Score:2

Install only standard security updates

Sig

On an Ubuntu 20.04 machine, when I ssh in I see

59 updates can be applied immediately.
1 of these updates is a standard security update.
To see these additional updates run: apt list --upgradable

Now, I'd like to install only the "standard security update".

I have tried with unattended-upgrade (sudo unattended-upgrade -d) but I get

...
Fetched 0 B in 0s (0 B/s)
fetch.run() result: 0
Packages blacklist due to conffile prompts: []
No packages found that can be upgraded unattended and no pending auto-removals
...

From my online research unattended-upgrade is the way to install security updates. What am I missing here? Is it because the security update is a "standard" one?

UPDATE 1

~$ sudo apt list --upgradable | grep security |cut -d\/ -f1|xargs sudo apt-get install -y

WARNING: apt does not have a stable CLI interface. Use with caution in scripts.

Reading package lists... Done
Building dependency tree
Reading state information... Done
0 upgraded, 0 newly installed, 0 to remove and 29 not upgraded.
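Added example (not part of the question or of any answer on this page): a small shell filter that selects only the entries `apt list --upgradable` reports as coming from a `-security` pocket, which is the selection the pipeline in UPDATE 1 is trying to make. It assumes the Ubuntu 20.04 line format `name/suite1,suite2 version arch [upgradable from: old]` and a constructed sample listing; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original thread.
# Assumption: `apt list --upgradable` prints one package per line as
#   name/suite1,suite2 version arch [upgradable from: old]
# and a security update is one whose suite list contains "-security".

# Read `apt list --upgradable` output on stdin, print only package names
# whose suite list includes a -security pocket.
security_upgradable() {
    # "Listing... Done" has no '/', so grep drops it before awk splits
    # each remaining line into name ($1) and suite list ($2).
    grep '/' | awk -F'[/ ]' '$2 ~ /-security/ { print $1 }'
}

# Constructed sample listing (not captured from a real host), used for
# offline testing of the filter.
sample_apt_list() {
    cat <<'EOF'
Listing... Done
libssl1.1/focal-updates,focal-security 1.1.1f-1ubuntu2.4 amd64 [upgradable from: 1.1.1f-1ubuntu2.3]
openssl/focal-updates,focal-security 1.1.1f-1ubuntu2.4 amd64 [upgradable from: 1.1.1f-1ubuntu2.3]
vim/focal-updates 2:8.1.2269-1ubuntu5.3 amd64 [upgradable from: 2:8.1.2269-1ubuntu5]
EOF
}

# Usage on a real host (run `sudo apt update` first so the index is fresh):
#   apt list --upgradable 2>/dev/null | security_upgradable \
#       | xargs -r sudo apt-get install -y --only-upgrade
# `xargs -r` skips running apt-get when the filter matched nothing, instead
# of invoking `apt-get install -y` with no packages.
```

Without `-r`, an empty match list still runs `apt-get install -y` with no arguments, which prints the same "0 upgraded, 0 newly installed" summary seen above and makes it hard to tell "nothing matched" from "nothing to do".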
https://askubuntu.com/a/1261960/15811 does what you ask
Sig
Thanks for the reply. See UPDATE 1.
user535733
The data used for the login text (called 'motd' for Message Of The Day) may be stale. Aptdaemon is NOT fired up at each login just to refresh those numbers.
Sig
@user535733 Thanks for your reply. Is there a way to manually refresh those numbers to make sure there are no security updates to be applied? PS I have rebooted the server, but the message is still the same.
user535733
Simple-but-misleading direct answer: You can refresh the numbers themselves with a simple `sudo apt update`, since that command *does* fire up aptdaemon. It's misleading because that number does NOT include Snaps nor pips nor flatpaks nor AppImages nor wheels or compiled software. And Unattended Upgrades will handle the deb security updates anyway; the point of the number is that you only need to get involved if the number is shockingly large.
Sig
Thanks for the reply. As per our internal SOP, we have to install (and document it) all security updates (even if there is just one) periodically. We assumed the `motd` was reliable. However, I now understand that is not the case. Should we trust `unattended-upgrade` to install all security updates regardless of what `motd` says?
user535733
Yes, Unattended Upgrades can be trusted. To see what packages it upgraded, review `/var/log/unattended-upgrades/unattended-upgrades.log`. The default setting for that log is to rotate monthly and to keep old logs for 6 months. With those package names in hand, you can pull the apt-changelog for each package, which will give you the CVEs that were patched. Then, when your auditor names a CVE, you have a back-trail to the package-name and the date-of-install for the patch. Alternately, you can also pull that CVE back-trail from https://ubuntu.com/security and avoid maintaining a spreadsheet.
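Added example (not code from the thread): a shell sketch of the back-trail the comment above describes, turning `/var/log/unattended-upgrades/unattended-upgrades.log` into "date package" pairs and then into "date package CVE" pairs via `apt-get changelog`. The log wording `Packages that will be upgraded:` is assumed from Ubuntu 20.04 logs, the sample log is constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original thread.
# Assumption: each unattended-upgrades run that installed something logs
#   YYYY-MM-DD HH:MM:SS,mmm INFO Packages that will be upgraded: pkg1 pkg2
# Adjust the pattern below if your log wording differs.

# Print "date package" pairs, one per line, from log text on stdin.
upgrade_trail() {
    awk '/Packages that will be upgraded:/ {
        date = $1
        # Drop everything up to and including the colon; what remains is
        # the whitespace-separated package list.
        sub(/.*Packages that will be upgraded: */, "")
        n = split($0, pkgs, " ")
        for (i = 1; i <= n; i++) print date, pkgs[i]
    }'
}

# Constructed sample log (not taken from a real host).
sample_log() {
    cat <<'EOF'
2021-03-10 06:17:01,120 INFO Starting unattended upgrades script
2021-03-10 06:17:01,121 INFO Allowed origins are: o=Ubuntu,a=focal-security
2021-03-10 06:17:05,402 INFO Packages that will be upgraded: libssl1.1 openssl
2021-03-10 06:17:40,918 INFO All upgrades installed
2021-03-17 06:21:11,003 INFO Starting unattended upgrades script
2021-03-17 06:21:11,004 INFO No packages found that can be upgraded unattended and no pending auto-removals
2021-03-24 06:19:33,550 INFO Packages that will be upgraded: sudo
EOF
}

# For each "date package" pair on stdin, fetch the package changelog and
# emit "date package CVE-id" for every CVE it mentions. Needs network
# access, so it is meant for a real host rather than the offline test.
cve_trail() {
    while read -r date pkg; do
        apt-get changelog "$pkg" 2>/dev/null \
          | grep -o 'CVE-[0-9]\{4\}-[0-9]\+' | sort -u \
          | sed "s/^/$date $pkg /"
    done
}

# Usage on a real host:
#   cat /var/log/unattended-upgrades/unattended-upgrades.log* | upgrade_trail | cve_trail
# Rotated logs are kept for six months by default, so include the
# rotated files if the audit window is longer than the current log.
```

When an auditor asks about a specific CVE, `grep` over the output of `cve_trail` gives the package and install date directly, which is the record the comment suggests keeping.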