This repository has been archived by the owner on Jan 31, 2023. It is now read-only.

check_yum missing security updates #17

Open
jalbstmeijer opened this issue Apr 13, 2015 · 1 comment

@jalbstmeijer

Hi,

It seems like when security updates are surpassed by non-security updates the security update is missed.

Not sure where the fault lies: either check_yum does not see the list of packages in the '/usr/bin/yum --security check-update' output, or it is a '/usr/bin/yum --security check-update' bug, which concludes there are 'No packages needed for security' but still shows, in between, updates that are security upgrades.

./check_yum -vvvv
check_yum - Version 1.1.0

setting plugin timeout to 55 seconds
running command: /usr/bin/yum --security check-update
Returncode: '100'
Output: 'Loaded plugins: changelog, fastestmirror, security
Loading mirror speeds from cached hostfile

 * epel: mirror-fr1.bbln.org
 * openvz-kernel-rhel6: openvz.proserve.nl
 * openvz-utils: openvz.proserve.nl
 * rpmforge: mirror.de.leaseweb.net
Limiting package lists to security relevant ones
No packages needed for security; 28 packages available

facter.x86_64 1:2.4.1-1.el6 puppetlabs-products
tzdata.noarch 2015a-1.el6 updates
'
0 Security Updates Available. 28 Non-Security Updates Available

yum check-update --security -v
Loading "changelog" plugin
Loading "fastestmirror" plugin
Loading "security" plugin
Config time: 0.048
Yum Version: 3.2.29
rpmdb time: 0.000
Building updates object
Setting up Package Sacks
Loading mirror speeds from cached hostfile

 * epel: mirror-fr1.bbln.org
 * openvz-kernel-rhel6: openvz.proserve.nl
 * openvz-utils: openvz.proserve.nl
 * rpmforge: mirror.de.leaseweb.net
Limiting package lists to security relevant ones
Building updates object
up:Obs Init time: 0.666
up:simple updates time: 0.024
up:obs time: 0.018
up:condense time: 0.000
updates time: 3.798
--> unzip-6.0-2.el6_6.x86_64 from updates excluded (non-security)
--> cyrus-sasl-2.1.23-15.el6_6.2.x86_64 from updates excluded (non-security)
--> dracut-004-356.el6_6.1.noarch from updates excluded (non-security)
--> 32:bind-utils-9.8.2-0.30.rc1.el6_6.2.x86_64 from updates excluded (non-security)
--> subversion-1.6.11-12.el6_6.x86_64 from updates excluded (non-security)
--> augeas-libs-1.0.0-7.el6_6.1.x86_64 from updates excluded (non-security)
--> cyrus-sasl-plain-2.1.23-15.el6_6.2.x86_64 from updates excluded (non-security)
--> vzkernel-2.6.32-042stab106.4.x86_64 from openvz-kernel-rhel6 excluded (non-security)
--> kpartx-0.4.9-80.el6_6.3.x86_64 from updates excluded (non-security)
--> libssh2-1.4.2-1.el6_6.1.x86_64 from updates excluded (non-security)
--> tzdata-2015b-1.el6.noarch from updates excluded (non-security)
--> tcsh-6.17-25.el6_6.x86_64 from updates excluded (non-security)
--> ruby-rdoc-1.8.7.374-4.el6_6.x86_64 from updates excluded (non-security)
--> cyrus-sasl-lib-2.1.23-15.el6_6.2.x86_64 from updates excluded (non-security)
--> vzkernel-headers-2.6.32-042stab106.4.x86_64 from openvz-kernel-rhel6 excluded (non-security)
--> 2:shadow-utils-4.1.4.2-19.el6_6.1.x86_64 from updates excluded (non-security)
--> libcurl-7.19.7-40.el6_6.4.x86_64 from updates excluded (non-security)
--> 32:bind-libs-9.8.2-0.30.rc1.el6_6.2.x86_64 from updates excluded (non-security)
--> ruby-1.8.7.374-4.el6_6.x86_64 from updates excluded (non-security)
--> 1:busybox-1.15.1-21.el6_6.x86_64 from updates excluded (non-security)
--> dracut-kernel-004-356.el6_6.1.noarch from updates excluded (non-security)
--> curl-7.19.7-40.el6_6.4.x86_64 from updates excluded (non-security)
--> puppet-3.7.5-1.el6.noarch from puppetlabs-products excluded (non-security)
--> ruby-libs-1.8.7.374-4.el6_6.x86_64 from updates excluded (non-security)
--> 32:bind-9.8.2-0.30.rc1.el6_6.2.x86_64 from updates excluded (non-security)
--> ruby-irb-1.8.7.374-4.el6_6.x86_64 from updates excluded (non-security)
--> 1:facter-2.4.3-1.el6.x86_64 from puppetlabs-products excluded (non-security)
--> krb5-libs-1.10.3-37.el6_6.x86_64 from updates excluded (non-security)
No packages needed for security; 28 packages available
pkgsack time: 8.451
up:Obs Init time: 0.623
up:simple updates time: 0.018
up:obs time: 0.022
up:condense time: 0.000
updates time: 10.116

facter.x86_64 1:2.4.1-1.el6 puppetlabs-products
tzdata.noarch 2015a-1.el6 updates

@calestyo
Owner

Hey.

Sorry for the delay.
I'd strongly suspect that this would be an issue in yum-security.
check_yum simply takes the output of yum --security check-update
and looks for these regular expressions:

"Needed \d+ of \d+ packages, for security"
"\d+ package\(s\) needed for security, out of \d+ available"
"No packages needed, for security, \d+ available"
"No packages needed for security; \d+ packages available"

So either they tell about the security updates or not; right now I cannot see how check_yum could do anything wrong there.

Have you reported the issue against the yum-security upstream?

Cheers,
Chris.
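
The summary-line matching described in the comment above, as an added example (a sketch, not check_yum's own code). The function names, the exit-code policy and computing the non-security count as total minus security are assumptions; the four patterns are the ones quoted in the comment.

```python
import re

# The four summary-line patterns quoted in the comment above, each paired with
# a flag: True if the line carries a security count, False if it means "none".
SUMMARY_PATTERNS = [
    (re.compile(r"Needed (\d+) of (\d+) packages, for security"), True),
    (re.compile(r"(\d+) package\(s\) needed for security, out of (\d+) available"), True),
    (re.compile(r"No packages needed, for security, (\d+) available"), False),
    (re.compile(r"No packages needed for security; (\d+) packages available"), False),
]

OK, CRITICAL, UNKNOWN = 0, 2, 3  # Nagios plugin exit codes


def parse_summary(output):
    """Return (security, non_security) from yum's summary line, or None."""
    for line in output.splitlines():
        for pattern, has_security_count in SUMMARY_PATTERNS:
            m = pattern.search(line)
            if not m:
                continue
            if has_security_count:
                security, total = int(m.group(1)), int(m.group(2))
            else:
                security, total = 0, int(m.group(1))
            # Assumption: non-security updates = total available - security.
            return security, total - security
    return None


def evaluate(output):
    """Map yum output to a (status, message) pair (hypothetical policy)."""
    counts = parse_summary(output)
    if counts is None:
        # No recognised summary line: never report OK on unparsed output.
        return UNKNOWN, "UNKNOWN: no security summary line found in yum output"
    security, other = counts
    msg = "%d Security Updates Available. %d Non-Security Updates Available" % (security, other)
    return (CRITICAL if security else OK), msg


# Constructed sample, abridged from the output quoted in the issue.
SAMPLE = """Loaded plugins: changelog, fastestmirror, security
Limiting package lists to security relevant ones
No packages needed for security; 28 packages available
tzdata.noarch 2015a-1.el6 updates
"""

if __name__ == "__main__":
    print(evaluate(SAMPLE))
```

The result is decided by the summary line alone: the package rows that follow it, such as `tzdata.noarch`, never influence the count, so a wrong summary from yum-security passes straight through to the monitoring result.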
