CEFS: CentOS Errata for Spacewalk
This fine piece of software allows you to import errata information from the CentOS-Announce mailing list into
For security announcements details from Red Hat (RHSA) can be imported optionally.
20120504: The errata-import script has been updated. It is now capable to import descriptions from Red Hat's OVAL file which you can find
HERE (Trent Johnson suggested this on the Spacewalk Mailing-List, thanks)
20120520: Added missing Security Announcements from CentOS 5.8
20120610: Added a command-line option to publish errata after creation. Added options to select type of errata (Security, Bug Fix, Enhancement)
20120619: Added missing Product Enhancement Announcements from CentOS 5.8
20120718: Added missing Bug Fix Announcements from CentOS 5.8
20120917: The errata-import script has been updated. I fixed the --publish option to work as expected. CVEs are now added to Security Advisories.
20120922: The errata-import script has been updated. It now checks the users permissions before publishing.
20120925: Checksums are now available as SHA1 and MD5
20120926: The errata-import script has been updated. User permission check has been improved.
20121005: Errata XML generation has been fully automated.
20121020: Errata XML is now also available in compressed formats: gzip and bzip2
20130114: The errata-import script has been updated. Removed patched Frontier-Client.pm.
20130211: You can now flattr this website.
20130218: The errata-import script has been updated to support Debian Advisories
20130301: The errata-import script and XML have been updated to support the reboot_suggested keyword.
20130313: The errata-import script has been updated to work with API version 12 in Spacewalk 1.9 (Thanks, James)
20130323: The errata-import script has been updated to add packages to existing Errata (new feature)
20130326: Errata XML now contains issue_date and severity fields. It no longer contains advisories from 2006 and before.
20130909: The errata-import script has been updated to work with API version 13 in Spacewalk 2.0 (Thanks, Alex)
20131121: Added missing Announcements from CentOS 5.10
20131208: Errata XML now contains information from the cr-announce-list (Thanks, Kris)
20131210: The addition of the CR Errata broke the parsing for the last two days. Should be fixed now. Sorry. (Thanks, Shawn)
20131213: The errata-import script has been updated to include a --quiet option (Thanks, Aron)
20140311: The errata-import script has been updated to work with API version 14 in Spacewalk 2.1 (Thanks, Rolf)
20140316: Fixed support for API version 14 (Thanks, Christian)
20140711: Errata XML now contains CentOS 7 announcements. And also: Happy Birthday, Mom!
20140723: Errata XML now contains proper announcements for Xen4CentOS (Thanks, Scott)
20140724: The errata-import script has been update to work with API version 15. A --ignore-api-version has been added. (Thanks, Martin and Christian)
20140825: Errata XML now contains CentOS unique announcements (e.g. CEBA-2014:C001)
20140904: To further improve the Errata quality I have started some semi-automated QA. You may therefore see old Errata being added/updated where RPM file names had been incorrect and now fixed.
20140930: The errata-import script has been updated to support exclusion of errata (--exclude-errata)
20141002: There seems to be an issue with importing errata into Spacewalk 2.2. If you experience it, please let me know and report it on the Spacewalk Mailing List
20141002: The errata-import script has been updated to fix the new exclude errata feature
20141007: The errata-import script has been updated to support Satellite 5.6. Satellite apparently uses slightly different API version strings (Thanks, Christian)
20141121: The XML update process had failed for the past two weeks. This is now fixed and everything should be back to normal.
20150105: The first XML update of 2015 is now available, so Happy New Year!
20150420: The errata-import script has been updated to support Spacewalk 2.3 (Thanks, Ugur and Bren)
20150630: The errata-import script has been updated to fix a wrong error message when missing modules
20150719: The errata-import script has been updated to satisfy Perl::Critic on level 4
20150731: The errata-import script has been updated to set the issue date of errata
20150903: The errata-import script has been updated to fix a bug with setting the issue data (Thanks, Tom!)
