How to install fixes for a given vulnerability?
Environment
- Red Hat Enterprise Linux 7
- Red Hat Enterprise Linux 8
- Red Hat Enterprise Linux 9
- Red Hat Enterprise Linux 10
Issue
- How to install fixes for a given vulnerability?
- How to install fixed packages for a given CVE ID?
- How to install fixed packages using a RHSA ID?
- How to apply Errata/Security fixes to an online or offline system?
Resolution
To update vulnerable packages in RHEL using yum or dnf (RHEL 8 and above), you can use either CVE IDs (recommended) or Errata IDs.
- Updating with a CVE ID (Recommended)
  - When using CVE IDs, yum/dnf automatically selects the correct errata for your RHEL version.
      yum update --cve CVE-2024-6387
  - Multiple CVE IDs can be specified:
      yum update --cve CVE-2024-38474 --cve CVE-2024-38475 --cve CVE-2024-38476
- Updating with an Errata ID
  - When using Errata IDs, ensure they match the exact RHEL version and variant (such as the Extended Update Support Add-On).
  - For example, if you are running a minor version like RHEL 9.2 without the Extended Update Support Add-On, you should refer to Red Hat Enterprise Linux 9 for the applicable Errata ID.
      yum update --advisory RHSA-2024:4312
  - If you are running RHEL 9.2 with the Extended Update Support Add-On, refer to the Errata ID for the Red Hat Enterprise Linux 9.2 Extended Update Support product.
  - Multiple errata IDs can be specified on the same command.
- Air Gapped / Offline Systems
  - Online systems retrieve updates from repositories, while air gapped/offline systems require RPM packages to be copied for installation.
  - To update offline systems:
    - Download RPMs from the Updated Packages tab on the Errata page.
    - Copy RPMs to a folder on the target system.
    - Navigate to the folder and run one of the following to update the packages. See "What are the advantages of using yum/dnf over rpm?".
        yum update *.rpm    (recommended)
        rpm -Uvh *.rpm
    - To test the update for missing dependencies beforehand, refer to "How to test a rpm operation for potential conflicts before performing actual operation?"
    - If dependencies are missing, download the required RPMs from the Red Hat Package Browser, add them to the folder, and retry the command.
    - See "How to install or upgrade an RPM package?" for more details.
Notes:
- From RHEL 8 onward, the yum command has been replaced with dnf, so dnf can be used in place of yum in the commands in this article.
- Use yum update to upgrade to the latest version of a package, or yum update-minimal to install the lowest version that includes the fix.
- Use --assumeno to preview changes without making any changes.
- If an affected package is not installed, it will not be installed/updated by running the yum update command.
- RHEL maintains compatibility within major releases, so packages for newer minor releases (like 9.5) work on older versions (like 9.2).
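The CVE-based update from the Resolution section, combined with the --assumeno preview and update-minimal from the Notes, as an added example that is not part of the original article or Red Hat's own code. The function names and the PKG_MGR override variable are assumptions made for illustration.

```sh
#!/bin/sh
# Added example, not Red Hat's code. Helper names and PKG_MGR are assumptions.

# Accept only well-formed CVE IDs so a typo or stray option never reaches yum/dnf.
valid_cve() {
    case $1 in *[!CVE0-9-]*) return 1 ;; esac
    printf '%s\n' "$1" | grep -Eq '^CVE-[0-9]{4}-[0-9]{4,}$'
}

# dnf replaces yum from RHEL 8 onward; fall back to yum on RHEL 7.
pkg_mgr() {
    if command -v dnf >/dev/null 2>&1; then echo dnf; else echo yum; fi
}

# build_cmd MODE CVE-ID...  prints the command line; returns 2 on bad input.
#   preview: update-minimal plus --assumeno (shows the transaction, changes nothing)
#   minimal: lowest package version that includes the fix
#   latest : latest available version
build_cmd() (
    mode=$1; extra=""; args=""
    case $mode in
        preview) sub=update-minimal; extra=" --assumeno" ;;
        minimal) sub=update-minimal ;;
        latest)  sub=update ;;
        *) echo "unknown mode: $mode" >&2; return 2 ;;
    esac
    shift
    [ $# -gt 0 ] || { echo "no CVE IDs given" >&2; return 2; }
    for id in "$@"; do
        valid_cve "$id" || { echo "rejected ID: $id" >&2; return 2; }
        args="$args --cve $id"
    done
    echo "${PKG_MGR:-$(pkg_mgr)} $sub$extra$args"
)

# Preview, then apply the minimal fix. Run as root on the target host.
patch_cves() {
    preview=$(build_cmd preview "$@") || return 2
    apply=$(build_cmd minimal "$@") || return 2
    echo "+ $preview"
    $preview || true   # answering "no" aborts the transaction, so ignore this status
    echo "+ $apply"
    $apply             # yum/dnf asks for confirmation before changing anything
}

# Runs only when CVE IDs are passed, e.g.: sh patch_cves.sh CVE-2024-6387
if [ $# -gt 0 ]; then patch_cves "$@"; fi
```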
Diagnostic Steps
- For a list of packages affected by a CVE, refer to the CVE details in our CVE database.
- To search the CVE database for multiple vulnerabilities, use the Red Hat CVE Checker.
- The names of the packages are listed under the Component column on each CVE page. If a package is vulnerable and a fix is available, it will be marked as Fixed in the State column and the RHSA ID will be indicated in the Errata column.
- Click on the RHSA ID to go to the RHSA page; the list of fixed packages can be found on the "Updated Packages" tab on the RHSA page. One can verify the version of the package that fixes the vulnerability on this page.
- To identify if a system reboot is necessary after an upgrade, see "Identify packages that will require a system reboot after an update".
- To verify if a package is installed on the system, see "How to verify if a package is installed?"
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.