How can I install just security updates from the command line?

The package unattended-upgrades provides functionality to install security updates automatically.

You could use this, but instead of configuring the automatic part you could call it manually:

sudo unattended-upgrade -d --dry-run
sudo unattended-upgrade -d # Idem --debug

If you want to run it quietly instead:

sudo unattended-upgrade

Note: When you call unattended-upgrade you leave the "s" off the end (on newer versions there is a symlink to avoid this).

This assumes that the package is installed by default, which it probably is. If not, just do:

sudo apt install unattended-upgrades

See also /usr/share/doc/unattended-upgrades/README.md.

A Few Tips On How To Manage Updates

This applies both to Debian and Ubuntu, but more specific instructions for Ubuntu follow.

• Show security updates only :

  apt-get -s dist-upgrade |grep "^Inst" |grep -i securi 
  

  or

  sudo unattended-upgrade --dry-run -d
  

  or

  /usr/lib/update-notifier/apt-check -p
  

• Show all upgradeable packages

  apt-get -s dist-upgrade | grep "^Inst"
  

• Install security updates only

  apt-get -s dist-upgrade | grep "^Inst" | 
      grep -i securi | awk -F " " {'print $2'} | 
      xargs apt-get install
  

Notes:

• Sometimes Ubuntu shows security updates as if they're coming from $release-updates repository. This is so, I'm told, because Ubuntu developers push security updates to $release-updates repository as well to expedite their availability.

  If that's the case, you can do the following to show security updates only:

  sudo sh -c 'grep ^deb /etc/apt/sources.list | 
      grep security > /etc/apt/sources.security.only.list'
  

  and

  apt-get -s dist-upgrade -o Dir::Etc::SourceList=/etc/apt/sources.security.only.list -o Dir::Etc::SourceParts=/dev/null  | 
      grep "^Inst" | awk -F " " {'print $2'}
  

• Check what services need to be restarted after package upgrades. Figure out what packages you are going to upgrade beforehand and schedule your restarts/reboots. The problem here is that unless you restart a service it still may be using an older version of a library (most common reason) that's been loaded into memory before you installed new package which fixes a security vulnerability or whatever.

  checkrestart -v
  

  However, keep in mind that checkrestart may list processes that shouldn't necessarily be restarted. For example, PostgreSQL service may be keeping in its memory reference to an already deleted xlog file, which isn't a valid reason to restart the service.

  Therefore, another, more reliable, way to check this using standard utils is the following little bash script that I shamelessly stole from https://locallost.net/?p=233

  It checks if running processes on a system are still using deleted libraries by virtue of keeping copies of those in active memory.

  ps xh -o pid |
  while read PROCID; do
         grep 'so.* (deleted)$' /proc/$PROCID/maps 2> /dev/null
         if [ $? -eq 0 ]; then
                 CMDLINE=$(sed -e 's/\x00/ /g' < /proc/$PROCID/cmdline)
                 echo -e "\tPID $PROCID $CMDLINE\n"
         fi
  done
  

replace /etc/apt/preferences with the following:

Package: *
Pin: release a=lucid-security
Pin-Priority: 500

Package: *
Pin: release o=Ubuntu
Pin-Priority: 50

now a simple apt-get upgrade will upgrade all security updates only.

Why (and how) this works: The preferences file will pin all packages from Ubuntu distribution to priority 50, which will make them less desirable than already installed packages. Files originating from security repository are given the default (500) priority so they are considered for installation. This means that only packages that are considered more desirable than currently installed ones are security updates. More information about pinning in the apt_preferences manpage.

You can temporarily promote a certain distribution for updates with the --target-release option that works with apt-get and aptitude (at least) which will allow you pin certain releases so that they are eligible for upgrade.

If you wish to use this for scripts only and not make it default for the system, you can place the rules in to some other location and use this instead:

apt-get -o Dir::Etc::Preferences=/path/to/preferences_file upgrade

This will make apt look for the preferences file from a non-default location.

The preferences file given as an example doesn't apply to third party repositories, if you wish to pin those too you can use apt-cache policy to easily determine the required keys for pinning.

The following is confirmed in Ubuntu 14.04 LTS.

Use the unattended-upgrade package.

Look at the file /etc/apt/apt.conf.d/50unattended-upgrades. There should be a section at the top that is:

// Automatically upgrade packages from these (origin:archive) pairs
Unattended-Upgrade::Allowed-Origins {
    "${distro_id}:${distro_codename}-security";
//  "${distro_id}:${distro_codename}-updates";
//  "${distro_id}:${distro_codename}-proposed";
//  "${distro_id}:${distro_codename}-backports";
};

Note how it has been configured to only allow unattended upgrades for security packages, by default.

Modify the file /etc/apt/apt.conf.d/10periodic similar to:

APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Unattended-Upgrade "1";

This will run automatic unattended security upgrades, once per day.

Now, to run manually: sudo unattended-upgrade.

To test as a dry-run, without doing anything: sudo unattended-upgrade --dry-run.

Source: https://help.ubuntu.com/14.04/serverguide/automatic-updates.html

If you wish to install only security updates the following will work. First it lists all upgradeable packages, filter out only the ones coming from a security repo, cut the returned strings at the first field, and then passes them to apt-get install for package update.

sudo apt list --upgradable | grep security |cut -d\/ -f1|xargs sudo apt-get install -y

On Debians I use this command to do only security updates:

apt-get install -y --only-upgrade $( apt-get --just-print upgrade | awk 'tolower($4) ~ /.*security.*/ || tolower($5) ~ /.*security.*/ {print $2}' | sort | uniq )

Although its pretty ugly, you could disable all the repositories apart from the security repository and then do:

sudo apt-get update && sudo apt-get upgrade

I haven't tested it, but in theory it would only find updates in the security repo and apply them...

• apt-get update: just read the entries in repository - acording to existing list. Needed to check what is new.
• apt-get upgrade: all updates for installed packages without kernel modules. No release update.
• apt-get dist-upgrade: all updates for installed packages also with kernel modules. No release update.
• apt-get with parameter -s: test only, no changes performed.

Here's a script that achieves this in a few different ways:

#!/usr/bin/env bash
set -e

# List upgradable packages
apt-get update
apt list --upgradable 2>/dev/null
# List security upgrades
test "$(apt-get upgrade -s -y)" && (apt-get upgrade -s -y)
# List upgradable apt packages then upgrade
apt-get update && apt-get upgrade -y  -V | grep '=>' | awk '{print$1}' && test "$(apt-get upgrade -y)"

I can't find an option in either apt-get or aptitude, however someone had the same question on SuperUser. The only response is:

Check and adjust /etc/apt/apt.conf.d/50unattended-upgrade. 
Did you replace 'karmic' with the code name of your Ubuntu?

No reply as to whether that worked however.