686\" src=\"https://download.fedoraproject.org/pub/fedora/linux/updates/6/i386/l/libdirq-debuginfo-0.5-1.el6.i686.rpm\">
          <filename>libdirq-debuginfo-0.5-1.el6.i686.rpm</filename>
        </package>
        <package name=\"libdirq-static\" version=\"0.5\" release=\"1.el6\" epoch=\"0\" arch=\"i686\" src=\"https://download.fedoraproject.org/pub/fedora/linux/updates/6/i386/l/libdirq-static-0.5-1.el6.i686.rpm\">
          <filename>libdirq-static-0.5-1.el6.i686.rpm</filename>
        </package>
        <package name=\"libdirq\" version=\"0.5\" release=\"1.el6\" epoch=\"0\" arch=\"i686\" src=\"https://download.fedoraproject.org/pub/fedora/linux/updates/6/i386/l/libdirq-0.5-1.el6.i686.rpm\">
          <filename>libdirq-0.5-1.el6.i686.rpm</filename>
        </package>
        <package name=\"libdirq-devel\" version=\"0.5\" release=\"1.el6\" epoch=\"0\" arch=\"i686\" src=\"https://download.fedoraproject.org/pub/fedora/linux/updates/6/i386/l/libdirq-devel-0.5-1.el6.i686.rpm\">
          <filename>libdirq-devel-0.5-1.el6.i686.rpm</filename>
        </package>
        <package name=\"libdirq\" version=\"0.5\" release=\"1.el6\" epoch=\"0\" arch=\"ppc64\" src=\"https://download.fedoraproject.org/pub/fedora/linux/updates/6/ppc64/l/libdirq-0.5-1.el6.ppc64.rpm\">
          <filename>libdirq-0.5-1.el6.ppc64.rpm</filename>
        </package>
        <package name=\"libdirq-devel\" version=\"0.5\" release=\"1.el6\" epoch=\"0\" arch=\"ppc64\" src=\"https://download.fedoraproject.org/pub/fedora/linux/updates/6/ppc64/l/libdirq-devel-0.5-1.el6.ppc64.rpm\">
          <filename>libdirq-devel-0.5-1.el6.ppc64.rpm</filename>
        </package>
        <package name=\"libdirq-static\" version=\"0.5\" release=\"1.el6\" epoch=\"0\" arch=\"ppc64\" src=\"https://download.fedoraproject.org/pub/fedora/linux/updates/6/ppc64/l/libdirq-static-0.5-1.el6.ppc64.rpm\">
          <filename>libdirq-static-0.5-1.el6.ppc64.rpm</filename>
        </package>
        <package name=\"libdirq-debuginfo\" version=\"0.5\" release=\"1.el6\" epoch=\"0\" arch=\"ppc64\" src=\"https://download.fedoraproject.org/pub/fedora/linux/updates/6/ppc64/l/libdirq-debuginfo-0.5-1.el6.ppc64.rpm\">
          <filename>libdirq-debuginfo-0.5-1.el6.ppc64.rpm</filename>
        </package>
        <package name=\"libdirq-devel\" version=\"0.5\" release=\"1.el6\" epoch=\"0\" arch=\"x86_64\" src=\"https://download.fedoraproject.org/pub/fedora/linux/updates/6/x86_64/l/libdirq-devel-0.5-1.el6.x86_64.rpm\">
          <filename>libdirq-devel-0.5-1.el6.x86_64.rpm</filename>
        </package>
        <package name=\"libdirq-debuginfo\" version=\"0.5\" release=\"1.el6\" epoch=\"0\" arch=\"x86_64\" src=\"https://download.fedoraproject.org/pub/fedora/linux/updates/6/x86_64/l/libdirq-debuginfo-0.5-1.el6.x86_64.rpm\">
          <filename>libdirq-debuginfo-0.5-1.el6.x86_64.rpm</filename>
        </package>
        <package name=\"libdirq-static\" version=\"0.5\" release=\"1.el6\" epoch=\"0\" arch=\"x86_64\" src=\"https://download.fedoraproject.org/pub/fedora/linux/updates/6/x86_64/l/libdirq-static-0.5-1.el6.x86_64.rpm\">
          <filename>libdirq-static-0.5-1.el6.x86_64.rpm</filename>
        </package>
        <package name=\"libdirq\" version=\"0.5\" release=\"1.el6\" epoch=\"0\" arch=\"x86_64\" src=\"https://download.fedoraproject.org/pub/fedora/linux/updates/6/x86_64/l/libdirq-0.5-1.el6.x86_64.rpm\">
          <filename>libdirq-0.5-1.el6.x86_64.rpm</filename>
        </package>
        <package name=\"libdirq\" version=\"0.5\" release=\"1.el6\" epoch=\"0\" arch=\"src\" src=\"https://download.fedoraproject.org/pub/fedora/linux/updates/6/SRPMS/l/libdirq-0.5-1.el6.src.rpm\">
          <filename>libdirq-0.5-1.el6.src.rpm</filename>
        </package>
      </collection>
    </pkglist>
  </update>
  <update from=\"updates@fedoraproject.org\" status=\"stable\" type=\"newpackage\" version=\"2.0\">
    <id>FEDORA-EPEL-2014-1603</id>
    <title>perl-Class-Trigger-0.13-0.2.1.el6</title>
    <issued date=\"2014-06-11 22:55:44\"/>
    <updated date=\"2019-04-03 00:18:09\"/>
    <rights>Copyright (C) 2019 Red Hat, Inc. and others.</rights>
    <release>Fedora EPEL 6</release>
    <severity>None</severity>
    <summary>perl-Class-Trigger-0.13-0.2.1.el6 newpackage update</summary>
    <description>This package is a clone (with release prefixed by \"0.\" as per the EPEL guidelines) of the RHEL-6 package in order to provide support for EPEL-6 packages that require it on the ppc64 architecture, for which RHEL-6 does not ship it.</description>
    <references>
      <reference href=\"https://bugzilla.redhat.com/show_bug.cgi?id=1033516\" id=\"1033516\" type=\"bugzilla\" title=\"Retire perl-Class-Trigger in EPEL6\"/>
    </references>
    <pkglist>
      <collection short=\"EL-6\">
        <name>Fedora EPEL 6</name>
        <package name=\"perl-Class-Trigger\" version=\"0.13\" release=\"0.2.1.el6\" epoch=\"0\" arch=\"src\" src=\"https://download.fedoraproject.org/pub/fedora/linux/updates/6/SRPMS/p/perl-Class-Trigger-0.13-0.2.1.el6.src.rpm\">
          <filename>perl-Class-Trigger-0.13-0.2.1.el6.src.rpm</filename>
        </package>
        <package name=\"perl-Class-Trigger\" version=\"0.13\" release=\"0.2.1.el6\" epoch=\"0\" arch=\"noarch\" src=\"https://download.fedoraproject.org/pub/fedora/linux/updates/6/i386/p/perl-Class-Trigger-0.13-0.2.1.el6.noarch.rpm\">
          <filename>perl-Class-Trigger-0.13-0.2.1.el6.noarch.rpm</filename>
        </package>
      </collection>
    </pkglist>
  </update>
  <update from=\"updates@fedoraproject.org\" status=\"stable\" type=\"security\" version=\"2.0\">
    <id>FEDORA-EPEL-2016-55f139473e</id>
    <title>latex2rtf-2.3.10-1.el6.1</title>
    <issued date=\"2016-04-22 17:05:12\"/>
    <updated date=\"2019-04-03 00:18:10\"/>
    <rights>Copyright (C) 2019 Red Hat, Inc. and others.</rights>
    <release>Fedora EPEL 6</release>
    <severity>None</severity>
    <summary>latex2rtf-2.3.10-1.el6.1 security update</summary>
    <description>Update to 2.3.10 for CVE-2015-8106</description>
    <references>
      <reference href=\"https://bugzilla.redhat.com/show_bug.cgi?id=1289786\" id=\"1289786\" type=\"bugzilla\" title=\"latex2rtf-2.3.10 is available\"/>
      <reference href=\"https://bugzilla.redhat.com/show_bug.cgi?id=1282492\" id=\"1282492\" type=\"bugzilla\" title=\"CVE-2015-8106 latex2rtf: Format string vulnerability in CmdKeywords\"/>
      <reference href=\"https://bugzilla.redhat.com/show_bug.cgi?id=1282494\" id=\"1282494\" type=\"bugzilla\" title=\"CVE-2015-8106 latex2rtf: Format string vulnerability in CmdKeywords [epel-all]\"/>
    </references>
    <pkglist>
      <collection short=\"EL-6\">
        <name>Fedora EPEL 6</name>
        <package name=\"latex2rtf\" version=\"2.3.10\" release=\"1.el6.1\" epoch=\"0\" arch=\"src\" src=\"https://download.fedoraproject.org/pub/fedora/linux/updates/6/SRPMS/l/latex2rtf-2.3.10-1.el6.1.src.rpm\">
          <filename>latex2rtf-2.3.10-1.el6.1.src.rpm</filename>
        </package>
        <package name=\"latex2rtf-debuginfo\" version=\"2.3.10\" release=\"1.el6.1\" epoch=\"0\" arch=\"x86_64\" src=\"https://download.fedoraproject.org/pub/fedora/linux/updates/6/x86_64/l/latex2rtf-debuginfo-2.3.10-1.el6.1.x86_64.rpm\">
          <filename>latex2rtf-debuginfo-2.3.10-1.el6.1.x86_64.rpm</filename>
        </package>
        <package name=\"latex2rtf\" version=\"2.3.10\" release=\"1.el6.1\" epoch=\"0\" arch=\"x86_64\" src=\"https://download.fedoraproject.org/pub/fedora/linux/updates/6/x86_64/l/latex2rtf-2.3.10-1.el6.1.x86_64.rpm\">
          <filename>latex2rtf-2.3.10-1.el6.1.x86_64.rpm</filename>
        </package>
        <package name=\"latex2rtf\" version=\"2.3.10\" release=\"1.el6.1\" epoch=\"0\" arch=\"ppc64\" src=\"https://download.fedoraproject.org/pub/fedora/linux/updates/6/ppc64/l/latex2rtf-2.3.10-1.el6.1.ppc64.rpm\">
          <filename>latex2rtf-2.3.10-1.el6.1.ppc64.rpm</filename>
        </package>
        <package name=\"latex2rtf-debuginfo\" version=\"2.3.10\" release=\"1.el6.1\" epoch=\"0\" arch=\"ppc64\" src=\"https://download.fedoraproject.org/pub/fedora/linux/updates/6/ppc64/l/latex2rtf-debuginfo-2.3.10-1.el6.1.ppc64.rpm\">
          <filename>latex2rtf-debuginfo-2.3.10-1.el6.1.ppc64.rpm</filename>
        </package>
        <package name=\"latex2rtf-debuginfo\" version=\"2.3.10\" release=\"1.el6.1\" epoch=\"0\" arch=\"i686\" src=\"https://download.fedoraproject.org/pub/fedora/linux/updates/6/i386/l/latex2rtf-debuginfo-2.3.10-1.el6.1.i686.rpm\">
          <filename>latex2rtf-debuginfo-2.3.10-1.el6.1.i686.rpm</filename>
        </package>
        <package name=\"latex2rtf\" version=\"2.3.10\" release=\"1.el6.1\" epoch=\"0\" arch=\"i686\" src=\"https://download.fedoraproject.org/pub/fedora/linux/updates/6/i386/l/latex2rtf-2.3.10-1.el6.1.i686.rpm\">
          <filename>latex2rtf-2.3.10-1.el6.1.i686.rpm</filename>
        </package>
      </collection>
    </pkglist>
  </update>

The major things that produce this are bodhi and OBS
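As an added example (not code from the issue author or the PowerDNS project), here is a small consumer of an updateinfo.xml in the shape quoted above: it keeps only the type="security" entries and reports which installed packages they supersede, which is the check the monitoring use case in the issue needs. The sample XML, the installed-package inventory and the advisory ids are constructed placeholders, and the version comparison is a simplified rpmvercmp rather than rpm's own.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in the updateinfo.xml shape quoted in the issue; the
# advisory ids are placeholders, not real EPEL or PowerDNS advisories.
SAMPLE_UPDATEINFO = """<updates>
 <update from="repo@example.invalid" status="stable" type="security" version="2.0">
  <id>EXAMPLE-2019-0001</id><title>pdns-4.1.8-1pdns.el6</title><severity>Moderate</severity>
  <pkglist><collection short="EL-6">
   <package name="pdns" version="4.1.8" release="1pdns.el6" epoch="0" arch="x86_64"/>
   <package name="pdns-backend-postgresql" version="4.1.8" release="1pdns.el6" epoch="0" arch="x86_64"/>
  </collection></pkglist>
 </update>
 <update from="repo@example.invalid" status="stable" type="bugfix" version="2.0">
  <id>EXAMPLE-2019-0002</id><title>tzdata-2019a-1.el6</title><severity>None</severity>
  <pkglist><collection short="EL-6"><package name="tzdata" version="2019a" release="1.el6" epoch="0" arch="noarch"/></collection></pkglist>
 </update>
</updates>"""

# Constructed inventory mirroring the "yum update" output in the issue.
INSTALLED = {
    ("pdns", "x86_64"): ("0", "4.1.7", "1pdns.el6"),
    ("pdns-backend-postgresql", "x86_64"): ("0", "4.1.7", "1pdns.el6"),
    ("tzdata", "noarch"): ("0", "2018i", "1.el6"),
}

def rpmvercmp(a, b):
    """Simplified rpmvercmp: digit runs compare as ints, alpha runs as strings, a digit
    run beats an alpha run, a longer equal prefix is newer; rpm's '~'/'^' rules omitted."""
    ka, kb = ([(1, int(s)) if s.isdigit() else (0, s)
               for s in re.findall(r"\d+|[A-Za-z]+", v)] for v in (a, b))
    return (ka > kb) - (ka < kb)

def evr_cmp(a, b):
    """Compare (epoch, version, release) tuples; the first differing field decides."""
    return next((c for c in map(rpmvercmp, a, b) if c), 0)

def pending_security_updates(updateinfo_xml, installed):
    """Sorted (name, arch, advisory id, severity, version-release) of superseded installed packages."""
    found = []
    for upd in ET.fromstring(updateinfo_xml).iter("update"):
        if upd.get("type") != "security":
            continue  # bugfix/enhancement/newpackage entries are not security updates
        adv_id, severity = upd.findtext("id"), upd.findtext("severity", "None")
        for pkg in upd.iter("package"):
            key = (pkg.get("name"), pkg.get("arch"))
            evr = (pkg.get("epoch", "0"), pkg.get("version"), pkg.get("release"))
            if key in installed and evr_cmp(evr, installed[key]) > 0:
                found.append((key[0], key[1], adv_id, severity, f"{evr[1]}-{evr[2]}"))
    return sorted(found)
```

On a real host the inventory would come from `rpm -qa` and the XML from the repository's repodata; the bugfix tzdata entry is deliberately not reported, which is exactly what `yum updateinfo list --security` does when the repodata carries no security entries.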

@jsoref
Contributor Author

jsoref commented Apr 4, 2019

@jsoref
Contributor Author

jsoref commented Apr 4, 2019

Apparently pdns is currently using createrepo. w/ a plan to transition to pulp3.

For pulp, support for this thing is a drawing board/wishlist item: https://pulp.plan.io/issues/2626 -- although at least there's a script that can talk to pulp3 (but you still have to generate your own xml file).

@Habbie
Member

Habbie commented Dec 22, 2019

Apparently pdns is currently using createrepo. w/ a plan to transition to pulp3.

That plan is very tentative, it is my understanding that pulp refuses to mature.

@omoerbeek omoerbeek added this to the common-helpneeded milestone Nov 28, 2022