How do you use apt-get to only install critical security updates on ubuntu?
We'd like to only upgrade packages that need to be upgraded for security reasons, without upgrading all other packages.
I read the apt-get man page carefully when I got tired of manually editing the sources.list every time I wanted to only apply security updates (that means the second time).
Figured this solution out:
    sudo cp /etc/apt/sources.list /etc/apt/security.sources.list

Edit the latter to contain only security repositories, then:

    sudo apt-get upgrade -o Dir::Etc::SourceList=/etc/apt/security.sources.list

Tadaaaa... Scriptable stuff.
    grep security /etc/apt/sources.list | sudo tee /etc/apt/security.sources.list

to avoid manual editing.

unattended-upgrades because I don't like services restarting without permission.

    grep -h security -R /etc/apt/sources.list /etc/apt/sources.list.d/ | sudo tee /etc/apt/sec && sudo apt-get upgrade -o Dir::Etc::SourceParts='' -o Dir::Etc::SourceList=/etc/apt/sec

If you are just looking to do this quickly once, instead of creating a separate repository and scripting up some automation and all that. Great if you aren't supposed to be making changes while auditing a system or whatever.
These two commands will spit out the list. Pipe to wc -l to see how many are behind. ;-)

    grep security /etc/apt/sources.list > /tmp/security.list
    sudo apt-get upgrade -oDir::Etc::Sourcelist=/tmp/security.list -s

Still valid for older distros or if you have update repos off, but security on:

    sudo apt-get upgrade -s | grep ^Inst | grep Security

What I do:
    apt-get update
    apt-get install -y --only-upgrade $( apt-get --just-print upgrade | awk 'tolower($4) ~ /.*security.*/ || tolower($5) ~ /.*security.*/ {print $2}' | sort | uniq )

A small description of what happens in the 2nd command:

apt-get install -y --only-upgrade $(CREATE_LIST_WITH_SECURITY_UPDATES) → Upgrade all packages in the list created with CREATE_LIST_WITH_SECURITY_UPDATES without asking for confirmation and make sure no new packages are installed.

Explanation of CREATE_LIST_WITH_SECURITY_UPDATES:

apt-get --just-print upgrade → Show all packages for which an upgrade is available
awk 'PARSING_COMMANDS' → Parse the output in such a way that it is transformed into a list of lines containing the packages that should be updated
sort | uniq → Sort the list alphabetically and filter out packages mentioned twice (uniq doesn't work correctly without sorting first)

Explanation of PARSING_COMMANDS:

awk 'tolower($4) ~ /.*security.*/ || tolower($5) ~ /.*security.*/ → Check if either the 4th or 5th column in the output contains "security". By using tolower we make sure that it doesn't matter whether security contains lower or upper case chars.
{print $2}' → If we found that it's a security update using the command above, print the 2nd column (which is the package name). If it's not a security update this print $2 will not be executed and the line will be ignored.

I don't know if it will work, but apt has its sources in /etc/apt/sources.list and/or /etc/sources.list.d/
Why not edit the file, and comment out all lines that are not part of the security updates?
The security lines for apt should be something like this:
deb http://security.ubuntu.com/ubuntu ..... ..... ...
Leave those lines alone and comment all the others.
unattended-upgrades package.
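The awk filter from the apt-get --just-print answer above, carried one step further as an added example (this is not code from any of the answers): it locates the origin token relative to the "(" that opens the candidate-version group, so it does not matter whether the optional "[old-version]" field shifts the columns, it matches the -security suite name rather than the word "security" anywhere in a field, and it ignores the duplicate Conf lines. The dry-run lines it runs over are a constructed sample, not real package data.

```shell
# Added example (not from any answer above): print the package names whose
# candidate version comes from a *-security suite, reading the output of
# `apt-get --just-print upgrade` on stdin.
security_pkgs() {
    awk '
        $1 == "Inst" {
            origin = ""
            # The "[old-version]" field is optional, so find the field that
            # opens the "(candidate-version origin [arch])" group instead of
            # relying on a fixed column number; the origin token follows it.
            for (i = 3; i <= NF; i++) {
                if (substr($i, 1, 1) == "(") {
                    origin = $(i + 1)
                    break
                }
            }
            # Match the suite name itself (e.g. jammy-security), not the word
            # "security" wherever it appears; Conf lines never reach here.
            if (tolower(origin) ~ /-security/) print $2
        }
    ' | sort -u
}

# Constructed sample of dry-run output (shape only; names and versions are made up).
SAMPLE_DRYRUN='Inst libexample1 [1.0-1] (1.0-1ubuntu0.1 Ubuntu:22.04/jammy-security [amd64])
Inst example-tools (2.3-0ubuntu1 Ubuntu:22.04/jammy-updates [amd64])
Inst security-docs (3.1 Ubuntu:22.04/jammy-updates [all])
Conf libexample1 (1.0-1ubuntu0.1 Ubuntu:22.04/jammy-security [amd64])
Inst libother2 [2.0-3] (2.0-3ubuntu0.2 Ubuntu:22.04/jammy-security [amd64])'

# Real use: apt-get --just-print upgrade | security_pkgs
printf '%s\n' "$SAMPLE_DRYRUN" | security_pkgs
```

The sample shows why the suite-name match matters: "security-docs" comes from jammy-updates and is correctly left out even though its name contains the word.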