
I need to list (not count or install) all pending security updates on an Ubuntu 14.04 system. I've read the post How to create a list of only security updates with apt-get? and its accepted answer (apt-show-versions | grep upgradeable | grep security) does indeed give me a list.

However, that command lists 62 pending security updates. /usr/lib/update-notifier/apt-check tells me that I have 75 pending security updates, but doesn't seem to have a way to list them. How can I reconcile these two numbers? Is one of the two commands doing something other than what I want?

8 Answers

  • apt list --upgradable lists all updates available.
  • apt list --upgradable | grep "\-security" lists all updates that are security updates.
  • apt list --upgradable 2>/dev/null | grep "\-security" | wc -l counts the number of security updates available, and redirects stderr output like "WARNING: apt does not have a stable CLI interface. Use with caution in scripts." to /dev/null.
jtlindsey
  • This is not entirely correct. On a system of ours, it lists 7 packages, while /usr/lib/update-notifier/apt-check lists 12 security updates. Too bad it cannot list them. – Reinier Post May 11 '20 at 11:17
  • Works for me in a pinch. Thanks for the tip! – pepoluan Oct 21 '20 at 04:30
  • 3
    This only lists packages offered for upgrade, not packages offered for dist-upgrade. (see https://askubuntu.com/questions/441921/why-does-usr-lib-update-notifier-apt-check-not-agree-with-apt-get-upgrade) unattended-upgrades only upgrades the former (by default), while apt-check counts the latter. – Reinier Post Feb 05 '21 at 09:18

This is for when you are just looking to do this quickly once, instead of creating a separate repository and scripting up some automation and all that. It's great if you aren't supposed to be making changes while auditing a system or whatever.

These two commands will spit out the list. Pipe to wc -l to see how many are behind. ;-)

grep security /etc/apt/sources.list > /tmp/security.list
sudo apt-get upgrade -oDir::Etc::Sourcelist=/tmp/security.list -oDir::Etc::SourceParts=/some/valid/dir/false -s

Still valid for older distros or if you have update repos off, but security on:

sudo apt-get upgrade -s | grep ^Inst | grep -i security 
flickerfly
  • Why do you write "Still valid for older distros or if you have update repos off, but security on"? If the piped solution does not work, maybe add the -V (--verbose-versions) option? – myrdd Jan 07 '19 at 11:04
  • @myrdd Because the first uses features that weren't available on distros that were going out of style back in 2016. Might not be a thing anymore. – flickerfly Jan 08 '19 at 17:00
  • so the latter solution should always work, no? – myrdd Jan 09 '19 at 08:43
  • 2
    @myrdd As long as the format of the output doesn't change in a newer version. The first is better because it isn't dependent upon format of output. – flickerfly Jan 17 '19 at 18:07

There must be a way to request how many packages are updatable and how many security updates there are right now, but if you settle for asking once a day you can simply read the file /var/lib/update-notifier/updates-available, which seems to be updated daily by the script /etc/cron.daily/update-notifier-common, which belongs to the package update-notifier-common.

Example:

$ sudo cat /var/lib/update-notifier/updates-available

355 packages can be updated.
1 update is a security update.

Tested in:

  • Ubuntu 14.04 LTS
  • Ubuntu 16.04 LTS
  • Ubuntu 18.04 LTS

Regards,

/Ángel

sudo apt-get -s --no-download dist-upgrade -V | grep "^Inst.*security.*$" | cut -d " " -f 2

With some help from this question

lolcode

The other answers given here do not all list the same security upgrades.

Ubuntu has two standard policies for upgrading packages: apt-get upgrade is more conservative than apt-get dist-upgrade. The latter will generally upgrade more packages, and it may contain security upgrades that the former ignores.

The notification shown (by default) upon login is a cached copy of the output of apt-check:

$ /usr/lib/update-notifier/apt-check --human-readable
92 packages can be updated.
3 updates are security updates.

These numbers count packages that will be upgraded by apt-get dist-upgrade; you can list these security upgrades as follows:

sudo apt-get --no-download -s dist-upgrade -V | awk '/^Inst.*security/ {print $2}'

or

apt-get -s dist-upgrade -V | awk '/^Inst.*security/ {print $2}'

To see just the security upgrades in an apt-get upgrade, do

apt-get -s upgrade -V | awk '/^Inst.*security/ {print $2}'

or

apt list --upgradable

By default, unattended-upgrades only runs an upgrade, not dist-upgrade.

This explains why unattended-upgrades, even when configured to automatically install security upgrades, doesn't always install all security upgrades reported by apt-check.

All of these tools use the local package index - so to check the status on the Ubuntu mirror your host is using, first update it with sudo apt update.

A mirror can be out of date in principle, so if you want to check at the source, you need to check on Launchpad - at least for packages distributed by Ubuntu.
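The upgrade versus dist-upgrade difference this answer describes can be seen without touching a live system. The following is an added example, not code from the answer: it runs the answer's awk filter over constructed samples of `apt-get -s upgrade -V` and `apt-get -s dist-upgrade -V` output (the same Inst line format apt-get prints), lists what only dist-upgrade would install, and shows why anchoring on the origin field is safer than matching the word "security" anywhere on an Inst line. The kernel lines mimic the focal case from the "Mystery solved" answer further down; "securityfs-tools" is a made-up package name used only to show a false match on the package name.

```shell
#!/bin/sh
# Added example, not code from the answer above. Both samples are CONSTRUCTED
# apt-get -s ... -V output; "securityfs-tools" is a made-up package.

# apt-get upgrade never installs NEW packages, so the kernel metapackages
# that need a new linux-image-* are kept back and get no Inst line.
UPGRADE_SIM='Calculating upgrade...
The following packages have been kept back:
  linux-generic linux-headers-generic linux-image-generic
The following packages will be upgraded:
  libssl1.1 securityfs-tools
2 upgraded, 0 newly installed, 0 to remove and 3 not upgraded.
Inst libssl1.1 [1.1.1f-1ubuntu2.1] (1.1.1f-1ubuntu2.2 Ubuntu:20.04/focal-updates, Ubuntu:20.04/focal-security [amd64])
Inst securityfs-tools [1.0] (1.1 Ubuntu:20.04/focal-updates [amd64])
Conf libssl1.1 (1.1.1f-1ubuntu2.2 Ubuntu:20.04/focal-updates, Ubuntu:20.04/focal-security [amd64])
Conf securityfs-tools (1.1 Ubuntu:20.04/focal-updates [amd64])'

# dist-upgrade resolves the metapackages: five new kernel packages plus the
# three metapackages all get Inst lines (new packages have no [old] field).
DIST_UPGRADE_SIM='Calculating upgrade...
The following NEW packages will be installed:
  linux-headers-5.4.0-56 linux-headers-5.4.0-56-generic linux-image-5.4.0-56-generic
  linux-modules-5.4.0-56-generic linux-modules-extra-5.4.0-56-generic
The following packages will be upgraded:
  libssl1.1 linux-generic linux-headers-generic linux-image-generic securityfs-tools
5 upgraded, 5 newly installed, 0 to remove and 0 not upgraded.
Inst linux-headers-5.4.0-56 (5.4.0-56.62 Ubuntu:20.04/focal-updates, Ubuntu:20.04/focal-security [all])
Inst linux-headers-5.4.0-56-generic (5.4.0-56.62 Ubuntu:20.04/focal-updates, Ubuntu:20.04/focal-security [amd64])
Inst linux-modules-5.4.0-56-generic (5.4.0-56.62 Ubuntu:20.04/focal-updates, Ubuntu:20.04/focal-security [amd64])
Inst linux-image-5.4.0-56-generic (5.4.0-56.62 Ubuntu:20.04/focal-updates, Ubuntu:20.04/focal-security [amd64])
Inst linux-modules-extra-5.4.0-56-generic (5.4.0-56.62 Ubuntu:20.04/focal-updates, Ubuntu:20.04/focal-security [amd64])
Inst linux-generic [5.4.0.53.56] (5.4.0.56.59 Ubuntu:20.04/focal-updates, Ubuntu:20.04/focal-security [amd64])
Inst linux-headers-generic [5.4.0.53.56] (5.4.0.56.59 Ubuntu:20.04/focal-updates, Ubuntu:20.04/focal-security [amd64])
Inst linux-image-generic [5.4.0.53.56] (5.4.0.56.59 Ubuntu:20.04/focal-updates, Ubuntu:20.04/focal-security [amd64])
Inst libssl1.1 [1.1.1f-1ubuntu2.1] (1.1.1f-1ubuntu2.2 Ubuntu:20.04/focal-updates, Ubuntu:20.04/focal-security [amd64])
Inst securityfs-tools [1.0] (1.1 Ubuntu:20.04/focal-updates [amd64])'

# The filter from the answer: any Inst line containing "security".
# It also fires on a package whose name contains "security".
security_pkgs_naive() {
    printf '%s\n' "$1" | awk '/^Inst.*security/ { print $2 }'
}

# Stricter: require "/<codename>-security" inside the origin list.
# $1 = simulation output, $2 = codename ("focal" here; on a live system
# pass "$(lsb_release -cs)").
security_pkgs_strict() {
    printf '%s\n' "$1" | awk -v suite="/$2-security" '
        /^Inst/ && index($0, suite) { print $2 }'
}

# Security packages dist-upgrade would install that plain upgrade does not.
# $1 = upgrade output, $2 = dist-upgrade output, $3 = codename.
missed_by_upgrade() {
    {
        security_pkgs_strict "$1" "$3" | sed 's/^/U /'
        security_pkgs_strict "$2" "$3" | sed 's/^/D /'
    } | awk '$1 == "U" { seen[$2] = 1 }
             $1 == "D" && !($2 in seen) { print $2 }'
}

# Count non-empty lines on stdin (prints 0 for empty input).
count() { awk 'NF { n++ } END { print n + 0 }'; }

echo "naive filter, upgrade:   $(security_pkgs_naive "$UPGRADE_SIM" | count)"
echo "strict filter, upgrade:  $(security_pkgs_strict "$UPGRADE_SIM" focal | count)"
echo "strict, dist-upgrade:    $(security_pkgs_strict "$DIST_UPGRADE_SIM" focal | count)"
echo "only via dist-upgrade:"
missed_by_upgrade "$UPGRADE_SIM" "$DIST_UPGRADE_SIM" focal
```

On these samples the plain upgrade yields one security package, the dist-upgrade nine, and the eight extra ones are all kernel packages that apt-get upgrade keeps back because they need new packages installed. That is the gap between the apt-check count and an upgrade-only listing; the `^Inst` anchor also keeps the Conf lines and the summary sections out of the list.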


This worked for me:

sudo unattended-upgrade --dry-run -d 2> /dev/null | awk '/Checking/ { print $2 }'
Samuel James
  • Shows all available updates, but doesn't limit to security updates if I'm not mistaken. Still helpful. – delf Aug 27 '18 at 14:04
sudo apt list --upgradable |grep "/$(lsb_release -cs)-security"

This lists all available updates which come via the security repository.

zerwas

Mystery solved: /usr/lib/update-notifier/apt-check counts "real" packages whereas apt list --upgradable counts virtual packages. Example:

8 updates can be installed immediately.
8 of these updates are security updates.

apt list --upgradable          # only 3 lines
linux-generic/focal-updates,focal-security 5.4.0.56.59 amd64 [upgradable from: 5.4.0.53.56]
linux-headers-generic/focal-updates,focal-security 5.4.0.56.59 amd64 [upgradable from: 5.4.0.53.56]
linux-image-generic/focal-updates,focal-security 5.4.0.56.59 amd64 [upgradable from: 5.4.0.53.56]

apt upgrade
The following NEW packages will be installed:
  linux-headers-5.4.0-56 linux-headers-5.4.0-56-generic linux-image-5.4.0-56-generic
  linux-modules-5.4.0-56-generic linux-modules-extra-5.4.0-56-generic
The following packages will be upgraded:
  linux-generic linux-headers-generic linux-image-generic
3 upgraded, 5 newly installed, 0 to remove and 0 not upgraded.

MarcH
  • I don't think this is true. Rather, apt list only looks at upgrades, while apt-check looks at dist-upgrades. See https://askubuntu.com/questions/441921/why-does-usr-lib-update-notifier-apt-check-not-agree-with-apt-get-upgrade – Reinier Post Feb 05 '21 at 08:57