URL:
Reporter RHNID: mikephillips1973
Section: -
Language: en-US (English)
Workaround:

Description: RH413 (RHEL 6) uses to mention how updating for a specific CVE or security advisory didn't necessarily update to the package version mentioned in the CVE or security advisory. Instead, the update would give you the latest version of the package. This was a nice bit of information, but since the RH413 classroom installation only provided one version of each package, there wasn't a good way to demonstrate this. In addition, RH413 didn't mention how "yum update-minimal" vs "yum update" could be used to give you the package version specified in the CVE or security advisory.

For instructors who want to test or demonstrate this, make sure to run "lab security-review setup" as student@workstation and then ssh to root@servera.

1. Run "yum updateinfo list". You should see that there are several updates related to the python-perf package.
2. You can see that RHSA-2018-1318 will update the python-perf package to version python-perf-3.10.0-862.2.3.el7.x86_64
3. Check to see which version of python-perf will be installed if you update for this security advisory: yum update --advisory=RHSA-2018:1318
   The python-perf package will be updated to 3.10.0-862.9.1.el7
   Cancel the update by pressing N
4. Use "yum update-minimal" instead of "yum update" and notice how the package version matches the version listed in the advisory: yum update-minimal --advisory=RHSA-2018:1318

If students want the versions specified in CVEs and security advisories, rather than the most recent versions, students can use "yum update-minimal" instead of "yum-update".

Examples:

1. yum update-minimal --security
2. yum update-minimal --security --sec-severity=Critical,Important
3. yum update-minimal --cve CVE-2018-12020