
Ubuntu: How can I install just security updates from the command line?


Question: sudo apt-get upgrade installs all updates, not just security updates. I know
that I can use Update Manager to select only important security updates, but is
there a way to do this from the command line?

Solutions Sample (Please watch the whole video to see all solutions, in order of how many people found them helpful):

== This solution helped 111 people ==
***** A Few Tips On How To Manage Updates *****
This applies both to Debian and Ubuntu, but more specific instructions for
Ubuntu follow.

* Show security updates only:

    apt-get -s dist-upgrade | grep "^Inst" | grep -i securi

  or

    sudo unattended-upgrade --dry-run -d

  or

    /usr/lib/update-notifier/apt-check -p

* Show all upgradeable packages:

    apt-get -s dist-upgrade | grep "^Inst"

* Install security updates only:

    apt-get -s dist-upgrade | grep "^Inst" |
        grep -i securi | awk '{print $2}' |
        xargs apt-get install

Notes:

* Sometimes Ubuntu shows security updates as if they're coming from
  $release-updates repository. This is so, I'm told, because Ubuntu
  developers push security updates to $release-updates repository as well
  to expedite their availability.
  If that's the case, you can do the following to show security updates
  only:

    sudo sh -c 'grep ^deb /etc/apt/sources.list |
        grep security > /etc/apt/sources.security.only.list'

  and

    apt-get -s dist-upgrade \
        -o Dir::Etc::SourceList=/etc/apt/sources.security.only.list \
        -o Dir::Etc::SourceParts=/dev/null |
        grep "^Inst" | awk '{print $2}'

* Check what services need to be restarted after package upgrades. Figure
  out what packages you are going to upgrade beforehand and schedule your
  restarts/reboots. The problem here is that unless you restart a service
  it still may be using an older version of a library (most common reason)
  that's been loaded into memory before you installed new package which
  fixes a security vulnerability or whatever.

    checkrestart -v

  However, keep in mind that checkrestart may list processes that shouldn't
  necessarily be restarted. For example, PostgreSQL service may be keeping
  in its memory reference to an already deleted xlog file, which isn't a
  valid reason to restart the service.
  Therefore, another, more reliable, way to check this using standard utils
  is the following little bash script that I shamelessly stole from
  https://locallost.net/?p=233
  It checks if running processes on a system are still using deleted
  libraries by virtue of keeping copies of those in active memory.

    #!/bin/bash
    # List PIDs, then look for shared objects mapped from deleted files.
    ps xh -o pid |
    while read -r PROCID; do
        grep 'so.* (deleted)$' "/proc/$PROCID/maps" 2> /dev/null
        if [ $? -eq 0 ]; then
            # cmdline is NUL-separated; turn the NULs into spaces.
            CMDLINE=$(sed -e 's/\x00/ /g' < "/proc/$PROCID/cmdline")
            echo -e "\tPID $PROCID $CMDLINE\n"
        fi
    done
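
The `grep -i securi` filter in the answer above matches that string anywhere on an `Inst` line, so a package whose name contains "security" is listed even when its candidate version comes from another pocket. The added example below (not part of the original answer) inspects only the origin list in parentheses; it assumes security suites are named `<something>-security`, and the sample simulation output and version numbers are constructed.

```shell
#!/bin/sh
# Added example, not from the original answer.

# Constructed `apt-get -s dist-upgrade` output (versions are made up).
sample_sim_output() {
    cat <<'EOF'
Inst openssl [1.1.1f-1ubuntu2.19] (1.1.1f-1ubuntu2.20 Ubuntu:20.04/focal-updates, Ubuntu:20.04/focal-security [amd64])
Inst libapache2-mod-security2 [2.9.3-1] (2.9.3-1ubuntu0.1 Ubuntu:20.04/focal-updates [amd64])
Inst vim [2:8.1.2269-1ubuntu5.14] (2:8.1.2269-1ubuntu5.15 Ubuntu:20.04/focal-updates [amd64])
Inst linux-firmware (1.187.39 Ubuntu:20.04/focal-security [all])
Conf openssl (1.1.1f-1ubuntu2.20 Ubuntu:20.04/focal-updates, Ubuntu:20.04/focal-security [amd64])
EOF
}

# The filter from the answer: matches "securi" anywhere on the line.
naive_pkgs() {
    grep "^Inst" | grep -i securi | awk '{print $2}'
}

# Stricter filter: print a package only if one of the origins listed for
# its candidate version ends in "-security" (assumed suite naming).
# Line shape: Inst NAME [OLD] (NEW Origin:rel/suite, Origin:rel/suite [arch])
security_pkgs() {
    awk '
    $1 == "Inst" {
        start = index($0, "(")
        if (start == 0) next
        origins = substr($0, start + 1)
        sub(/\).*$/, "", origins)              # cut at the closing paren
        sub(/ \[[a-z0-9-]+\]$/, "", origins)   # drop the trailing [arch]
        sub(/^[^ ]+ /, "", origins)            # drop the candidate version
        n = split(origins, o, /, */)
        for (i = 1; i <= n; i++)
            if (o[i] ~ /-security$/) { print $2; break }
    }'
}

# On a real system: apt-get -s dist-upgrade | security_pkgs
sample_sim_output | security_pkgs
```

Review the resulting list before piping it into `xargs apt-get install`, since the simulation is only as current as the last `apt-get update`.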

Content (except music & images) licensed under CC BY-SA 3.0. With thanks to users vcardillo, Stephen RC, Ressu, muru, mac9416, lemonsqueeze, ILIV, fuser, Eric Carvalho, blueyed, A.B., and the Stack Exchange Network. Trademarks are property of their respective owners.
