yum – Yellowdog Updater Modified
yum [options] [command] [package ...]
yum is an interactive, rpm based, package manager. It can automatically perform system updates, including dependency analysis and obsolete pro‐
cessing based on “repository” metadata. It can also perform installation of new packages, removal of old packages and perform queries on the
installed and/or available packages among many other commands/services (see below). yum is similar to other high level package managers like apt-get and smart.
While there are some graphical interfaces directly to the yum code, more recent graphical interface development is happening with PackageKit
and the gnome-packagekit application.
command is one of:
* install package1 [package2] […]
* update [package1] [package2] […]
* update-to [package1] [package2] […]
* update-minimal [package1] [package2] […]
* upgrade [package1] [package2] […]
* upgrade-to [package1] [package2] […]
* distribution-synchronization [package1] [package2] […]
* remove | erase package1 [package2] […]
* autoremove [package1] […]
* list […]
* info […]
* provides | whatprovides feature1 [feature2] […]
* clean [ packages | metadata | expire-cache | rpmdb | plugins | all ]
* makecache [fast]
* groups […]
* search string1 [string2] […]
* shell [filename]
* resolvedep dep1 [dep2] […]
(maintained for legacy reasons only – use repoquery or yum provides)
* localinstall rpmfile1 [rpmfile2] […]
(maintained for legacy reasons only – use install)
* localupdate rpmfile1 [rpmfile2] […]
(maintained for legacy reasons only – use update)
* reinstall package1 [package2] […]
* downgrade package1 [package2] […]
* deplist package1 [package2] […]
* repolist [all|enabled|disabled]
* repoinfo [all|enabled|disabled]
* repository-packages <enabled-repoid> <install|remove|remove-or-reinstall|remove-or-distribution-synchronization> [package2] […]
* version [ all | installed | available | group-* | nogroups* | grouplist | groupinfo ]
* history [info|list|packages-list|packages-info|summary|addon-info|redo|undo|rollback|new|sync|stats]
* load-transaction [txfile]
* updateinfo [summary | list | info | remove-pkgs-ts | exclude-updates | exclude-all | check-running-kernel]
* fssnapshot [summary | list | have-space | create | delete]
* fs [filters | refilter | refilter-cleanup | du]
* help [command]
Unless the –help or -h option is given, one of the above commands must be present.
Repository configuration is honored in all operations.
Is used to install the latest version of a package or group of packages while ensuring that all dependencies are satisfied. (See Specifying package names for more information) If no package matches the given package name(s), they are assumed to be a shell glob and any matches are then installed. If the name starts with @^ then it is treated as an environment group (group install @^foo), an @ character and it’s treated as a group (plain group install).
If the name starts with a “-” character, then a search is done within the transaction and any matches are removed. Note that Yum options use the same syntax and it may be necessary to use “–” to resolve any possible conflicts.
If the name is a file, then install works like localinstall. If the name doesn’t match a package, then package “provides” are searched (e.g. “_sqlitecache.so()(64bit)”) as are filelists (Eg. “/usr/bin/yum”). Also note that for filelists, wildcards will match multiple packages.
Because install does a lot of work to make it as easy as possible to use, there are also a few specific install commands “install-n”, “install-na” and “install-nevra”. These only work on package names, and do not process wildcards etc.
update If run without any packages, update will update every currently installed package. If one or more packages or package globs are speci‐
fied, Yum will only update the listed packages. While updating packages, yum will ensure that all dependencies are satisfied. (See Specifying package names for more information) If the packages or globs specified match to packages which are not currently installed then update will not install them. update operates on groups, files, provides and filelists just like the “install” command.
If the main obsoletes configure option is true (default) or the –obsoletes flag is present yum will include package obsoletes in its calculations – this makes it better for distro-version changes, for example: upgrading from somelinux 8.0 to somelinux 9.
Note that “update” works on installed packages first, and only if there are no matches does it look for available packages. The difference is most noticeable when you do “update foo-1-2” which will act exactly as “update foo” if foo-1-2 is installed. You can use the “update-to” if you’d prefer that nothing happen in the above case.
This command works like “update” but always specifies the version of the package we want to update to.
This works like the update command, but if you have the package foo-1 installed and have foo-2 (bugfix) and foo-3 (enhancement) available with updateinfo.xml then update-minimal –bugfix will update you to foo-2.
