Yum Security Plugin

This article was published more than a year ago. Please note that the information may be out of date.

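Introduction

This is Fujimoto.

Do you pronounce yum as "yamu" (ヤム), or as "yumu" (ユム)?
I called it "yumu" for ten years, but the other day I glanced at Wikipedia and found it
listed as "yamu". I am in the middle of correcting myself, but ten years seems to have been a long time.
It is proving hard to fix.

But that is beside the point.
The other day, a member of our company told me about "yum-security", the security plugin for Yum, so I looked into it and would like to introduce it here.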

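Overview

How do you handle vulnerability response for your middleware?
This blog has also covered several ways to obtain vulnerability information and to respond to vulnerabilities.

Summary of how to respond when a vulnerability is found in Linux

Taken seriously, vulnerability response means watching the vulnerability information published every day, deciding whether each vulnerability needs action, working out how to respond, validating patches and checking their impact, scheduling the work, tracking the response status, and so on. It is demanding enough that each system needs a dedicated person.
That said, leaving vulnerabilities unaddressed carries a range of risks that cannot be ignored: the system may go down, information may be extracted, or at worst the server may be taken over.
On the other hand, blindly updating every package to the latest version can cause failures, because feature changes and bug fixes in middleware can break compatibility with your programs or with other middleware, and managing the large volume of vulnerability information published every day drives up operating costs.

The Yum security plugin introduced here is a nice plugin that helps you apply security patches to packages installed with Yum, based on the vendor's criteria.

* Please note that the security plugin introduced here is only a supporting feature; it does not completely solve the problems described above.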

Environment

The following OSes were checked for this article.

  • Amazon Linux
  • CentOS 6
  • CentOS 7

yum-plugin-security

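Installing the yum-plugin-security package lets you restrict yum to searching only for security-related updates.
For example, it lets you update only the packages that fix a specific CVE, only the packages that contain vulnerability fixes, or, among those, only the packages that fix Critical-level vulnerabilities.

Installation

  • Amazon Linux
    A Yum package that bundles the security plugin is installed by default,
    so the security plugin can be used without any additional installation.

  • CentOS 7
    Same as Amazon Linux.

  • CentOS 6
    The package must be installed separately.
    A single yum command does it.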

# yum install yum-plugin-security -y
(omitted)
Installed:
  yum-plugin-security.noarch 0:1.1.30-30.el6

Complete!

Usage

This section introduces commands for the use cases listed above.
The commands were verified on Amazon Linux (amzn-ami-hvm-2013.09.0.x86_64-ebs (ami-0961fe08)).

First, yum-plugin-security adds the following subcommands and options to yum.

# yum --help
(omitted)
update-minimal Works like upgrade, but goes to the 'newest' package match which fixes a problem that affects your system
updateinfo     Acts on repository update information
(omitted)
  --bugfix              Include bugfix relevant packages, in updates
  --security            Include security relevant packages, in updates
  --advisory=ADVS, --advisories=ADVS
                        Include packages needed to fix the given advisory, in
                        updates
  --bzs=BZS             Include packages needed to fix the given BZ, in
                        updates
  --cves=CVES           Include packages needed to fix the given CVE, in
                        updates
  --sec-severity=SEVS, --secseverity=SEVS
                        Include security relevant packages matching the
                        severity, in updates

Listing only packages with vulnerability fixes

The updateinfo subcommand searches package information focused on security patches.

# yum updateinfo list
Loaded plugins: priorities, update-motd, upgrade-helper
ALAS-2014-281 medium/Sec. ca-certificates-2012.1.95-3.12.amzn1.noarch
ALAS-2013-261 low/Sec.    coreutils-8.4-31.17.amzn1.x86_64
ALAS-2013-261 low/Sec.    coreutils-libs-8.4-31.17.amzn1.x86_64
ALAS-2014-338 medium/Sec. cyrus-sasl-2.1.23-13.14.amzn1.x86_64
ALAS-2014-338 medium/Sec. cyrus-sasl-lib-2.1.23-13.14.amzn1.x86_64
ALAS-2014-338 medium/Sec. cyrus-sasl-plain-2.1.23-13.14.amzn1.x86_64
ALAS-2013-257 medium/Sec. dracut-004-336.21.amzn1.noarch
ALAS-2015-478 medium/Sec. e2fsprogs-1.42.12-1.34.amzn1.x86_64
ALAS-2015-542 low/Sec.    e2fsprogs-1.42.12-4.35.amzn1.x86_64
ALAS-2015-478 medium/Sec. e2fsprogs-libs-1.42.12-1.34.amzn1.x86_64
ALAS-2015-542 low/Sec.    e2fsprogs-libs-1.42.12-4.35.amzn1.x86_64
ALAS-2014-345 medium/Sec. elfutils-libelf-0.158-3.16.amzn1.x86_64
ALAS-2014-304 medium/Sec. file-5.11-13.14.amzn1.x86_64
ALAS-2014-323 medium/Sec. file-5.11-13.16.amzn1.x86_64
ALAS-2014-382 medium/Sec. file-5.19-1.18.amzn1.x86_64
ALAS-2014-398 medium/Sec. file-5.19-4.19.amzn1.x86_64
ALAS-2014-453 medium/Sec. file-5.19-7.24.amzn1.x86_64
ALAS-2015-497 medium/Sec. file-5.22-2.29.amzn1.x86_64
ALAS-2014-304 medium/Sec. file-libs-5.11-13.14.amzn1.x86_64
ALAS-2014-323 medium/Sec. file-libs-5.11-13.16.amzn1.x86_64
ALAS-2014-382 medium/Sec. file-libs-5.19-1.18.amzn1.x86_64
ALAS-2014-398 medium/Sec. file-libs-5.19-4.19.amzn1.x86_64
ALAS-2014-453 medium/Sec. file-libs-5.19-7.24.amzn1.x86_64
ALAS-2015-497 medium/Sec. file-libs-5.22-2.29.amzn1.x86_64
ALAS-2013-237 medium/Sec. gnupg2-2.0.22-1.24.amzn1.x86_64
ALAS-2014-379 medium/Sec. gnupg2-2.0.24-1.25.amzn1.x86_64
ALAS-2015-574 low/Sec.    gnupg2-2.0.28-1.30.amzn1.x86_64
ALAS-2015-500 low/Sec.    gpgme-1.4.3-5.15.amzn1.x86_64
ALAS-2013-233 medium/Sec. kernel-3.4.66-55.43.amzn1.x86_64
ALAS-2013-252 medium/Sec. kernel-3.4.71-63.98.amzn1.x86_64
ALAS-2013-258 low/Sec.    kernel-3.4.73-64.112.amzn1.x86_64
ALAS-2014-289 medium/Sec. kernel-3.4.82-69.112.amzn1.x86_64
ALAS-2014-317 low/Sec.    kernel-3.10.34-37.137.amzn1.x86_64
ALAS-2014-328 medium/Sec. kernel-3.10.37-47.135.amzn1.x86_64
ALAS-2014-339 medium/Sec. kernel-3.10.40-50.136.amzn1.x86_64
ALAS-2014-363 medium/Sec. kernel-3.10.42-52.145.amzn1.x86_64
ALAS-2014-368 medium/Sec. kernel-3.10.48-55.140.amzn1.x86_64
ALAS-2014-392 medium/Sec. kernel-3.10.53-56.140.amzn1.x86_64
ALAS-2014-417 medium/Sec. kernel-3.14.19-17.43.amzn1.x86_64
ALAS-2014-455 medium/Sec. kernel-3.14.26-24.46.amzn1.x86_64
ALAS-2015-476 medium/Sec. kernel-3.14.33-26.47.amzn1.x86_64
ALAS-2015-489 medium/Sec. kernel-3.14.34-27.48.amzn1.x86_64
ALAS-2015-491 low/Sec.    kernel-3.14.35-28.38.amzn1.x86_64
ALAS-2015-523 medium/Sec. kernel-3.14.42-31.38.amzn1.x86_64
ALAS-2015-544 medium/Sec. kernel-3.14.44-32.39.amzn1.x86_64
ALAS-2015-565 medium/Sec. kernel-3.14.48-33.39.amzn1.x86_64
ALAS-2014-443 medium/Sec. krb5-libs-1.10.3-33.28.amzn1.x86_64
ALAS-2015-518 medium/Sec. krb5-libs-1.10.3-37.29.amzn1.x86_64
ALAS-2014-443 medium/Sec. krb5-workstation-1.10.3-33.28.amzn1.x86_64
ALAS-2015-518 medium/Sec. krb5-workstation-1.10.3-37.29.amzn1.x86_64
ALAS-2014-452 medium/Sec. libX11-1.6.0-2.2.12.amzn1.x86_64
ALAS-2014-452 medium/Sec. libX11-common-1.6.0-2.2.12.amzn1.x86_64
ALAS-2014-403 medium/Sec. libXext-1.3.1-2.9.amzn1.x86_64
ALAS-2014-452 medium/Sec. libXi-1.7.2-2.2.9.amzn1.x86_64
ALAS-2014-452 medium/Sec. libXrender-0.9.8-2.1.9.amzn1.x86_64
ALAS-2014-406 medium/Sec. libXtst-1.2.1-2.8.amzn1.x86_64
ALAS-2015-543 medium/Sec. libcap-ng-0.7.3-5.13.amzn1.x86_64
ALAS-2015-478 medium/Sec. libcom_err-1.42.12-1.34.amzn1.x86_64
ALAS-2015-542 low/Sec.    libcom_err-1.42.12-4.35.amzn1.x86_64
ALAS-2015-577 medium/Sec. libgcrypt-1.5.3-12.18.amzn1.x86_64
ALAS-2013-267 medium/Sec. libjpeg-turbo-1.2.1-3.4.amzn1.x86_64
ALAS-2015-540 low/Sec.    libjpeg-turbo-1.2.90-5.10.amzn1.x86_64
ALAS-2015-478 medium/Sec. libss-1.42.12-1.34.amzn1.x86_64
ALAS-2015-542 low/Sec.    libss-1.42.12-4.35.amzn1.x86_64
ALAS-2014-405 medium/Sec. libxcb-1.8.1-1.15.amzn1.x86_64
ALAS-2014-402 medium/Sec. lua-5.1.4-4.1.9.amzn1.x86_64
ALAS-2014-294 medium/Sec. openldap-2.4.23-34.23.amzn1.x86_64
ALAS-2014-354 medium/Sec. pam-1.1.8-9.29.amzn1.x86_64
ALAS-2015-528 low/Sec.    pcre-8.21-7.7.amzn1.x86_64
ALAS-2014-374 low/Sec.    python-simplejson-3.5.3-1.7.amzn1.x86_64
ALAS-2014-357 low/Sec.    readline-6.2-9.14.amzn1.x86_64
ALAS-2014-445 medium/Sec. rsyslog-5.8.10-9.26.amzn1.x86_64
ALAS-2013-259 low/Sec.    sudo-1.8.6p3-12.17.amzn1.x86_64
ALAS-2015-557 medium/Sec. tcpdump-14:4.0.0-3.20090921gitdf3cb4.2.10.amzn1.x86_64
ALAS-2015-504 medium/Sec. unzip-6.0-2.9.amzn1.x86_64
ALAS-2014-442 medium/Sec. wget-1.16-1.13.amzn1.x86_64
updateinfo list done

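The output has three columns. From left to right they are:

  1. An ID that uniquely identifies the vulnerability information registered in the Amazon Linux AMI Security Center.
    The Amazon Linux AMI Security Center maps it to CVE numbers.
  2. The type: whether the change is a Bugfix, an Enhancement (feature addition), or a Security fix.
    For a Security fix, the security risk level (critical/important/medium/low) is also shown.
  3. The target package name/version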
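
As an added example (not part of the original article), the shell functions below parse the three columns described above and report, per package, the highest outstanding severity and which packages have no advisory at a chosen severity, i.e. the ones an exact-match filter such as the --sec-severity option from the help output would skip. The function names are hypothetical, the exact-match behaviour is an assumption, and the sample input is a handful of lines copied from the listing above.

```shell
#!/usr/bin/env bash
# Added example: triage `yum updateinfo list` output before choosing a filter.

# Sample input: a few lines copied from the listing in this article.
sample_updateinfo() {
cat <<'EOF'
Loaded plugins: priorities, update-motd, upgrade-helper
ALAS-2013-261 low/Sec.    coreutils-8.4-31.17.amzn1.x86_64
ALAS-2015-478 medium/Sec. e2fsprogs-1.42.12-1.34.amzn1.x86_64
ALAS-2015-542 low/Sec.    e2fsprogs-1.42.12-4.35.amzn1.x86_64
ALAS-2015-500 low/Sec.    gpgme-1.4.3-5.15.amzn1.x86_64
ALAS-2014-443 medium/Sec. krb5-libs-1.10.3-33.28.amzn1.x86_64
ALAS-2015-518 medium/Sec. krb5-libs-1.10.3-37.29.amzn1.x86_64
ALAS-2015-557 medium/Sec. tcpdump-14:4.0.0-3.20090921gitdf3cb4.2.10.amzn1.x86_64
updateinfo list done
EOF
}

# stdin: `yum updateinfo list` output.
# stdout: "advisory severity package-name", one line per security advisory.
parse_updateinfo() {
  awk '
    # Security rows have exactly three columns and a type ending in "/Sec.";
    # plugin banners, bugfix/enhancement rows and the trailer are skipped.
    NF == 3 && $2 ~ /\/Sec\.$/ {
      sev = tolower($2); sub(/\/sec\.$/, "", sev)
      # name-version-release.arch: the name is everything before the last
      # two "-" separated fields (an epoch such as "14:" stays in version).
      n = split($3, part, "-")
      if (n < 3) next
      name = part[1]
      for (i = 2; i <= n - 2; i++) name = name "-" part[i]
      print $1, sev, name
    }'
}

# Distinct packages that have at least one advisory of severity $1.
packages_with_severity() {
  parse_updateinfo | awk -v want="$1" '$2 == want { print $3 }' | LC_ALL=C sort -u
}

# Distinct packages with security advisories, none of them at severity $1.
packages_missed_by_severity() {
  parse_updateinfo | awk -v want="$1" '
    { seen[$3] = 1; if ($2 == want) hit[$3] = 1 }
    END { for (p in seen) if (!(p in hit)) print p }' | LC_ALL=C sort
}

# "package highest-severity advisory-ids" for every affected package.
highest_severity_per_package() {
  parse_updateinfo | awk '
    BEGIN { rank["low"] = 1; rank["medium"] = 2; rank["important"] = 3; rank["critical"] = 4 }
    {
      if (!($3 in best)) { best[$3] = 0; label[$3] = "unknown"; ids[$3] = $1 }
      else ids[$3] = ids[$3] "," $1
      r = ($2 in rank) ? rank[$2] : 0
      if (r > best[$3]) { best[$3] = r; label[$3] = $2 }
    }
    END { for (p in best) print p, label[p], ids[p] }' | LC_ALL=C sort
}

# Stand-alone demo on the sample; on a real host use e.g.
#   yum updateinfo list | packages_missed_by_severity medium
sample_updateinfo | highest_severity_per_package
```

On the sample, coreutils and gpgme carry only low advisories, so they are reported by `packages_missed_by_severity medium`.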

Updating only packages with vulnerability fixes

The --security option updates only the packages found in the search above.

# yum update --security
Loaded plugins: priorities, update-motd, upgrade-helper
amzn-main/latest                                                                                                amzn-updates/latest                                                                                             
38 package(s) needed (+0 related) for security, out of 204 available
Resolving Dependencies
--> Running transaction check
---> Package ca-certificates.noarch 0:2010.63-3.7.amzn1 will be updated
---> Package ca-certificates.noarch 0:2014.1.98-65.0.13.amzn1 will be an update
--> Processing Dependency: p11-kit-trust >= 0.18.4-2 for package: ca-certificates-2014.1.98-65.0.13.amzn1.noarch
--> Processing Dependency: p11-kit >= 0.18.4-2 for package: ca-certificates-2014.1.98-65.0.13.amzn1.noarch
---> Package coreutils.x86_64 0:8.4-19.15.amzn1 will be updated
---> Package coreutils.x86_64 0:8.21-13.31.amzn1 will be obsoleting
--> Processing Dependency: util-linux >= 2.22.1-3 for package: coreutils-8.21-13.31.amzn1.x86_64
---> Package coreutils-libs.x86_64 0:8.4-19.15.amzn1 will be obsoleted
---> Package cyrus-sasl.x86_64 0:2.1.23-13.10.amzn1 will be updated
---> Package cyrus-sasl.x86_64 0:2.1.23-13.16.amzn1 will be an update
---> Package cyrus-sasl-lib.x86_64 0:2.1.23-13.10.amzn1 will be updated
---> Package cyrus-sasl-lib.x86_64 0:2.1.23-13.16.amzn1 will be an update
---> Package cyrus-sasl-plain.x86_64 0:2.1.23-13.10.amzn1 will be updated
---> Package cyrus-sasl-plain.x86_64 0:2.1.23-13.16.amzn1 will be an update
---> Package dracut.noarch 0:004-303.18.amzn1 will be updated
---> Package dracut.noarch 0:004-336.24.amzn1 will be an update
---> Package e2fsprogs.x86_64 0:1.42.3-3.17.amzn1 will be updated
---> Package e2fsprogs.x86_64 0:1.42.12-4.35.amzn1 will be an update
---> Package e2fsprogs-libs.x86_64 0:1.42.3-3.17.amzn1 will be updated
---> Package e2fsprogs-libs.x86_64 0:1.42.12-4.35.amzn1 will be an update
---> Package elfutils-libelf.x86_64 0:0.152-1.12.amzn1 will be updated
---> Package elfutils-libelf.x86_64 0:0.158-3.16.amzn1 will be an update
---> Package file.x86_64 0:5.11-4.12.amzn1 will be updated
---> Package file.x86_64 0:5.22-2.29.amzn1 will be an update
---> Package file-libs.x86_64 0:5.11-4.12.amzn1 will be updated
---> Package file-libs.x86_64 0:5.22-2.29.amzn1 will be an update
---> Package gnupg2.x86_64 0:2.0.19-8.21.amzn1 will be updated
---> Package gnupg2.x86_64 0:2.0.28-1.30.amzn1 will be an update
---> Package gpgme.x86_64 0:1.3.2-1.13.amzn1 will be updated
---> Package gpgme.x86_64 0:1.4.3-5.15.amzn1 will be an update
---> Package kernel.x86_64 0:3.14.48-33.39.amzn1 will be installed
---> Package krb5-libs.x86_64 0:1.10.3-10.26.amzn1 will be updated
---> Package krb5-libs.x86_64 0:1.12.2-14.43.amzn1 will be an update
--> Processing Dependency: keyutils-libs >= 1.5.8 for package: krb5-libs-1.12.2-14.43.amzn1.x86_64
--> Processing Dependency: libkeyutils.so.1(KEYUTILS_1.5)(64bit) for package: krb5-libs-1.12.2-14.43.amzn1.x86_64
--> Processing Dependency: libverto.so.1()(64bit) for package: krb5-libs-1.12.2-14.43.amzn1.x86_64
---> Package krb5-workstation.x86_64 0:1.10.3-10.26.amzn1 will be updated
---> Package krb5-workstation.x86_64 0:1.12.2-14.43.amzn1 will be an update
---> Package libX11.x86_64 0:1.5.0-4.10.amzn1 will be updated
---> Package libX11.x86_64 0:1.6.0-2.2.12.amzn1 will be an update
---> Package libX11-common.x86_64 0:1.5.0-4.10.amzn1 will be updated
---> Package libX11-common.x86_64 0:1.6.0-2.2.12.amzn1 will be an update
---> Package libXext.x86_64 0:1.3.1-2.8.amzn1 will be updated
---> Package libXext.x86_64 0:1.3.2-2.1.10.amzn1 will be an update
---> Package libXi.x86_64 0:1.6.1-3.7.amzn1 will be updated
---> Package libXi.x86_64 0:1.7.2-2.2.9.amzn1 will be an update
---> Package libXrender.x86_64 0:0.9.7-2.7.amzn1 will be updated
---> Package libXrender.x86_64 0:0.9.8-2.1.9.amzn1 will be an update
---> Package libXtst.x86_64 0:1.2.1-2.7.amzn1 will be updated
---> Package libXtst.x86_64 0:1.2.2-2.1.9.amzn1 will be an update
---> Package libcap-ng.x86_64 0:0.6.4-3.8.amzn1 will be updated
---> Package libcap-ng.x86_64 0:0.7.3-5.13.amzn1 will be an update
---> Package libcom_err.x86_64 0:1.42.3-3.17.amzn1 will be updated
---> Package libcom_err.x86_64 0:1.42.12-4.35.amzn1 will be an update
---> Package libgcrypt.x86_64 0:1.4.5-9.12.amzn1 will be updated
---> Package libgcrypt.x86_64 0:1.5.3-12.18.amzn1 will be an update
---> Package libjpeg-turbo.x86_64 0:1.2.1-1.2.amzn1 will be updated
---> Package libjpeg-turbo.x86_64 0:1.2.90-5.10.amzn1 will be an update
---> Package libss.x86_64 0:1.42.3-3.17.amzn1 will be updated
---> Package libss.x86_64 0:1.42.12-4.35.amzn1 will be an update
---> Package libxcb.x86_64 0:1.8.1-1.14.amzn1 will be updated
---> Package libxcb.x86_64 0:1.8.1-1.18.amzn1 will be an update
---> Package lua.x86_64 0:5.1.4-4.1.8.amzn1 will be updated
---> Package lua.x86_64 0:5.1.4-4.1.9.amzn1 will be an update
---> Package openldap.x86_64 0:2.4.23-32.21.amzn1 will be updated
---> Package openldap.x86_64 0:2.4.23-34.23.amzn1 will be an update
---> Package pam.x86_64 0:1.1.1-13.20.amzn1 will be updated
---> Package pam.x86_64 0:1.1.8-9.31.amzn1 will be an update
--> Processing Dependency: libpwquality >= 0.9.9 for package: pam-1.1.8-9.31.amzn1.x86_64
---> Package pcre.x86_64 0:8.21-7.5.amzn1 will be updated
---> Package pcre.x86_64 0:8.21-7.7.amzn1 will be an update
---> Package readline.x86_64 0:6.0-4.12.amzn1 will be updated
---> Package readline.x86_64 0:6.2-9.14.amzn1 will be an update
---> Package rsyslog.x86_64 0:5.8.10-7.24.amzn1 will be updated
---> Package rsyslog.x86_64 0:5.8.10-9.26.amzn1 will be an update
---> Package sudo.x86_64 0:1.8.6p3-7.16.amzn1 will be updated
---> Package sudo.x86_64 0:1.8.6p3-19.19.amzn1 will be an update
---> Package tcpdump.x86_64 14:4.0.0-3.20090921gitdf3cb4.2.8.amzn1 will be updated
---> Package tcpdump.x86_64 14:4.0.0-3.20090921gitdf3cb4.2.10.amzn1 will be an update
---> Package unzip.x86_64 0:6.0-1.7.amzn1 will be updated
---> Package unzip.x86_64 0:6.0-2.9.amzn1 will be an update
---> Package wget.x86_64 0:1.14-8.11.amzn1 will be updated
---> Package wget.x86_64 0:1.16.1-3.18.amzn1 will be an update
--> Processing Dependency: libpsl.so.0()(64bit) for package: wget-1.16.1-3.18.amzn1.x86_64
--> Running transaction check
---> Package keyutils-libs.x86_64 0:1.4-4.10.amzn1 will be updated
---> Package keyutils-libs.x86_64 0:1.5.8-3.12.amzn1 will be an update
---> Package libpsl.x86_64 0:0.6.2-1.2.amzn1 will be installed
--> Processing Dependency: libicuuc.so.50()(64bit) for package: libpsl-0.6.2-1.2.amzn1.x86_64
---> Package libpwquality.x86_64 0:1.2.3-4.8.amzn1 will be installed
---> Package libverto.x86_64 0:0.2.5-4.9.amzn1 will be installed
---> Package p11-kit.x86_64 0:0.18.5-2.3.amzn1 will be installed
--> Processing Dependency: libtasn1.so.3(LIBTASN1_0_3)(64bit) for package: p11-kit-0.18.5-2.3.amzn1.x86_64
--> Processing Dependency: libtasn1.so.3()(64bit) for package: p11-kit-0.18.5-2.3.amzn1.x86_64
---> Package p11-kit-trust.x86_64 0:0.18.5-2.3.amzn1 will be installed
---> Package util-linux.x86_64 0:2.23.2-16.22.amzn1 will be obsoleting
--> Processing Dependency: libblkid = 2.23.2-16.22.amzn1 for package: util-linux-2.23.2-16.22.amzn1.x86_64
--> Processing Dependency: libuuid = 2.23.2-16.22.amzn1 for package: util-linux-2.23.2-16.22.amzn1.x86_64
--> Processing Dependency: libmount = 2.23.2-16.22.amzn1 for package: util-linux-2.23.2-16.22.amzn1.x86_64
--> Processing Dependency: libblkid.so.1(BLKID_2.21)(64bit) for package: util-linux-2.23.2-16.22.amzn1.x86_64
--> Processing Dependency: libmount.so.1(MOUNT_2.21)(64bit) for package: util-linux-2.23.2-16.22.amzn1.x86_64
--> Processing Dependency: libmount.so.1(MOUNT_2.23)(64bit) for package: util-linux-2.23.2-16.22.amzn1.x86_64
--> Processing Dependency: libmount.so.1(MOUNT_2.19)(64bit) for package: util-linux-2.23.2-16.22.amzn1.x86_64
--> Processing Dependency: libmount.so.1(MOUNT_2.22)(64bit) for package: util-linux-2.23.2-16.22.amzn1.x86_64
--> Processing Dependency: libblkid.so.1(BLKID_2.20)(64bit) for package: util-linux-2.23.2-16.22.amzn1.x86_64
--> Processing Dependency: libmount.so.1(MOUNT_2.20)(64bit) for package: util-linux-2.23.2-16.22.amzn1.x86_64
--> Processing Dependency: libmount.so.1()(64bit) for package: util-linux-2.23.2-16.22.amzn1.x86_64
---> Package util-linux-ng.x86_64 0:2.17.2-13.16.amzn1 will be obsoleted
--> Running transaction check
---> Package libblkid.x86_64 0:2.17.2-13.16.amzn1 will be updated
---> Package libblkid.x86_64 0:2.23.2-16.22.amzn1 will be an update
---> Package libicu.x86_64 0:4.2.1-9.9.amzn1 will be updated
--> Processing Dependency: libicuio.so.42()(64bit) for package: gdisk-0.8.7-1.3.amzn1.x86_64
--> Processing Dependency: libicuuc.so.42()(64bit) for package: gdisk-0.8.7-1.3.amzn1.x86_64
---> Package libicu.x86_64 0:50.1.2-11.12.amzn1 will be an update
---> Package libmount.x86_64 0:2.23.2-16.22.amzn1 will be installed
---> Package libtasn1.x86_64 0:2.3-6.6.amzn1 will be installed
---> Package libuuid.x86_64 0:2.17.2-13.16.amzn1 will be updated
---> Package libuuid.x86_64 0:2.23.2-16.22.amzn1 will be an update
--> Running transaction check
---> Package gdisk.x86_64 0:0.8.7-1.3.amzn1 will be updated
---> Package gdisk.x86_64 0:0.8.10-1.5.amzn1 will be an update
--> Processing Conflict: util-linux-2.23.2-16.22.amzn1.x86_64 conflicts sysvinit < 2.87-5
--> Restarting Dependency Resolution with new changes.
--> Running transaction check
---> Package upstart.x86_64 0:0.6.5-12.10.amzn1 will be updated
---> Package upstart.x86_64 0:0.6.5-13.3.13.amzn1 will be an update
--> Processing Conflict: util-linux-2.23.2-16.22.amzn1.x86_64 conflicts sysvinit < 2.87-5
--> Restarting Dependency Resolution with new changes.
--> Running transaction check
---> Package sysvinit.x86_64 0:2.87-4.dsf.10.amzn1 will be updated
---> Package sysvinit.x86_64 0:2.87-5.dsf.14.amzn1 will be an update
--> Finished Dependency Resolution

Dependencies Resolved

=======================================================================================================================================
 Package                      Arch               Version                                                Repository                Size
=======================================================================================================================================
Installing:
 coreutils                    x86_64             8.21-13.31.amzn1                                       amzn-main                5.6 M
     replacing  coreutils-libs.x86_64 8.4-19.15.amzn1
 kernel                       x86_64             3.14.48-33.39.amzn1                                    amzn-updates              16 M
 util-linux                   x86_64             2.23.2-16.22.amzn1                                     amzn-main                2.8 M
     replacing  util-linux-ng.x86_64 2.17.2-13.16.amzn1
Updating:
 ca-certificates              noarch             2014.1.98-65.0.13.amzn1                                amzn-main                1.2 M
 cyrus-sasl                   x86_64             2.1.23-13.16.amzn1                                     amzn-main                 85 k
 cyrus-sasl-lib               x86_64             2.1.23-13.16.amzn1                                     amzn-main                151 k
 cyrus-sasl-plain             x86_64             2.1.23-13.16.amzn1                                     amzn-main                 32 k
 dracut                       noarch             004-336.24.amzn1                                       amzn-main                122 k
 e2fsprogs                    x86_64             1.42.12-4.35.amzn1                                     amzn-updates             1.1 M
 e2fsprogs-libs               x86_64             1.42.12-4.35.amzn1                                     amzn-updates             182 k
 elfutils-libelf              x86_64             0.158-3.16.amzn1                                       amzn-main                316 k
 file                         x86_64             5.22-2.29.amzn1                                        amzn-main                 64 k
 file-libs                    x86_64             5.22-2.29.amzn1                                        amzn-main                520 k
 gnupg2                       x86_64             2.0.28-1.30.amzn1                                      amzn-updates             2.6 M
 gpgme                        x86_64             1.4.3-5.15.amzn1                                       amzn-updates             234 k
 krb5-libs                    x86_64             1.12.2-14.43.amzn1                                     amzn-updates             964 k
 krb5-workstation             x86_64             1.12.2-14.43.amzn1                                     amzn-updates             828 k
 libX11                       x86_64             1.6.0-2.2.12.amzn1                                     amzn-main                748 k
 libX11-common                x86_64             1.6.0-2.2.12.amzn1                                     amzn-main                230 k
 libXext                      x86_64             1.3.2-2.1.10.amzn1                                     amzn-main                 39 k
 libXi                        x86_64             1.7.2-2.2.9.amzn1                                      amzn-main                 40 k
 libXrender                   x86_64             0.9.8-2.1.9.amzn1                                      amzn-main                 26 k
 libXtst                      x86_64             1.2.2-2.1.9.amzn1                                      amzn-main                 20 k
 libcap-ng                    x86_64             0.7.3-5.13.amzn1                                       amzn-updates              24 k
 libcom_err                   x86_64             1.42.12-4.35.amzn1                                     amzn-updates              45 k
 libgcrypt                    x86_64             1.5.3-12.18.amzn1                                      amzn-updates             289 k
 libjpeg-turbo                x86_64             1.2.90-5.10.amzn1                                      amzn-updates             143 k
 libss                        x86_64             1.42.12-4.35.amzn1                                     amzn-updates              50 k
 libxcb                       x86_64             1.8.1-1.18.amzn1                                       amzn-main                143 k
 lua                          x86_64             5.1.4-4.1.9.amzn1                                      amzn-main                236 k
 openldap                     x86_64             2.4.23-34.23.amzn1                                     amzn-main                387 k
 pam                          x86_64             1.1.8-9.31.amzn1                                       amzn-main                803 k
 pcre                         x86_64             8.21-7.7.amzn1                                         amzn-updates             254 k
 readline                     x86_64             6.2-9.14.amzn1                                         amzn-main                214 k
 rsyslog                      x86_64             5.8.10-9.26.amzn1                                      amzn-main                774 k
 sudo                         x86_64             1.8.6p3-19.19.amzn1                                    amzn-updates             916 k
 sysvinit                     x86_64             2.87-5.dsf.14.amzn1                                    amzn-main                 64 k
 tcpdump                      x86_64             14:4.0.0-3.20090921gitdf3cb4.2.10.amzn1                amzn-updates             372 k
 unzip                        x86_64             6.0-2.9.amzn1                                          amzn-updates             196 k
 upstart                      x86_64             0.6.5-13.3.13.amzn1                                    amzn-main                225 k
 wget                         x86_64             1.16.1-3.18.amzn1                                      amzn-main                729 k
Installing for dependencies:
 libmount                     x86_64             2.23.2-16.22.amzn1                                     amzn-main                173 k
 libpsl                       x86_64             0.6.2-1.2.amzn1                                        amzn-main                 52 k
 libpwquality                 x86_64             1.2.3-4.8.amzn1                                        amzn-main                 89 k
 libtasn1                     x86_64             2.3-6.6.amzn1                                          amzn-main                246 k
 libverto                     x86_64             0.2.5-4.9.amzn1                                        amzn-updates              16 k
 p11-kit                      x86_64             0.18.5-2.3.amzn1                                       amzn-main                123 k
 p11-kit-trust                x86_64             0.18.5-2.3.amzn1                                       amzn-main                 79 k
Updating for dependencies:
 gdisk                        x86_64             0.8.10-1.5.amzn1                                       amzn-main                302 k
 keyutils-libs                x86_64             1.5.8-3.12.amzn1                                       amzn-main                 25 k
 libblkid                     x86_64             2.23.2-16.22.amzn1                                     amzn-main                168 k
 libicu                       x86_64             50.1.2-11.12.amzn1                                     amzn-main                9.6 M
 libuuid                      x86_64             2.23.2-16.22.amzn1                                     amzn-main                 71 k

Transaction Summary
=======================================================================================================================================
Install   3 Packages (+7 Dependent packages)
Upgrade  38 Packages (+5 Dependent packages)

Total download size: 50 M
Is this ok [y/d/N]:

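Some packages are also pulled in because of dependencies, but the list largely matches the set of packages checked beforehand.

Updating only packages that fix vulnerabilities with a medium security risk level

The --sec-severity option specifies the security risk level.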

# yum update --sec-severity=medium
Loaded plugins: priorities, update-motd, upgrade-helper
33 package(s) needed (+0 related) for security, out of 204 available
Resolving Dependencies
--> Running transaction check
---> Package ca-certificates.noarch 0:2010.63-3.7.amzn1 will be updated
---> Package ca-certificates.noarch 0:2014.1.98-65.0.13.amzn1 will be an update
--> Processing Dependency: p11-kit-trust >= 0.18.4-2 for package: ca-certificates-2014.1.98-65.0.13.amzn1.noarch
--> Processing Dependency: p11-kit >= 0.18.4-2 for package: ca-certificates-2014.1.98-65.0.13.amzn1.noarch
---> Package cyrus-sasl.x86_64 0:2.1.23-13.10.amzn1 will be updated
---> Package cyrus-sasl.x86_64 0:2.1.23-13.16.amzn1 will be an update
---> Package cyrus-sasl-lib.x86_64 0:2.1.23-13.10.amzn1 will be updated
---> Package cyrus-sasl-lib.x86_64 0:2.1.23-13.16.amzn1 will be an update
---> Package cyrus-sasl-plain.x86_64 0:2.1.23-13.10.amzn1 will be updated
---> Package cyrus-sasl-plain.x86_64 0:2.1.23-13.16.amzn1 will be an update
---> Package dracut.noarch 0:004-303.18.amzn1 will be updated
---> Package dracut.noarch 0:004-336.24.amzn1 will be an update
---> Package e2fsprogs.x86_64 0:1.42.3-3.17.amzn1 will be updated
---> Package e2fsprogs.x86_64 0:1.42.12-4.35.amzn1 will be an update
---> Package e2fsprogs-libs.x86_64 0:1.42.3-3.17.amzn1 will be updated
---> Package e2fsprogs-libs.x86_64 0:1.42.12-4.35.amzn1 will be an update
---> Package elfutils-libelf.x86_64 0:0.152-1.12.amzn1 will be updated
---> Package elfutils-libelf.x86_64 0:0.158-3.16.amzn1 will be an update
---> Package file.x86_64 0:5.11-4.12.amzn1 will be updated
---> Package file.x86_64 0:5.22-2.29.amzn1 will be an update
---> Package file-libs.x86_64 0:5.11-4.12.amzn1 will be updated
---> Package file-libs.x86_64 0:5.22-2.29.amzn1 will be an update
---> Package gnupg2.x86_64 0:2.0.19-8.21.amzn1 will be updated
---> Package gnupg2.x86_64 0:2.0.28-1.30.amzn1 will be an update
---> Package kernel.x86_64 0:3.14.48-33.39.amzn1 will be installed
---> Package krb5-libs.x86_64 0:1.10.3-10.26.amzn1 will be updated
---> Package krb5-libs.x86_64 0:1.12.2-14.43.amzn1 will be an update
--> Processing Dependency: keyutils-libs >= 1.5.8 for package: krb5-libs-1.12.2-14.43.amzn1.x86_64
--> Processing Dependency: libkeyutils.so.1(KEYUTILS_1.5)(64bit) for package: krb5-libs-1.12.2-14.43.amzn1.x86_64
--> Processing Dependency: libverto.so.1()(64bit) for package: krb5-libs-1.12.2-14.43.amzn1.x86_64
---> Package krb5-workstation.x86_64 0:1.10.3-10.26.amzn1 will be updated
---> Package krb5-workstation.x86_64 0:1.12.2-14.43.amzn1 will be an update
---> Package libX11.x86_64 0:1.5.0-4.10.amzn1 will be updated
---> Package libX11.x86_64 0:1.6.0-2.2.12.amzn1 will be an update
---> Package libX11-common.x86_64 0:1.5.0-4.10.amzn1 will be updated
---> Package libX11-common.x86_64 0:1.6.0-2.2.12.amzn1 will be an update
---> Package libXext.x86_64 0:1.3.1-2.8.amzn1 will be updated
---> Package libXext.x86_64 0:1.3.2-2.1.10.amzn1 will be an update
---> Package libXi.x86_64 0:1.6.1-3.7.amzn1 will be updated
---> Package libXi.x86_64 0:1.7.2-2.2.9.amzn1 will be an update
---> Package libXrender.x86_64 0:0.9.7-2.7.amzn1 will be updated
---> Package libXrender.x86_64 0:0.9.8-2.1.9.amzn1 will be an update
---> Package libXtst.x86_64 0:1.2.1-2.7.amzn1 will be updated
---> Package libXtst.x86_64 0:1.2.2-2.1.9.amzn1 will be an update
---> Package libcap-ng.x86_64 0:0.6.4-3.8.amzn1 will be updated
---> Package libcap-ng.x86_64 0:0.7.3-5.13.amzn1 will be an update
---> Package libcom_err.x86_64 0:1.42.3-3.17.amzn1 will be updated
---> Package libcom_err.x86_64 0:1.42.12-4.35.amzn1 will be an update
---> Package libgcrypt.x86_64 0:1.4.5-9.12.amzn1 will be updated
---> Package libgcrypt.x86_64 0:1.5.3-12.18.amzn1 will be an update
---> Package libjpeg-turbo.x86_64 0:1.2.1-1.2.amzn1 will be updated
---> Package libjpeg-turbo.x86_64 0:1.2.90-5.10.amzn1 will be an update
---> Package libss.x86_64 0:1.42.3-3.17.amzn1 will be updated
---> Package libss.x86_64 0:1.42.12-4.35.amzn1 will be an update
---> Package libxcb.x86_64 0:1.8.1-1.14.amzn1 will be updated
---> Package libxcb.x86_64 0:1.8.1-1.18.amzn1 will be an update
---> Package lua.x86_64 0:5.1.4-4.1.8.amzn1 will be updated
---> Package lua.x86_64 0:5.1.4-4.1.9.amzn1 will be an update
---> Package openldap.x86_64 0:2.4.23-32.21.amzn1 will be updated
---> Package openldap.x86_64 0:2.4.23-34.23.amzn1 will be an update
---> Package pam.x86_64 0:1.1.1-13.20.amzn1 will be updated
---> Package pam.x86_64 0:1.1.8-9.31.amzn1 will be an update
--> Processing Dependency: libpwquality >= 0.9.9 for package: pam-1.1.8-9.31.amzn1.x86_64
---> Package rsyslog.x86_64 0:5.8.10-7.24.amzn1 will be updated
---> Package rsyslog.x86_64 0:5.8.10-9.26.amzn1 will be an update
---> Package tcpdump.x86_64 14:4.0.0-3.20090921gitdf3cb4.2.8.amzn1 will be updated
---> Package tcpdump.x86_64 14:4.0.0-3.20090921gitdf3cb4.2.10.amzn1 will be an update
---> Package unzip.x86_64 0:6.0-1.7.amzn1 will be updated
---> Package unzip.x86_64 0:6.0-2.9.amzn1 will be an update
---> Package wget.x86_64 0:1.14-8.11.amzn1 will be updated
---> Package wget.x86_64 0:1.16.1-3.18.amzn1 will be an update
--> Processing Dependency: libpsl.so.0()(64bit) for package: wget-1.16.1-3.18.amzn1.x86_64
--> Running transaction check
---> Package keyutils-libs.x86_64 0:1.4-4.10.amzn1 will be updated
---> Package keyutils-libs.x86_64 0:1.5.8-3.12.amzn1 will be an update
---> Package libpsl.x86_64 0:0.6.2-1.2.amzn1 will be installed
--> Processing Dependency: libicuuc.so.50()(64bit) for package: libpsl-0.6.2-1.2.amzn1.x86_64
---> Package libpwquality.x86_64 0:1.2.3-4.8.amzn1 will be installed
---> Package libverto.x86_64 0:0.2.5-4.9.amzn1 will be installed
---> Package p11-kit.x86_64 0:0.18.5-2.3.amzn1 will be installed
--> Processing Dependency: libtasn1.so.3(LIBTASN1_0_3)(64bit) for package: p11-kit-0.18.5-2.3.amzn1.x86_64
--> Processing Dependency: libtasn1.so.3()(64bit) for package: p11-kit-0.18.5-2.3.amzn1.x86_64
---> Package p11-kit-trust.x86_64 0:0.18.5-2.3.amzn1 will be installed
--> Running transaction check
---> Package libicu.x86_64 0:4.2.1-9.9.amzn1 will be updated
--> Processing Dependency: libicuio.so.42()(64bit) for package: gdisk-0.8.7-1.3.amzn1.x86_64
--> Processing Dependency: libicuuc.so.42()(64bit) for package: gdisk-0.8.7-1.3.amzn1.x86_64
---> Package libicu.x86_64 0:50.1.2-11.12.amzn1 will be an update
---> Package libtasn1.x86_64 0:2.3-6.6.amzn1 will be installed
--> Running transaction check
---> Package gdisk.x86_64 0:0.8.7-1.3.amzn1 will be updated
---> Package gdisk.x86_64 0:0.8.10-1.5.amzn1 will be an update
--> Finished Dependency Resolution

Dependencies Resolved

=======================================================================================================================================
 Package                      Arch               Version                                                Repository                Size
=======================================================================================================================================
Installing:
 kernel                       x86_64             3.14.48-33.39.amzn1                                    amzn-updates              16 M
Updating:
 ca-certificates              noarch             2014.1.98-65.0.13.amzn1                                amzn-main                1.2 M
 cyrus-sasl                   x86_64             2.1.23-13.16.amzn1                                     amzn-main                 85 k
 cyrus-sasl-lib               x86_64             2.1.23-13.16.amzn1                                     amzn-main                151 k
 cyrus-sasl-plain             x86_64             2.1.23-13.16.amzn1                                     amzn-main                 32 k
 dracut                       noarch             004-336.24.amzn1                                       amzn-main                122 k
 e2fsprogs                    x86_64             1.42.12-4.35.amzn1                                     amzn-updates             1.1 M
 e2fsprogs-libs               x86_64             1.42.12-4.35.amzn1                                     amzn-updates             182 k
 elfutils-libelf              x86_64             0.158-3.16.amzn1                                       amzn-main                316 k
 file                         x86_64             5.22-2.29.amzn1                                        amzn-main                 64 k
 file-libs                    x86_64             5.22-2.29.amzn1                                        amzn-main                520 k
 gnupg2                       x86_64             2.0.28-1.30.amzn1                                      amzn-updates             2.6 M
 krb5-libs                    x86_64             1.12.2-14.43.amzn1                                     amzn-updates             964 k
 krb5-workstation             x86_64             1.12.2-14.43.amzn1                                     amzn-updates             828 k
 libX11                       x86_64             1.6.0-2.2.12.amzn1                                     amzn-main                748 k
 libX11-common                x86_64             1.6.0-2.2.12.amzn1                                     amzn-main                230 k
 libXext                      x86_64             1.3.2-2.1.10.amzn1                                     amzn-main                 39 k
 libXi                        x86_64             1.7.2-2.2.9.amzn1                                      amzn-main                 40 k
 libXrender                   x86_64             0.9.8-2.1.9.amzn1                                      amzn-main                 26 k
 libXtst                      x86_64             1.2.2-2.1.9.amzn1                                      amzn-main                 20 k
 libcap-ng                    x86_64             0.7.3-5.13.amzn1                                       amzn-updates              24 k
 libcom_err                   x86_64             1.42.12-4.35.amzn1                                     amzn-updates              45 k
 libgcrypt                    x86_64             1.5.3-12.18.amzn1                                      amzn-updates             289 k
 libjpeg-turbo                x86_64             1.2.90-5.10.amzn1                                      amzn-updates             143 k
 libss                        x86_64             1.42.12-4.35.amzn1                                     amzn-updates              50 k
 libxcb                       x86_64             1.8.1-1.18.amzn1                                       amzn-main                143 k
 lua                          x86_64             5.1.4-4.1.9.amzn1                                      amzn-main                236 k
 openldap                     x86_64             2.4.23-34.23.amzn1                                     amzn-main                387 k
 pam                          x86_64             1.1.8-9.31.amzn1                                       amzn-main                803 k
 rsyslog                      x86_64             5.8.10-9.26.amzn1                                      amzn-main                774 k
 tcpdump                      x86_64             14:4.0.0-3.20090921gitdf3cb4.2.10.amzn1                amzn-updates             372 k
 unzip                        x86_64             6.0-2.9.amzn1                                          amzn-updates             196 k
 wget                         x86_64             1.16.1-3.18.amzn1                                      amzn-main                729 k
Installing for dependencies:
 libpsl                       x86_64             0.6.2-1.2.amzn1                                        amzn-main                 52 k
 libpwquality                 x86_64             1.2.3-4.8.amzn1                                        amzn-main                 89 k
 libtasn1                     x86_64             2.3-6.6.amzn1                                          amzn-main                246 k
 libverto                     x86_64             0.2.5-4.9.amzn1                                        amzn-updates              16 k
 p11-kit                      x86_64             0.18.5-2.3.amzn1                                       amzn-main                123 k
 p11-kit-trust                x86_64             0.18.5-2.3.amzn1                                       amzn-main                 79 k
Updating for dependencies:
 gdisk                        x86_64             0.8.10-1.5.amzn1                                       amzn-main                302 k
 keyutils-libs                x86_64             1.5.8-3.12.amzn1                                       amzn-main                 25 k
 libicu                       x86_64             50.1.2-11.12.amzn1                                     amzn-main                9.6 M

Transaction Summary
=======================================================================================================================================
Install   1 Package  (+6 Dependent packages)
Upgrade  32 Packages (+3 Dependent packages)

Total download size: 39 M
Is this ok [y/d/N]:

Updating packages by specifying a CVE number

The --cves option lets you specify a CVE number.

# yum updateinfo all
(omitted)
===============================================================================
  Amazon Linux AMI 2014.03 - ALAS-2014-442: medium priority package update for wget
===============================================================================
  Update ID : ALAS-2014-442
    Release :
       Type : security
     Status : final
     Issued : 2014-11-05 12:19
    Updated : 2014-11-05 14:40
       CVEs : CVE-2014-4877
Description : Package updates are available for Amazon Linux AMI that fix the
            : following vulnerabilities: CVE-2014-4877:
            :         1139181:
            : CVE-2014-4877 wget: FTP symlink arbitrary
            : filesystem access Absolute path traversal
            : vulnerability in GNU Wget before 1.16, when
            : recursion is enabled, allows remote FTP servers to
            : write to arbitrary files, and consequently execute
            : arbitrary code, via a LIST response that
            : references the same filename within two entries,
            : one of which indicates that the filename is for a
            : symlink.
   Severity : medium
  Installed : false

# yum update --cves=CVE-2014-4877
Loaded plugins: priorities, update-motd, upgrade-helper
1 package(s) needed (+0 related) for security, out of 204 available
Resolving Dependencies
--> Running transaction check
---> Package wget.x86_64 0:1.14-8.11.amzn1 will be updated
---> Package wget.x86_64 0:1.16.1-3.18.amzn1 will be an update
--> Processing Dependency: libpsl.so.0()(64bit) for package: wget-1.16.1-3.18.amzn1.x86_64
--> Running transaction check
---> Package libpsl.x86_64 0:0.6.2-1.2.amzn1 will be installed
--> Processing Dependency: libicuuc.so.50()(64bit) for package: libpsl-0.6.2-1.2.amzn1.x86_64
--> Running transaction check
---> Package libicu.x86_64 0:4.2.1-9.9.amzn1 will be updated
--> Processing Dependency: libicuio.so.42()(64bit) for package: gdisk-0.8.7-1.3.amzn1.x86_64
--> Processing Dependency: libicuuc.so.42()(64bit) for package: gdisk-0.8.7-1.3.amzn1.x86_64
---> Package libicu.x86_64 0:50.1.2-11.12.amzn1 will be an update
--> Running transaction check
---> Package gdisk.x86_64 0:0.8.7-1.3.amzn1 will be updated
---> Package gdisk.x86_64 0:0.8.10-1.5.amzn1 will be an update
--> Finished Dependency Resolution

Dependencies Resolved

=======================================================================================================================================
 Package                     Arch                        Version                                  Repository                      Size
=======================================================================================================================================
Updating:
 wget                        x86_64                      1.16.1-3.18.amzn1                        amzn-main                      729 k
Installing for dependencies:
 libpsl                      x86_64                      0.6.2-1.2.amzn1                          amzn-main                       52 k
Updating for dependencies:
 gdisk                       x86_64                      0.8.10-1.5.amzn1                         amzn-main                      302 k
 libicu                      x86_64                      50.1.2-11.12.amzn1                       amzn-main                      9.6 M

Transaction Summary
=======================================================================================================================================
Install             ( 1 Dependent package)
Upgrade  1 Package  (+2 Dependent packages)

Total download size: 11 M
Is this ok [y/d/N]:

Updating packages by specifying an ALAS number

The --advisory option lets you specify an ALAS number.

# yum updateinfo all
(omitted)
===============================================================================
  Amazon Linux AMI 2014.03 - ALAS-2014-442: medium priority package update for wget
===============================================================================
  Update ID : ALAS-2014-442
    Release :
       Type : security
     Status : final
     Issued : 2014-11-05 12:19
    Updated : 2014-11-05 14:40
       CVEs : CVE-2014-4877
Description : Package updates are available for Amazon Linux AMI that fix the
            : following vulnerabilities: CVE-2014-4877:
            :         1139181:
            : CVE-2014-4877 wget: FTP symlink arbitrary
            : filesystem access Absolute path traversal
            : vulnerability in GNU Wget before 1.16, when
            : recursion is enabled, allows remote FTP servers to
            : write to arbitrary files, and consequently execute
            : arbitrary code, via a LIST response that
            : references the same filename within two entries,
            : one of which indicates that the filename is for a
            : symlink.
   Severity : medium
  Installed : false

# yum update --advisory=ALAS-2014-442
Loaded plugins: priorities, update-motd, upgrade-helper
1 package(s) needed (+0 related) for security, out of 204 available
Resolving Dependencies
--> Running transaction check
---> Package wget.x86_64 0:1.14-8.11.amzn1 will be updated
---> Package wget.x86_64 0:1.16.1-3.18.amzn1 will be an update
--> Processing Dependency: libpsl.so.0()(64bit) for package: wget-1.16.1-3.18.amzn1.x86_64
--> Running transaction check
---> Package libpsl.x86_64 0:0.6.2-1.2.amzn1 will be installed
--> Processing Dependency: libicuuc.so.50()(64bit) for package: libpsl-0.6.2-1.2.amzn1.x86_64
--> Running transaction check
---> Package libicu.x86_64 0:4.2.1-9.9.amzn1 will be updated
--> Processing Dependency: libicuio.so.42()(64bit) for package: gdisk-0.8.7-1.3.amzn1.x86_64
--> Processing Dependency: libicuuc.so.42()(64bit) for package: gdisk-0.8.7-1.3.amzn1.x86_64
---> Package libicu.x86_64 0:50.1.2-11.12.amzn1 will be an update
--> Running transaction check
---> Package gdisk.x86_64 0:0.8.7-1.3.amzn1 will be updated
---> Package gdisk.x86_64 0:0.8.10-1.5.amzn1 will be an update
--> Finished Dependency Resolution

Dependencies Resolved

=======================================================================================================================================
 Package                     Arch                        Version                                  Repository                      Size
=======================================================================================================================================
Updating:
 wget                        x86_64                      1.16.1-3.18.amzn1                        amzn-main                      729 k
Installing for dependencies:
 libpsl                      x86_64                      0.6.2-1.2.amzn1                          amzn-main                       52 k
Updating for dependencies:
 gdisk                       x86_64                      0.8.10-1.5.amzn1                         amzn-main                      302 k
 libicu                      x86_64                      50.1.2-11.12.amzn1                       amzn-main                      9.6 M

Transaction Summary
=======================================================================================================================================
Install             ( 1 Dependent package)
Upgrade  1 Package  (+2 Dependent packages)

Total download size: 11 M
Is this ok [y/d/N]:
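
The lookup done by eye in the two sections above (find the advisory that carries a CVE, check whether it is installed) can be scripted; the following is an added example, not part of the original article. The function names are hypothetical, the second sample record is constructed with placeholder IDs, and the script assumes that additional CVEs wrap onto continuation lines that begin with whitespace and ":".

```shell
# Added example: resolve a CVE to advisory IDs from `yum updateinfo all`-style text.
# Only the structured "CVEs" field (and its continuation lines) is matched,
# never the free-text Description, so a CVE merely mentioned there is ignored.
advisories_for_cve() {   # $1 = CVE id, stdin = updateinfo text
    awk -v want="$1" '
        function flush() { if (id != "" && hit) print id, sev, inst
                           id = ""; sev = ""; inst = ""; hit = 0 }
        {
            pos = index($0, ":"); if (pos == 0) next
            name = substr($0, 1, pos - 1); val = substr($0, pos + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", name); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (name ~ /^[A-Za-z][A-Za-z ]*$/) field = name   # "Name : value"
            else if (name != "") next                          # title line etc.
            if (field == "Update ID" && name != "") { flush(); id = val }
            else if (field == "CVEs" && val == want) hit = 1
            else if (field == "Severity" && name != "") sev = val
            else if (field == "Installed" && name != "") inst = val
        }
        END { flush() }'
}

# Advisory IDs for the CVE that are not yet installed (Installed : false).
pending_for_cve() { advisories_for_cve "$1" | awk '$3 == "false" { print $1 }'; }

# Sample input: first record abridged from the output above; the second record
# is constructed (placeholder IDs) to exercise continuation and Description cases.
sample_updateinfo() { cat <<'EOF'
===============================================================================
  Amazon Linux AMI 2014.03 - ALAS-2014-442: medium priority package update for wget
===============================================================================
  Update ID : ALAS-2014-442
    Updated : 2014-11-05 14:40
       CVEs : CVE-2014-4877
Description : Package updates are available for Amazon Linux AMI that fix the
            : following vulnerabilities: CVE-2014-4877:
   Severity : medium
  Installed : false
===============================================================================
  Update ID : EXAMPLE-0000-001
       CVEs : CVE-0000-0001
            : CVE-0000-0002
Description : Constructed record; mentions CVE-2014-4877 only in prose.
   Severity : low
  Installed : true
EOF
}
for a in $(sample_updateinfo | pending_for_cve CVE-2014-4877); do
    echo "yum update --advisory=$a"
done
```

On a real host, pipe `yum updateinfo all` into `pending_for_cve` instead of the sample; running it again after the update should return nothing for that CVE.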

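Summary

What did you think?
It is important, so I will say it again: using this plugin does not mean the fight against vulnerabilities is over.
Operating a system still requires a structure for handling vulnerabilities.
That said, this plugin lets you reliably apply the update for a specific CVE, and by restricting updates to security patches you can reduce the risk of system problems caused by unneeded feature enhancements.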

Reference sites

Is it possible to limit yum so that it lists or installs only security updates?
7.2. Using yum-plugin-security