My package’s new updateinfo.xml shows up in the yum cache, but isn’t displayed as a security update by yum update

Problem :

I have a package I want to release a security update for. So I added an updateinfo.xml and used modifyrepo to add it to the files listed by repomd.xml. When I test with the baseurl of the yum repo config pointed locally, I can verify that yum does download the new updateinfo.xml: it shows up in /var/cache/yum/x86_64/7/MYAPP/gen/updateinfo.xml.

Additionally, since I bumped the version number, running yum install MYAPP says there’s a version update waiting. But I’ve tried the following commands and none of them list any security updates, even though the updateinfo.xml has type=security in the update tag.


$ yum updateinfo MYAPP
Loaded plugins: fastestmirror, ovl
Loading mirror speeds from cached hostfile
* base: mirror.atlanticmetro.net
* extras: mirror.atlanticmetro.net
* updates: mirror.atlanticmetro.net
updateinfo info done

Note that my package is not in these mirrors; it is a local repo specified in /etc/yum.repos.d/MYAPP.repo.

The updateinfo.xml is as follows. I used https://en.opensuse.org/openSUSE:Standards_Rpm_Metadata_UpdateInfo as an example (and fixed some XML syntax errors), so some of the text is not updated yet.


<updates>
<update from="rel-eng@fedoraproject.org" status="stable" type="security" version="1.4">
<id>MYAPP</id>
<title>MYAPP</title>
<release>MYAPP</release>
<issued date="2018-12-05 00:00:00"/>
<references>
<reference href="https://bugzilla.redhat.com/show_bug.cgi?id=426091" id="426091" title="CVE-2007-3568 imlib: infinite loop DoS using crafted BMP image" type="bugzilla"/>
<reference href="https://bugzilla.redhat.com/show_bug.cgi?id=426091" id="426091" title="CVE-2007-3568 imlib: infinite loop DoS using crafted BMP image" type="cve"/>
</references>
<description>THIS update includes a fix for a denial-of-service issue (CVE-2007-3568) whereby an attacker who could get an imlib-using user to view a specially-crafted BMP imag</description>
<pkglist>
<collection short="F8">
<name>MYAPP</name>
<package arch="x84_64" name="MYAPP" release="MYAPPVERSION" src="">
<filename>MYAPP-MYAPPVERSION.rpm</filename>
<reboot_suggested>True</reboot_suggested>
</package>
</collection>
</pkglist>
</update>
</updates>

Any help appreciated. Thanks!

Solution :

The problem was a misunderstanding of the pkglist. I had to specify the version that fixes the problem (the new version), not the old one.
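The rule behind that answer is worth checking mechanically before running modifyrepo: yum only reports an advisory when a `<package>` in its `<pkglist>` names, field for field (name, epoch, version, release, arch), a package that is an available update, i.e. newer than what is installed. The script below is an added example for this thread, not code from the original post or from yum. It parses an updateinfo.xml, computes the available updates from constructed repo and rpmdb contents (stand-ins for primary.xml and `rpm -qa`), and reports which pkglist entries match nothing, together with the same-name packages the repo does have. The advisory id `MYAPP-2018-0001`, the versions `1.0`/`1.1`, and the treatment of a missing `epoch` attribute as `0` are assumptions made for the example; the version comparison is a simplified rpmvercmp without tilde/caret handling. The same check catches any mismatched field, so a typo in `arch` is flagged the same way as the wrong version.

```python
"""Sanity-check an updateinfo.xml pkglist against a yum repo before modifyrepo.

Added example for this thread, not code from the original post or from yum.
Repo contents and the installed package are constructed NEVRA tuples rather
than being read from primary.xml or the rpmdb.
"""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Set, Tuple

NEVRA = Tuple[str, str, str, str, str]  # (name, epoch, version, release, arch)

# Constructed stand-in for the packages listed in the repo's primary.xml.
REPO_PACKAGES: Set[NEVRA] = {
    ("MYAPP", "0", "1.0", "1.el7", "x86_64"),  # old build, already installed
    ("MYAPP", "0", "1.1", "1.el7", "x86_64"),  # new build carrying the fix
}

# Constructed stand-in for the rpmdb: (name, arch) -> (epoch, version, release).
INSTALLED: Dict[Tuple[str, str], Tuple[str, str, str]] = {
    ("MYAPP", "x86_64"): ("0", "1.0", "1.el7"),
}

# Constructed advisory repeating the poster's mistake: the pkglist names the
# version that has the bug, not the version that fixes it. Id is hypothetical.
BROKEN_UPDATEINFO = """<updates>
  <update from="security@example.com" status="stable" type="security" version="1">
    <id>MYAPP-2018-0001</id>
    <title>MYAPP security update</title>
    <issued date="2018-12-05 00:00:00"/>
    <pkglist>
      <collection short="MYAPP">
        <name>MYAPP</name>
        <package arch="x86_64" name="MYAPP" version="1.0" release="1.el7">
          <filename>MYAPP-1.0-1.el7.x86_64.rpm</filename>
        </package>
      </collection>
    </pkglist>
  </update>
</updates>"""

# Same advisory with the pkglist pointing at the fixed build.
FIXED_UPDATEINFO = BROKEN_UPDATEINFO.replace("1.0", "1.1")


def _segments(s: str) -> List[Tuple[int, object]]:
    """Split a version string into segments roughly as rpmvercmp does: digit runs
    compare numerically and sort after alpha runs. Simplified: no tilde/caret."""
    return [(1, int(d)) if d else (0, a) for d, a in re.findall(r"(\d+)|([A-Za-z]+)", s)]


def evr_key(epoch: str, version: str, release: str):
    """Sort key for comparing (epoch, version, release); missing epoch counts as 0."""
    return (int(epoch or "0"), _segments(version), _segments(release))


def available_updates(repo: Set[NEVRA], installed) -> Set[NEVRA]:
    """Repo packages newer than the installed package of the same name and arch
    (what `yum check-update` would print)."""
    updates = set()
    for name, epoch, version, release, arch in repo:
        inst = installed.get((name, arch))
        if inst is not None and evr_key(epoch, version, release) > evr_key(*inst):
            updates.add((name, epoch, version, release, arch))
    return updates


def parse_updateinfo(xml_text: str) -> Dict[str, Dict]:
    """Return {advisory id: {"type": ..., "packages": [NEVRA, ...]}}."""
    advisories = {}
    for upd in ET.fromstring(xml_text).findall("update"):
        pkgs = [(p.get("name"), p.get("epoch") or "0", p.get("version"),
                 p.get("release"), p.get("arch")) for p in upd.iter("package")]
        advisories[upd.findtext("id")] = {"type": upd.get("type"), "packages": pkgs}
    return advisories


def check_advisories(xml_text: str, repo: Set[NEVRA], installed) -> Dict[str, Dict]:
    """Per advisory: pkglist entries that match an available update, those that
    do not, and for each miss the same-name packages the repo actually has."""
    updates = available_updates(repo, installed)
    by_name: Dict[str, List[NEVRA]] = {}
    for p in repo:
        by_name.setdefault(p[0], []).append(p)
    report = {}
    for adv_id, adv in parse_updateinfo(xml_text).items():
        unmatched = [p for p in adv["packages"] if p not in updates]
        report[adv_id] = {
            "type": adv["type"],
            "matched": [p for p in adv["packages"] if p in updates],
            "unmatched": unmatched,
            "candidates": {p: sorted(by_name.get(p[0], [])) for p in unmatched},
        }
    return report


def visible_security_updates(xml_text: str, repo: Set[NEVRA], installed) -> List[str]:
    """Advisory ids that `yum updateinfo list security` would show."""
    report = check_advisories(xml_text, repo, installed)
    return sorted(i for i, r in report.items() if r["type"] == "security" and r["matched"])


if __name__ == "__main__":
    for label, xml_text in (("broken", BROKEN_UPDATEINFO), ("fixed", FIXED_UPDATEINFO)):
        print(label, "security advisories visible:",
              visible_security_updates(xml_text, REPO_PACKAGES, INSTALLED))
        for adv_id, r in check_advisories(xml_text, REPO_PACKAGES, INSTALLED).items():
            for p in r["unmatched"]:
                print(f"  {adv_id}: {p} is not an available update; repo has {r['candidates'][p]}")
```

Running it prints an empty list for the broken advisory, with the `1.0` entry reported as unmatched and the `1.1` build listed as the candidate the pkglist should have named, and `['MYAPP-2018-0001']` once the pkglist points at `1.1`. To use it against a real repo, replace the constructed sets with the NEVRAs from primary.xml and from `rpm -qa --qf '%{NAME} %{EPOCH} %{VERSION} %{RELEASE} %{ARCH}\n'`.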