Implemented so you could know if your machine had any updates that needed to be applied without running it interactively. Returns exit value of 100 if there are packages available for an update. Also returns a list of the packages to be updated in list format. Returns 0 if no packages are available for update. Returns 1 if an error occurred. Running in verbose mode also shows obsoletes.
Is the same as the update command with the –obsoletes flag set. See update for more details.
This command works like “upgrade” but always specifies the version of the package we want to update to.
distribution-synchronization or distro-sync
Synchronizes the installed package set with the latest packages available, this is done by either obsoleting, upgrading or downgrading as appropriate. This will “normally” do the same thing as the upgrade command however if you have the package FOO installed at version 4, and the latest available is only version 3, then this command will downgrade FOO to version 3.
If you give the optional argument “full”, then the command will also reinstall packages where the install checksum and the available checksum do not match. And remove old packages (can be used to sync. rpmdb versions). The optional argument “different” can be used to specify the default operation.
This command does not perform operations on groups, local packages or negative selections.
remove or erase
Are used to remove the specified packages from the system as well as removing any packages which depend on the package being removed.
remove operates on groups, files, provides and filelists just like the “install” command.(See Specifying package names for more information)
Note that “yum” is included in the protected_packages configuration, by default. So you can’t accidentally remove yum itself.
The remove_leaf_only configuration changes the behaviour of this command to only remove packages which aren’t required by something else.
The clean_requirements_on_remove configuration changes the behaviour of this command to also remove packages that are only dependencies of this package.
Because remove does a lot of work to make it as easy as possible to use, there are also a few specific remove commands “remove-n”, “remove-na” and “remove-nevra”. These only work on package names, and do not process wildcards etc.
With one or more arguments this command works like running the “remove” command with the clean_requirements_on_remove turned on. However
you can also specify no arguments, at which point it tries to remove any packages that weren’t installed explicitly by the user and which aren’t required by anything (so called leaf packages).
Because autoremove does a lot of work to make it as easy as possible to use, there are also a few specific autoremove commands “autoremove-n”, “autoremove-na” and “autoremove-nevra”. These only work on package names, and do not process wildcards etc.
list Is used to list various information about available packages; more complete details are available in the List Options section below.
provides or whatprovides
Is used to find out which package provides some feature or file. Just use a specific name or a file-glob-syntax wildcards to list the packages available or installed that provide that feature or file.
search This is used to find packages when you know something about the package but aren’t sure of it’s name. By default search will try searching just package names and summaries, but if that “fails” it will then try descriptions and url.
Yum search orders the results so that those packages matching more terms will appear first.
You can force searching everything by specifying “all” as the first argument.
info Is used to list a description and summary information about available packages; takes the same arguments as in the List Options section below.
clean Is used to clean up various things which accumulate in the yum cache directory over time. More complete details can be found in the Clean Options section below.
Is used to download and make usable all the metadata for the currently enabled yum repos. If the argument “fast” is passed, then we just try to make sure the repos. are current (much like “yum clean expire-cache”).
groups A command, new in 3.4.2, that collects all the subcommands that act on groups together. Note that recent yum using distributions (Fedora-19+, RHEL-7+) have configured group_command=objects which changes how group commands act in some important ways.
“group install” is used to install all of the individual packages in a group, of the specified types (this works as if you’d taken each of those package names and put them on the command line for a “yum install” command). The group_package_types configuration option specifies which types will be installed.
If you wish to “reinstall” a group so that you get a package that is currently blacklisted the easiest way to do that currently is to install the package manually and then run “groups mark packages-sync mygroup mypackagename” (or use yumdb to set the group_member of the
“group update” is just an alias for group install, when using group_command=compat. This will install packages in the group not already
installed and upgrade existing packages. With group_command=simple it will just upgrade already installed packages. With group_command=objects it will try to upgrade the group object, installing any available packages not blacklisted (marked ‘-‘ in group info) and will upgrade the installed packages.
“group list” is used to list the available groups from all yum repos. When group_command=objects the group is installed if the user explicitly installed it (or used the group mark* commands to mark it installed). It does not need to have any packages installed. When not using group_command=objects groups are shown as “installed” if all mandatory packages are installed, or if a group doesn’t have any mandatory packages then it is installed if any of the optional or default package are installed (when not in group_command=objects mode). You can pass optional arguments to the list/summary commands: installed, available, environment, language, packages, hidden and ids (or any of those prefixed by “no” to turn them off again). Note that groups that are available but hidden will not be listed unless
´hidden´ keyword is passed to the command. If you pass the -v option, to enable verbose mode, then the groupids are displayed by default (but “yum group list ids” is often easier to read).
