
I'm trying to get a list of packages that are marked as having "security updates"

My base system is Ubuntu 14.04

For example, there is a script on Ubuntu 14.04 which will list the number of updates available. The dynamic-ish motd uses it.

/usr/lib/update-notifier/apt-check

Running that with no args gives semicolon-separated output to stderr, e.g.:

$ /usr/lib/update-notifier/apt-check
60;11   <-- (this is actually standard error)

There are "human readable" and "package names" flags for this script. Great! But "package names" just dumps out the packages being updated, it doesn't put them into security/non-security piles.

How can I tell what's in the "security updates" bucket?

I've tried things like:

apt-get -s dist-upgrade | grep "^Inst" | grep -i security

That one isn't working for me.

I'm considering taking the apt-check script apart and re-using it, but I'd like to know if there's an existing facility to do what I want before I do that.

Update

I ended up modifying the python script "/usr/lib/update-notifier/apt-check" and basically adding output to print the package details whenever that script did a check with the "isSecurityUpgrade()" function. (See that script for details)

JDS
  • Your command works for me on both Ubuntu and Debian systems. If you run apt-get -s upgrade, do you see "security" in the output? – Gmck Nov 11 '15 at 20:06
  • Nope, I do not see "security" in the output. I figured I would. I've tried this on a handful of boxes, including ones that "apt-check" thinks has security updates available – JDS Nov 11 '15 at 20:54
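An added example, not part of the question or its comments: the "Inst" lines that apt-get -s prints carry the archive each candidate version comes from, so the security bucket can be picked out by parsing that field rather than grepping the whole line for "security". The function names (security_inst, count_security) and the sample apt output are constructed for this illustration; the Inst line format itself is what apt-get -s upgrade emits, including the comma-separated form used when the same version sits in both trusty-updates and trusty-security.

```shell
#!/bin/bash
# Added example (not from the original post). Each "Inst" line apt-get -s prints looks like
#   Inst <pkg> [<installed-ver>] (<candidate-ver> <origin>:<release>/<suite>[, <origin>...] [<arch>])
# The suite name (trusty-security, trusty-updates, ...) is the part after the last '/'.
# New packages pulled in as dependencies have no [<installed-ver>] part; the parser copes.

# Reads Inst lines on stdin; prints "pkg candidate-version suite" for every package
# whose candidate version is available from a *-security suite.
security_inst() {
  awk '
    $1 == "Inst" {
      pkg = $2
      # the parenthesised group holds the candidate version and its origin(s)
      if (match($0, /\([^)]*\)/)) {
        grp = substr($0, RSTART + 1, RLENGTH - 2)
        n = split(grp, f, " ")
        ver = f[1]
        for (i = 2; i <= n; i++) {
          s = f[i]
          sub(/,$/, "", s)                 # "Ubuntu:14.04/trusty-updates," -> strip the comma
          m = split(s, parts, "/")
          if (parts[m] ~ /-security$/) { print pkg, ver, parts[m]; break }
        }
      }
    }'
}

# Number of security upgrades in the Inst lines read from stdin.
count_security() {
  security_inst | wc -l | tr -d " "
}

# Live use (package lists must be current, i.e. after apt-get update):
list_live_security_upgrades() {
  apt-get -s upgrade | security_inst
}

# Constructed sample of apt-get -s output; versions and packages are made up for the demo.
SAMPLE='Reading package lists...
Building dependency tree...
The following packages will be upgraded:
  bash libc6 libssl1.0.0 openssl vim
Inst bash [1.0-1] (1.0-2 Ubuntu:14.04/trusty-updates [amd64])
Inst libssl1.0.0 [1.0-1] (1.0-2 Ubuntu:14.04/trusty-security [amd64])
Inst openssl [1.0-1] (1.0-2 Ubuntu:14.04/trusty-security [amd64])
Inst libc6 [1.0-1] (1.0-2 Ubuntu:14.04/trusty-updates, Ubuntu:14.04/trusty-security [amd64])
Inst vim [1.0-1] (1.0-2 Ubuntu:14.04/trusty-updates [amd64])
Conf bash (1.0-2 Ubuntu:14.04/trusty-updates [amd64])'

if [ "${1:-}" = "--demo" ]; then
  printf '%s\n' "$SAMPLE" | security_inst
fi
```

Run it as "bash script.sh --demo" to see the parser on the constructed sample, or source it and call list_live_security_upgrades on a box whose lists are up to date. Note that a package whose fix has also been copied into trusty-updates is still counted as security here, which is what apt-check's own classification does too.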

1 Answer


EDIT: And my apologies for not asking in comments, but I'm too new and don't have the rep.

If you're looking for just those coming from security repos, I use the below with cron to email me once a week from our unmonitored servers.

#!/bin/bash

#-------------------------------------------------------------------------------------------------#
#- Name....: checkSecurityupdates.sh
#- Notes...: run as root from cron; mails the list of pending security updates for this host
#-------------------------------------------------------------------------------------------------#

securityList=/etc/apt/security.sources.list
report=/root/securities-to-update.txt

# create fresh securities file each run
# "--" stops grep from reading "-security" as options (-s -e curity);
# '^[[:space:]]*#' drops only comment lines, not every line that contains a '#'
grep -- "-security" /etc/apt/sources.list | grep -v '^[[:space:]]*#' > "$securityList"
echo "created security specific source list"


# Create the security file list
# -s only simulates the upgrade, so nothing is installed and no prompt has to be answered;
# SourceParts=/dev/null keeps apt from also reading /etc/apt/sources.list.d, which would
# put non-security packages back into the list
apt-get -s upgrade -o Dir::Etc::SourceList="$securityList" -o Dir::Etc::SourceParts=/dev/null > "$report"
echo "created list of security updates"



# What's the mimetype
get_mimetype(){
  # warning: assumes that the passed file exists
  file --mime-type "$1" | sed 's/.*: //'
}


# some variables

from="SecUpdates-Report@example.com"
to="monitor-this-mailbox@example.com"
subject=$(hostname)
boundary="ZZ_/afg6432dfgkl.94531q"
body="Please see attached"
declare -a attachments
attachments=( "$report" )   # absolute path, so the script does not depend on cron's working directory

# Build headers
{

printf '%s\n' "From: $from
To: $to
Subject: $subject
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary=\"$boundary\"

--${boundary}
Content-Type: text/plain; charset=\"US-ASCII\"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

$body
"

# now loop over the attachments, guess the type
# and produce the corresponding part, encoded base64
for file in "${attachments[@]}"; do

  [ ! -f "$file" ] && echo "Warning: attachment $file not found, skipping" >&2 && continue

  mimetype=$(get_mimetype "$file")

  # only the file name goes into the MIME header, not the full path
  printf '%s\n' "--${boundary}
Content-Type: $mimetype
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename=\"$(basename "$file")\"
"

  base64 "$file"
  echo
done

# print last boundary with closing --
printf '%s\n' "--${boundary}--"

} | sendmail -t -oi
echo "sent security updates list"



# cleanup security files
rm -f "$securityList" "$report"
J. Lawson
  • Thanks. I think using the apt-get flag "--assume-no" may be cleaner than piping 'n' to the command, but this is helpful, thanks – JDS Nov 12 '15 at 15:35
  • I tested this method and the output list of packages being upgraded does not at all match the list that is produced when just using the security sources.list. I really don't understand why this would be – JDS Nov 12 '15 at 15:47
  • You're right about the list not matching and I believe that is due to the dependencies being shown but double check that. If you run the actual update against that security sources file generated though I get a set of packages kept back but the rest upgraded... Post your solution as an answer too in case it helps out others. – J. Lawson Nov 12 '15 at 16:42
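An added example, not the answer's script or any of the commenters' code: building the security-only sources list with a small parser instead of a grep, then asking apt what it would upgrade against that list alone. It reads /etc/apt/sources.list together with /etc/apt/sources.list.d/*.list (the answer's grep looks at sources.list only, which is one way the two lists in the comments can end up differing), ignores comment lines and trailing comments, skips deb-src entries and [arch=...] options, and also recognises Debian's older "<codename>/updates" security suite naming. The function names and the sample sources.list content are constructed for this illustration.

```shell
#!/bin/bash
# Added example (not from the original answer). Produces a sources list containing only
# security suites and lists the packages apt would upgrade using just those sources.

# Reads sources.list-style lines on stdin; prints active binary "deb" entries whose suite
# ends in -security (Ubuntu) or /updates (older Debian naming), with comments stripped.
security_sources() {
  awk '
    {
      line = $0
      sub(/#.*/, "", line)                 # comment lines and trailing comments
      sub(/^[ \t]+/, "", line)
      sub(/[ \t]+$/, "", line)
      if (line == "") next
      n = split(line, f, /[ \t]+/)
      if (f[1] != "deb") next              # deb-src entries never yield upgrades
      i = 2
      if (f[i] ~ /^\[/) {                  # skip a [arch=amd64 ...] option block
        while (i <= n && f[i] !~ /\]$/) i++
        i++
      }
      suite = f[i + 1]                     # f[i] is the URI, the suite follows it
      if (suite ~ /-security$/ || suite ~ /\/updates$/) print line
    }'
}

# Writes the security-only list for this host to the path given as $1.
build_security_list() {
  cat /etc/apt/sources.list /etc/apt/sources.list.d/*.list 2>/dev/null | security_sources > "$1"
}

# Prints the names of packages apt would upgrade when only the given sources list is active.
# -s simulates (nothing is installed); SourceParts=/dev/null stops apt from reading
# sources.list.d on top of the override, which would add non-security packages again.
list_security_upgrades() {
  apt-get -s upgrade \
    -o Dir::Etc::SourceList="$1" \
    -o Dir::Etc::SourceParts=/dev/null \
    | awk '$1 == "Inst" { print $2 }'
}

# Constructed sample sources.list for the demo (not taken from a real system).
SAMPLE_SOURCES='# main archive
deb http://archive.ubuntu.com/ubuntu trusty main restricted
deb-src http://archive.ubuntu.com/ubuntu trusty main restricted
deb http://archive.ubuntu.com/ubuntu trusty-updates main restricted
  deb http://security.ubuntu.com/ubuntu trusty-security main restricted # security fixes
deb-src http://security.ubuntu.com/ubuntu trusty-security main restricted
#deb http://security.ubuntu.com/ubuntu trusty-security universe
deb [arch=amd64] http://security.ubuntu.com/ubuntu trusty-security universe
deb http://deb.debian.org/debian-security jessie/updates main'

if [ "${1:-}" = "--demo" ]; then
  printf '%s\n' "$SAMPLE_SOURCES" | security_sources
fi
```

Typical live use, as root: build_security_list /etc/apt/security.sources.list followed by list_security_upgrades /etc/apt/security.sources.list. Because only the security suites are visible to apt in that run, a security upgrade that needs a newer dependency from trusty-updates shows up as "kept back" rather than as an Inst line, which matches what the comment above describes seeing.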