• 13
name

A PHP Error was encountered

Severity: Notice

Message: Undefined index: userid

Filename: views/question.php

Line Number: 191

Backtrace:

File: /home/prodcxja/public_html/questions/application/views/question.php
Line: 191
Function: _error_handler

File: /home/prodcxja/public_html/questions/application/controllers/Questions.php
Line: 433
Function: view

File: /home/prodcxja/public_html/questions/index.php
Line: 315
Function: require_once

I'm trying to get a list of packages that are marked as having "security updates"

My base system is Ubuntu 14.04

For example, there is a script on Ubuntu 14.04 which will list number of updates available. The dynamic-ish motd uses it.

/usr/lib/update-notifier/apt-check

Running that with no args gives semicolon-separated output to stderr, e.g.:

$ /usr/lib/update-notifier/apt-check
60;11   <-- (this is actually standard error)

There are "human readable" and "package names" flags for this script. Great! But "package names" just dumps out the packages being updated, it doesn't put them into security/non-security piles.

How can I tell what's in the "security updates" bucket?

I've tried things like:

apt-get -s dist-upgrade | grep "^Inst" | grep -i security

That one isn't working for me.

I'm considering taking the apt-check script apart and re-using it, but I'd like to know if there's an existing facility to do what I want before I do that.

Update

I ended up modifying the python script "/usr/lib/update-notifier/apt-check" and basically adding output to print the package details whenever that script did a check with the "isSecurityUpgrade()" function. (See that script for details)

    • Your command works for me on both Ubuntu and Debian systems. If you run apt-get -s upgrade, do you see "security" in the output?
      • 2
    • Nope, I do not see "security" in the output. I figured I would. I've tried this on a handful of boxes, including ones that "apt-check" thinks has security updates available

EDIT: And my apologies for not asking in comments but I'm too new and don't have the rep.

If you're looking for just those coming from security repos I use the below with cron to email me once a week from our un-monitored servers.

#!/bin/bash

#-------------------------------------------------------------------------------------------------#
#- Name....: checkSecurityupdates.sh
#- Notes...:
#-------------------------------------------------------------------------------------------------#

# create fresh securities file each run
grep "-security" /etc/apt/sources.list | sudo grep -v "#" > /etc/apt/security.sources.list
echo "created security specific source list"


# Create the security file list
echo 'n' | apt-get upgrade -o Dir::Etc::SourceList=/etc/apt/security.sources.list >> /root/securities-to-update.txt
echo "created list of security updates"



# What's the mimetype
get_mimetype(){
  # warning: assumes that the passed file exists
  file --mime-type "$1" | sed 's/.*: //'
}


# some variables

from="SecUpdates-Report@example.com"
to="monitor-this-mailbox@example.com"
subject=`hostname`
boundary="ZZ_/afg6432dfgkl.94531q"
body="Please see attached"
declare -a attachments
attachments=( "securities-to-update.txt" )

# Build headers
{

printf '%s\n' "From: $from
To: $to
Subject: $subject
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary=\"$boundary\"

--${boundary}
Content-Type: text/plain; charset=\"US-ASCII\"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

$body
"

# now loop over the attachments, guess the type
# and produce the corresponding part, encoded base64
for file in "${attachments[@]}"; do

  [ ! -f "$file" ] && echo "Warning: attachment $file not found, skipping" >&2 && continue

  mimetype=$(get_mimetype "$file")

  printf '%s\n' "--${boundary}
Content-Type: $mimetype
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename=\"$file\"
"

  base64 "$file"
  echo
done

# print last boundary with closing --
printf '%s\n' "--${boundary}--"

} | sendmail -t -oi   
echo "sent security updates list"



# cleanup security files
rm /etc/apt/security.sources.list
rm /root/securities-to-update.txt
  • 2
Reply Report
      • 2
    • Thanks. I think using the apt-get flag "--assume-no" may be cleaner than piping 'n' to the command. but this is helpful, thanks
      • 1
    • I tested this method and the output list of packages being upgraded does not at all match the list that is produced when just using the security sources.list. I really don't understand why this would be
      • 1
    • You're right about the list not matching and I believe that is due to the dependencies being shown but double check that. If you run the actual update against that security sources file generated though I get a set of packages kept back but the rest upgraded... Post your solution as an answer too in case it helps out others.

Warm tip !!!

This article is reproduced from Stack Exchange / Stack Overflow, please click

Trending Tags