How to apply Debian security patches

Posted on in Categories , , , last updated August 8, 2017

I am new to Debian and confused about how to get access to the Debian security updates. How do I apply security patches to my Debian Linux server using the command line option?

If you are new to Debian and confused about how to get access to the Debian security updates. This tutorial tells you how to keep your server or the cloud computer powered by Debian Linux 9.x or 8.x current with the latest security updates. You need to use either apt-get command or apt command to apply patches to Debian Linux server or desktop based system.

Syntax

The syntax is:
$ sudo apt update
$ sudo apt upgrade

OR use the apt-get command to fetch repo updates:
$ sudo apt-get update
Sample outputs:

Get:2 http://security.debian.org stretch/updates InRelease [62.9 kB]
Ign:1 http://cdn-fastly.deb.debian.org/debian stretch InRelease
Get:3 http://cdn-fastly.deb.debian.org/debian stretch Release [118 kB]
Get:4 http://cdn-fastly.deb.debian.org/debian stretch Release.gpg [2,373 B]
Get:5 http://security.debian.org stretch/updates/main amd64 Packages [128 kB]
Get:6 http://cdn-fastly.deb.debian.org/debian stretch/main amd64 Packages [7,095 kB]
Get:7 http://security.debian.org stretch/updates/main Translation-en [52.7 kB]   
Get:8 http://security.debian.org stretch/updates/contrib amd64 Packages [556 B]       
Get:9 http://security.debian.org stretch/updates/contrib Translation-en [256 B] 
Get:10 http://cdn-fastly.deb.debian.org/debian stretch/main Translation-en [5,393 kB]                                                                                                                                                 
Get:11 http://cdn-fastly.deb.debian.org/debian stretch/main amd64 Contents (deb) [31.4 MB]                                                                                                                                            
Get:12 http://cdn-fastly.deb.debian.org/debian stretch/non-free amd64 Packages [77.9 kB]                                                                                                                                              
Get:13 http://cdn-fastly.deb.debian.org/debian stretch/non-free Translation-en [79.2 kB]                                                                                                                                              
Get:14 http://cdn-fastly.deb.debian.org/debian stretch/non-free amd64 Contents (deb) [810 kB]                                                                                                                                         
Fetched 45.3 MB in 49s (906 kB/s)                                                                                                                                                                                                     
Reading package lists... Done

Now install patches:
$ sudo apt-get upgrade
Sample outputs:

