402

sudo apt-get upgrade installs all updates, not just security updates. I know that I can use Update Manager to select only important security updates, but is there a way to do this from the command line?

muru
crenshaw-dev
  • I assume you meant to refer to apt-get (dist-)upgrade? – andol Jul 28 '10 at 22:52
  • 2
    I don't think so. dist-upgrade takes the entire system to a new release. I'm talking about day-to-day updates, like the ones you see in Update Manager. – crenshaw-dev Jul 28 '10 at 22:59
  • 1
    Oh, I see what you're saying now. Heh, I run apt-get update so often, I type it without thinking. Thanks for the heads-up! – crenshaw-dev Jul 28 '10 at 23:02
  • 7
    You want "apt-get dist-upgrade", not "apt-get upgrade". "dist-upgrade" isn't for new releases (that's "do-release-upgrade" a separate command). Using "dist-upgrade" means it will handle changing dependencies of the new packages. This can be important. – Kees Cook Sep 21 '10 at 18:37
  • 1
    I don't think @KeesCook is correct. According to apt docs you want to use apt-get upgrade unless you are moving between distributions. Only under rare conditions should a dist-upgrade be necessary vs. an upgrade when running a released (e.g. not currently beta/rc) Ubuntu. – Jay _silly_evarlast_ Wren Apr 13 '12 at 13:44
  • 3
    dist-upgrade is the normal operation performed by the Update Manager GUI. For packages such as the kernel where there is a linux-image-generic package, depending on the current image, eg linux-image-3.x.y-zz-generic (each version of which is a separate package name), dist-upgrade (which allows new packages to be installed to satisfy dependencies) will perform this upgrade, whereas upgrade will show the kernel package as held-back. – chronitis Nov 16 '12 at 14:25
  • 4
    Surprising that there are no good apt-get based answers for this, considering how prominently it is listed on each server – Karthik T Oct 29 '13 at 01:30
  • Actually ILIV answer below is really good. First you can list the packages that are to be updated, then you can run sudo apt-get install <name> of only the packages to be upgraded. That allows you to only upgrade packages that represent a security issue. – Alexis Wilke Oct 29 '14 at 22:37
  • 1
    Two duplicate threads (with different solutions & different explanations). – jpaugh Nov 05 '16 at 13:15

10 Answers

373

The package unattended-upgrades provides functionality to install security updates automatically.

You could use this, but instead of configuring the automatic part you could call it manually:

sudo unattended-upgrade -d --dry-run
sudo unattended-upgrade -d # Idem --debug

If you want to run it quietly instead:

sudo unattended-upgrade

Note: When you call unattended-upgrade you leave the "s" off the end (on newer versions there is a symlink to avoid this).

This assumes that the package is installed by default, which it probably is. If not, just do:

sudo apt install unattended-upgrades

See also /usr/share/doc/unattended-upgrades/README.md.

Pablo Bianchi
blueyed
  • 1
    For disabling the automatic execution of unattended-upgrade you probably need to modify /etc/cron.daily/apt, but I'm not sure it is "correct" to do so – Jaime Hablutzel Oct 23 '14 at 03:33
  • side note: for Ubuntu 12.04.5 LTS server, unattended-upgrades is not installed by default. – Raptor Apr 22 '15 at 02:41
  • 24
    Since you're doing this from the command line, use -v for info messages or -d for debug messages. Otherwise the utility will be very silent, in which case you would need to check the logs in /var/log/unattended-upgrades. You can also use --dry-run to simulate but not actually upgrade anything. For more info and other options, use --help to get the help message. – ADTC Mar 20 '16 at 09:00
  • i learned a few things about unattended-upgrades today. thanks! – Randy L May 17 '16 at 18:19
  • "for monitoring how it goes", it is just debug non-interactive messages right? – Aquarius Power May 14 '17 at 21:12
  • For me, the README was gzipped, so to read it, I used gzip -dc /usr/share/doc/unattended-upgrades/README.md.gz | less. – Gogowitsch Dec 01 '19 at 15:22
  • 1
    @Gogowitsch: you'll be happy to know there's a purpose-built tool for this: zless /usr/share/doc/unattended-upgrades/README.md.gz (https://www.thegeekstuff.com/2009/05/zcat-zless-zgrep-zdiff-zcmp-zmore-gzip-file-operations-on-the-compressed-files/) – mwfearnley Jun 03 '21 at 07:56
  • I tried the command, it seems it's updating everything. For example, it's updating vim right now. How is vim related to security package? – sgon00 Aug 21 '23 at 15:33
  • @sgon00 Vim recently had a security bug in it: https://ubuntu.com/security/notices/USN-6195-1 – Ti Strga Oct 17 '23 at 19:13
144

A Few Tips On How To Manage Updates

This applies both to Debian and Ubuntu, but more specific instructions for Ubuntu follow.

  • Show security updates only :

    apt-get -s dist-upgrade | grep "^Inst" | grep -i securi
    

    or

    sudo unattended-upgrade --dry-run -d
    

    or

    /usr/lib/update-notifier/apt-check -p
    
  • Show all upgradeable packages

    apt-get -s dist-upgrade | grep "^Inst"
    
  • Install security updates only

    apt-get -s dist-upgrade | grep "^Inst" | 
        grep -i securi | awk '{print $2}' | 
        xargs sudo apt-get install --only-upgrade -y
    

Notes:

  • Sometimes Ubuntu shows security updates as if they're coming from $release-updates repository. This is so, I'm told, because Ubuntu developers push security updates to $release-updates repository as well to expedite their availability.

    If that's the case, you can do the following to show security updates only:

    sudo sh -c 'grep ^deb /etc/apt/sources.list | 
        grep security > /etc/apt/sources.security.only.list'
    

    and

    apt-get -s dist-upgrade -o Dir::Etc::SourceList=/etc/apt/sources.security.only.list -o Dir::Etc::SourceParts=/dev/null  | 
        grep "^Inst" | awk -F " " {'print $2'}
    
  • Check what services need to be restarted after package upgrades. Figure out what packages you are going to upgrade beforehand and schedule your restarts/reboots. The problem here is that unless you restart a service it still may be using an older version of a library (most common reason) that's been loaded into memory before you installed new package which fixes a security vulnerability or whatever.

    checkrestart -v
    

    However, keep in mind that checkrestart may list processes that shouldn't necessarily be restarted. For example, PostgreSQL service may be keeping in its memory reference to an already deleted xlog file, which isn't a valid reason to restart the service.

    Therefore, another, more reliable, way to check this using standard utils is the following little bash script that I shamelessly stole from https://locallost.net/?p=233

    It checks if running processes on a system are still using deleted libraries by virtue of keeping copies of those in active memory.

    ps -eo pid= |
    while read -r PROCID; do
            # a mapped .so whose file was replaced on disk is shown as "(deleted)"
            if grep -q 'so.* (deleted)$' "/proc/$PROCID/maps" 2> /dev/null; then
                    CMDLINE=$(tr '\0' ' ' < "/proc/$PROCID/cmdline")
                    printf '\tPID %s %s\n\n' "$PROCID" "$CMDLINE"
            fi
    done
    
lemonsqueeze
ILIV
  • 2
    I notice only now this post. It is extremely precise. Thanks a lot (+1) – Danduk82 May 13 '16 at 07:59
  • where does 'checkrestart' come from? I can't find it in Ubuntu Trusty. I did find "needrestart" which looks like it would fit in your instructions? – Ben XO Aug 19 '16 at 11:29
  • It can be found in debian-goodies package: https://packages.debian.org/wheezy/debian-goodies. There's also needrestart. You can find both on Xenial by running: $apt-cache search checkrestart – ILIV Aug 20 '16 at 03:51
  • I get "E: Could not open lock file /var/lib/dpkg/lock - open (13: Permission denied)" even with sudo. Is this something specific to one of the updates or the commands you've provided? – Nathan Hornby Sep 30 '16 at 09:53
  • Most likely it's about an incorrect/abnormal termination of dpkg that left a lock file uncleared. Doesn't happen normally until, e.g. installation of a package doesn't finish successfully (full disk, etc.) You probably cannot run other apt-get and dpkg commands, can you? – ILIV Oct 01 '16 at 05:00
  • Your grep for grep -i securi, never seems to work. Packages don't seem to be labeled that way. – vcardillo Oct 03 '16 at 17:08
  • $ apt-get -s dist-upgrade |grep "^Inst" |grep -i securi Inst liboxideqt-qmlplugin [1.17.9-0ubuntu0.16.04.1] (1.18.3-0ubuntu0.16.04.1 Ubuntu:16.04/xenial-updates, Ubuntu:16.04/xenial-security [i386]) [] ... in other words - it works. – ILIV Nov 04 '16 at 08:47
  • 2
    for me if I don't include -y on apt-get install it quits on the first yes/no question fyi – Mike Q Feb 12 '19 at 11:58
  • I believe the apt-get | grep | xargs apt-get will change the packages your system thinks you must have installed. While apt-get upgrade will upgrade everything, it won't list some random dependency as a "required" package by doing so, whereas running apt-get install <pkg> does do that. – Christopher Schultz Feb 20 '19 at 02:20
  • Very helpful! The double grep can be replaced like this: grep "^Inst.*securi.*" That is, it starts with Inst and contains securi(ty). – Steven the Easily Amused Jan 23 '20 at 19:02
  • 1
    Install security updates only fails with an error in zsh or bash unless I add the non-interactive flag: xargs apt install -y – ctpenrose Jan 24 '23 at 23:56
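The list-then-install pipeline from this answer, written out as a script (an added example, not code from ILIV's answer): the filter looks for a `-security` suite inside the origin list of each `Inst` line rather than anywhere on the line, `--only-upgrade` stops `apt-get install` from adding packages that `dist-upgrade` would otherwise pull in, and the "automatically installed" mark that `apt-get install` clears (the point raised in the comments) is put back with `apt-mark`. The simulation output embedded below is constructed; its package names and versions are illustrative, and the `--apply` path assumes a Debian or Ubuntu host with `sudo`.

```shell
#!/usr/bin/env bash
# Added example (not ILIV's code): pick out the packages whose candidate
# version is published in a *-security suite from `apt-get -s dist-upgrade`
# output, then upgrade only those, keeping apt's auto/manual marks intact.
set -eu

# Constructed `apt-get -s dist-upgrade` output (Ubuntu 22.04 format);
# package names and versions are illustrative.
SAMPLE='Reading package lists...
Building dependency tree...
Inst libssl3 [3.0.2-0ubuntu1.10] (3.0.2-0ubuntu1.12 Ubuntu:22.04/jammy-updates, Ubuntu:22.04/jammy-security [amd64])
Inst vim [2:8.2.3995-1ubuntu2.15] (2:8.2.3995-1ubuntu2.16 Ubuntu:22.04/jammy-updates [amd64])
Inst linux-image-5.15.0-91-generic (5.15.0-91.101 Ubuntu:22.04/jammy-security [amd64])
Inst libsecurity-dummy [1.0-1] (1.0-2 Ubuntu:22.04/jammy-updates [amd64])
Conf libssl3 (3.0.2-0ubuntu1.12 Ubuntu:22.04/jammy-updates, Ubuntu:22.04/jammy-security [amd64])'

# Read simulation output on stdin; print one name per line for every "Inst"
# line whose origin list (the part after the first "(") names a -security
# suite. Matching there, not on the whole line, is what keeps the package
# "libsecurity-dummy" out of the result.
security_upgrades() {
    awk '
        $1 == "Inst" {
            i = index($0, "(")
            if (i == 0) next
            origins = substr($0, i + 1)
            if (origins ~ "/[^ ,)]*-security([ ,)]|$)") print $2
        }'
}

# "Inst" lines without a bracketed old version are packages that would be
# newly installed (a fresh linux-image-* pulled in by the metapackage, say):
# plain "upgrade" holds these back, "dist-upgrade" lets them in.
new_installs() {
    awk '$1 == "Inst" && $3 !~ /^\[/ { print $2 }'
}

# Live use: simulate, filter, install only those packages in place, then put
# back the "automatically installed" mark that `apt-get install` clears.
apply_security_upgrades() {
    pkgs=$(sudo apt-get -s dist-upgrade | security_upgrades)
    if [ -z "$pkgs" ]; then
        echo "no security upgrades pending"
        return 0
    fi
    listfile=$(mktemp)
    printf '%s\n' "$pkgs" > "$listfile"
    auto=$(apt-mark showauto | grep -Fxf "$listfile" || true)
    xargs sudo apt-get install --only-upgrade -y < "$listfile"
    if [ -n "$auto" ]; then
        printf '%s\n' "$auto" | xargs sudo apt-mark auto
    fi
    rm -f "$listfile"
}

if [ "${1:-}" = "--apply" ]; then
    apply_security_upgrades
else
    echo "security upgrades in sample:"
    printf '%s\n' "$SAMPLE" | security_upgrades
    echo "of which new installs:"
    printf '%s\n' "$SAMPLE" | new_installs
fi
```

Run it with no arguments to see the filter applied to the embedded sample (libssl3 and the new kernel image are selected, vim and libsecurity-dummy are not); run it with `--apply` on a real host after `sudo apt-get update`.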
48

replace /etc/apt/preferences with the following:

Package: *
Pin: release a=lucid-security
Pin-Priority: 500

Package: *
Pin: release o=Ubuntu
Pin-Priority: 50

now a simple apt-get upgrade will upgrade all security updates only.

Why (and how) this works: The preferences file will pin all packages from Ubuntu distribution to priority 50, which will make them less desirable than already installed packages. Files originating from security repository are given the default (500) priority so they are considered for installation. This means that only packages that are considered more desirable than currently installed ones are security updates. More information about pinning in the apt_preferences manpage.

You can temporarily promote a certain distribution for updates with the --target-release option that works with apt-get and aptitude (at least), which will allow you to pin certain releases so that they are eligible for upgrade.

If you wish to use this for scripts only and not make it default for the system, you can place the rules in to some other location and use this instead:

apt-get -o Dir::Etc::Preferences=/path/to/preferences_file upgrade

This will make apt look for the preferences file from a non-default location.

The preferences file given as an example doesn't apply to third party repositories, if you wish to pin those too you can use apt-cache policy to easily determine the required keys for pinning.

A.B.
Ressu
  • Thanks for taking time for a thorough answer. I think I understand how it works. But when I create the /etc/apt/preferences file and run apt-get upgrade, it wants to upgrade all packages, not just security updates. The list upgrade before and after are exactly the same, except with /etc/apt/preferences it doesn't want to upgrade Leafpad, which I built from source and installed "by hand" with dpkg. It's very strange to me, but may mean something to you. – crenshaw-dev Jul 29 '10 at 13:14
  • 1
    You can see what is going on with apt-cache policy command. Pick one of the packages that isn't getting a security fix and run apt-cache policy packagename. This will list the priorities for various versions. You should see various lines and different priorities. If there are no lines with the priority 50, the pinning isn't affecting the packages in question for some reason. – Ressu Jul 29 '10 at 16:24
  • 2
    I had followed this answer in the past. Today I found out that due to this answer, 68 security update packages were NOT installed on my server and didn't show up as potential install candidates. This is NOT A GOOD ANSWER! – Shade Aug 22 '14 at 08:33
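The pinning above is brittle in two ways that are consistent with the last comment: the codename is hard-coded, so after a release upgrade `a=lucid-security` matches nothing and every Ubuntu version lands at priority 50, and a security update whose dependency is only available from `-updates` can be held back instead of installed. What follows is an added example (not Ressu's code) that generates the pins for the running release, keeps them outside `/etc/apt/preferences` as the answer suggests, and checks from `apt-cache policy` output whether a package's candidate version really comes from the `-security` suite. The `apt-cache policy` text embedded in it is constructed and the versions are illustrative; `VERSION_CODENAME` in `/etc/os-release` and the `Dir::Etc::PreferencesParts` option are assumed to be present, as they are on current Ubuntu.

```shell
#!/usr/bin/env bash
# Added example (not Ressu's code): build the pin file for the release that is
# actually running, keep it outside /etc/apt so it only applies when passed
# with -o, and verify from `apt-cache policy` output that the candidate
# version of a package really comes from the -security suite.
set -eu

# Emit an apt_preferences file for one codename. Both records are general
# form ("Package: *"), so the first one that matches a version decides its
# priority: -security versions get 500, everything else from Ubuntu gets 50
# (below the 100 of the installed version, so it is never chosen).
security_prefs() {
    cat <<EOF
Package: *
Pin: release o=Ubuntu,a=$1-security
Pin-Priority: 500

Package: *
Pin: release o=Ubuntu
Pin-Priority: 50
EOF
}

# Codename of the running release (VERSION_CODENAME in /etc/os-release), so a
# do-release-upgrade does not silently leave a stale "a=<old>-security" pin
# that matches nothing and pins every update to 50.
running_codename() {
    . /etc/os-release
    printf '%s\n' "$VERSION_CODENAME"
}

# Read `apt-cache policy <pkg>` output on stdin; print the suite of every
# source that publishes the Candidate version (e.g. "jammy-security").
# Version-table header lines look like "<ver> <prio>" or "*** <ver> <prio>";
# source lines below them look like "<prio> <url> <suite>/<component> <arch> Packages".
candidate_suites() {
    awk '
        $1 == "Candidate:" { cand = $2; next }
        $NF ~ /^-?[0-9]+$/ && (NF == 2 || (NF == 3 && $1 == "***")) {
            v = (NF == 3) ? $2 : $1
            inblock = (v == cand)
            next
        }
        inblock && NF == 5 && index($2, "://") { split($3, p, "/"); print p[1] }'
}

# Exit 0 when at least one of the candidate sources is a -security suite.
is_security_candidate() {
    candidate_suites | grep -q -- '-security$'
}

# Constructed `apt-cache policy vim` output; versions are illustrative.
SAMPLE='vim:
  Installed: 2:8.2.3995-1ubuntu2.15
  Candidate: 2:8.2.3995-1ubuntu2.16
  Version table:
     2:8.2.3995-1ubuntu2.16 500
        500 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu jammy-security/main amd64 Packages
 *** 2:8.2.3995-1ubuntu2.15 100
        100 /var/lib/dpkg/status'

if [ "${1:-}" = "--live" ]; then
    # Live use: write the pins, simulate, and inspect one package.
    prefs=$(mktemp)
    security_prefs "$(running_codename)" > "$prefs"
    sudo apt-get -o Dir::Etc::Preferences="$prefs" -o Dir::Etc::PreferencesParts=/dev/null -s upgrade
    apt-cache -o Dir::Etc::Preferences="$prefs" -o Dir::Etc::PreferencesParts=/dev/null policy "${2:-libssl3}" | candidate_suites
    rm -f "$prefs"
else
    printf '%s\n' "$SAMPLE" | candidate_suites
fi
```

With the pins in effect, a package the pinning has locked out shows the installed version as its candidate and `candidate_suites` prints nothing; that is the condition the comment above describes, and the check to run before trusting a quiet `apt-get upgrade`.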
14

The following is confirmed in Ubuntu 14.04 LTS.

Use the unattended-upgrade package.

Look at the file /etc/apt/apt.conf.d/50unattended-upgrades. There should be a section at the top that is:

// Automatically upgrade packages from these (origin:archive) pairs
Unattended-Upgrade::Allowed-Origins {
    "${distro_id}:${distro_codename}-security";
//  "${distro_id}:${distro_codename}-updates";
//  "${distro_id}:${distro_codename}-proposed";
//  "${distro_id}:${distro_codename}-backports";
};

Note how it has been configured to only allow unattended upgrades for security packages, by default.

Modify the file /etc/apt/apt.conf.d/10periodic similar to:

APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Unattended-Upgrade "1";

This will run automatic unattended security upgrades, once per day.

Now, to run manually: sudo unattended-upgrade.

To test as a dry-run, without doing anything: sudo unattended-upgrade --dry-run.

Sources: https://help.ubuntu.com/14.04/serverguide/automatic-updates.html and https://help.ubuntu.com/community/AutomaticSecurityUpdates

SebMa
vcardillo
12

If you wish to install only security updates, the following will work. First it lists all upgradeable packages, filters to only the ones coming from a security repo, cuts the returned strings at the first field, and then passes them to apt-get install for package update.

sudo apt list --upgradable 2>/dev/null | grep -- '-security' | cut -d/ -f1 | xargs sudo apt-get install --only-upgrade -y
  • 2
    @keypress has a great improvement for this elegant solution: using --only-upgrade to make sure no new packages will be installed. I just tested it with apt and it works. – int_ua Aug 13 '20 at 10:26
  • If I understand correctly, sudo apt update needs to be run beforehand, to make sure sudo apt list finds everything new. – mjbeyeler Mar 15 '22 at 10:10
  • Yes that's correct; apt-get update should have already been ran before being able to list any security updates. – Micah Butler Mar 16 '22 at 13:14
  • Note that if any of the installs require interactive input (e.g. to decide if existing user-edited config files should be overwritten with new ones), then this one-liner may stop half-way through with an error (it did in my case). Might be best to omit the |xargs sudo ... part and just list out the packages so you can install them one-by-one (assuming there aren't tooo many) – joe Mar 17 '22 at 06:27
  • working for me, thanks. – water_ak47 Jan 06 '23 at 04:34
8

On Debians I use this command to do only security updates:

apt-get install -y --only-upgrade $( apt-get --just-print upgrade | awk 'tolower($4) ~ /.*security.*/ || tolower($5) ~ /.*security.*/ {print $2}' | sort | uniq )
keypress
  • This (accidentally?) does not include the various linux-{modules,images,headers}-* packages. Which is prefect for my purpose, where a pretty much unattended system has an out of tree kernel module that's tedious to compile after each kernel update. – Henk Poley Feb 16 '21 at 18:06
  • Yes, this is accidentally - I thought that security updates of linux-* packages also come from security repositories. But I have not checked it. – keypress Feb 18 '21 at 15:36
  • Yeah, the Long Term Support HardWare Enablement stack updates come from the *-updates repos. So there the text 'security' is not in there. – Henk Poley Feb 23 '21 at 12:13
4

Although it's pretty ugly, you could disable all the repositories apart from the security repository and then do:

sudo apt-get update && sudo apt-get upgrade

I haven't tested it, but in theory it would only find updates in the security repo and apply them...

Stephen RC
  • Yeah, that's a possibility. I'll look into it. I'm no good at BASH, but I may try to make a script to do it. – crenshaw-dev Jul 29 '10 at 00:07
  • OK, I disabled all but the Ubuntu security repos and ran a sudo apt-get update && sudo apt-get upgrade (cancelling before any upgrades were done). Then I re-enabled all my repos, ran sudo apt-get update, and opened Update Manager. The packages marked as security updates were not exactly what apt-get upgrade found, but they were very close -- close enough for me. I still wish I knew exactly how Update Manager does it and how to do the same from the command-line, but this will do. Thanks! – crenshaw-dev Jul 29 '10 at 00:39
4
  • apt-get update: just read the entries in repository - according to existing list. Needed to check what is new.
  • apt-get upgrade: all updates for installed packages without kernel modules. No release update.
  • apt-get dist-upgrade: all updates for installed packages also with kernel modules. No release update.
  • apt-get with parameter -s: test only, no changes performed.
Eric Carvalho
fuser
1

Here's a script that achieves this in a few different ways:

#!/usr/bin/env bash
set -e

# List upgradable packages
apt-get update
apt list --upgradable 2>/dev/null

# List security upgrades (simulated; only "Inst" lines whose origin is a -security suite)
security=$(apt-get -s upgrade | awk '$1 == "Inst" && /-security/ { print $2 }')
printf '%s\n' "$security"

# Upgrade only those packages, without pulling in new ones
if [ -n "$security" ]; then
    printf '%s\n' "$security" | xargs apt-get install --only-upgrade -y
fi
  • An explanation of how this is supposed to achieve the goal would be nice. Because it doesn't actually work -- it does nothing to select security upgrades only, it just does all upgrades, security or not. – mathrick Mar 20 '24 at 17:00
0

I can't find an option in either apt-get or aptitude, however someone had the same question on SuperUser. The only response is:

Check and adjust /etc/apt/apt.conf.d/50unattended-upgrade. 
Did you replace 'karmic' with the code name of your Ubuntu?

No reply as to whether that worked however.

Mitch
Ross
  • 2
    It appears that the method described in that wiki page depends on setting aptitude's --target-release argument to -security. Like the OP of that question, that method installs all upgrades, not just security upgrades. Reading the apt-get and aptitude man pages, I don't think the --target-release argument is even intended to limit upgrades to just security, though I'm not sure just what it is for. – crenshaw-dev Jul 28 '10 at 23:38