8

When I run sudo apt upgrade in Kubuntu 23.10 I get this output:

user1@user1-Desktop1:~$ sudo apt upgrade 
Reading package lists... Done
Building dependency tree 
Reading state information... Done
Calculating upgrade... Done
#
# Canonical released microcode updates for both Intel (CVE-2022-40982) and AMD
# (CVE-2023-20593). ‘Unattended upgrades’ provide security updates by default.
# Ensure it remains enabled to always get all updates as they become available.
#
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

Do I need to enable unattended upgrades as described in the warning? How do I do that, and why do I need to do anything at all?

I am using Kubuntu and upgraded from 23.04 to 23.10 using the GUI tool (exactly as described here). My system installation is roughly one month old. I never changed anything in /etc/apt and everything is at default. This is my /etc/apt/sources.list:

# deb cdrom:[Kubuntu 23.04 _Lunar Lobster_ - Release amd64 (20230414.1)]/ lunar main multiverse restricted universe

# See http://help.ubuntu.com/community/UpgradeNotes for how to upgrade to
# newer versions of the distribution.
deb http://de.archive.ubuntu.com/ubuntu/ mantic main restricted
# deb-src http://de.archive.ubuntu.com/ubuntu/ lunar main restricted

# Major bug fix updates produced after the final release of the
# distribution.
deb http://de.archive.ubuntu.com/ubuntu/ mantic-updates main restricted
# deb-src http://de.archive.ubuntu.com/ubuntu/ lunar-updates main restricted

# N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
# team. Also, please note that software in universe WILL NOT receive any
# review or updates from the Ubuntu security team.
deb http://de.archive.ubuntu.com/ubuntu/ mantic universe
# deb-src http://de.archive.ubuntu.com/ubuntu/ lunar universe
deb http://de.archive.ubuntu.com/ubuntu/ mantic-updates universe
# deb-src http://de.archive.ubuntu.com/ubuntu/ lunar-updates universe

# N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
# team, and may not be under a free licence. Please satisfy yourself as to
# your rights to use the software. Also, please note that software in
# multiverse WILL NOT receive any review or updates from the Ubuntu
# security team.
deb http://de.archive.ubuntu.com/ubuntu/ mantic multiverse
# deb-src http://de.archive.ubuntu.com/ubuntu/ lunar multiverse
deb http://de.archive.ubuntu.com/ubuntu/ mantic-updates multiverse
# deb-src http://de.archive.ubuntu.com/ubuntu/ lunar-updates multiverse

# N.B. software from this repository may not have been tested as
# extensively as that contained in the main release, although it includes
# newer versions of some applications which may provide useful features.
# Also, please note that software in backports WILL NOT receive any review
# or updates from the Ubuntu security team.
deb http://de.archive.ubuntu.com/ubuntu/ mantic-backports main restricted universe multiverse
# deb-src http://de.archive.ubuntu.com/ubuntu/ lunar-backports main restricted universe multiverse

deb http://security.ubuntu.com/ubuntu mantic-security main restricted
# deb-src http://security.ubuntu.com/ubuntu lunar-security main restricted
deb http://security.ubuntu.com/ubuntu mantic-security universe
# deb-src http://security.ubuntu.com/ubuntu lunar-security universe
deb http://security.ubuntu.com/ubuntu mantic-security multiverse
# deb-src http://security.ubuntu.com/ubuntu lunar-security multiverse

# This system was installed using small removable media
# (e.g. netinst, live or single CD). The matching "deb cdrom"
# entries were disabled at the end of the installation process.
# For information about how to configure apt package sources,
# see the sources.list(5) manual.

karel
  • 114,770
zomega
  • 642
  • Not if you regularly keep your system up to date yourself with apt. As far as I know, not all CPUs are affected. sudo cat /sys/devices/system/cpu/vulnerabilities/gather_data_sampling – nobody Nov 03 '23 at 09:51
  • @nobody But why do I get this message? However the file gather_data_sampling says Vulnerable: No microcode. I am normally using the default GUI updater of KUbuntu (perhaps it's the same as that of normal Ubuntu). – zomega Nov 03 '23 at 17:42
  • For sudo cat /sys/devices/system/cpu/vulnerabilities/gather_data_sampling I get Mitigation: Microcode. I do not autoupgrade, but I did get that message (on Ubuntu server) and have upgraded. – Doug Smythies Nov 03 '23 at 18:46
  • Does this answer your question? What is meant by 'APT News'? – Artur Meinild Nov 04 '23 at 10:37
  • This has been asked many times previously - it's not a warning, it's a piece of information. – Artur Meinild Nov 04 '23 at 10:38
  • 1
    @ArturMeinild Even if this message is an APT news then the question you linked does not answer what this particular message about Intel microcode means. – zomega Nov 04 '23 at 10:40
  • @ArturMeinild It's overreaching the scope of the linked duplicate question. – karel Nov 04 '23 at 11:46

1 Answer

2

Your latest terminal output says intel-microcode is already the latest version and unattended upgrades are enabled. There are no error messages, so your Ubuntu is up-to-date and protected. Everything is OK, so you don't have to do anything. The "‘Unattended upgrades’ provide security updates by default. Ensure it remains enabled" in your main question is not an error message, it's just a reminder to keep your security updates enabled in Ubuntu.

The message you received is a reminder from Ubuntu to enable the unattended upgrades feature. Unattended upgrades automatically downloads and installs security updates for your system without requiring any manual intervention from the user. Unattended upgrades is enabled by default in all currently supported versions of Ubuntu. It is a good practice to keep this feature enabled to ensure that your Ubuntu is always up-to-date and secure.

The following command will check if unattended upgrades is currently enabled in Ubuntu:

sudo apt-config dump | grep -E 'APT::Periodic::Update-Package-Lists|APT::Periodic::Unattended-Upgrade'

The output of this command should be:

APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";

The "1" at the end of both lines indicates that unattended upgrades are enabled. If either value is set to "0", unattended upgrades are disabled.

To enable unattended upgrades, run the following command:

sudo apt install unattended-upgrades

To check if the unattended-upgrades package is installed run the following command:

apt policy unattended-upgrades

Intel microcode updates in Ubuntu provide improved security, performance and stability in Ubuntu. It is a good practice to install Intel microcode updates in Ubuntu as soon as they are available. The Intel microcode update package can also be manually installed in Ubuntu by running the following command:

sudo apt install intel-microcode

The intel-microcode package gets installed and updated automatically by unattended upgrades. To verify that this is the case, you can check the unattended upgrades configuration file:

sudo nano /etc/apt/apt.conf.d/50unattended-upgrades

Look for the line near the end of 50unattended-upgrades that starts with Unattended-Upgrade::Package-Blacklist. If the intel-microcode package is not listed after this line, then it is eligible for unattended upgrades.

Your sources.list file has some leftover lines in it from Ubuntu 23.04 lunar which are all commented out, so there is nothing to worry about there. The remaining lines that are not commented out are all for Ubuntu 23.10 mantic as they should be.

karel
  • 114,770
  • I've run all your commands but everything looks good. I've also checked the 50unattended-upgrades file and intel-microcode is not blacklisted. Any more ideas? – zomega Nov 04 '23 at 08:23
  • 1
    It says intel-microcode is already the latest version and unattended upgrades are enabled. There are no error messages, so your Ubuntu is up-to-date and protected. Everything is OK, so you don't have to do anything. The "‘Unattended upgrades’ provide security updates by default. Ensure it remains enabled" is not an error message, it's just a reminder to keep your security updates enabled in Ubuntu. – karel Nov 04 '23 at 08:59
  • 1
    I did but perhaps you can move the paragraph which says it's only a reminder to the top of your answer. Because that is actually the true answer to the question. – zomega Nov 04 '23 at 09:16
  • 1
    That's a good idea. I moved the paragraph which says it's only a reminder to the top of my answer. Thanks for the tip. – karel Nov 04 '23 at 09:18
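
The checks walked through in the answer and comments above (the two APT::Periodic values, the Package-Blacklist block in 50unattended-upgrades, and the gather_data_sampling status) can be combined into one audit script. This is an added example, not part of the original answer or of any Ubuntu tool; the function names and the --live switch are assumptions, and it goes slightly beyond the answer by treating any non-zero APT::Periodic interval as enabled.

```shell
#!/bin/sh
# Added example (not from the original post). Functions take text as
# arguments so they can be exercised offline on constructed samples.

# periodic_enabled DUMP: true if both APT::Periodic keys are set and non-zero.
# The values are intervals in days, so "0" or a missing key means disabled.
periodic_enabled() {
    for key in Update-Package-Lists Unattended-Upgrade; do
        val=$(printf '%s\n' "$1" |
            sed -n "s/^APT::Periodic::$key \"\(.*\)\";\$/\1/p" | tail -n 1)
        case "$val" in ''|0) return 1 ;; esac
    done
    return 0
}

# is_blacklisted CONF PKG: true if an uncommented Package-Blacklist entry
# matches PKG. Entries are Python regexes matched from the start of the name;
# awk's ERE is used here as an approximation (assumption).
is_blacklisted() {
    printf '%s\n' "$1" | awk -v pkg="$2" '
        { sub(/\/\/.*/, "") }                      # drop // comments
        /Unattended-Upgrade::Package-Blacklist/ { inblk = 1; next }
        inblk && index($0, "}") { inblk = 0 }
        inblk && match($0, /"[^"]*"/) {
            entry = substr($0, RSTART + 1, RLENGTH - 2)
            if (entry != "" && pkg ~ ("^(" entry ")")) found = 1
        }
        END { exit !found }'
}

# gds_verdict TEXT: classify the contents of the gather_data_sampling file.
gds_verdict() {
    case "$1" in
        "Not affected"*|Mitigation:*) echo ok ;;
        Vulnerable*) echo action-needed ;;
        *) echo unknown ;;
    esac
}

# Live run on an Ubuntu system: sh audit.sh --live  (script name is hypothetical)
if [ "${1:-}" = "--live" ]; then
    periodic_enabled "$(apt-config dump)" && echo "periodic: on" || echo "periodic: OFF"
    is_blacklisted "$(cat /etc/apt/apt.conf.d/50unattended-upgrades)" intel-microcode \
        && echo "intel-microcode: BLACKLISTED" || echo "intel-microcode: eligible"
    gds_verdict "$(cat /sys/devices/system/cpu/vulnerabilities/gather_data_sampling)"
fi
```

A result of action-needed together with "periodic: on" usually means the microcode update is installed but not yet loaded, or that no fixed microcode exists for that CPU.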