20150904: The XML update process had failed since August 28th after lists.centos.org had turned TLS on. This is now fixed. (Thanks, Joao)
20151011: The errata-import script has been updated to support Spacewalk 2.4
20151208: Thanks to Lets Encrypt this site is now available via SSL.
20151211: Since this site has not received a single Flattr click, I have removed the link to Flattr.
20160219: The XML file is now pushed to GitHub. I have set up a redirect from my download URL to GitHub.
20160309: Added a link to centos-package-cron in the Links section and expanded the FAQ.
20160317: The errata-import script has been updated to fix a bug that removed packages it should not have. Upgrading is recommended. (Thanks, Helmut and Martin)
20161028: The errata for "Dirty COW" (CVE-2016-5195) are CESA-2016:2124 (CentOS 5.x), CESA-2016:2105 (CentOS 6.x) and CESA-2016:2110 (CentOS 7.x). Happy patching!
20161211: This site has moved to a new server. This may have caused some missing files or incorrect checksums, sorry.
20161218: The errata-import script has been updated to support Spacewalk 2.6 and better handle HTML encoding (for Debian advisories).
20161220: The errata-import script has been updated to fix an issue introduced in the previous update (Thanks, Robert)
20161221: The errata-import script has been updated to fix warning regarding missing issue_date on Debian errata
20170101: Happy New Year! The XML no longer contains errata for CentOS 4 (and below) only. For the digital archeologists, the latest commit including these can be found on GitHub
20170212: The errata-import script has been updated to fix an issue with HTML enconding for Debian again. (Thanks, Bernhard)
20170223: There is a new local root exploit that will need patching: CVE-2017-6074.
20170327: As CentOS 5 will reach its EOL on March 31st, I will remove errata for CentOS 5 and older on May 1st.
Download the latest errata XML file HERE (last updated: March 25, 2017)
Download the latest Red Hat OVAL file HERE (optional)
Download the errata-import.tar script HERE or the included script HERE
Extract the downloaded tarball in an empty directory (tar xf errata-import.tar)
Make the main script executeable (chmod 755 errata-import.pl)
Run the script and follow the instructions (./errata-import.pl)
Depending on the performance of your server the inventory process may take multiple minutes per channel (Hint: use --include-channels)
All errata are created but not published so you can review them (Hint: look at --publish)
You can publish errata via the Web and/or API
Frequently Asked Questions
How (often) is the XML file generated?
The file is generated by first parsing the CentOS-Announce Archives. A few glitches I found are then fixed and information for CentOS 5.8 (sent unparseable) is added. Finally there are a few sanity checks before the file is released. This process is now fully automated.
Can I download the file regularly?
Yes, of course. If you use wget please use -N to download only if it has changed.
Can I get the script that generates the XML file?
Something isn't working. Where can I get help?
Please run the script with --debug and send me the output via email or upload it to some place like Pastebin and send me a link to it. I will try to help you as time permits.
How do I set username and password for the script?
Set the environment variables SPACEWALK_USER and SPACEWALK_PASS accordingly. Example:I get a "500 read timeout" error when importing errata. Why?
Your server is likely underpowered. Spacewalk runs a webserver, an application server and a database, all of which need RAM and I/O resources. Check the prerequisites section in the Spacewalk Wiki.
I get "Authentication FAILED" errors but the password is correct?
Make sure that you put your password in parantheses. Otherwise your shell will turn PASSWORD=super$ecret into "super" as $ecret is not defined. Bummer, I know.
Then run the script.
Also note that the script requires a username/password combination for the Spacewalk API and NOT for the underlying Postgres/Oracle database.
I would like to hear how this tool works for you. You can contact me via email:
email (at) steve (dash) meier (dot) de
If you find this tool helpful and would like to show your appreciation you can do so via PayPal:
A good blog entry describing CEFS (in german AND english)
A bachelor thesis on Spacewalk that mentions CEFS
A tool to generate an updateinfo.xml from my errata XML file
A python script that can be used without Spacewalk to generate update emails