3.2. Using the Errata Website

When security errata reports are released, they are published on the Red Hat Linux Errata website available at http://www.redhat.com/apps/support/errata/. From this page, select the product and version for your system, and then select security at the top of the page to display only Red Hat Linux Security Advisories. If the synopsis of one of the advisories describes a package used on your system, click on the synopsis for more details.

The details page describes the security exploit and any special instructions that must be performed in addition to updating the package to fix the security hole.

To download the updated package(s), click on the package name(s) and save to the hard drive. It is highly recommended that you create a new directory such as /tmp/updates and save all the downloaded packages to it.

All Red Hat Linux packages are signed with the Red Hat, Inc. GPG key. The RPM utility in Red Hat Linux 9 automatically tries to verify the GPG signature of an RPM before installing it. If you do not have the Red Hat, Inc. GPG key installed, install it from a secure, static location such as a Red Hat Linux distribution CD-ROM.

Assuming the CD-ROM is mounted in /mnt/cdrom, use the following command to import it into the keyring:

rpm --import /mnt/cdrom/RPM-GPG-KEY

To display a list of all keys installed for RPM verification, execute the command:

rpm -qa gpg-pubkey*

For the Red Hat, Inc. key, the output will include:

gpg-pubkey-db42a60e-37ea5438

To display details about a specific key, use rpm -qi followed by the name from the output of the previous command:

rpm -qi gpg-pubkey-db42a60e-37ea5438

It is extremely important that you verify the signature of the RPM files before installing them. This step ensures that they have not been altered (such as a Trojan horse being inserted into the packages) since the Red Hat, Inc. release of the packages. To verify all the downloaded packages at once:

rpm -K /tmp/updates/*.rpm

For each package, if the GPG signature verifies successfully, the output should contain gpg OK. A package that is not signed at all reports only the digest checks (for example md5 OK) without gpg, so look for the literal gpg OK rather than just OK.

After verifying the GPG signatures and downloading all the packages associated with the errata report, install them as root at a shell prompt. For example:

rpm -Uvh /tmp/updates/*.rpm

If the errata reports contained any special instructions, remember to execute them accordingly. If the security errata packages contained a kernel package, be sure to reboot the machine to enable the new kernel.
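The verify-then-install steps above can be tied together so that rpm -Uvh never runs on a directory in which any package is unsigned or fails verification. The script below is an added example, not part of the Red Hat Linux 9 manual; it assumes the packages were saved to /tmp/updates and checks that the Red Hat, Inc. key listed above is present in the RPM keyring. The sample rpm -K output embedded at the end is constructed (approximating the rpm 4.1 format) so the check can be exercised without real packages.

```shell
#!/bin/sh
# Added example, not from the Red Hat Linux 9 manual: refuse to run "rpm -Uvh"
# unless every downloaded package reports "gpg OK" from "rpm -K".
# Assumptions: packages were saved to /tmp/updates (the directory the manual
# suggests) and the Red Hat, Inc. key gpg-pubkey-db42a60e-37ea5438 is imported.

# check_rpm_k_output: read "rpm -K" lines on stdin; print each package that is
# unsigned or failed verification; return 0 only if every line contains "gpg OK".
check_rpm_k_output() {
    failed=0
    while IFS= read -r line; do
        [ -z "$line" ] && continue
        pkg=${line%%:*}          # path before the first colon
        status=${line#*: }       # everything after "<path>: "
        case "$status" in
            *"NOT OK"*) echo "FAILED   $pkg ($status)"; failed=1 ;;
            *"gpg OK"*) ;;       # signature present and verified
            *)          echo "UNSIGNED $pkg ($status)"; failed=1 ;;
        esac
    done
    return $failed
}

# install_verified_updates: check that the Red Hat key is in the RPM keyring,
# verify every package in the directory, and install only if all of them passed.
install_verified_updates() {
    dir=${1:-/tmp/updates}
    if ! rpm -qa 'gpg-pubkey*' | grep -q '^gpg-pubkey-db42a60e-37ea5438$'; then
        echo "Red Hat, Inc. GPG key not imported; run: rpm --import /mnt/cdrom/RPM-GPG-KEY" >&2
        return 2
    fi
    if rpm -K "$dir"/*.rpm | check_rpm_k_output; then
        rpm -Uvh "$dir"/*.rpm
    else
        echo "Refusing to install: not every package in $dir verified with gpg OK" >&2
        return 1
    fi
}

# Constructed "rpm -K" output used to exercise the check offline: a signed
# package, one whose signature fails, and one that carries no signature at all.
SAMPLE_RPM_K_OUTPUT='/tmp/updates/good-1.0-1.i386.rpm: (sha1) dsa sha1 md5 gpg OK
/tmp/updates/bad-1.0-1.i386.rpm: (SHA1) DSA sha1 MD5 GPG NOT OK
/tmp/updates/unsigned-1.0-1.i386.rpm: sha1 md5 OK'

printf '%s\n' "$SAMPLE_RPM_K_OUTPUT" | check_rpm_k_output \
    || echo "sample verification failed; an unattended install would have been blocked"
```

On a real system run `install_verified_updates /tmp/updates` as root; it exits without installing anything if the key is missing or any package does not report gpg OK.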