
Re: Efficient way to keep track of security updates



On Wed, Jan 28, 2015 at 1:59 AM, Paul Wise <pabs@debian.org> wrote:
> On Wed, Jan 28, 2015 at 4:06 PM, Tiberiu Popescu wrote:
...
> You could install and configure the unattended-upgrades package
> instead of using apticron. Please note that you still need to do
> reboots after Linux kernel updates and relevant restart processes
> after library upgrades. You can use needrestart (jessie and later) or
> checkrestart (from debian-goodies) to find out which processes to
> restart.

ISTM, this libc6 update should have triggered a
/var/run/reboot-required creation, but it didn't. (yeah, it's
debatable, but for the average person, you probably want them to
recognize a reboot is safest after a significant 'libc' security
update -- else more savvy users can figure out to restart critical
daemons if needed)


Here's a script, 'apt-whatsup', I use for showing me what patches are
outstanding (packages that are upgradeable, and their current and upgradeable
versions).  It operates similarly to 'aptitude's 'versions' argument,
but in a more concise layout.  It allows selection of security-only
updates via a '-s' option.

AFAICT, a *security* update is only a security update because of where
it comes from (sources.list) by convention/decree.
It's just the same as any other package (the package metadata does not
contain anything identifying the package as a "security" update).

So, my script may need some adjustment for your environment if your
Debian-Security 'deb' source doesn't look like mine.  Or, if you're
using 'squeeze-lts', which is presumed to be 'security only' updates
(Release file 'Label' field won't have "Security" in it), or if you
have 3rd party security repos, or a multi-release (e.g.
stable+testing)...   In that case, you should probably re-architect to
have an /etc/apt/source.list.d/security-updates.list  that contains
all your security repos which my script will use directly (if it
exists), rather than trying to ascertain which sources are security
sources and creating a temp sources.list.

If anyone has more insight, let me know.

# Get help
    # ./apt-whatsup -h
    apt-whatsup:
        apt-whatsup [ -d ] [ -n ] [ -s ] [ -k | {search-pattern} ]

    This program reports all the outstanding Debian Package Updates
    for this system.

        -d  debug
        -k  display kernel only updates pending
        -n  don't do 'aptitude update' phase
        -s  display security updates only
        {search-pattern}     any apt-regex search pattern
           e.g. "cups", "^apache2$"

# See what packages and versions (current/upgradeable) are in play for
# upgradeable packages
    # ./apt-whatsup
    Warning, no aptitude update performed, results may be inaccurate...
    apache2-mpm-worker                  2.2.22-13+deb7u3   2.2.22-13+deb7u4
    apache2-utils                       2.2.22-13+deb7u3   2.2.22-13+deb7u4
    apache2.2-bin                       2.2.22-13+deb7u3   2.2.22-13+deb7u4
    apache2.2-common                    2.2.22-13+deb7u3   2.2.22-13+deb7u4
    ...

# How many upgradable packages are outstanding (use '-n' to avoid
# aptitude update, since we already did that implicitly in the previous
# invocation)
    # ./apt-whatsup  -n | wc -l
    Warning, no aptitude update performed, results may be inaccurate...
    79

# How many upgradable packages are from security repos
    # ./apt-whatsup  -s -n | wc -l
    Warning, no aptitude update performed, results may be inaccurate...
    67

# see if we have a glibc/libc6 security update available
    # ./apt-whatsup -s -n '(glibc|libc6)'
    Warning, no aptitude update performed, results may be inaccurate...
    glibc-doc                           2.13-38+deb7u6   2.13-38+deb7u7
    libc6                               2.13-38+deb7u6   2.13-38+deb7u7
    libc6:i386                          2.13-38+deb7u6   2.13-38+deb7u7
    libc6-dev                           2.13-38+deb7u6   2.13-38+deb7u7
    libc6-i386                          2.13-38+deb7u6   2.13-38+deb7u7

--stephen
--
Stephen Dowdy  -  Systems Administrator  -  NCAR/RAL
303.497.2869   -  sdowdy@ucar.edu        -  http://www.ral.ucar.edu/~sdowdy/

Attachment: apt-whatsup.sh
Description: Bourne shell script
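The point made above, that a "security" update is identifiable only by the origin it comes from (the Release file's Label), can be checked per package from `apt-cache policy` output. The script below is an added illustration, not the attached apt-whatsup.sh; the two policy dumps it parses are constructed samples for a wheezy box, and on a live system they would come from `apt-cache policy` and `apt-cache policy libc6`.

```sh
#!/bin/sh
# Added example (not the apt-whatsup script from the post): classify a package's
# pending upgrade as a security update purely from the Release Label of the
# source that provides the Candidate version; the package metadata has no flag.
# SAMPLE_GLOBAL and SAMPLE_LIBC6 are constructed `apt-cache policy` outputs.

SAMPLE_GLOBAL='Package files:
 100 /var/lib/dpkg/status
     release a=now
 500 http://security.debian.org/ wheezy/updates/main amd64 Packages
     release v=7.0,o=Debian,a=stable,n=wheezy,l=Debian-Security,c=main
     origin security.debian.org
 500 http://ftp.us.debian.org/debian/ wheezy/main amd64 Packages
     release v=7.8,o=Debian,a=stable,n=wheezy,l=Debian,c=main
     origin ftp.us.debian.org'

SAMPLE_LIBC6='libc6:
  Installed: 2.13-38+deb7u6
  Candidate: 2.13-38+deb7u7
  Version table:
     2.13-38+deb7u7 0
        500 http://security.debian.org/ wheezy/updates/main amd64 Packages
 *** 2.13-38+deb7u6 0
        500 http://ftp.us.debian.org/debian/ wheezy/main amd64 Packages
        100 /var/lib/dpkg/status'

# classify_candidate PKG_POLICY GLOBAL_POLICY
# Prints up-to-date, security or non-security for the package's Candidate.
classify_candidate() {
    installed=$(printf '%s\n' "$1" | awk '/^ *Installed:/ { print $2; exit }')
    candidate=$(printf '%s\n' "$1" | awk '/^ *Candidate:/ { print $2; exit }')
    if [ "$installed" = "$candidate" ]; then echo up-to-date; return 0; fi
    # Index files (URL, suite, arch) whose release Label contains "Security".
    sec_idx=$(printf '%s\n' "$2" | awk '
        /^ *[0-9]+ .* Packages$/ { idx = $0; sub(/^ *[0-9]+ /, "", idx) }
        /^ *release / && /l=[^,]*Security/ { print idx }')
    # Index file listed first under the Candidate's row in the version table.
    cand_idx=$(printf '%s\n' "$1" | awk -v cand="$candidate" '
        /^( \*\*\*)? +[^ ]+ [0-9]+$/ { ver = $(NF - 1); next }
        /^ +[0-9]+ .* Packages$/ && ver == cand { sub(/^ *[0-9]+ /, ""); print; exit }')
    if [ -n "$cand_idx" ] && printf '%s\n' "$sec_idx" | grep -Fxq -- "$cand_idx"; then
        echo security
    else
        echo non-security
    fi
}

classify_candidate "$SAMPLE_LIBC6" "$SAMPLE_GLOBAL"   # security
```

A third-party or LTS source whose Label lacks "Security" (the squeeze-lts case mentioned above) will be reported as non-security here, which is exactly the limitation the post describes.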