DNF Update Information – Fedora/CentOS 8

The Fedora operating system comes with an updated version of the famous yum package management utility, called “DNF”. DNF stands for “Dandified YUM”, and it retains the general syntax that users of the yum package manager are used to.

If you are reading this post, you should be familiar with at least the basics of installing and updating packages with YUM or DNF. Take a look at the Fedora Docs if you need a quick refresher on how to install packages with DNF.

What I would like to go over is a bit more advanced, though not difficult, aspect of DNF/YUM: how to get detailed information on what updates are available, why they are needed, and how to be a bit more selective in the updates that you choose to install. The commands we cover here will work on the current Fedora release (currently 31). They should also work on any release as far back as 22, which is when the switch to DNF became official, as well as on CentOS 8 and RHEL 8.

What information can you get from DNF?

There is a ton of information available directly from the command line to help you keep track of the latest fixes, enhancements, and security vulnerabilities that affect the systems you manage. We will see how to find the Fedora advisories, CVEs, and Bugzilla reports that have fixes available for a Fedora system, be it a Workstation or a Server, and how to install just the packages that are required to address those issues.

The command we are looking at specifically is dnf updateinfo.

Keep in mind that the level of detail depends on the security metadata provided by the OS vendor or the repositories. Not all repositories include metadata for security and bugfix updates.

Who cares? Why not just install all the updates and not worry about it?

Just doing dnf -y upgrade every couple of weeks is probably just fine for a lot of people, maybe most people. If you don’t care about the CVEs you’re addressing, or the enhancements that are coming down, then there is no need to keep reading. No judgment: I often don’t care about all that stuff either, but when I do care, it’s nice to know how to find that information.

This is directed more towards someone who has a need to:

  • Report on CVEs / bugfixes available on a system.
  • Minimize change while still keeping a system patched and secure.
  • Stay in the loop about what vulnerabilities are being patched when they update.

How to get information on available updates.

DNF update summary

If you are just looking for a brief summary of the types of updates that are available on your system, you can use dnf updateinfo or dnf updateinfo --summary. Both commands do the same thing.

dnf updateinfo
Updates Information Summary: available
    10 Security notice(s)
         4 Important Security notice(s)
         6 Moderate Security notice(s)
    22 Bugfix notice(s)
     6 Enhancement notice(s)
     4 other notice(s)

If you just need a quick executive summary to hand off to your manager or to an application owner, this is what you are looking for. It gives you a quick breakdown of the types of updates that are available (Security, Bugfix, Enhancement, etc.) and, in the case of security updates, even breaks them down by severity (Critical, Important, Moderate, Low).

Notice that you do not have to run these commands with sudo. A regular user should be able to generate these reports if they need to.

DNF advisories

To get a more detailed look at the available patches than the summary provides, you can see which Fedora advisories are ready to be installed using dnf updateinfo --list.

dnf updateinfo --list
FEDORA-2020-76d608179d Moderate/Sec.  NetworkManager-ssh-1.2.11-1.fc30.x86_64
FEDORA-2020-76d608179d Moderate/Sec.  NetworkManager-ssh-gnome-1.2.11-1.fc30.x86_64
FEDORA-2020-e94bce43a0 bugfix         abrt-2.14.0-1.fc30.x86_64
FEDORA-2020-e94bce43a0 bugfix         abrt-addon-ccpp-2.14.0-1.fc30.x86_64
FEDORA-2020-e94bce43a0 bugfix         abrt-addon-kerneloops-2.14.0-1.fc30.x86_64
FEDORA-2020-262cfead59 bugfix         authselect-compat-1.1-3.fc30.x86_64
FEDORA-2020-262cfead59 bugfix         authselect-libs-1.1-3.fc30.x86_64
FEDORA-2020-375927619e unknown        babl-0.1.74-1.fc30.x86_64
FEDORA-2020-5e06ad5ec5 unknown        cryptsetup-2.3.0-1.fc30.x86_64
FEDORA-2020-5e06ad5ec5 unknown        cryptsetup-libs-2.3.0-1.fc30.x86_64
FEDORA-2020-93f59740fe bugfix         cups-filters-1.27.1-1.fc30.x86_64
FEDORA-2020-93f59740fe bugfix         cups-filters-libs-1.27.1-1.fc30.x86_64
FEDORA-2020-173ac89547 bugfix         distribution-gpg-keys-1.37-1.fc30.noarch
FEDORA-2020-42dbcf8d17 bugfix         dkms-2.8.1-4.20200214git5ca628c.fc30.noarch
FEDORA-2020-66c974fdb6 enhancement    dnf-4.2.18-1.fc30.noarch
FEDORA-2020-66c974fdb6 enhancement    dnf-data-4.2.18-1.fc30.noarch
FEDORA-2020-66c974fdb6 enhancement    dnf-plugins-core-4.0.13-1.fc30.noarch
FEDORA-2020-66c974fdb6 enhancement    dnf-yum-4.2.18-1.fc30.noarch
FEDORA-2020-46169d6812 enhancement    enchant2-2.2.8-1.fc30.x86_64
FEDORA-2020-247650d74a Important/Sec. firefox-73.0.1-1.fc30.x86_64
FEDORA-2020-1a8b3ac8a4 bugfix         libsane-hpaio-3.19.12-4.fc30.x86_64
FEDORA-2020-6f1209bb45 Moderate/Sec.  libtiff-4.0.10-8.fc30.x86_64
FEDORA-2020-765f45cd37 unknown        libtirpc-1.2.5-1.rc2.fc30.x86_64
FEDORA-2020-da16c02863 bugfix         libxcrypt-4.4.15-1.fc30.x86_64
FEDORA-2020-da16c02863 bugfix         libxcrypt-compat-4.4.15-1.fc30.x86_64
FEDORA-2020-da16c02863 bugfix         libxcrypt-devel-4.4.15-1.fc30.x86_64
FEDORA-2020-b7b2270753 bugfix         mdadm-4.1-1.fc30.x86_64
FEDORA-2020-881594a179 enhancement    mkpasswd-5.5.6-1.fc30.x86_64

What are we looking at here? By column, you can see the following information:

  • Advisory name, e.g. FEDORA-2020-76d608179d
  • Type, e.g. enhancement, bugfix, security
  • The name and version of the package that will address the issue, e.g. NetworkManager-ssh-1.2.11-1.fc30.x86_64

By default, the --list option creates a list of advisories that your system is affected by. You can break this list down even further using --security, --bugfix, or --enhancement.

Try dnf updateinfo --list --security to see a list of all the security-related advisories that are applicable to your system.

dnf updateinfo --list --security
FEDORA-2020-76d608179d Moderate/Sec.  NetworkManager-ssh-1.2.11-1.fc30.x86_64
FEDORA-2020-76d608179d Moderate/Sec.  NetworkManager-ssh-gnome-1.2.11-1.fc30.x86_64
FEDORA-2020-247650d74a Important/Sec. firefox-73.0.1-1.fc30.x86_64
FEDORA-2020-092ef6572a Moderate/Sec.  glib2-2.60.7-3.fc30.x86_64
FEDORA-2020-47efc31973 Important/Sec. libnghttp2-1.40.0-1.fc30.x86_64
FEDORA-2020-6f1209bb45 Moderate/Sec.  libtiff-4.0.10-8.fc30.x86_64
FEDORA-2020-8193c0aa68 Important/Sec. openjpeg2-2.3.1-6.fc30.x86_64
FEDORA-2020-571091c70b Moderate/Sec.  ppp-2.4.7-34.fc30.x86_64
FEDORA-2020-5cdbb19cca Moderate/Sec.  python3-pillow-5.4.1-4.fc30.x86_64
FEDORA-2020-f8e267d6d0 Important/Sec. systemd-241-14.git18dd3fb.fc30.x86_64
FEDORA-2020-f8e267d6d0 Important/Sec. systemd-container-241-14.git18dd3fb.fc30.x86_64
FEDORA-2020-f8e267d6d0 Important/Sec. systemd-libs-241-14.git18dd3fb.fc30.x86_64
FEDORA-2020-f8e267d6d0 Important/Sec. systemd-pam-241-14.git18dd3fb.fc30.x86_64
FEDORA-2020-f8e267d6d0 Important/Sec. systemd-rpm-macros-241-14.git18dd3fb.fc30.noarch
FEDORA-2020-f8e267d6d0 Important/Sec. systemd-udev-241-14.git18dd3fb.fc30.x86_64
FEDORA-2020-4d11d35a1f Moderate/Sec.  webkit2gtk3-2.26.4-1.fc30.x86_64
FEDORA-2020-4d11d35a1f Moderate/Sec.  webkit2gtk3-jsc-2.26.4-1.fc30.x86_64

Use DNF to get detailed information about an advisory

It looks like one of my outstanding security issues is FEDORA-2020-f8e267d6d0. What does that mean? DNF can give you a detailed look at what the advisories mean, what issues they address and which packages will be installed to fix those issues.

This uses a new command switch: dnf updateinfo --info.

Let’s say our management wants to know what is included in FEDORA-2020-f8e267d6d0. That information can be gathered from DNF, no need to start searching the web for answers.

dnf updateinfo --info --advisory=FEDORA-2020-f8e267d6d0
  Update ID: FEDORA-2020-f8e267d6d0
       Type: security
    Updated: 2020-03-09 15:44:28
       Bugs: 1614871 - systemd-journald.service: Service has no hold-off time, scheduling restart
           : 1705522 - resume from hibernation times out on disk unlock screen after 90 seconds (even with systemd.device-timeout=0)
           : 1708213 - Remote/distributed journal broken in systemd 241 (no workaround), backport 242 required
           : 1709547 - Boot fails when password file in crypttab can't be read
           : 1717712 - F30 installer screen inverted
           : 1793980 - CVE-2019-20386 systemd: a memory leak was discovered in button_open in login/logind-button.c when executing the udevadm trigger command [fedora-30]
           : 1798414 - CVE-2020-1712 systemd: use-after-free when asynchronous polkit queries are performed [fedora-all]
Description: A few bugfixes and hwdb update.
           : No need to log out or reboot.
   Severity: Important

As you can see DNF will provide a whole lot of useful information. Here are some of the highlights that I think are especially important:

  • Right at the top, you will see a list of packages that will be updated. In this case, it’s just one.
  • Type. In this case, it is a security issue.
  • The date and time the package update became available.
  • Which bugs this will fix with a BZ number that you can look up (more on that later).
  • A brief description, which includes whether or not a reboot is required.
  • The severity.

Speaking of Bugzilla reports…

Looking at the output of the advisory information, we can see several bugs listed, all of them prefixed by a number. Those numbers correspond to a Bugzilla report.

DNF can also get information on a Bugzilla report. For example, one of the bugs fixed by FEDORA-2020-66c974fdb6 is 1256108. Let’s see what information we can get about that report.

dnf updateinfo --info --bz=1256108
  dnf-4.2.18-1.fc30 dnf-plugins-core-4.0.13-1.fc30 libdnf-0.43.1-2.fc30 microdnf-3.4.0-1.fc30
  Update ID: FEDORA-2020-66c974fdb6
       Type: enhancement
    Updated: 2020-03-09 15:43:35
       Bugs: 1256108 - 
           : 1338975 - 
           : 1782052 - 
           : 1783041 - 
Description: libdnf:
           : - Allow excluding packages with "excludepkgs" and globs
           : - Add two new query filters: obsoletes_by_priority, upgrades_by_priority
           : - [context] Use installonly_limit from global config (RhBug:1256108)
           : - [context] Add API to get/set "install_weak_deps"
           : - [context] Add wildcard support for repo_id in dnf_context_repo_enable/disable (RhBug:1781420)
           : - [context] Adds support for includepkgs in repository configuration.
           : - [context] Adds support for excludepkgs, exclude, includepkgs, and disable_excludes in main configuration.
           : - [context] Added function dnf_transaction_set_dont_solve_goal
           : - [context] Added functions dnf_context_get/set_config_file_path
           : - [context] Respect "plugins" global conf value
           : - [context] Add API to disable/enable plugins
           : dnf:
           : - [doc] Remove note about user-agent whitelist
           : - Do a substitution of variables in repo_id (RhBug:1748841)
           : - Respect order of config files in aliases.d (RhBug:1680489)
           : - Unify downgrade exit codes with upgrade (RhBug:1759847)
           : - Improve help for 'dnf module' command (RhBug:1758447)
           : - Add shell restriction for local packages (RhBug:1773483)
           : - Fix detection of the latest module (RhBug:1781769)
           : - Document the retries config option only works for packages (RhBug:1783041)
           : - Sort packages in transaction output by nevra (RhBug:1773436)
           : - Honor repo priority with check-update (RhBug:1769466)
           : - Strip '\' from aliases when processing (RhBug:1680482)
           : - Print the whole alias definition in case of infinite recursion (RhBug:1680488)
           : - Add support of commandline packages by repoquery (RhBug:1784148)
           : - Running with tsflags=test doesn't update log files
           : - Restore functionality of remove --oldinstallonly
           : - Allow disabling individual aliases config files (RhBug:1680566)
           : dnf-plugins-core:
           : - Fix: config_manager respect config file location during save
           : - Redesign reposync --latest for modular system (RhBug:1775434)
           : - [reposync] Fix --delete with multiple repos (RhBug:1774103)
           : - [doc] Skip creating and installing migrate documentation for Python 3+
           : - [config-manager] Allow use of --set-enabled without arguments (RhBug:1679213)
           : - [versionlock] Prevent conflicting/duplicate entries (RhBug:1782052)
           : microdnf:
           : - Add reinstall command
           : - Add "--setopt=tsflags=test" support
           : - Add "--setopt=reposdir=<path>" and "--setopt=varsdir=<path1>,<path2>,..." support
           : - Add "--config=<path_to_config_file>" support
           : - Add "--disableplugin", "--enableplugin" support (RhBug:1781126)
           : - Add "--noplugins" support
           : - Add "--setopt=cachedir=<path_to_cache_directory>" support
           : - Add "--installroot=<path_to_installroot_directory>" support
           : - Add "--refresh" support
           : - Support "install_weak_deps" conf option and "--setopt=install_weak_deps=0/1"
           : - Respect reposdir from conf file
           : - Respect "metadata_expire" conf file opton (RhBug:1771147)
           : - Fix: Don't print lines with (null) in transaction report (RhBug:1691353)
           : - [repolist] Print padding spaces only if output is terminal
   Severity: None

In this case, the advisory was an “Enhancement”. You can see that the change report is fairly extensive and should satisfy the curiosity of most people who might have a need to know what this particular patch will do.

Okay, great… Now, what if I only want to install the packages to fix a particular bug?

Let’s say our organization has a need to patch just one particular advisory. Let’s pick a security-related one. The advisory FEDORA-2020-4d11d35a1f was related to a WebKit issue.

dnf updateinfo --info --advisory=FEDORA-2020-4d11d35a1f
  Update ID: FEDORA-2020-4d11d35a1f
       Type: security
    Updated: 2020-03-09 15:45:07
Description:  * Always use a light theme for rendering form controls.
           :  * Fix several crashes and rendering issues.
           :  * Security fixes: CVE-2020-3862, CVE-2020-3864, CVE-2020-3865, CVE-2020-3867, CVE-2020-3868
   Severity: Moderate

If, for whatever reason, this was something that you needed to fix right now but you were not ready to apply all of your patches, you can tell DNF to install only the packages that apply to a particular advisory using sudo dnf update --advisory=<advisory_name>.

sudo dnf update --advisory=FEDORA-2020-4d11d35a1f
Last metadata expiration check: 0:43:23 ago on Tue 10 Mar 2020 12:50:58 PM EDT.
Dependencies resolved.
 Package                      Architecture        Version                     Repository            Size
 webkit2gtk3                  x86_64              2.26.4-1.fc30               updates               15 M
 webkit2gtk3-jsc              x86_64              2.26.4-1.fc30               updates              5.8 M

Transaction Summary
Upgrade  2 Packages

Total download size: 21 M
Is this ok [y/N]: 

DNF will also take a comma-separated list of multiple advisories to apply. For instance, if we wanted to apply the following two advisories:

sudo dnf update --advisory=FEDORA-2020-4d11d35a1f,FEDORA-2020-66c974fdb6
Last metadata expiration check: 0:46:50 ago on Tue 10 Mar 2020 12:50:58 PM EDT.
Dependencies resolved.
 Package                             Architecture      Version                  Repository          Size
 dnf                                 noarch            4.2.18-1.fc30            updates            396 k
 dnf-data                            noarch            4.2.18-1.fc30            updates             47 k
 dnf-plugins-core                    noarch            4.0.13-1.fc30            updates             30 k
 dnf-yum                             noarch            4.2.18-1.fc30            updates             45 k
 libdnf                              x86_64            0.43.1-3.fc30            updates            611 k
 python3-dnf                         noarch            4.2.18-1.fc30            updates            423 k
 python3-dnf-plugins-core            noarch            4.0.13-1.fc30            updates            170 k
 python3-hawkey                      x86_64            0.43.1-3.fc30            updates             96 k
 python3-libdnf                      x86_64            0.43.1-3.fc30            updates            711 k
 webkit2gtk3                         x86_64            2.26.4-1.fc30            updates             15 M
 webkit2gtk3-jsc                     x86_64            2.26.4-1.fc30            updates            5.8 M

Transaction Summary
Upgrade  11 Packages

Total download size: 23 M
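
The following script is an added example, not part of the original post. It parses the three-column dnf updateinfo --list output shown earlier, selects the security advisories at or above a chosen severity, and builds the comma-separated value for --advisory=, along with a per-advisory package count for reporting. The function names and the assembled sample input are assumptions made for the illustration.

```shell
#!/usr/bin/env bash
# Added example: filter `dnf updateinfo --list` output by severity and build
# the value for `dnf update --advisory=`. Reads the list on stdin.

# Sample rows copied from the listings above, plus a metadata header line
# (assembled here for the demo; not a real capture of one run).
SAMPLE_LIST='Last metadata expiration check: 0:43:23 ago on Tue 10 Mar 2020 12:50:58 PM EDT.
FEDORA-2020-76d608179d Moderate/Sec.  NetworkManager-ssh-1.2.11-1.fc30.x86_64
FEDORA-2020-e94bce43a0 bugfix         abrt-2.14.0-1.fc30.x86_64
FEDORA-2020-247650d74a Important/Sec. firefox-73.0.1-1.fc30.x86_64
FEDORA-2020-f8e267d6d0 Important/Sec. systemd-241-14.git18dd3fb.fc30.x86_64
FEDORA-2020-f8e267d6d0 Important/Sec. systemd-libs-241-14.git18dd3fb.fc30.x86_64
FEDORA-2020-4d11d35a1f Moderate/Sec.  webkit2gtk3-2.26.4-1.fc30.x86_64'

# Print unique security advisory IDs at or above a minimum severity,
# comma-separated. $1 = Low | Moderate | Important | Critical.
# Assumption: Low and Critical use the same "<Severity>/Sec." label form.
advisories_at_or_above() {
    awk -v min="$1" '
        BEGIN {
            rank["Low"] = 1; rank["Moderate"] = 2
            rank["Important"] = 3; rank["Critical"] = 4
            if (!(min in rank)) {
                print "unknown severity: " min > "/dev/stderr"
                exit 2
            }
        }
        $2 ~ /\/Sec\.$/ {                 # security rows only
            sev = $2; sub(/\/Sec\.$/, "", sev)
            if ((sev in rank) && rank[sev] >= rank[min] && !seen[$1]++)
                ids = ids (ids == "" ? "" : ",") $1
        }
        END { if (ids != "") print ids }'
}

# Per-advisory report in first-seen order: "<id> <type> <package count>".
advisory_report() {
    awk 'NF == 3 && $1 ~ /[0-9]/ {        # skips header/status lines
             if (!($1 in count)) { order[++k] = $1; type[$1] = $2 }
             count[$1]++
         }
         END { for (i = 1; i <= k; i++)
                   print order[i], type[order[i]], count[order[i]] }'
}

# Demo on the sample; on a live system pipe in: dnf updateinfo --list
ids=$(printf '%s\n' "$SAMPLE_LIST" | advisories_at_or_above Important)
echo "sudo dnf update --advisory=$ids"
printf '%s\n' "$SAMPLE_LIST" | advisory_report
```

The script only prints the update command, so the advisory list can be reviewed before anything is installed.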

Try some of these commands on your own systems.

Take a look at the DNF documentation here: https://dnf.readthedocs.io/en/latest/index.html and try out different combinations of the updateinfo option on your own systems to get a more in-depth look at what you are updating the next time you need to patch.

Try adding a -v to the --info commands that we looked at above. You’ll see that you can get even more information.

Happy patching! And let me know if this has helped you out at all!

Luke is a Linux Systems Administrator, specializing in Red Hat Linux, Ansible, and automation technologies.

This post, re-published here with permission, was originally posted on Luke’s site here.
