Ubuntu

Ubuntu security upgrade

Version 1

The package unattended-upgrades provides functionality to install security updates automatically.

You could use this, but instead of configuring the automatic part you could call it manually:

sudo unattended-upgrade -d --dry-run
sudo unattended-upgrade -d

If you want to run it quietly instead:

sudo unattended-upgrade

NOTE: When you call unattended-upgrade you leave the “s” off the end.

This assumes that the package is installed by default, which it probably is. If not, just do:

sudo apt-get install unattended-upgrades

See also /usr/share/doc/unattended-upgrades/README.md.

Version 2

A Few Tips On How To Manage Updates

This applies both to Debian and Ubuntu, but more specific instructions for Ubuntu follow.

  • Show security updates only:
    apt-get -s dist-upgrade | grep "^Inst" | grep -i securi
    or
    sudo unattended-upgrade --dry-run -d
    or
    /usr/lib/update-notifier/apt-check -p
  • Show all upgradeable packages:
    apt-get -s dist-upgrade | grep "^Inst"
  • Install security updates only:
    apt-get -s dist-upgrade | grep "^Inst" | grep -i securi | awk '{print $2}' | xargs apt-get install

Notes:

  • Sometimes Ubuntu shows security updates as if they’re coming from the $release-updates repository. This is so, I’m told, because Ubuntu developers push security updates to the $release-updates repository as well to expedite their availability. If that’s the case, you can do the following to show security updates only:
    sudo sh -c 'grep ^deb /etc/apt/sources.list | grep security > /etc/apt/sources.security.only.list'
    and
    apt-get -s dist-upgrade -o Dir::Etc::SourceList=/etc/apt/sources.security.only.list -o Dir::Etc::SourceParts=/dev/null | grep "^Inst" | awk '{print $2}'
  • Check what services need to be restarted after package upgrades. Figure out what packages you are going to upgrade beforehand and schedule your restarts/reboots. The problem here is that unless you restart a service it may still be using an older version of a library (the most common reason) that was loaded into memory before you installed the new package which fixes a security vulnerability or whatever.
    checkrestart -v
    However, keep in mind that checkrestart may list processes that shouldn’t necessarily be restarted. For example, the PostgreSQL service may be keeping in its memory a reference to an already deleted xlog file, which isn’t a valid reason to restart the service. Therefore, another, more reliable, way to check this using standard utils is the following little bash script that I shamelessly stole from https://locallost.net/?p=233. It checks if running processes on a system are still using deleted libraries by virtue of keeping copies of those in active memory.
    # For every running PID, look for shared objects in its memory map that
    # have been deleted (i.e. replaced on disk by an upgrade) and print the
    # process command line if any are found.
    ps xh -o pid | while read PROCID; do
      grep 'so.* (deleted)$' /proc/$PROCID/maps 2> /dev/null
      if [ $? -eq 0 ]; then
        CMDLINE=$(sed -e 's/\x00/ /g' < /proc/$PROCID/cmdline)
        echo -e "\tPID $PROCID $CMDLINE\n"
      fi
    done

Version 3

apt-get install -y --only-upgrade $( apt-get --just-print upgrade | awk 'tolower($4) ~ /.*security.*/ || tolower($5) ~ /.*security.*/ {print $2}' | sort | uniq )
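The one-liners in Version 2 ("Install security updates only") and Version 3 both pick the package name out of apt-get's simulation output by fixed awk field position or a loose "securi" grep. The following is an added example, not from the original page: a small shell function that reads the same "Inst ..." lines, keeps only those whose origin list names a "-security" pocket, and ignores the "Conf" lines so each package is listed once. The apt-get output below is constructed to look like real Ubuntu simulation lines.

```shell
#!/bin/sh
# Constructed sample of `apt-get -s dist-upgrade` output (not captured from a real host).
SAMPLE_APT_OUTPUT='Reading package lists...
Building dependency tree...
Inst libssl3 [3.0.2-0ubuntu1.9] (3.0.2-0ubuntu1.10 Ubuntu:22.04/jammy-security [amd64])
Inst openssl [3.0.2-0ubuntu1.9] (3.0.2-0ubuntu1.10 Ubuntu:22.04/jammy-security [amd64])
Inst vim [2:8.2.3995-1ubuntu2.9] (2:8.2.3995-1ubuntu2.11 Ubuntu:22.04/jammy-updates [amd64])
Inst linux-libc-dev [5.15.0-76.83] (5.15.0-78.85 Ubuntu:22.04/jammy-updates, Ubuntu:22.04/jammy-security [amd64])
Conf libssl3 (3.0.2-0ubuntu1.10 Ubuntu:22.04/jammy-security [amd64])
Conf openssl (3.0.2-0ubuntu1.10 Ubuntu:22.04/jammy-security [amd64])'

# security_packages: read apt-get -s output on stdin and print one package
# name per line for every "Inst" line whose origin list mentions a
# "<suite>-security" pocket. "Conf" lines are skipped, so the package
# that appears both as Inst and Conf is reported only once. A package that
# is available from both -updates and -security (linux-libc-dev above)
# still counts as a security update.
security_packages() {
  awk '$1 == "Inst" && $0 ~ /[a-z]+-security/ { print $2 }' | sort -u
}

# On a live system the function is used in place of the constructed sample:
#   apt-get -s dist-upgrade | security_packages
#   apt-get -s dist-upgrade | security_packages | xargs -r sudo apt-get install -y --only-upgrade
printf '%s\n' "$SAMPLE_APT_OUTPUT" | security_packages
```

Because the filter keys on the pocket name rather than on a field number, it also copes with Inst lines that list several origins separated by commas.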