“group remove” is used to remove all of the packages in a group, unlike “groupinstall” this will remove everything regardless of group_package_types. It is worth pointing out that packages can be in more than one group, so “group install X Y” followed by “group remove Y” does not do give you the same result as “group install X”.
The groupremove_leaf_only configuration changes the behaviour of this command to only remove packages which aren’t required by something
“group info” is used to give the description and package list of a group (and which type those packages are marked as). Note that you can use the yum-filter-data and yum-list-data plugins to get/use the data the other way around (i.e. what groups own packages need updating). If you pass the -v option, to enable verbose mode, then the package names are matched against installed/available packages similar to the list command.
When using group_command=objects, the info command will display markers next to each package saying how that package relates to the group object. The meaning of these markers is:
“-” = Package isn’t installed, and won’t be installed as part of the group (Eg. “yum group install foo -pkgA” or “yum group install
foo; yum remove pkgA” … this will have pkgA marked as ‘-‘)
“+” = Package isn’t installed, but will be the next time you run “yum upgrade” or “yum group upgrade foo”
” ” = Package is installed, but wasn’t installed via the group (so “group remove foo” won’t remove it).
“=” = Package is installed, and was installed via the group.
you can move an installed package into an installed group using either “group mark package-sync/package-sync-forced” or “yumdb set group_member”.
“group summary” is used to give a quick summary of how many groups are installed and available.
“group mark” and “group unmark” are used when groups are configured in group_command=objects mode. These commands then allow you to alter yum’s idea of which groups are installed, and the packages that belong to them.
“group mark install” mark the group as installed. When installed “yum upgrade” and “yum group upgrade” will install new packages for the group (only those packages already installed will be marked as members of the installed group to start with).
“group mark remove” the opposite of mark install.
“group mark packages” takes a group id (which must be installed) and marks any given installed packages (which aren’t members of a group) as members of the group. Note that the data from the repositories does not need to specify the packages as a member of the group.
“group mark packages-force” works like mark packages, but doesn’t care if the packages are already members of another group.
“group mark blacklist” will blacklist all packages marked to be installed for a group. After this command a “yum group upgrade” will not install any new packages as part of the group.
“group mark convert-blacklist”
“group mark convert-whitelist”
“group mark convert” converts the automatic data you get without using groups as objects into groups as objects data, in other words this will make “yum –setopt=group_command=objects groups list” look as similar as possible to the current output of “yum –setopt=group_command=simple groups list”. This makes it much easier to convert to groups as objects without having to reinstall. For groups that are installed the whitelist variant will mark all uninstalled packages for the group as to be installed on the next “yum
group upgrade”, the blacklist variant (current default) will mark them all as blacklisted.
“group unmark packages” remove a package as a member from any groups.
shell Is used to enter the ‘yum shell’, when a filename is specified the contents of that file is executed in yum shell mode. See yum-shell(8) for more info.
Is used to list packages providing the specified dependencies, at most one package is listed per dependency. This command is maintained for legacy reasons only, use repoquery instead.
Is used to install a set of local rpm files. If required the enabled repositories will be used to resolve dependencies. Note that the install command will do a local install, if given a filename. This command is maintained for legacy reasons only.
Is used to update the system by specifying local rpm files. Only the specified rpm files of which an older version is already installed will be installed, the remaining specified packages will be ignored. If required the enabled repositories will be used to resolve dependencies. Note that the update command will do a local update, if given a filename. This command is maintained for legacy reasons only.
Will reinstall the identically versioned package as is currently installed. This does not work for “installonly” packages, like Kernels. reinstall operates on groups, files, provides and filelists just like the “install” command.
Will try and downgrade a package from the version currently installed to the previously highest version (or the specified version). The depsolver will not necessarily work, but if you specify all the packages it should work (thus, all the simple cases will work). Also this does not work for “installonly” packages, like Kernels. downgrade operates on groups, files, provides, filelists and rpm files just like the “install” command.
swap At it’s simplest this is just a simpler way to remove one set of package(s) and install another set of package(s) without having to use
the “shell” command. However you can specify different commands to call than just remove or install, and you can list multiple packages
(it splits using the “–” marker). Note that option parsing will remove the first “–” in an argument list on the command line.
swap foo bar
swap — remove foo — install bar
swap foo group install bar-grp
swap — group remove foo-grp — group install bar-grp
Produces a list of all dependencies and what packages provide those dependencies for the given packages. As of 3.2.30 it now just shows the latest version of each package that matches (this can be changed by using –showduplicates) and it only shows the newest providers (which can be changed by using –verbose).
