According to an article on debian-administration.org,

If the dependencies have changed on one of the packages you have installed so that a new package must be installed to perform the upgrade then that will be listed as "kept-back".

Cautious solution 1:

Per Pablo's answer, you can run sudo apt-get --with-new-pkgs upgrade, and it will install the kept-back packages.

This has the benefit of not marking the kept-back packages as "manually installed," which could force more user intervention down the line (see comments).

If Pablo's solution works for you, please upvote it. If not, please comment what went wrong.

Cautious solution 2:

The cautious solution is to run sudo apt-get install <list of packages kept back>. In most cases this will give the kept-back packages what they need to successfully upgrade.

Aggressive solution:

A more aggressive solution is to run sudo apt-get dist-upgrade, which will force the installation of those new dependencies.

But dist-upgrade can be quite dangerous. Unlike upgrade it may remove packages to resolve complex dependency situations. Unlike you, APT isn't always smart enough to know whether these additions and removals could wreak havoc.

So if you find yourself in a place where the "cautious solution" doesn't work, dist-upgrade may work... but you're probably better off learning a bit more about APT and resolving the dependency issues "by hand" by installing and removing packages on a case-by-case basis.

Think of it like fixing a car... if you have time and are handy with a wrench, you'll get some peace of mind by reading up and doing the repair yourself. If you're feeling lucky, you can drop your car off with your cousin dist-upgrade and hope she knows her stuff.

Whenever you receive from the command apt-get upgrade the message

The following packages have been kept back:

then to upgrade one or all of the kept-back packages, without doing a distribution upgrade (this is what dist-upgrade does, if I remember correctly) is to issue the command:

apt-get install <list of packages kept back>

this will resolve the kept-back issues and will ask to install additional packages, etc. as was explained by other answers.

See also: Why use apt-get upgrade instead of apt-get dist-upgrade?

I answered a similar question here, explaining a bit more about the reasons behind this issue.

Try this Unix SE answer:

sudo apt-get --with-new-pkgs upgrade

This allows new packages to be installed. It will let you know what packages would be installed and prompt you before actually doing the install.

apt command (friendly alternative to apt-get) share this option.

Using apt install <pkg> instead will mark pkg as "manually installed"!! To mark it again as "automatically installed" use apt-mark auto <pkg> (see also subcommand showmanual). More info on this answer.

apt-get dist-upgrade is dangerous for stable environment,

1. wrong source.list setting and you end up with broken ubuntu.
2. you might get entire application upgraded to version you dont want.

Use case: kernel upgrade kept back, you just want to upgrade the kernel, dont want to upgrade entire distribution.

Better way to handle kept back package:

sudo aptitude

If you have kept back package you should see Upgradable Packages on top of the list.

• Hit + on that list
• Hit g twice
• Answer debconf stuff if asked
• Press return to continue
• Press Q
• Press yes

Your kept back package installed.

There are normally two reasons you may see this message.

If upgrading the program (via sudo apt-get upgrade) would cause packages to be added or removed, then the program will be held back. You can use sudo apt-get dist-upgrade in this case, which will then offer to add or remove the additional packages.

This is pretty common and usually not an issue. Occasionally (particularly during an Ubuntu alpha) a dist-upgrade will offer to remove a lot of other programs, in which case you probably want to cancel it.

If the package depends on packages or versions that are not available, then the program will be held back. You really can't do anything but wait in this circumstance, since the package is basically uninstallable. This can happen when packages get added to the repository out of order, when a package is renamed, or when a package stops providing a virtual package.

You can also try aptitude. First install it:

sudo apt-get install aptitude -y

then:

sudo aptitude safe-upgrade

It's safer than full-upgrade (originally named dist-upgrade) because "packages will not be removed unless they are unused".

From man aptitude:

safe-upgrade

Upgrades installed packages to their most recent version. Installed packages will not be removed unless they are unused [...] Packages which are not currently installed may be installed to resolve dependencies unless the --no-new-installs command-line option is supplied.

Most likely these packages are held back because their installation would create dependency inconsistencies. This can either happen because you are using archives under active development, ppas, or because the mirror you uses is not fully updated.

In the last case, just wait, when the dependencies are resolved it will be installed the next time.

