31

In the GUI tool you can get a list packages with security updates. Can this be done on the command line in Debian or Ubuntu?

Normally I might use "apt-get upgrade" which would show me what is being upgraded, but I would like to know which ones are security updates.

Stephen Paulger
  • 421
  • 1
  • 4
  • 6
  • just for Ubuntu 14.04, 16.04 and 18.04 LTS: https://askubuntu.com/a/1128270/92504 – Angel Mar 24 '19 at 12:13
  • Such a simple and frequent task and not a single functional (out of the box, at least) or standard way of doing it... Yay! Linux is amazing! Not. – NoOne Sep 26 '20 at 11:46

11 Answers

45
apt-get upgrade -s | grep -i security

... is what the Nagios check-apt plugin uses to count pending security updates which is similar to what you're looking for.

smin
  • 771
  • 4
  • 5
  • 1
    But it cannot find bash security update for shellshock? – linjunhalida Sep 28 '14 at 02:18
  • 6
    This gives false positives on packages with "security" in the name, such as "xml-security-c-utils", "debian-security-support", "modsecurity-crs", "node-security", etc. – Shnatsel Dec 16 '14 at 18:55
  • 2
    @Shnatsel for a command line check, it's very easy... you can easily see whether it's a false positive or not. Also if you know the current name of your OS, you could write `grep -i xenial-security` and it should reduce the false positive to pretty much zero. – Alexis Wilke Jun 27 '17 at 19:48
  • 2
    @Shnatsel so `grep Debian-Security` would be a better solution? – Pablo A Jan 28 '19 at 15:59
  • This is useful for getting the number of `regular;security` updates available. The `-p` option to list the package names available for update does not distinguish between regular and security updates however (at least on 16.04)...so this is not a viable way to get a list of security updates available as far as I can tell. – mattpr Feb 27 '19 at 08:31
11

On Ubuntu you should be able to use apt-check; it's the one that populates your motd with the number of security updates available.

topdog
  • 3,520
  • 17
  • 13
  • 2
    I can't see that on debian or ubuntu. – Stephen Paulger Oct 22 '12 at 15:33
  • 6
    apt-check is in /usr/lib/update-notifier/. Try /usr/lib/update-notifier/apt-check --human-readable for a straightforward message. – u2702 Oct 18 '14 at 01:30
  • 2
    I'm not convinced that shows anything useful. To get the list, you need to add `--package-names` (`-p`), but then it doesn't seem to differentiate between regular updates and security updates. – Auspex Jul 25 '16 at 16:51
6

Use the unattended-upgrade application.

sudo unattended-upgrade

This lets you install only security updates automatically, but you can call it manually if needed.

Andy H
  • 382
  • 1
  • 4
  • I like this answer as you've actually thought about what I might be trying to do and unattended-upgrade is something I've installed today to try out. – Stephen Paulger Sep 05 '12 at 20:38
  • 23
    It doesn't actually answer the question though. – reinierpost Aug 11 '16 at 14:46
  • 5
    If this is the answer, then the question was wrong. At the least, it evolved, and should be edited accordingly and/or marked as a duplicate of https://askubuntu.com/questions/194/how-can-i-install-just-security-updates-from-the-command-line – mc0e Jun 20 '17 at 09:07
  • My Debian `apt` repository only lists a `unattended-upgrades` (plural) package. Was that package renamed or what? – NoOne Dec 11 '21 at 11:24
  • Ah! The package name is in plural and calling it is in singular... Weird. – NoOne Dec 11 '21 at 11:34
5

You can get a list with this command:

sudo unattended-upgrade --dry-run -d 2> /dev/null | grep 'Checking' | awk '{ print $2 }'
Fabrizio Regini
  • 151
  • 1
  • 3
  • 2
    You sent ALL output to `/dev/null` so you won't be grepping anything! – Auspex Jul 25 '16 at 16:52
  • This doesn't seem to work with trusty. It shows all packages that need an update instead. – Dreaded semicolon Dec 18 '16 at 08:52
  • I guess it would show you what unattended-upgrade was going to do, and if you'd configured it to only do security updates, maybe this recipe would work. The answer though is at best woefully incomplete. – mc0e Apr 11 '17 at 14:27
  • Today I solved this need by modifying apt-check a little bit. Check this gist: https://gist.github.com/thesp0nge/94f9d336a081a3fefba6ca61d787a28b – Paolo Perego Oct 18 '18 at 11:59
3

I have a modified version of update-notifier that takes an additional switch: --security-package-names which outputs only the security related package names. I have it as a gist (until I create a merge request in the relevant project in launchpad). Until then it can be run as follows:

Run

curl -s https://gist.githubusercontent.com/ahmadnazir/c2444d6b09fd7bb4963a13bc577d92a3/raw/0231b94a4e46abe0a5959de5f84feda76ad2eb9d/apt-check.py \
  | python /dev/stdin --security-package-names \
  | column -t -s , \
  | sort

Output

This gives an output of the format: package name, installed version, and candidate version:

...
thunderbird                          1:38.6.0+build1-0ubuntu0.14.04.1     1:38.8.0+build1-0ubuntu0.14.04.1
thunderbird-gnome-support            1:38.6.0+build1-0ubuntu0.14.04.1     1:38.8.0+build1-0ubuntu0.14.04.1
thunderbird-locale-en                1:38.6.0+build1-0ubuntu0.14.04.1     1:38.8.0+build1-0ubuntu0.14.04.1
thunderbird-locale-en-us             1:38.6.0+build1-0ubuntu0.14.04.1     1:38.8.0+build1-0ubuntu0.14.04.1
...
mandark
  • 131
  • 2
3

Based on Fabrizio Regini's answer above.

For 12.04 / Precise:

sudo unattended-upgrade --dry-run -d 2>&1 | grep 'Checking' | grep security | awk '{ print $2 }'

For 14.04 / Trusty:

sudo unattended-upgrade --dry-run -d | grep 'Checking' | grep security | awk '{ print $2 }'
blazerw
  • 31
  • 1
2

And a variant cobbled together after reading the other responses - I believe this caters to the false positive issue, and is reasonably lightweight.

sudo unattended-upgrade --dry-run -d 2>/dev/null | awk '/Checking/ && /archive:..*-security. / {print $2}'
tink
  • 1,035
  • 11
  • 20
0

I believe that answering the question the OP asks is how to see the list of packages, and not how to install only security packages. Building on the answer of @topdog you should use:

/usr/lib/update-notifier/apt-check -p

where the -p flag stands for packages.

alonisser
  • 153
  • 9
  • 1
    this lists all packages and not only security updates – confiq Jul 14 '15 at 14:11
  • apt-check seems unavailable in Debian Jessie. It remains on updated Wheezy-systems but fresh installs don't have the update-notifier-common anymore. Do you know an alternative? – jan Jan 27 '16 at 17:45
  • @jan it's still there, as part of `update-notifier-common` – Auspex Jul 25 '16 at 16:56
  • @Auspex That package does no longer exist in Jessie. There is only `update-notifier` which is an outdated transitional package for `gnome-packagekit`. See [here](https://packages.debian.org/jessie/update-notifier). – jan Jul 26 '16 at 14:07
  • 1
    @jan Sorry, I took debian's word for it. I searched for the file, https://packages.debian.org/search?searchon=contents&keywords=apt-check&mode=exactfilename&suite=stable&arch=any and it told me `You have searched for files named apt-check in suite jessie, all sections, and all architectures. Found 1 results.`, but then when you actually click on the link for that result, it tells you `Package not available in this suite.` – Auspex Jul 27 '16 at 13:35
  • @Auspex No problem, sounds like something that could be reported as a bug for the Debian page. – jan Jul 27 '16 at 17:53
0

These two commands will spit out the list. Pipe to wc -l to see how many are behind. ;-)

grep security /etc/apt/sources.list > /tmp/security.list
sudo apt-get upgrade -oDir::Etc::Sourcelist=/tmp/security.list -s

Still valid for older distros or if you have update repos off, but security on:

sudo apt-get upgrade -s | grep ^Inst | grep Security
flickerfly
  • 2,753
  • 3
  • 25
  • 27
  • 1
    Be careful. If you generate /tmp/security.list this way while running as root, then you are vulnerable to a symlink based attack. – mc0e Apr 23 '17 at 12:36
  • I can't get this approach (the first code block) on Ubuntu 14.04. The `-oDir::Etc::Sourcelist` option doesn't seem to disable the standard set of repositories. – mc0e Apr 23 '17 at 13:52
0

I think @smin's answer is basically a good approach, but a bit loose with the regex, as noted by @Shnatsel.

How about this:

apt-get upgrade -q --dry-run \
| perl -ne 'm/^Inst (\S+) \S+ \(([^\)]+) Debian-Security:8/ && print "$1-$2\n"'

This lists the package names along with the versions you want to install. You can take -$2 out of the print statement if you don't want the versions there.

[This could probably be made just a little lighter-weight by using awk instead of perl]

mc0e
  • 5,866
  • 18
  • 31
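Building on smin's `apt-get upgrade -s` approach and on the origin-matching idea in this answer, here is an added example (not code from any answer on this page) of an awk filter that keys on the origin field inside the parentheses of each `Inst` line rather than on the word "security" anywhere on the line, so package names like `xml-security-c-utils` no longer match. The `sample_simulation` function is a constructed fixture with made-up versions that mixes Ubuntu-style (`trusty-security`) and Debian-style (`Debian-Security:8`) origins only to exercise both formats.

```shell
#!/bin/sh
# Added example, not code from any answer on this page.
# Filter the "Inst" lines printed by "apt-get upgrade -s" and keep only
# those whose origin (the archive named inside the parentheses) is a
# security archive. Matching the origin instead of the whole line avoids
# false positives on packages whose name merely contains "security".

# Usage: apt-get upgrade -s | list_security_updates
# Prints "package installed-version candidate-version" per security update.
list_security_updates() {
    awk '
        /^Inst / {
            pkg = $2
            if ($3 ~ /^\[/) {            # "Inst pkg [old] (new ...": an upgrade
                old = substr($3, 2, length($3) - 2)
                new = $4; start = 5
            } else {                     # "Inst pkg (new ...": a new dependency
                old = "-"; new = $3; start = 4
            }
            sub(/^\(/, "", new)
            sec = 0
            for (i = start; i <= NF; i++) {
                t = $i; sub(/,$/, "", t)
                # Ubuntu: Ubuntu:16.04/xenial-security   Debian: Debian-Security:8/stable
                if (t ~ /^Debian-Security:/ || t ~ /\/[a-z]+-security$/) sec = 1
            }
            if (sec) print pkg, old, new
        }'
}

# Constructed sample of "apt-get upgrade -s" output (versions are made up and
# Ubuntu/Debian origins are mixed only to exercise both formats).
sample_simulation() {
    cat <<'EOF'
Reading package lists...
Building dependency tree...
Inst bash [4.3-7ubuntu1.4] (4.3-7ubuntu1.5 Ubuntu:14.04/trusty-security [amd64])
Inst xml-security-c-utils [1.7.2-3] (1.7.2-3ubuntu1 Ubuntu:14.04/trusty-updates [amd64])
Inst openssl [1.0.1t-1+deb8u6] (1.0.1t-1+deb8u7 Debian-Security:8/stable [amd64])
Inst libxml2 [2.9.1+dfsg1-3ubuntu4.8] (2.9.1+dfsg1-3ubuntu4.9 Ubuntu:14.04/trusty-updates, Ubuntu:14.04/trusty-security [amd64])
Inst vim [2:7.4.052-1ubuntu3] (2:7.4.052-1ubuntu3.1 Ubuntu:14.04/trusty-updates [amd64])
Conf bash (4.3-7ubuntu1.5 Ubuntu:14.04/trusty-security [amd64])
EOF
}

# Demo: run the filter over the constructed sample (three of the five Inst lines match).
sample_simulation | list_security_updates
```

Pipe the result to `wc -l` for a count, as flickerfly suggests; a package pulled from both `-updates` and `-security` (libxml2 in the sample) is still reported once.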
0

I solved this by modifying the apt-check script on my Ubuntu system. It takes care only of security updates, also displaying package names if the -p flag has been provided.

You can find the gist here: https://gist.github.com/thesp0nge/94f9d336a081a3fefba6ca61d787a28b

Paolo Perego
  • 101
  • 1