Produces a list of configured repositories. The default is to list all enabled repositories. If you pass -v, for verbose mode, or use repoinfo then more information is listed. If the first argument is ´enabled´, ´disabled´ or ´all´ then the command will list those types of repos.
You can pass repo id or name arguments, or wildcards which to match against both of those. However if the id or name matches exactly then the repo will be listed even if you are listing enabled repos. and it is disabled.
In non-verbose mode the first column will start with a ´*´ if the repo. has metalink data and the latest metadata is not local and will start with a ´!´ if the repo. has metadata that is expired. For non-verbose mode the last column will also display the number of packages in the repo. and (if there are any user specified excludes) the number of packages excluded.
One last special feature of repolist, is that if you are in non-verbose mode then yum will ignore any repo errors and output the information it can get (Eg. “yum clean all; yum -C repolist” will output something, although the package counts/etc. will be zeroed out).
This command works exactly like repolist -v.
Treat a repo. as a collection of packages (like “yum groups”) allowing the user to install or remove them as a single entity.
“repository-packages <repo> list” – Works like the “yum list” command, but only shows packages from the given repository.
“repository-packages <repo> info” – Works like the “yum info” command, but only shows packages from the given repository.
“repository-packages <repo> check-update” – Works like the “yum check-update” command, but only shows packages from the given repository.
“repository-packages <repo> install” – Install all of the packages in the repository, basically the same as: yum install $(repoquery–repoid=<repo> -a). Specific packages/wildcards can be specified.
“repository-packages <repo> upgrade” – Update all of the packages in the repository, basically the same as: yum upgrade $(repoquery–repoid=<repo> -a). Specific packages/wildcards can be specified.
“repository-packages <repo> upgrade-to” – Update all of the packages in the repository, basically the same as: yum upgrade $(repoquer–repoid=<repo> -a). Without arguments it works the same as upgrade, with arguments it just interprets them as the versions you want to move to.
“repository-packages <repo> reinstall-old” – ReInstall all of the packages that are installed from the repository and available in the repository, similar to: yum reinstall $(yumdb search-quiet from_repo <repo>).
“repository-packages <repo> move-to” – ReInstall all of the packages that are available in the repository, basically the same as: yum reinstall $(repoquery –repoid=<repo> -a).
“repository-packages <repo> reinstall” – Tries to do reinstall-old, but if that produces no packages then tries move-to.
“repo-pkgs <repo> remove” – Remove all of the packages in the repository, very similar to: yum remove $(repoquery –repoid=<repo> -a). However the repopkgsremove_leaf_only option is obeyed.
“repo-pkgs <repo> remove-or-reinstall” – Works like remove for any package that doesn’t have the exact same version in another repository. For any package that does have the exact NEVRA in another repository then that version will be reinstalled.
“repo-pkgs <repo> remove-or-distro-sync” – Works like remove for any package that doesn’t exist in another repository. For any package that does exist it tries to work as if distro-sync was called (with the repo. disabled).
Produces a “version” of the rpmdb, and of the enabled repositories if “all” is given as the first argument. You can also specify version groups in the version-groups configuration file. If you pass -v, for verbose mode, more information is listed. The version is calculated by taking an SHA1 hash of the packages (in sorted order), and the checksum_type/checksum_data entries from the yumdb. Note that this rpmdb version is now also used significantly within yum (esp. in yum history).
The version command will now show “groups” of packages as a separate version, and so takes sub-commands:
“version grouplist” – List the defined version groups.
“version groupinfo” – Get the complete list of packages within one or more version groups.
“version installed” – This is the default, only show the version information for installed packages.
“version available” – Only show the version information for available packages.
“version all” – Show the version information for installed and available packages.
“version nogroups | nogroups-*” – Just show the main version information.
“version group-*” – Just show the grouped version information, if more arguments are given then only show the data for those groups.
The history command allows the user to view what has happened in past transactions (assuming the history_record config. option is set).
You can use info/list/packages-list/packages-info/summary to view what happened, undo/redo/rollback to act on that information and new to start a new history file.
