
On a Ubuntu 20.04 machine, when I ssh in I see

59 updates can be applied immediately.
1 of these updates is a standard security update.
To see these additional updates run: apt list --upgradable

Now, I'd like to install only the "standard security update".

I have tried with unattended-upgrade (sudo unattended-upgrade -d) but I get

...
Fetched 0 B in 0s (0 B/s)
fetch.run() result: 0
Packages blacklist due to conffile prompts: []
No packages found that can be upgraded unattended and no pending auto-removals
...

From my online research unattended-upgrade is the way to install security updates. What am I missing here? Is it because the security update is a "standard" one?

UPDATE 1

~$ sudo apt list --upgradable | grep security |cut -d\/ -f1|xargs sudo apt-get install -y

WARNING: apt does not have a stable CLI interface. Use with caution in scripts.

Reading package lists... Done
Building dependency tree
Reading state information... Done
0 upgraded, 0 newly installed, 0 to remove and 29 not upgraded.

  • https://askubuntu.com/a/1261960/15811 does what you ask – Rinzwind Aug 09 '21 at 13:27
  • Thanks for the reply. See UPDATE 1. – Sig Aug 09 '21 at 13:29
  • The data used for the login text (called 'motd' for Message Of The Day) may be stale. Aptdaemon is NOT fired up at each login just to refresh those numbers. – user535733 Aug 09 '21 at 13:31
  • @user535733 Thanks for your reply. Is there a way to manually refresh those numbers to make sure there are no security updates to be applied? PS I have rebooted the server, but the message is still the same. – Sig Aug 09 '21 at 13:43
  • Simple-but-misleading direct answer: You can refresh the numbers themselves with a simple sudo apt update, since that command does fire up aptdaemon. It's misleading because that number does NOT include Snaps nor pips nor flatpaks nor AppImages nor wheels or compiled software. And Unattended Upgrades will handle the deb security updates anyway; the point of the number is that you only need to get involved if the number is shockingly large. – user535733 Aug 09 '21 at 14:12
  • Thanks for the reply. As per our internal SOP, we have to install (and document it) all security updates (even if there is just one) periodically. We assumed the motd was reliable. However, I now understand that is not the case. Should we trust unattended-upgrade to install all security updates regardless what motd says? – Sig Aug 09 '21 at 14:18
  • Yes, Unattended Upgrades can be trusted. To see what packages it upgraded, review /var/log/unattended-upgrades/unattended-upgrades.log. The default setting for that log is to rotate monthly and to keep old logs for 6 months. With those package names in hand, you can pull the apt-changelog for each package, which will give you the CVEs that were patched. Then, when your auditor names a CVE, you have a back-trail to the package-name and the date-of-install for the patch. Alternately, you can also pull that CVE back-trail from https://ubuntu.com/security and avoid maintaining a spreadsheet. – user535733 Aug 09 '21 at 14:30
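As an added example (not code from the question or from any of the commenters), a small POSIX shell script that covers both the check attempted in UPDATE 1 and the audit trail described in the last comment: it filters apt list --upgradable output down to packages coming from a -security pocket, extracts date/package pairs from unattended-upgrades.log, and pulls CVE identifiers out of a package changelog. All sample inputs are constructed; apt-get changelog is the command behind the comment's "apt-changelog" and needs network access, so it is only wrapped, not run.

```shell
#!/bin/sh
# Added example (not from the thread). Sample inputs are constructed.
# `apt list --upgradable` prints "name/suite version arch [upgradable from: old]";
# keep the names whose candidate version comes from a suite ending in -security.
security_upgradable() {
    awk -F'[/ ]' '$2 ~ /-security$/ { print $1 }'
}
# unattended-upgrades.log lines of interest look like
# "<date> <time> INFO Packages that were upgraded: a b c"; emit "date package" pairs.
upgraded_packages() {
    awk '/INFO Packages that were upgraded:/ {
        date = $1; line = $0
        sub(/.*Packages that were upgraded: */, "", line)
        n = split(line, pkgs, " ")
        for (i = 1; i <= n; i++) print date, pkgs[i]
    }'
}

# Unique CVE identifiers in a changelog read from stdin.
cves_in_changelog() {
    grep -o 'CVE-[0-9]\{4\}-[0-9]\{4,\}' | sort -u
}

# Network-dependent: apt-get changelog downloads the package's changelog.
package_cves() {
    apt-get changelog "$1" | cves_in_changelog
}

SAMPLE_UPGRADABLE='openssl/focal-security 1.1.1f-1ubuntu2.8 amd64 [upgradable from: 1.1.1f-1ubuntu2.4]
vim/focal-updates 2:8.1.2269-1ubuntu5.4 amd64 [upgradable from: 2:8.1.2269-1ubuntu5]
libssl1.1/focal-security 1.1.1f-1ubuntu2.8 amd64 [upgradable from: 1.1.1f-1ubuntu2.4]'

SAMPLE_LOG='2021-08-08 06:25:05,410 INFO No packages found that can be upgraded unattended and no pending auto-removals
2021-08-09 06:31:40,002 INFO Packages that were upgraded: libssl1.1 openssl
2021-08-10 06:30:07,890 INFO Packages that were upgraded: linux-libc-dev'

# CVE ids below are placeholders, not real advisories.
SAMPLE_CHANGELOG='openssl (1.1.1f-1ubuntu2.8) focal-security; urgency=medium
  * SECURITY UPDATE: example issue
    - CVE-2021-00002
  * SECURITY UPDATE: another example issue
    - CVE-2021-00001, related to CVE-2021-00002'

if [ -z "${1:-}" ]; then            # no log file given: run on the constructed samples
    printf '%s\n' "$SAMPLE_UPGRADABLE" | security_upgradable
    printf '%s\n' "$SAMPLE_LOG" | upgraded_packages
    printf '%s\n' "$SAMPLE_CHANGELOG" | cves_in_changelog
else
    upgraded_packages < "$1"        # e.g. /var/log/unattended-upgrades/unattended-upgrades.log
fi
```

On a real host, run it with the path to unattended-upgrades.log (and its rotated copies) to get the date/package pairs, then feed each package name to package_cves to complete the back-trail.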