Reading package lists... Done
Building dependency tree       
Reading state information... Done
Calculating upgrade... Done
The following packages will be upgraded:
  adwaita-icon-theme apache2 apache2-bin apache2-data apache2-utils apt apt-utils base-files bind9 bind9-host bind9utils devscripts dnsutils gnuplot gnuplot-data gnuplot-nox host imagemagick imagemagick-6-common imagemagick-6.q16
  libapt-inst2.0 libapt-pkg5.0 libbind9-140 libc-ares2 libdns-export162 libdns162 libgnutls-openssl27 libgnutls30 libirs-export141 libirs141 libisc-export160 libisc160 libisccc-export140 libisccc140 libisccfg-export140
  libisccfg140 liblwres141 libmagickcore-6.q16-3 libmagickcore-6.q16-3-extra libmagickwand-6.q16-3 libpam-systemd libperl5.24 libpulse0 libsystemd0 libudev1 linux-compiler-gcc-6-x86 linux-headers-4.9.0-3-amd64
  linux-headers-4.9.0-3-common linux-headers-amd64 linux-image-4.9.0-3-amd64 linux-image-amd64 linux-kbuild-4.9 linux-libc-dev openssh-client openssh-server openssh-sftp-server os-prober perl perl-base perl-modules-5.24 socat
  systemd systemd-sysv udev unrar
65 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 91.4 MB of archives.
After this operation, 57.3 kB of additional disk space will be used.
Do you want to continue? [Y/n] y
Get:2 http://security.debian.org stretch/updates/main amd64 apache2 amd64 2.4.25-3+deb9u2 [235 kB]
Get:1 http://cdn-fastly.deb.debian.org/debian stretch/main amd64 base-files amd64 9.9+deb9u1 [67.2 kB]
Get:3 http://cdn-fastly.deb.debian.org/debian stretch/main amd64 libperl5.24 amd64 5.24.1-3+deb9u1 [3,524 kB]
.....
...
....
Get:37 http://cdn-fastly.deb.debian.org/debian stretch/main amd64 os-prober amd64 1.76~deb9u1 [30.0 kB]                                                                                                                               
Get:38 http://cdn-fastly.deb.debian.org/debian stretch/main amd64 socat amd64 1.7.3.1-2+deb9u1 [353 kB]                                                                                                                               
Get:65 http://security.debian.org stretch/updates/main amd64 linux-libc-dev amd64 4.9.30-2+deb9u3 [1,252 kB]                                                                                                                          
Fetched 91.4 MB in 1min 9s (1,311 kB/s)                                                                                                                                                                                               
Reading changelogs... Done
Extracting templates from packages: 100%
Preconfiguring packages ...
(Reading database ... 115129 files and directories currently installed.)
Preparing to unpack .../base-files_9.9+deb9u1_amd64.deb ...
Unpacking base-files (9.9+deb9u1) over (9.9) ...
Setting up base-files (9.9+deb9u1) ...
Installing new version of config file /etc/debian_version ...
.....
...
....
Setting up libirs141:amd64 (1:9.10.3.dfsg.P4-12.3+deb9u2) ...
Setting up linux-image-amd64 (4.9+80+deb9u1) ...
Setting up gnuplot (5.0.5+dfsg1-6+deb9u1) ...
Setting up openssh-sftp-server (1:7.4p1-10+deb9u1) ...
Setting up libmagickcore-6.q16-3-extra:amd64 (8:6.9.7.4+dfsg-11+deb9u1) ...
Setting up imagemagick (8:6.9.7.4+dfsg-11+deb9u1) ...
Setting up libbind9-140:amd64 (1:9.10.3.dfsg.P4-12.3+deb9u2) ...
Setting up bind9utils (1:9.10.3.dfsg.P4-12.3+deb9u2) ...
Setting up bind9-host (1:9.10.3.dfsg.P4-12.3+deb9u2) ...
Setting up linux-headers-amd64 (4.9+80+deb9u1) ...
Setting up apache2 (2.4.25-3+deb9u2) ...
insserv: warning: current start runlevel(s) (empty) of script `apache-htcacheclean' overrides LSB defaults (2 3 4 5).
insserv: warning: current stop runlevel(s) (0 1 2 3 4 5 6) of script `apache-htcacheclean' overrides LSB defaults (0 1 6).
Setting up host (1:9.10.3.dfsg.P4-12.3+deb9u2) ...
Setting up bind9 (1:9.10.3.dfsg.P4-12.3+deb9u2) ...
Setting up dnsutils (1:9.10.3.dfsg.P4-12.3+deb9u2) ...
Setting up openssh-server (1:7.4p1-10+deb9u1) ...
Processing triggers for initramfs-tools (0.130) ...
update-initramfs: Generating /boot/initrd.img-4.9.0-3-amd64
cryptsetup: WARNING: failed to detect canonical device of /dev/md0
cryptsetup: WARNING: could not determine root device from /etc/fstab
W: initramfs-tools configuration sets RESUME=UUID=054b217a-306b-4c18-b0bf-0ed85af6c6e1
W: but no matching swap device is available.
I: The initramfs will attempt to resume from /dev/md1p1
I: (UUID=bf72f3d4-3be4-4f68-8aae-4edfe5431670)
I: Set the RESUME variable to override this.
Processing triggers for libc-bin (2.24-11+deb9u1) ..

Please note that while installing patches you might be prompted to install or keep existing config files:

Click to enlarge
Click to enlarge

I suggest that you reboot the Linux box to verify that update was successful or to load new Linux kernel:
$ sudo reboot
OR
$ sudo shutdown -r now
This entry is 1 of 2 in the Applying Debian Security Updates/Patches series. Keep reading the rest of the series:
  1. How to apply Debian security patches
  2. How to keep Debian Linux patched with latest security updates automatically

Posted by: Vivek Gite

The author is the creator of nixCraft and a seasoned sysadmin and a trainer for the Linux operating system/Unix shell scripting. He has worked with global clients and in various industries, including IT, education, defense and space research, and the nonprofit sector. Follow him on Twitter, Facebook, Google+.