The info/list/summary commands take either a transaction id or a package (with wildcards, as in Specifying package names), all three can also be passed no arguments. list can be passed the keyword “all” to list all the transactions.
The info command can also take ranges of transaction ids, of the form start..end, which will then display a merged history as if all the transactions in the range had happened at once.
Eg. “history info 1..4” will merge the first four transactions and display them as a single transaction.
The packages-list/packages-info commands takes a package (with wildcards, as in Specifying package names). And show data from the point of view of that package.
The undo/redo/rollback commands take either a single transaction id or the keyword last and an offset from the last transaction (Eg. if you’ve done 250 transactions, “last” refers to transaction 250, and “last-4” refers to transaction 246). The redo command can also take some optional arguments before you specify the transaction. “force-reinstall” tells it reinstall any packages that were installed in that transaction (via install, upgrade or downgrade). “force-remove” tells it to forcibly remove any packages that were updated or downgraded.
The undo/redo commands act on the specified transaction, undo’ing or repeating the work of that transaction. While the rollback command will undo all transactions up to the point of the specified transaction. For example, if you have 3 transactions, where package A; B and C where installed respectively. Then “undo 1” will try to remove package A, “redo 1” will try to install package A (if it is not still installed), and “rollback 1” will try to remove packages B and C. Note that after a “rollback 1” you will have a fourth transaction, although the ending rpmdb version (see: yum version) should be the same in transactions 1 and 4.
The addon-info command takes a transaction ID, and the packages-list command takes a package (with wildcards).
The stats command shows some statistics about the current history DB.
The sync commands allows you to change the rpmdb/yumdb data stored for any installed packages, to whatever is in the current rpmdb/yumdb (this is mostly useful when this data was not stored when the package went into the history DB).
In “history list” you can change the behaviour of the 2nd column via the configuration option history_list_view.
In “history list” output the Altered column also gives some extra information if there was something not good with the transaction (this is also shown at the end of the package column in the packages-list command).
– The rpmdb was changed, outside yum, after the transaction.
< – The rpmdb was changed, outside yum, before the transaction.
* – The transaction aborted before completion.
# – The transaction completed, but with a non-zero status.
E – The transaction completed fine, but had warning/error output during the transaction.
P – The transaction completed fine, but problems already existed in the rpmdb.
s – The transaction completed fine, but –skip-broken was enabled and had to skip some packages.
check Checks the local rpmdb and produces information on any problems it finds. You can pass the check command the arguments “dependencies”, “duplicates”, “obsoletes” or “provides”, to limit the checking that is performed (the default is “all” which does all).
help Produces help, either for all commands or if given a command name then the help for that particular command.
Most command line options can be set using the configuration file as well and the descriptions indicate the necessary configuration option to
Help; display a help message and then quit.
Assume yes; assume that the answer to any question which would be asked is yes.
Configuration Option: assumeyes
Assume no; assume that the answer to any question which would be asked is no. This option overrides assumeyes, but is still subject to alwaysprompt.
Configuration Option: assumeno
-c, –config=[config file]
Specifies the config file location – can take HTTP and FTP URLs and local file paths.
Run without output. Note that you likely also want to use -y.
Run with a lot of debugging output.
Sets the debugging level to [number] – turns up or down the amount of things that are printed. Practical range: 0 – 10
Configuration Option: debuglevel
Sets the error level to [number] Practical range 0 – 10. 0 means print only critical errors about which you must be told. 1 means print all errors, even ones that are not overly important. 1+ means print more errors (if any) -e 0 is good for cron jobs.
Configuration Option: errorlevel
Sets the debug level to [name] for rpm scriptlets. ‘info’ is the default, other options are: ‘critical’, ’emergency’, ‘error’, ‘warn’ and ‘debug’.
Configuration Option: rpmverbosity
-R, –randomwait=[time in minutes]
Sets the maximum amount of time yum will wait before performing a command – it randomizes over the time.
Tells yum to run entirely from system cache – does not download or update any headers unless it has to to perform the requested action.
Doesn’t limit packages to their latest versions in the info, list and search commands (will also affect plugins which use the doPackage‐
Specifies an alternative installroot, relative to which all packages will be installed. Think of this like doing “chroot <root> yum” except using –installroot allows yum to work before the chroot is created. Note: You may also want to use the option –releasever=/when creating the installroot as otherwise the $releasever value is taken from the rpmdb within the installroot (and thus. will be empty, before creation).
