Red Hat Knowledgebase

Article Reference

Article ID: 565
Last update: 05-11-06
Issue:
How do I download security RPMs using the Red Hat Errata Website?
Resolution:

When security errata reports are released, they are published on the Red Hat Errata website available at http://www.redhat.com/security/updates. From this page, select the product and version for your system, and then select security at the top of the page to display only Red Hat Enterprise Linux Security Advisories. If the synopsis of one of the advisories describes a package used on your system, click on the synopsis for more details.

The details page describes the security exploit and any special instructions that must be performed in addition to updating the package to fix the security hole.

To download the updated package(s), click on the package name(s) and save to the hard drive. It is highly recommended that you create a new directory, such as /tmp/updates, and save all the downloaded packages to it.

All Red Hat Enterprise Linux packages are signed with the Red Hat, Inc. GPG key. The RPM utility within Red Hat Enterprise Linux automatically tries to verify the GPG signature of an RPM package before installing it. If the Red Hat, Inc. GPG key is not installed, install it from a secure, static location such as a Red Hat Enterprise Linux installation CD-ROM.

Assuming the CD-ROM is mounted in /mnt/cdrom, use the following command to import it into the keyring:

rpm --import /mnt/cdrom/RPM-GPG-KEY

To display a list of all keys installed for RPM verification, execute the following command:

rpm -qa 'gpg-pubkey*'

For the Red Hat, Inc. key, the output includes the following:

gpg-pubkey-db42a60e-37ea5438

To display details about a specific key, use the rpm -qi command followed by the output from the previous command, as in this example:

rpm -qi gpg-pubkey-db42a60e-37ea5438

It is extremely important to verify the signature of the RPM files before installing them to ensure that they have not been altered from the Red Hat, Inc. release of the packages. To verify all the downloaded packages at once, issue the following command:

rpm -K /tmp/updates/*.rpm

For each package, if the GPG key verifies successfully, the command returns gpg OK.
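The check above can be made fail-closed so that nothing is installed unless every package line ends in gpg OK. This is an added example, not part of the original article: the function names and the sample lines are constructed, and it assumes an rpm version that prints gpg OK as described here, so any other result line (including one that reports OK without naming gpg) is rejected.

```shell
#!/bin/sh
# Added example (not from the article): fail-closed check of `rpm -K` output.

# Reads `rpm -K` result lines on stdin. Succeeds only if there is at least one
# line and every line ends in "gpg OK", the success text the article gives.
check_rpm_k_output() {
    seen=0
    bad=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        seen=$((seen + 1))
        case "$line" in
            *" gpg OK") ;;                       # signature verified
            *) bad=$((bad + 1))
               printf 'REJECT: %s\n' "$line" >&2 ;;
        esac
    done
    [ "$seen" -gt 0 ] && [ "$bad" -eq 0 ]
}

# Hypothetical wrapper: verify every package in a directory (default is the
# article's /tmp/updates). LC_ALL=C keeps rpm's messages untranslated.
verify_updates() {
    dir=${1:-/tmp/updates}
    LC_ALL=C rpm -K "$dir"/*.rpm 2>&1 | check_rpm_k_output
}

# Constructed sample lines (package names are made up).
SAMPLE_GOOD='/tmp/updates/example-a-1.0-2.i386.rpm: (sha1) dsa sha1 md5 gpg OK
/tmp/updates/example-b-2.1-1.i386.rpm: (sha1) dsa sha1 md5 gpg OK'
SAMPLE_MIXED='/tmp/updates/example-a-1.0-2.i386.rpm: (sha1) dsa sha1 md5 gpg OK
/tmp/updates/example-c-0.9-3.i386.rpm: sha1 md5 OK
/tmp/updates/example-d-3.2-1.i386.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK'

if printf '%s\n' "$SAMPLE_GOOD" | check_rpm_k_output; then
    echo "good set: safe to install"
fi
if ! printf '%s\n' "$SAMPLE_MIXED" | check_rpm_k_output; then
    echo "mixed set: do not install"
fi
```

Run verify_updates against the download directory and proceed to the install step only when it exits with status 0; an empty directory or a missing rpm binary also yields a non-zero status.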

After verifying the GPG key and downloading all the packages associated with the errata report, install the packages as root at a shell prompt.

This can be done safely for most packages (except kernel packages) by issuing the following command:

rpm -Uvh /tmp/updates/*.rpm

For kernel packages it is advised that the following command be used:

rpm -ivh /tmp/updates/<kernel-package>

Replace <kernel-package> in the previous example with the name of the kernel RPM.

Once the machine has been safely rebooted using the new kernel, the old kernel may be removed using the following command:

rpm -e <old-kernel-package>

Replace <old-kernel-package> in the previous example with the name of the older kernel RPM.

Note: It is not a requirement that the old kernel be removed.

Important: Before installing any security errata, be sure to read any special instructions contained in the errata report and execute them accordingly.