Edit:

There is another possibility, packages might be held back if there is put a hold on them, or if they are pinned.

Ubuntu 18.04, 20.04, 22.04, … provide a streamlined syntax via apt full-upgrade which functions like sudo apt-get dist-upgrade.

sudo apt full-upgrade

sudo apt upgrade is used to install available upgrades of all packages currently installed on the system from the sources configured via sources.list(5). New packages will be installed if required to satisfy dependencies, but existing packages will never be removed. If an upgrade for a package requires the remove of an installed package the upgrade for this package isn't performed.

sudo apt full-upgrade performs the function of upgrade but will remove currently installed packages if this is needed to upgrade the system as a whole.

Note: full-upgrade remains on the current distribution.

See: apt man page: 18.04, 20.04, 22.04

This worked for me

sudo aptitude full-upgrade

I'm adding this answer because I'm not satisfied with how other answers handle the why part of the question to understand what's going on and choose the appropriate course of action.

Hopefully this will help someone avoid blindly running apt dist-upgrade in despair!

Why is a package kept back?

To my knowledge, there are 2 categories of reasons for packages being kept back during apt upgrade.

It is marked as held back

apt-mark can do this:

sudo apt-mark hold <package>

hold is used to mark a package as held back, which will prevent the package from being automatically installed, upgraded or removed.

To list all packages marked on hold or find out if a package is on hold use:

apt-mark showhold
apt-mark showhold <package>

To remove a hold on a package and allow it to be upgraded:

sudo apt-mark unhold <package>

apt detects a dependency change

The best authoritative source of information I could find regarding this is marked as obsolete, but it says:

[Kept back] means that there are new versions of these packages which will not be installed for some reason. Possible reasons are broken dependencies (a package on which it depends doesn't have a version available for download) or new dependencies (the package has come to depend on new packages since the last version)

This will tell you the current and candidate upgrade versions of the package:

$ apt list <package>

# example output:
vim/bionic-updates,bionic-security 2:8.0.1453-1ubuntu1.4 amd64 [upgradable from: 2:8.0.1453-1ubuntu1.3]
N: There are 2 additional versions. Please use the '-a' switch to see them.

With the current version (e.g. 2:8.0.1453-1ubuntu1.3) and new version (e.g. 2:8.0.1453-1ubuntu1.4), we can figure out the changed dependencies with apt show:

apt show <package>=<old version> <package>=<new version>

# example:
apt show vim=2:8.0.1453-1ubuntu1.3 vim=2:8.0.1453-1ubuntu1.4

(or just use apt show -a to view all versions directly, but it makes the version comparison harder in my opinion)

The important parts are the Depends and Recommends package lists. If there are new packages in those lists in the new version of the kept back package, apt won't automatically upgrade it.

At this point there are 2 options to upgrade the kept back package. Note that both solutions below have the proper arguments to avoid erroneously changing a package from "automatically installed" to "manually installed".

1. To upgrade the package and install any new "Recommended" packages (i.e. as if newly installed with apt install <package>, use --only-upgrade:

   sudo apt install --only-upgrade <package>
   

   (Tip: add --dry-run to see what will happen before doing it)

2. To upgrade the package without installing any newly added "Recommended" packages, use --with-new-pkgs.

   sudo apt upgrade --with-new-pkgs <package>
   

Case study: upgrading the docker-ce package

Upgrading the docker-ce package on Ubuntu 18.04 is what brought me here in the first place so I thought it would be interesting to have a full concrete example.

$ sudo apt upgrade
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
The following packages have been kept back:
  docker-ce
0 upgraded, 0 newly installed, 0 to remove and 1 not upgraded.

$ apt list docker-ce
Listing... Done
docker-ce/bionic 5:20.10.3~3-0~ubuntu-bionic amd64 [upgradable from: 5:19.03.12~3-0~ubuntu-bionic]
N: There are 34 additional versions. Please use the '-a' switch to see them.