Configuration Option: installroot
Enables specific repositories by id or glob that have been disabled in the configuration file using the enabled=0 option.
Configuration Option: enabled
Disables specific repositories by id or glob.
Configuration Option: enabled
This option only has affect for an update, it enables yum´s obsoletes processing logic. For more information see the update command
Configuration Option: obsoletes
Exclude a specific package by name or glob from all repositories, so yum works as if that package was never in the repositories. This is commonly used so a package isn’t upgraded or installed accidentally, but can be used to remove packages in any way that “yum list”
will show packages.
Can be disabled using –disableexcludes. Configuration Option: exclude, includepkgs
Display colorized output automatically, depending on the output terminal, always (using ANSI codes) or never. Note that some commands (Eg. list and info) will do a little extra work when color is enabled. Configuration Option: color
Disable the excludes defined in your config files. Takes one of three options:
all == disable all excludes
main == disable excludes defined in [main] in yum.conf
repoid == disable excludes defined for that repo
Disable the includes defined in your config files. Takes one of two options:
all == disable all includes
repoid == disable includes defined for that repo
Run with one or more plugins disabled, the argument is a comma separated list of wildcards to match against plugin names.
Run with all plugins disabled.
Configuration Option: plugins
Run with GPG signature checking disabled.
Configuration Option: gpgcheck
Resolve depsolve problems by removing packages that are causing problems from the transaction.
Configuration Option: skip_broken
Pretend the current release version is the given string. This is very useful when combined with –installroot. You can also use –relea‐sever=/ to take the releasever information from outside the installroot. Note that with the default upstream cachedir, of /var/cache/yum, using this option will corrupt your cache (and you can use $releasever in your cachedir configuration to stop this).
This option makes yum go slower, checking for things that shouldn’t be possible making it more tolerant of external errors.
Don’t update, just download. This is done in the background, so the yum lock is released for other operations. This can also be chosen by typing ‘d’ownloadonly at the transaction confirmation prompt.
Specifies an alternate directory to store packages.
Set any config option in yum config or repo files. For options in the global config just use: –setopt=option=value for repo options use: –setopt=repoid.option=value
This option includes packages that say they fix a security issue, in updates.
This option includes in updates packages corresponding to the advisory ID, Eg. FEDORA-2201-123.
This option includes in updates packages that say they fix a Bugzilla ID, Eg. 123.
This option includes in updates packages that say they fix a CVE – Common Vulnerabilities and Exposures ID
(http://cve.mitre.org/about/), Eg. CVE-2201-0123.
This option includes in updates packages that say they fix a bugfix issue.
This option includes in updates security relevant packages of the specified severity.
To list all updates that are security relevant, and get a return code on whether there are security updates use:
yum --security check-update
To upgrade packages that have security errata (upgrades to the latest available package) use:
yum --security update
To upgrade packages that have security errata (upgrades to the last security errata package) use:
yum --security update-minimal
To get a list of all BZs that are fixed for packages you have installed use:
yum updateinfo list bugzillas
To get a list of all security advisories, including the ones you have already installed use:
yum updateinfo list all security
To get the information on advisory FEDORA-2707-4567 use:
yum updateinfo info FEDORA-2707-4567
For Red Hat advisories, respin suffixes are also accepted in the ID, although they won’t have any effect on the actual respin selected by yum,
as it will always select the latest one available. For example, if you use:
yum updateinfo info RHSA-2016:1234-2
while RHSA-2016:1234-3 has been shipped already, yum will select the latter (provided your updateinfo.xml is current). The same would happen
if you just specified RHSA-2016:1234. That said, there’s no need for you to specify or care about the suffix at all.
To update packages to the latest version which contain fixes for Bugzillas 123, 456 and 789; and all security updates use:
yum --bz 123 --bz 456 --bz 789 --security update
To update to the packages which just update Bugzillas 123, 456 and 789; and all security updates use:
yum --bz 123 --bz 456 --bz 789 --security update-minimal
To get an info list of the latest packages which contain fixes for Bugzilla 123; CVEs CVE-2207-0123 and CVE-2207-3210; and Fedora advisories
FEDORA-2707-4567 and FEDORA-2707-7654 use:
yum --bz 123 --cve CVE-2207-0123 --cve CVE-2207-3210 --advisory FEDORA-2707-4567 --advisory FEDORA-2707-7654 info updates
To get a list of packages which are “new”.
yum updateinfo list new