The Linux Page

How to only upgrade packages with a security requirement in Ubuntu/Debian?

Today I wanted to upgrade some packages that had security issues. Ubuntu (like Debian) provides the apt-get tool that allows you to do upgrades the easy way:

sudo apt-get upgrade

However, that upgrades every package that has a newer version available. In some cases, you may want to skip some packages because you know they are not ready (e.g. your own packages).

To upgrade only the packages with security fixes, first get the list of packages that are to be upgraded for security reasons:

apt-get -s dist-upgrade | grep "^Inst" | grep -i securi

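The -s option makes apt-get simulate the dist-upgrade: it prints every action it would take (installations, configurations, removals) without changing anything. We then grep for just the installation lines, which start with Inst, and within those, for just the packages marked as in need of upgrade for security reasons.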

That list can then be used to upgrade your system as in:

sudo apt-get install <package(s)>

To do that in a script, you can save the list from the dist-upgrade run as in:

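# Field 2 of each "Inst" line is the package name
PACKAGES=$(apt-get -s dist-upgrade | grep "^Inst" | grep -i securi | awk '{print $2}')
# $PACKAGES is left unquoted on purpose so each name becomes its own argument
sudo apt-get install $PACKAGES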

To make an advanced script that asks you whether you want to upgrade those packages, one can use:

echo "Packages to update:"
PACKAGES=$(apt-get -s dist-upgrade | grep "^Inst" | grep -i securi | awk '{print $2}')
if test -z "$PACKAGES"
then
    echo "None..."
    echo "Process aborted."
    exit 1
fi
# Show the list before asking for confirmation
echo "$PACKAGES"
echo -n "Ready to upgrade? (y/N) "
read answer
if test "$answer" = "y" -o "$answer" = "Y"
then
    # Unquoted on purpose: one argument per package name
    sudo apt-get install $PACKAGES
else
    echo "Upgrade aborted..."
    exit 1
fi

The script will first show you the list of packages to be upgraded, then ask whether you want to upgrade them. If you do not type 'y' or 'Y', then the process is aborted and nothing is modified.
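
The grep -i securi filter used above matches that text anywhere on the Inst line, so a package whose name merely contains "security" is selected too. The function below is an added example, not part of the original post: it looks only at the parenthesised part of each Inst line (the candidate version and the archive it comes from). The function names, the sample output and the package names in it are constructed for illustration.

```shell
#!/bin/sh
# Added example: pick security upgrades out of "apt-get -s dist-upgrade" output.
# Reads the simulation output on stdin, prints one package name per line.
security_packages() {
    awk '
        $1 == "Inst" {
            # Keep only the text between the first "(" and the last ")":
            # the candidate version followed by the archive(s) providing it.
            start = index($0, "(")
            if (start == 0) next
            origin = substr($0, start + 1)
            sub(/\)[^)]*$/, "", origin)
            # Match on the archive field only, never on the package name.
            if (tolower(origin) ~ /security/) print $2
        }
    '
}

# Constructed sample of simulation output (not captured from a real system).
sample_simulation() {
    cat <<'EOF'
Inst libssl1.1 [1.1.1-1ubuntu2.1~18.04.5] (1.1.1-1ubuntu2.1~18.04.6 Ubuntu:18.04/bionic-security [amd64])
Inst openssl [1.1.1d-0+deb10u3] (1.1.1d-0+deb10u4 Debian-Security:10/stable [amd64])
Inst libpam-security-demo [1.0-1] (1.0-2 Ubuntu:18.04/bionic-updates [amd64])
Inst tzdata [2020a-0ubuntu0.18.04] (2020d-0ubuntu0.18.04 Ubuntu:18.04/bionic-updates [all])
Conf libssl1.1 (1.1.1-1ubuntu2.1~18.04.6 Ubuntu:18.04/bionic-security [amd64])
Remv oldpkg-security [0.1]
EOF
}

# Run with --demo to filter the constructed sample.
# Against a live system: apt-get -s dist-upgrade | security_packages
if [ "${1:-}" = "--demo" ]; then
    sample_simulation | security_packages
fi
```

On the sample, the original grep pipeline also returns libpam-security-demo, which comes from the regular updates archive; the function returns only libssl1.1 and openssl.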