
How do you use apt-get to only install critical security updates on ubuntu?

We'd like to only upgrade packages that need to be upgraded for security reasons, without upgrading all other packages.

readonly
    There is a great answer to this on askubuntu http://askubuntu.com/questions/194/how-can-i-install-just-security-updates-from-the-command-line – user9517 May 16 '11 at 18:55
  • Perhaps I'm stating the obvious, but if you are running a stable distribution, the only updates you get will be critical updates (mostly security, occasionally fixing crucial breakage in a package). – tripleee Jan 22 '13 at 11:30
  • Two [duplicate](http://askubuntu.com/q/194/20358) [threads](http://stackoverflow.com/a/35825436/712526) (with different solutions & different explanations). – jpaugh Nov 05 '16 at 13:16
  • For Debian [check **debsecan**](https://stackoverflow.com/a/35825436/4970442) ([homepage](https://security-team.debian.org/security_tracker.html)) and of course `unattended-upgrades` package. – Pablo A Dec 31 '18 at 20:33

5 Answers


I read the apt-get man page carefully when I got tired of manually editing the sources.list every time I wanted to only apply security updates (that means the second time).

Figured this solution out:

sudo cp /etc/apt/sources.list /etc/apt/security.sources.list

Edit the latter to contain only security repositories, then:

sudo apt-get upgrade -o Dir::Etc::SourceList=/etc/apt/security.sources.list

Tadaaaa... Scriptable stuff.

  • Very nice! You can also `grep security /etc/apt/sources.list | sudo tee /etc/apt/security.sources.list` to avoid manual editing. – jpaugh Nov 05 '16 at 12:57
  • Ressu shows a trick to do this in apt preferences by [pinning normal packages to a lower priority](http://askubuntu.com/a/272/20358), but that seems a bit hacky. YMMV – jpaugh Nov 05 '16 at 13:05
  • I prefer this to using `unattended-upgrades` because I don't like services restarting without permission. – Christopher Schultz Jul 24 '20 at 12:12

Try the unattended-upgrades or any of the other methods listed here. It can be used to configure automatic security updates (I believe it's used when asked during the installer) as well as other upgrades automatically. See the man pages for more details.

gravyface


If you are just looking to do this quickly once, instead of creating a separate repository and scripting up some automation and all that. Great if you aren't supposed to be making changes while auditing a system or whatever.

These two commands will spit out the list. Pipe to wc -l to see how many are behind. ;-)

grep security /etc/apt/sources.list > /tmp/security.list
sudo apt-get upgrade -oDir::Etc::Sourcelist=/tmp/security.list -s

Still valid for older distros or if you have update repos off, but security on:

sudo apt-get upgrade -s | grep ^Inst | grep Security

flickerfly


I don't know if it will work, but apt has its sources in /etc/apt/sources.list and/or /etc/sources.list.d/

Why not edit the file, and comment all lines that are not part of the security updates?

The security lines for apt should be something like this:

deb http://security.ubuntu.com/ubuntu ..... ..... ...

Leave those lines alone and comment all the others.

Feiticeir0


What I do:

apt-get update
apt-get install -y --only-upgrade $( apt-get --just-print upgrade | awk 'tolower($4) ~ /.*security.*/ || tolower($5) ~ /.*security.*/ {print $2}' | sort | uniq )

keypress
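Added example, not from any of the answers above: it combines the separate-sources-list approach of the first and third answers with the simulated-upgrade parsing of the last answer, in a form that can be scripted. It assumes one-line-style `deb` entries in /etc/apt/sources.list (deb822 `.sources` files are not handled) and that `Dir::Etc::SourceParts=/dev/null` is enough to ignore /etc/apt/sources.list.d/ for the run; the sample sources file and apt output in the test are constructed.

```shell
#!/bin/sh
# Build a security-only sources list, simulate the upgrade against it, and
# print the packages whose new version comes from a *-security suite.

# Print the uncommented deb/deb-src lines of $1 whose suite is "<release>-security".
# Matching the suite, not just the word "security", avoids matching the
# security.ubuntu.com host name on unrelated lines.
security_sources() {
    grep -E '^[[:space:]]*deb(-src)?[[:space:]].*[[:space:]][a-z]+-security[[:space:]]' "$1"
}

# Read "apt-get -s upgrade" output on stdin and print, sorted and deduplicated,
# the names of packages on "Inst" lines whose candidate version is from a
# -security suite ("Conf" lines are skipped so each package appears once).
security_upgrades_from_sim() {
    awk '$1 == "Inst" && /-security/ { print $2 }' | sort -u
}

# Refresh only the security sources and list what a real upgrade would touch.
# Needs root for apt-get update; nothing is installed (-s simulates).
# Assumption: SourceParts=/dev/null disables /etc/apt/sources.list.d/ for this run.
security_upgrade_preview() {
    list=$(mktemp) || return 1
    security_sources /etc/apt/sources.list > "$list"
    opts="-o Dir::Etc::SourceList=$list -o Dir::Etc::SourceParts=/dev/null"
    apt-get update $opts >/dev/null
    apt-get upgrade -s $opts | security_upgrades_from_sim
    rm -f "$list"
}

# Only touch the live system when explicitly asked.
if [ "${1:-}" = "--preview" ]; then
    security_upgrade_preview
fi
```

To apply instead of preview, feed the printed names to `apt-get install --only-upgrade` as the last answer does, or drop `-s` and add `-y` if you want the whole thing unattended.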