41

I need to list (not count or install) all pending security updates on an Ubuntu 14.04 system. I've read the post How to create a list of of only security updates with apt-get? and its accepted answer (apt-show-versions | grep upgradeable | grep security) does indeed give me a list.

However, that command lists 62 pending security updates. /usr/lib/update-notifier/apt-check tells me that I have 75 pending security updates, but doesn't seem to have a way to list them. How can I reconcile these two numbers? Is one of the two commands doing something other than what I want?

user3553031
  • 571
  • 1
  • 6
  • 14

8 Answers8

22
  • apt list --upgradable list all updates available
  • apt list --upgradable | grep "\-security" lists all updates that are security.
  • apt list --upgradable 2>/dev/null | grep "\-security" | wc -l counts number of security updates available. and redirects the stderr like "WARNING: apt does not have a stable CLI interface. Use with caution in scripts." to null
bfontaine
  • 197
jtlindsey
  • 2,100
16

If you are just looking to do this quickly once, instead of creating a separate repository and scripting up some automation and all that. Great if you aren't supposed to be making changes while auditing a system or whatever.

These two commands will spit out the list. Pipe to wc -l to see how many are behind. ;-)

grep security /etc/apt/sources.list > /tmp/security.list
sudo apt-get upgrade -oDir::Etc::Sourcelist=/tmp/security.list -oDir::Etc::SourceParts=/some/valid/dir/false -s

Still valid for older distros or if you have update repos off, but security on:

sudo apt-get upgrade -s | grep ^Inst | grep -i security
tjanson
  • 103
flickerfly
  • 7,509
9

there must be a way to request how many packages are updatable and how many security updates right now, but if you settle for asking it once a day you can simply read the file /var/lib/update-notifier/updates-available, which seems to be updated daily by the script /etc/cron.daily/update-notifier-common which belongs to the package update-notifier-common

Example:

$ sudo cat /var/lib/update-notifier/updates-available

355 packages can be updated.
1 update is a security update.

Tested in:

  • Ubuntu 14.04 LTS
  • Ubuntu 16.04 LTS
  • Ubuntu 18.04 LTS

Regards,

/Ángel

Angel
  • 264
6

The other answers given here do not all list the same security upgrades.

Ubuntu has two standard policies for upgrading packages: apt-get upgrade is more conservative than apt-get dist-upgrade. The latter will generally upgrade more packages, and it may contain security upgrades that the former ignores.

The notification shown (by default) upon login is a cached copy of the output of apt-check:

$ /usr/lib/update-notifier/apt-check --human-readable
92 packages can be updated.
3 updates are security updates.

These numbers count packages that will be upgraded by apt-get dist-upgrade; you can list these security upgrades as follows:

sudo apt-get --no-download -s dist-upgrade -V | awk '/^Inst.*security/ {print $2}'

or

apt-get -s dist-upgrade -V | awk '/^Inst.*security/ {print $2}'

To see just the security upgrades in an apt-get upgrade, do

apt-get -s upgrade -V | awk '/^Inst.*security/ {print $2}'

or

apt list --upgradable

By default, unattended-upgrades only runs an upgrade, not dist-upgrade.

This explains why unattended-upgrades, even when configured to automatically install security upgrades, doesn't always install all security upgrades reported by apt-check.

All of these tools use the local package index - so to check the status on the Ubuntu mirror your host is using, first update it with sudo apt update.

A mirror can be out of date in principle, so if you want to check at the source, you need to check on Launchpad - at least for packages distributed by Ubuntu.

Reinier Post
  • 505
5
sudo apt-get -s --no-download dist-upgrade -V | grep "^Inst.*security.*$" | cut -d " " -f 2

With some help from this question

lolcode
  • 151
2

This worked for me:

sudo unattended-upgrade --dry-run -d 2> /dev/null | awk '/Checking/ { print $2 }'
David Foerster
  • 36,890
  • 56
  • 97
  • 151
Samuel James
  • 129
0
sudo apt list --upgradable |grep "/$(lsb_release -cs)-security"

This lists all available updates which come via the security repository.

zerwas
  • 3,943
0

Mystery solved: /usr/lib/update-notifier/apt-check counts "real" packages whereas apt list --upgradable counts virtual packages. Example:

8 updates can be installed immediately.
8 of these updates are security updates.

apt list --upgradable # only 3 lines
linux-generic/focal-updates,focal-security 5.4.0.56.59 amd64 [upgradable from: 5.4.0.53.56]
linux-headers-generic/focal-updates,focal-security 5.4.0.56.59 amd64 [upgradable from: 5.4.0.53.56]
linux-image-generic/focal-updates,focal-security 5.4.0.56.59 amd64 [upgradable from: 5.4.0.53.56]


apt upgrade
The following NEW packages will be installed:
  linux-headers-5.4.0-56 linux-headers-5.4.0-56-generic linux-image-5.4.0-56-generic
  linux-modules-5.4.0-56-generic linux-modules-extra-5.4.0-56-generic
The following packages will be upgraded:
  linux-generic linux-headers-generic linux-image-generic
3 upgraded, 5 newly installed, 0 to remove and 0 not upgraded.
Kulfy
  • 18,154
MarcH
  • 121