The Fedora operating system comes with an updated version of the famous yum package management utility, called “DNF”. DNF stands for “Dandified YUM”, and it retains the general syntax that users of the yum package manager are used to.
If you are reading this post, you should be familiar with at least the basics of installing and updating packages with YUM or DNF. Take a look at the Fedora Docs if you need a quick refresher on how to install packages with DNF.
What I would like to go over is a bit more advanced, though not a difficult aspect of DNF/YUM: how to get detailed information on what updates are available, why they are needed, and how to be a bit more selective in the updates that you choose to install. The commands we cover here will work on the current Fedora release (currently 31). They should also work on any release as far back as 22, which is when the switch to DNF became official, as well as on CentOS 8 and RHEL 8.
What information can you get from DNF?
There is a ton of information available directly from the command line to help you gather information on the latest fixes, enhancements, and security vulnerabilities that affect the systems you manage. We will see how to find Fedora Advisories, CVEs, and Bugzilla reports that are installable on a Fedora system, be it a Workstation or a Server, and how to install just the packages that are required to address those issues.
The command we are looking at specifically is
Keep in mind that the level of detail provided depends on the security metadata provided by the OS vendor or the repositories. Not all repositories include metadata for security updates and bugfixes.
Who cares? Why not just install all the updates and not worry about it?
Running dnf -y upgrade every couple of weeks is probably just fine for a lot of people, maybe most people. If you don’t care about the CVEs you’re addressing, or the enhancements that are coming down, then there is no need to keep reading. No judgment: I often don’t necessarily care about all that stuff either, but when I do care it’s nice to know how to find that information.
This is directed more towards someone who has a need to:
- Report on CVEs / bugfixes available on a system.
- Minimize change while still keeping a system patched and secure.
- Stay in the loop about what vulnerabilities are being patched when they update.
How to get information on available updates.
DNF update summary
If you are just looking for a brief summary of the types of updates that are available on your system, you can use dnf updateinfo or dnf updateinfo --summary; both commands do the same thing.

    dnf updateinfo
    ...
    ...
    Updates Information Summary: available
        10 Security notice(s)
             4 Important Security notice(s)
             6 Moderate Security notice(s)
        22 Bugfix notice(s)
         6 Enhancement notice(s)
         4 other notice(s)

If you just need a quick executive summary to hand off to your manager, or to an application owner, this is what you are looking for. It gives you a quick breakdown of the types of updates that are available (Security, Bugfix, Enhancement, etc.) and, in the case of security updates, even breaks them down into more detailed categories (Critical, Important, Moderate, Low).
Notice that you do not have to run these commands with sudo. A regular user should be able to generate these reports if they need to.
To get a bit more detailed look at the available patches than the summary contains, you can see which Fedora advisories are ready to be installed using dnf updateinfo --list.

    dnf updateinfo --list
    ....
    ...
    FEDORA-2020-76d608179d Moderate/Sec.  NetworkManager-ssh-1.2.11-1.fc30.x86_64
    FEDORA-2020-76d608179d Moderate/Sec.  NetworkManager-ssh-gnome-1.2.11-1.fc30.x86_64
    FEDORA-2020-e94bce43a0 bugfix         abrt-2.14.0-1.fc30.x86_64
    FEDORA-2020-e94bce43a0 bugfix         abrt-addon-ccpp-2.14.0-1.fc30.x86_64
    FEDORA-2020-e94bce43a0 bugfix         abrt-addon-kerneloops-2.14.0-1.fc30.x86_64
    ...
    FEDORA-2020-262cfead59 bugfix         authselect-compat-1.1-3.fc30.x86_64
    FEDORA-2020-262cfead59 bugfix         authselect-libs-1.1-3.fc30.x86_64
    FEDORA-2020-375927619e unknown        babl-0.1.74-1.fc30.x86_64
    FEDORA-2020-5e06ad5ec5 unknown        cryptsetup-2.3.0-1.fc30.x86_64
    FEDORA-2020-5e06ad5ec5 unknown        cryptsetup-libs-2.3.0-1.fc30.x86_64
    FEDORA-2020-93f59740fe bugfix         cups-filters-1.27.1-1.fc30.x86_64
    FEDORA-2020-93f59740fe bugfix         cups-filters-libs-1.27.1-1.fc30.x86_64
    FEDORA-2020-173ac89547 bugfix         distribution-gpg-keys-1.37-1.fc30.noarch
    FEDORA-2020-42dbcf8d17 bugfix         dkms-2.8.1-4.20200214git5ca628c.fc30.noarch
    FEDORA-2020-66c974fdb6 enhancement    dnf-4.2.18-1.fc30.noarch
    FEDORA-2020-66c974fdb6 enhancement    dnf-data-4.2.18-1.fc30.noarch
    FEDORA-2020-66c974fdb6 enhancement    dnf-plugins-core-4.0.13-1.fc30.noarch
    FEDORA-2020-66c974fdb6 enhancement    dnf-yum-4.2.18-1.fc30.noarch
    FEDORA-2020-46169d6812 enhancement    enchant2-2.2.8-1.fc30.x86_64
    FEDORA-2020-247650d74a Important/Sec. firefox-73.0.1-1.fc30.x86_64
    ...
    FEDORA-2020-1a8b3ac8a4 bugfix         libsane-hpaio-3.19.12-4.fc30.x86_64
    FEDORA-2020-6f1209bb45 Moderate/Sec.  libtiff-4.0.10-8.fc30.x86_64
    FEDORA-2020-765f45cd37 unknown        libtirpc-1.2.5-1.rc2.fc30.x86_64
    FEDORA-2020-da16c02863 bugfix         libxcrypt-4.4.15-1.fc30.x86_64
    FEDORA-2020-da16c02863 bugfix         libxcrypt-compat-4.4.15-1.fc30.x86_64
    FEDORA-2020-da16c02863 bugfix         libxcrypt-devel-4.4.15-1.fc30.x86_64
    FEDORA-2020-b7b2270753 bugfix         mdadm-4.1-1.fc30.x86_64
    FEDORA-2020-881594a179 enhancement    mkpasswd-5.5.6-1.fc30.x86_64
    ...
What are we looking at here? By column, you can see the following information:
- Advisory name, e.g. FEDORA-2020-76d608179d
- Type, e.g. enhancement, bugfix, security
- The name and version of the package that will address the issue, e.g. NetworkManager-ssh-1.2.11-1.fc30.x86_64
By default, the --list option creates a list of advisories that your system is affected by. You can break this list down even further using --security, --bugfix, or --enhancement. For example, run dnf updateinfo --list --security to see a list of all the security-related advisories that are applicable to your system.

    dnf updateinfo --list --security
    ...
    FEDORA-2020-76d608179d Moderate/Sec.  NetworkManager-ssh-1.2.11-1.fc30.x86_64
    FEDORA-2020-76d608179d Moderate/Sec.  NetworkManager-ssh-gnome-1.2.11-1.fc30.x86_64
    FEDORA-2020-247650d74a Important/Sec. firefox-73.0.1-1.fc30.x86_64
    FEDORA-2020-092ef6572a Moderate/Sec.  glib2-2.60.7-3.fc30.x86_64
    FEDORA-2020-47efc31973 Important/Sec. libnghttp2-1.40.0-1.fc30.x86_64
    FEDORA-2020-6f1209bb45 Moderate/Sec.  libtiff-4.0.10-8.fc30.x86_64
    FEDORA-2020-8193c0aa68 Important/Sec. openjpeg2-2.3.1-6.fc30.x86_64
    FEDORA-2020-571091c70b Moderate/Sec.  ppp-2.4.7-34.fc30.x86_64
    FEDORA-2020-5cdbb19cca Moderate/Sec.  python3-pillow-5.4.1-4.fc30.x86_64
    FEDORA-2020-f8e267d6d0 Important/Sec. systemd-241-14.git18dd3fb.fc30.x86_64
    FEDORA-2020-f8e267d6d0 Important/Sec. systemd-container-241-14.git18dd3fb.fc30.x86_64
    FEDORA-2020-f8e267d6d0 Important/Sec. systemd-libs-241-14.git18dd3fb.fc30.x86_64
    FEDORA-2020-f8e267d6d0 Important/Sec. systemd-pam-241-14.git18dd3fb.fc30.x86_64
    FEDORA-2020-f8e267d6d0 Important/Sec. systemd-rpm-macros-241-14.git18dd3fb.fc30.noarch
    FEDORA-2020-f8e267d6d0 Important/Sec. systemd-udev-241-14.git18dd3fb.fc30.x86_64
    FEDORA-2020-4d11d35a1f Moderate/Sec.  webkit2gtk3-2.26.4-1.fc30.x86_64
    FEDORA-2020-4d11d35a1f Moderate/Sec.  webkit2gtk3-jsc-2.26.4-1.fc30.x86_64
Use DNF to get detailed information about an advisory
It looks like one of my outstanding security issues is FEDORA-2020-f8e267d6d0. What does that mean? DNF can give you a detailed look at what the advisories mean, what issues they address and which packages will be installed to fix those issues.
This is done using a new command switch, dnf updateinfo --info.
Let’s say our management wants to know what is included in FEDORA-2020-f8e267d6d0. That information can be gathered from DNF, no need to start searching the web for answers.

    dnf updateinfo --info --advisory=FEDORA-2020-f8e267d6d0
    ...
    ===============================================================================
      systemd-241-14.git18dd3fb.fc30
    ===============================================================================
      Update ID: FEDORA-2020-f8e267d6d0
           Type: security
        Updated: 2020-03-09 15:44:28
           Bugs: 1614871 - systemd-journald.service: Service has no hold-off time, scheduling restart
               : 1705522 - resume from hibernation times out on disk unlock screen after 90 seconds (even with systemd.device-timeout=0)
               : 1708213 - Remote/distributed journal broken in systemd 241 (no workaround), backport 242 required
               : 1709547 - Boot fails when password file in crypttab can't be read
               : 1717712 - F30 installer screen inverted
               : 1793980 - CVE-2019-20386 systemd: a memory leak was discovered in button_open in login/logind-button.c when executing the udevadm trigger command [fedora-30]
               : 1798414 - CVE-2020-1712 systemd: use-after-free when asynchronous polkit queries are performed [fedora-all]
    Description: A few bugfixes and hwdb update.
               :
               : No need to log out or reboot.
       Severity: Important
As you can see DNF will provide a whole lot of useful information. Here are some of the highlights that I think are especially important:
- Right at the top, you will see a list of packages that will be updated. In this case, it’s just one.
- Type. In this case, it is a security issue.
- The date and time the package update became available.
- Which bugs this will fix with a BZ number that you can look up (more on that later).
- A brief description, which includes whether or not a reboot is required.
- The severity.
Speaking of Bugzilla reports…
Looking at the output of the advisory information, we can see several bugs listed, all of them prefixed by a number. Those numbers correspond to a Bugzilla report.
DNF can also get information on a Bugzilla report. For example, one of the bugs fixed by the available updates is 1256108. Let’s see what information we can get about that report.

    dnf updateinfo --info --bz=1256108
    ...
    ===============================================================================
      dnf-4.2.18-1.fc30 dnf-plugins-core-4.0.13-1.fc30 libdnf-0.43.1-2.fc30 microdnf-3.4.0-1.fc30
    ===============================================================================
      Update ID: FEDORA-2020-66c974fdb6
           Type: enhancement
        Updated: 2020-03-09 15:43:35
           Bugs: 1256108 -
               : 1338975 -
               : 1782052 -
               : 1783041 -
    Description: libdnf:
               :
               : - Allow excluding packages with "excludepkgs" and globs
               : - Add two new query filters: obsoletes_by_priority, upgrades_by_priority
               : - [context] Use installonly_limit from global config (RhBug:1256108)
               : - [context] Add API to get/set "install_weak_deps"
               : - [context] Add wildcard support for repo_id in dnf_context_repo_enable/disable (RhBug:1781420)
               : - [context] Adds support for includepkgs in repository configuration.
               : - [context] Adds support for excludepkgs, exclude, includepkgs, and disable_excludes in main configuration.
               : - [context] Added function dnf_transaction_set_dont_solve_goal
               : - [context] Added functions dnf_context_get/set_config_file_path
               : - [context] Respect "plugins" global conf value
               : - [context] Add API to disable/enable plugins
               :
               : dnf:
               :
               : - [doc] Remove note about user-agent whitelist
               : - Do a substitution of variables in repo_id (RhBug:1748841)
               : - Respect order of config files in aliases.d (RhBug:1680489)
               : - Unify downgrade exit codes with upgrade (RhBug:1759847)
               : - Improve help for 'dnf module' command (RhBug:1758447)
               : - Add shell restriction for local packages (RhBug:1773483)
               : - Fix detection of the latest module (RhBug:1781769)
               : - Document the retries config option only works for packages (RhBug:1783041)
               : - Sort packages in transaction output by nevra (RhBug:1773436)
               : - Honor repo priority with check-update (RhBug:1769466)
               : - Strip '\' from aliases when processing (RhBug:1680482)
               : - Print the whole alias definition in case of infinite recursion (RhBug:1680488)
               : - Add support of commandline packages by repoquery (RhBug:1784148)
               : - Running with tsflags=test doesn't update log files
               : - Restore functionality of remove --oldinstallonly
               : - Allow disabling individual aliases config files (RhBug:1680566)
               :
               : dnf-plugins-core:
               :
               : - Fix: config_manager respect config file location during save
               : - Redesign reposync --latest for modular system (RhBug:1775434)
               : - [reposync] Fix --delete with multiple repos (RhBug:1774103)
               : - [doc] Skip creating and installing migrate documentation for Python 3+
               : - [config-manager] Allow use of --set-enabled without arguments (RhBug:1679213)
               : - [versionlock] Prevent conflicting/duplicate entries (RhBug:1782052)
               :
               : microdnf:
               :
               : - Add reinstall command
               : - Add "--setopt=tsflags=test" support
               : - Add "--setopt=reposdir=<path>" and "--setopt=varsdir=<path1>,<path2>,..." support
               : - Add "--config=<path_to_config_file>" support
               : - Add "--disableplugin", "--enableplugin" support (RhBug:1781126)
               : - Add "--noplugins" support
               : - Add "--setopt=cachedir=<path_to_cache_directory>" support
               : - Add "--installroot=<path_to_installroot_directory>" support
               : - Add "--refresh" support
               : - Support "install_weak_deps" conf option and "--setopt=install_weak_deps=0/1"
               : - Respect reposdir from conf file
               : - Respect "metadata_expire" conf file opton (RhBug:1771147)
               : - Fix: Don't print lines with (null) in transaction report (RhBug:1691353)
               : - [repolist] Print padding spaces only if output is terminal
       Severity: None
In this case, the advisory was an “Enhancement”. You can see that the change report is fairly extensive and should satisfy the curiosity of most people who might have a need to know what this particular patch will do.
Okay, great… Now, what if I only want to install the packages to fix a particular bug?
Let’s say our organization has a need to patch just one particular advisory. Let’s pick a security-related one. The advisory FEDORA-2020-4d11d35a1f was related to a WebKit issue.

    dnf updateinfo --info --advisory=FEDORA-2020-4d11d35a1f
    ...
    ===============================================================================
      webkit2gtk3-2.26.4-1.fc30
    ===============================================================================
      Update ID: FEDORA-2020-4d11d35a1f
           Type: security
        Updated: 2020-03-09 15:45:07
    Description: * Always use a light theme for rendering form controls.
               : * Fix several crashes and rendering issues.
               : * Security fixes: CVE-2020-3862, CVE-2020-3864, CVE-2020-3865, CVE-2020-3867, CVE-2020-3868
       Severity: Moderate
If for whatever reason this was something that you needed to fix right now, but you were not ready to apply all of your patches, you can tell DNF to only install packages that apply to a particular advisory using sudo dnf update --advisory=<advisory_name>.

    sudo dnf update --advisory=FEDORA-2020-4d11d35a1f
    Last metadata expiration check: 0:43:23 ago on Tue 10 Mar 2020 12:50:58 PM EDT.
    Dependencies resolved.
    =========================================================================================================
     Package                     Architecture       Version                  Repository                 Size
    =========================================================================================================
    Upgrading:
     webkit2gtk3                 x86_64             2.26.4-1.fc30            updates                    15 M
     webkit2gtk3-jsc             x86_64             2.26.4-1.fc30            updates                   5.8 M

    Transaction Summary
    =========================================================================================================
    Upgrade  2 Packages

    Total download size: 21 M
    Is this ok [y/N]:
DNF will also take a comma-separated value of multiple advisories to apply. For instance, if we wanted to apply the following two advisories:

    sudo dnf update --advisory=FEDORA-2020-4d11d35a1f,FEDORA-2020-66c974fdb6
    Last metadata expiration check: 0:46:50 ago on Tue 10 Mar 2020 12:50:58 PM EDT.
    Dependencies resolved.
    =========================================================================================================
     Package                     Architecture       Version                  Repository                 Size
    =========================================================================================================
    Upgrading:
     dnf                         noarch             4.2.18-1.fc30            updates                   396 k
     dnf-data                    noarch             4.2.18-1.fc30            updates                    47 k
     dnf-plugins-core            noarch             4.0.13-1.fc30            updates                    30 k
     dnf-yum                     noarch             4.2.18-1.fc30            updates                    45 k
     libdnf                      x86_64             0.43.1-3.fc30            updates                   611 k
     python3-dnf                 noarch             4.2.18-1.fc30            updates                   423 k
     python3-dnf-plugins-core    noarch             4.0.13-1.fc30            updates                   170 k
     python3-hawkey              x86_64             0.43.1-3.fc30            updates                    96 k
     python3-libdnf              x86_64             0.43.1-3.fc30            updates                   711 k
     webkit2gtk3                 x86_64             2.26.4-1.fc30            updates                    15 M
     webkit2gtk3-jsc             x86_64             2.26.4-1.fc30            updates                   5.8 M

    Transaction Summary
    =========================================================================================================
    Upgrade  11 Packages

    Total download size: 23 M
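
One way to combine the three listing columns with the comma-separated --advisory form (an added example, not part of the original post): the script reads dnf updateinfo --list output, keeps the advisories of one security severity, and prints the matching update command without running it. The function names and sample rows are constructed for illustration, and it assumes other severities use the same "Severity/Sec." spelling the listing shows for Moderate and Important.

```shell
#!/bin/sh
# Added example (not from the original post): build a selective
# `dnf update --advisory=...` command from `dnf updateinfo --list` output.

# Constructed sample: rows taken from the --security listing on this page,
# plus the noise lines (metadata banner, "...") that also show up in output.
sample_listing() {
cat <<'EOF'
Last metadata expiration check: 0:43:23 ago on Tue 10 Mar 2020 12:50:58 PM EDT.
FEDORA-2020-76d608179d Moderate/Sec.  NetworkManager-ssh-1.2.11-1.fc30.x86_64
FEDORA-2020-247650d74a Important/Sec. firefox-73.0.1-1.fc30.x86_64
...
FEDORA-2020-f8e267d6d0 Important/Sec. systemd-241-14.git18dd3fb.fc30.x86_64
FEDORA-2020-f8e267d6d0 Important/Sec. systemd-libs-241-14.git18dd3fb.fc30.x86_64
FEDORA-2020-4d11d35a1f Moderate/Sec.  webkit2gtk3-2.26.4-1.fc30.x86_64
EOF
}

# advisories_for SEVERITY: read a listing on stdin and print the unique
# advisory IDs typed "SEVERITY/Sec.", comma-separated, in first-seen order.
advisories_for() {
    awk -v want="$1/Sec." '
        # Data rows have exactly three columns and start with an advisory ID;
        # everything else (banner, "..." elisions) is ignored.
        NF == 3 && $1 ~ /^[A-Z]+(-[A-Z]+)*-[0-9]+[-:][0-9a-f]+$/ && $2 == want {
            if (!seen[$1]++) ids = ids (ids == "" ? "" : ",") $1
        }
        END { print ids }'
}

# packages_for ADVISORY: print the packages (third column) an advisory updates.
packages_for() {
    awk -v id="$1" 'NF == 3 && $1 == id { print $3 }'
}

# update_command SEVERITY: print, without running it, the command that applies
# only those advisories; fail if nothing of that severity is pending.
update_command() {
    ids=$(advisories_for "$1")
    if [ -z "$ids" ]; then
        echo "no $1 security advisories pending" >&2
        return 1
    fi
    printf 'sudo dnf update --advisory=%s\n' "$ids"
}

# Demo on the constructed sample; on a real host, pipe in
# `dnf updateinfo --list --security` instead of sample_listing.
sample_listing | update_command Important
```

Because an advisory such as FEDORA-2020-f8e267d6d0 spans several packages, the script de-duplicates IDs before joining them, so each advisory appears once in the generated command.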
Try some of these commands on your own systems.
Take a look at the DNF documentation here: https://dnf.readthedocs.io/en/latest/index.html and try out different combinations of the updateinfo option on your own systems to get a more in-depth look at what you are updating the next time you need to patch.
Try adding a -v to the --info commands that we looked at above. You’ll see that you can get even more information.
Happy patching! And let me know if this has helped you out at all!