7.1 KiB
| title | excerpt | date | updated | tags | |
|---|---|---|---|---|---|
| CentOS Stream does not support dnf-automatic security updates | The repository lacks updateinfo to provide errata | 2024-07-15 | 2024-08-16 |
|
If you have configured dnf-automatic to only apply security updates on CentOS Stream, it will not install any updates.
[commands]
upgrade_type = security
Background
I discovered this limitation when attempting to patch openssh against CVE-2024-6387 (regreSSHion). Here's a brief timeline of patch availability on CentOS Stream 9:
- 1 Jul 2024: CVE-2024-6387 made public
- 3 Jul 2024: Patch available for RHEL 9 through openssh-8.7p1-38.el9_4.1.
- 4 Jul 2024: CentOS Stream 9 merged the patch
- 8 Jul 2024: Patch available through openssh-8.7p1-42.el9
While waiting for the patch availability, I enabled dnf-automatic and configured it to apply security updates only. When the patch openssh-8.7p1-42.el9 was finally available, I checked whether it has been applied using dnf info openssh. It showed the installed version is still 8.7p1-41 and 8.7p1-42 is available. That did not look good. Did I forgot to enable dnf-automatic? systemctl status dnf-automatic.timer showed it is enabled. Did it trigger dnf-automatic.service?
Jul 9 06:15:03 localhost dnf-automatic[12345]: No security updates needed, but 3 updates available
Not only dnf-automatic did not install 8.7p1-42, it also did not see the version as a security update. Before I went on to search for answer, I applied the patch first dnf upgrade openssh.
updateinfo.xml
RedHat documentation mentions installed security updates can be listed through dnf updateinfo list security --installed, however it returned empty on CentOS Stream 9. To check if the command actually works, I ran it on an AlmaLinux box and it returned similar output as the RedHat documentation.
I then learned that dnf depends on errata to be able to detect whether a package version is a security update. From this post (archived), I discovered errata is published on the repository in the form of updateinfo.xml, which is related to dnf updateinfo.
I remembered when dnf attempts to refresh a repository, the first thing it looks for is /repodata/repomd.xml. So, I tried to look for updateinfo.xml in /repodata/ but could not find it. This explained the empty output of dnf updateinfo but I wasn't convinced yet. I searched it in AlmaLinux and found {sha256sum-hash}-updateinfo.xml.gz. Since the content is updated constantly, how does dnf know which updateinfo.xml to grab? I opened up the repomd.xml and noticed
<data type="updateinfo">
<location href="repodata/{sha256sum-hash}-updateinfo.xml.gz"/>
</data>
I also searched and discovered updateinfo is also available on Rocky Linux, Oracle Linux and Fedora. Looking at Fedora's [repomd.xml], I learned that the updateinfo.xml can be available in gzip, xzip and zchunk (updateinfo_zck) formats. By then, I was sure that dnf cannot apply security (nor bugfix/feature)-specific updates in CentOS Stream.
CentOS used to have updateinfo prior to CentOS 7; after it was removed in CentOS 7, there was a third-party repository that filled the gap but it never supported CentOS Stream.
Enable automatic updates
Automatic updates only works in CentOS Stream with this config:
[commands]
upgrade_type = default
apply_updates = yes
Automatic security-only updates are available on RHEL, AlmaLinux, Rocky Linux, Oracle Linux and Fedora. Fedora's updateinfo does not include a CVE reference (e.g. <reference href="https://access.redhat.com/security/cve/CVE-2024-6387" id="CVE-2024-6387" type="cve" title="CVE-2024-6387"/>), thus unable to filter by CVE ID (dnf updateinfo list --cve CVE-2024-6387 --installed).
Unattended upgrades in Debian/Ubuntu
Automatic updates is provided by the unattended-upgrades package which is installed by default, but not enabled. It can be configured through "/etc/apt/apt.conf.d/50unattended-upgrades".
Unattended-Upgrade::Allowed-Origins {
"${distro_id}:${distro_codename}";
"${distro_id}:${distro_codename}-security";
};
Each allowed origin refers to a distribution/component; in Ubuntu 24.04, those two lines refer to 24.04:noble and 24.04:noble-security. The default config effectively applies security updates only, though it is not obvious at first. noble is the base repository of Ubuntu 24.04 once it reached general availability. Security updates are available in noble-security while bugfix updates are available in noble-updates instead.
In Debian, the config is different.
Unattended-Upgrade::Allowed-Origins {
"origin=Debian,codename=${distro_codename},label=Debian";
"origin=Debian,codename=${distro_codename},label=Debian-Security";
};
Security updates are published to a different uri debian-security instead of the primary uri debian. A notable implication is that not every Debian mirror mirrors debian-security.
To enable unattended upgrades, dpkg-reconfigure --priority=low unattended-upgrades, select yes and it will create "/etc/apt/apt.conf.d/20auto-upgrades".
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";