How can I install just security updates from the command line?

The package unattended-upgrades provides functionality to install security updates automatically.

You could use this, but instead of configuring the automatic part you could call it manually:

sudo unattended-upgrade -d --dry-run
sudo unattended-upgrade -d # same as --debug

If you want to run it quietly instead:

sudo unattended-upgrade

Note: When you call unattended-upgrade you leave the "s" off the end (on newer versions there is a symlink to avoid this).

This assumes that the package is installed by default, which it probably is. If not, just do:

sudo apt install unattended-upgrades

See also /usr/share/doc/unattended-upgrades/README.md.
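As an added illustration (not part of the answer above), this is the kind of origin configuration unattended-upgrade consults to decide what counts as a security update; the path and the values follow the Ubuntu and Debian package defaults as I know them, so check them against the README mentioned above before relying on them:

```conf
// /etc/apt/apt.conf.d/50unattended-upgrades (path assumed to match the package default)
// Ubuntu-style origin list: only the security pocket is allowed here, so a
// manual `unattended-upgrade --dry-run -d` run will consider nothing else.
Unattended-Upgrade::Allowed-Origins {
    "${distro_id}:${distro_codename}-security";
    // "${distro_id}:${distro_codename}-updates";   // leave commented out for security-only
};

// Debian-style equivalent, matching on the archive label instead of the suite name.
// Unattended-Upgrade::Origins-Pattern {
//     "origin=Debian,codename=${distro_codename},label=Debian-Security";
// };
```

The -d run described above is the easy way to confirm the effect: it logs the origins it treats as allowed and then lists the packages it would have installed.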


A Few Tips On How To Manage Updates

This applies both to Debian and Ubuntu, but more specific instructions for Ubuntu follow.

  • Show security updates only:

    apt-get -s dist-upgrade | grep "^Inst" | grep -i securi

    or

    sudo unattended-upgrade --dry-run -d
    

    or

    /usr/lib/update-notifier/apt-check -p
    
  • Show all upgradeable packages

    apt-get -s dist-upgrade | grep "^Inst"
    
  • Install security updates only

    apt-get -s dist-upgrade | grep "^Inst" |
        grep -i securi | awk '{print $2}' |
        xargs apt-get install

Notes:

  • Sometimes Ubuntu shows security updates as if they're coming from the $release-updates repository. This is so, I'm told, because Ubuntu developers push security updates to the $release-updates repository as well to expedite their availability.

    If that's the case, you can do the following to show security updates only:

    sudo sh -c 'grep ^deb /etc/apt/sources.list | 
        grep security > /etc/apt/sources.security.only.list'
    

    and

    apt-get -s dist-upgrade -o Dir::Etc::SourceList=/etc/apt/sources.security.only.list -o Dir::Etc::SourceParts=/dev/null |
        grep "^Inst" | awk '{print $2}'
  • Check what services need to be restarted after package upgrades. Figure out what packages you are going to upgrade beforehand and schedule your restarts/reboots. The problem here is that unless you restart a service, it may still be using an older version of a library (the most common reason) that was loaded into memory before you installed the new package which fixes a security vulnerability or whatever.

    checkrestart -v
    

    However, keep in mind that checkrestart may list processes that shouldn't necessarily be restarted. For example, the PostgreSQL service may be keeping in its memory a reference to an already deleted xlog file, which isn't a valid reason to restart the service.

    Therefore, another, more reliable, way to check this using standard utils is the following little bash script that I shamelessly stole from https://locallost.net/?p=233

    It checks if running processes on a system are still using deleted libraries by virtue of keeping copies of those in active memory.

    ps xh -o pid |
    while read PROCID; do
        # any mapped shared object marked "(deleted)" means the old file is still in use
        grep 'so.* (deleted)$' "/proc/$PROCID/maps" 2> /dev/null
        if [ $? -eq 0 ]; then
            CMDLINE=$(sed -e 's/\x00/ /g' < "/proc/$PROCID/cmdline")
            echo -e "\tPID $PROCID $CMDLINE\n"
        fi
    done
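The `grep -i securi` filter in the tips above matches the whole line, so a package whose name merely contains "securi" would be picked up too. As an added example (my code, not the answer's), the script below instead looks at the origin list that `apt-get -s dist-upgrade` prints in parentheses after the candidate version; the sample output it runs against is constructed, not captured from a real host, and the package name `libsecuritytool1` in it is invented to show the false match:

```shell
#!/bin/sh
# Added example: select security updates by the origin recorded in
# `apt-get -s dist-upgrade` output rather than by grepping the whole line.

# Constructed sample of `apt-get -s dist-upgrade` output (not from a real host).
# Format: Inst <pkg> [<installed>] (<candidate> <origin>[, <origin>...] [arch])
SAMPLE_APT_SIM='Reading package lists...
Building dependency tree...
Inst libssl3 [3.0.2-0ubuntu1.10] (3.0.2-0ubuntu1.12 Ubuntu:22.04/jammy-security, Ubuntu:22.04/jammy-updates [amd64])
Inst libsecuritytool1 [1.0-1] (1.0-2 Ubuntu:22.04/jammy-updates [amd64])
Inst openssl [3.0.9-1] (3.0.11-1~deb12u2 Debian-Security:12/stable-security [amd64])
Inst vim [2:8.2.3995-1ubuntu2.15] (2:8.2.3995-1ubuntu2.16 Ubuntu:22.04/jammy-updates [amd64])
Conf libssl3 (3.0.2-0ubuntu1.12 Ubuntu:22.04/jammy-security, Ubuntu:22.04/jammy-updates [amd64])'

# security_packages: read simulation output on stdin and print the name of
# every package whose candidate version is offered by a *-security pocket.
security_packages() {
    awk '
        /^Inst / {
            # drop everything up to the "(" so the package name itself is never matched
            origins = substr($0, index($0, "(") + 1)
            if (origins ~ /-security[ ,]/) print $2
        }'
}

# all_upgradeable: every package the simulation would install, for comparison.
all_upgradeable() {
    awk '/^Inst / { print $2 }'
}

# Demonstration on the constructed sample: prints libssl3 and openssl only.
printf '%s\n' "$SAMPLE_APT_SIM" | security_packages

# On a real host the same filter slots into the pipeline from the tips above:
#   apt-get -s dist-upgrade | security_packages | xargs -r apt-get install
```

When feeding the result to `xargs apt-get install`, remember that apt-get's confirmation prompt reads from the same pipe xargs just drained, so either review the list first and add `-y`, or use GNU xargs' `-o` option to hand the terminal back to apt-get.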

Replace /etc/apt/preferences with the following:

Package: *
Pin: release a=lucid-security
Pin-Priority: 500

Package: *
Pin: release o=Ubuntu
Pin-Priority: 50

Now a simple apt-get upgrade will upgrade all security updates only.

Why (and how) this works: The preferences file will pin all packages from the Ubuntu distribution to priority 50, which will make them less desirable than already installed packages. Files originating from the security repository are given the default (500) priority, so they are considered for installation. This means that the only packages considered more desirable than the currently installed ones are security updates. More information about pinning is in the apt_preferences manpage.

You can temporarily promote a certain distribution for updates with the --target-release option, which works with apt-get and aptitude (at least) and will allow you to pin certain releases so that they are eligible for upgrade.

If you wish to use this for scripts only and not make it the default for the system, you can place the rules into some other location and use this instead:

apt-get -o Dir::Etc::Preferences=/path/to/preferences_file upgrade

This will make apt look for the preferences file from a non-default location.

The preferences file given as an example doesn't apply to third-party repositories; if you wish to pin those too, you can use apt-cache policy to easily determine the required keys for pinning.
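The preferences file above is tied to one release (`a=lucid-security`). As an added example (my code, not the answer's), the script below generates the same two rules for the running release, using the `o=`, `a=` and `l=` fields that `apt-cache policy` prints, and runs the simulation against a scratch file so /etc/apt/preferences is untouched. It assumes /etc/os-release provides `ID` and `VERSION_CODENAME`, and that Debian security updates carry the label `Debian-Security`; verify both with `apt-cache policy` on your own host:

```shell
#!/bin/sh
# Added example: build security-only pinning rules for the current release
# and test them from a non-default preferences path.

# security_prefs ID CODENAME
# Prints rules that keep the security pocket at the default priority (500)
# and push every other version from the distribution down to 50.
security_prefs() {
    case "$1" in
        ubuntu)
            printf 'Package: *\nPin: release o=Ubuntu,a=%s-security\nPin-Priority: 500\n\n' "$2"
            printf 'Package: *\nPin: release o=Ubuntu\nPin-Priority: 50\n'
            ;;
        debian)
            # Assumption: Debian's security archive is labelled Debian-Security
            printf 'Package: *\nPin: release o=Debian,l=Debian-Security\nPin-Priority: 500\n\n'
            printf 'Package: *\nPin: release o=Debian\nPin-Priority: 50\n'
            ;;
        *)
            echo "security_prefs: no rules for distribution '$1'" >&2
            return 1
            ;;
    esac
}

# release_id: prints "ID CODENAME" from /etc/os-release, e.g. "ubuntu jammy".
release_id() {
    ( . /etc/os-release && printf '%s %s\n' "$ID" "$VERSION_CODENAME" )
}

# simulate_security_upgrade: write the rules to a temporary file and ask apt
# what it would upgrade under them. Simulation only; nothing is installed.
# PreferencesParts is pointed at /dev/null so /etc/apt/preferences.d/ fragments
# do not silently add their own pins on top.
simulate_security_upgrade() {
    prefs=$(mktemp) || return 1
    security_prefs $(release_id) > "$prefs" || { rm -f "$prefs"; return 1; }
    apt-get -s -o Dir::Etc::Preferences="$prefs" -o Dir::Etc::PreferencesParts=/dev/null upgrade | grep '^Inst'
    rm -f "$prefs"
}

# Demonstration: the rules this script would generate for Ubuntu 22.04 (jammy).
security_prefs ubuntu jammy
```

Run `simulate_security_upgrade` on a real Debian or Ubuntu host to see the list; drop the `-s` inside it only once the list is what you expect, and keep the `PreferencesParts` override or the files in /etc/apt/preferences.d/ will still take effect.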