Ok let's see what's holding back docker-ce:

$ apt show docker-ce=5:19.03.12~3-0~ubuntu-bionic docker-ce=5:20.10.3~3-0~ubuntu-bionic
Package: docker-ce
Version: 5:19.03.12~3-0~ubuntu-bionic
Priority: optional
Section: admin
Maintainer: Docker <[email protected]>
Installed-Size: 107 MB
Depends: docker-ce-cli, containerd.io (>= 1.2.2-3), iptables, libseccomp2 (>= 2.3.0), libc6 (>= 2.8), libdevmapper1.02.1 (>= 2:1.02.97), libsystemd0
Recommends: aufs-tools, ca-certificates, cgroupfs-mount | cgroup-lite, git, pigz, xz-utils, libltdl7, apparmor
Conflicts: docker (<< 1.5~), docker-engine, docker-engine-cs, docker.io, lxc-docker, lxc-docker-virtual-package
Replaces: docker-engine
Homepage: https://www.docker.com
Download-Size: 22.5 MB
APT-Manual-Installed: yes
APT-Sources: https://download.docker.com/linux/ubuntu bionic/stable amd64 Packages
Description: Docker: the open-source application container engine
 Docker is a product for you to build, ship and run any application as a
 lightweight container
 .
 Docker containers are both hardware-agnostic and platform-agnostic. This means
 they can run anywhere, from your laptop to the largest cloud compute instance and
 everything in between - and they don't require you to use a particular
 language, framework or packaging system. That makes them great building blocks
 for deploying and scaling web apps, databases, and backend services without
 depending on a particular stack or provider.

Package: docker-ce
Version: 5:20.10.3~3-0~ubuntu-bionic
Priority: optional
Section: admin
Maintainer: Docker <[email protected]>
Installed-Size: 121 MB
Depends: containerd.io (>= 1.4.1), docker-ce-cli, iptables, libseccomp2 (>= 2.3.0), libc6 (>= 2.8), libdevmapper1.02.1 (>= 2:1.02.97), libsystemd0
Recommends: apparmor, ca-certificates, docker-ce-rootless-extras, git, libltdl7, pigz, xz-utils
Suggests: aufs-tools, cgroupfs-mount | cgroup-lite
Conflicts: docker (<< 1.5~), docker-engine, docker-engine-cs, docker.io, lxc-docker, lxc-docker-virtual-package
Replaces: docker-engine
Homepage: https://www.docker.com
Download-Size: 24.8 MB
APT-Sources: https://download.docker.com/linux/ubuntu bionic/stable amd64 Packages
Description: Docker: the open-source application container engine
 Docker is a product for you to build, ship and run any application as a
 lightweight container
 .
 Docker containers are both hardware-agnostic and platform-agnostic. This means
 they can run anywhere, from your laptop to the largest cloud compute instance and
 everything in between - and they don't require you to use a particular
 language, framework or packaging system. That makes them great building blocks
 for deploying and scaling web apps, databases, and backend services without
 depending on a particular stack or provider.

Version 5:20.10.3~3-0~ubuntu-bionic has added docker-ce-rootless-extras as a new recommended dependency. I wish apt would be more helpful and simply suggest installing it or something instead of leaving me with an old version... Anyhow, here are the 2 possible fixes (with --dry-run for illustration purposes):

$ sudo apt upgrade --with-new-pkgs --dry-run docker-ce
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
The following packages will be upgraded:
  docker-ce
1 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Inst docker-ce [5:19.03.12~3-0~ubuntu-bionic] (5:20.10.3~3-0~ubuntu-bionic Docker CE:bionic [amd64])
Conf docker-ce (5:20.10.3~3-0~ubuntu-bionic Docker CE:bionic [amd64])

$ sudo apt install --only-upgrade --dry-run docker-ce
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following additional packages will be installed:
  docker-ce-rootless-extras
Recommended packages:
  slirp4netns
The following NEW packages will be installed:
  docker-ce-rootless-extras
The following packages will be upgraded:
  docker-ce
1 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Inst docker-ce [5:19.03.12~3-0~ubuntu-bionic] (5:20.10.3~3-0~ubuntu-bionic Docker CE:bionic [amd64])
Inst docker-ce-rootless-extras (5:20.10.3~3-0~ubuntu-bionic Docker CE:bionic [amd64])
Conf docker-ce (5:20.10.3~3-0~ubuntu-bionic Docker CE:bionic [amd64])
Conf docker-ce-rootless-extras (5:20.10.3~3-0~ubuntu-bionic Docker CE:bionic [amd64])