How to update security patches in Linux using the CLI

last updated in Categories , , , , , ,

How do I apply and update security patches in Linux operating systems? Can you tell Linux command that update security patches?

A potential security vulnerability in Linux exists. Various Linux distros release security updates and patches to mitigate the potential vulnerability. This page shows you how to apply those security patches in Linux using the command line option to keep your server or desktop secure.

How to update security patches in Linux

  1. Open the terminal application
  2. For remote Linux server use ssh: ssh user@server-name
  3. RHEL/CentOS/Oracle Linux user run: sudo yum update
  4. Debian/Ubuntu Linux user run: sudo apt update && sudo apt upgrade
  5. OpenSUSE/SUSE Linux user run: sudo zypper up

Let us see all commands and examples in details.

Apply security patches in a CentOS/RHEL/Oracle Linux

Type the following yum command:
sudo yum check-update ## check for updates ##
sudo yum updateinfo ## list updates available for the RHEL/CentOS ##

Sample outputs:

Last metadata expiration check: 0:01:26 ago on Tuesday 12 November 2019 08:27:52 PM UTC.
Updates Information Summary: available
     2 Security notice(s)
         2 Important Security notice(s)
    71 Bugfix notice(s)
    14 Enhancement notice(s)
Security: kernel-core-4.18.0-147.el8.x86_64 is an installed security update
Security: kernel-core-4.18.0-80.11.2.el8_0.x86_64 is the currently running version

Apply all those updates on RHEL 8/7 box:
sudo yum update
How to update security patches in Linux using yum
Since kernel security update was installed, reboot the Linux system:
sudo shutdown -r 0

A note about Fedora Linux users

Run dnf command:
sudo dnf update
Reboot the Linux box if new kernel or microcode update was installed:
sudo reboot

Debian/Ubuntu/Linux mint apply updates

Run the following apt command:
sudo apt update
List available security patches or updates:
sudo apt list --upgradable

ansible/bionic 2.9.0-1ppa~bionic all [upgradable from: 2.7.10-1ppa~bionic]
apt/bionic-updates 1.6.12 amd64 [upgradable from: 1.6.10]
apt-transport-https/bionic-updates 1.6.12 all [upgradable from: 1.6.10]
apt-utils/bionic-updates 1.6.12 amd64 [upgradable from: 1.6.10]
base-files/bionic-updates 10.1ubuntu2.7 amd64 [upgradable from: 10.1ubuntu2.4]
bash/bionic-updates 4.4.18-2ubuntu1.2 amd64 [upgradable from: 4.4.18-2ubuntu1]
bsdutils/bionic-updates 1:2.31.1-0.4ubuntu3.4 amd64 [upgradable from: 1:2.31.1-0.4ubuntu3.3]
console-setup/bionic-updates 1.178ubuntu2.9 all [upgradable from: 1.178ubuntu2.8]
console-setup-linux/bionic-updates 1.178ubuntu2.9 all [upgradable from: 1.178ubuntu2.8]
debconf/bionic-updates 1.5.66ubuntu1 all [upgradable from: 1.5.66]
debconf-i18n/bionic-updates 1.5.66ubuntu1 all [upgradable from: 1.5.66]
dmsetup/bionic-updates 2:1.02.145-4.1ubuntu3.18.04.1 amd64 [upgradable from: 2:1.02.145-4.1ubuntu3]

Next, apple those security patches on a Debian/Ubuntu server:
sudo apt upgrade
Sample outputs:

Reading package lists... Done
Building dependency tree       
Reading state information... Done
Calculating upgrade... Done
The following packages were automatically installed and are no longer required:
  ieee-data python-certifi python-chardet python-jmespath python-kerberos python-libcloud python-lockfile python-netaddr python-openssl
  python-requests python-selinux python-simplejson python-urllib3 python-xmltodict wget
Use 'apt autoremove' to remove them.
The following packages will be upgraded:
  ansible apt apt-transport-https apt-utils base-files bash bsdutils console-setup console-setup-linux debconf debconf-i18n dmsetup dpkg
  dpkg-dev fdisk grep initramfs-tools initramfs-tools-bin initramfs-tools-core iputils-ping keyboard-configuration language-pack-en
  libapt-inst2.0 libapt-pkg5.0 libblkid1 libdevmapper1.02.1 libdns-export1100 libdpkg-perl libfdisk1 libisc-export169 libldap-2.4-2
  libldap-common libmount1 libnss-systemd libpam-systemd libprocps6 libsmartcols1 libsystemd0 libudev1 libuuid1 login mount netplan.io nplan
  passwd procps python-apt-common python-pip-whl python3-apt python3-distutils python3-lib2to3 python3-pip python3-software-properties
  software-properties-common systemd systemd-sysv ubuntu-minimal udev unattended-upgrades util-linux xkb-data
61 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 24.5 MB of archives.
After this operation, 26.8 MB of additional disk space will be used.
Do you want to continue? [Y/n]

Again reboot the system if Linux kernel was updated or patched for security issues:
sudo reboot

OpenSUSE or SUSE Enterprise Linux apply security patches and updates

Firsr, refresh all repos using the zypper command:
sudo zypper refresh
Sample outputs:

Repository 'SLE-Module-Basesystem15-SP1-Pool' is up to date.                                                                                  
Repository 'SLE-Module-Basesystem15-SP1-Updates' is up to date.                                                                               
Repository 'SLE-Module-Containers15-SP1-Pool' is up to date.                                                                                  
Repository 'SLE-Module-Containers15-SP1-Updates' is up to date.                                                                               
Repository 'SLE-Module-Desktop-Applications15-SP1-Pool' is up to date.                                                                        
Repository 'SLE-Module-Desktop-Applications15-SP1-Updates' is up to date.                                                                     
Repository 'SLE-Module-DevTools15-SP1-Pool' is up to date.                                                                                    
Repository 'SLE-Module-DevTools15-SP1-Updates' is up to date.                                                                                 
Repository 'SLE-Module-Legacy15-SP1-Pool' is up to date.                                                                                      
Repository 'SLE-Module-Legacy15-SP1-Updates' is up to date.                                                                                   
Repository 'SLE-Module-Public-Cloud15-SP1-Pool' is up to date.                                                                                
Repository 'SLE-Module-Public-Cloud15-SP1-Updates' is up to date.                                                                             
Repository 'SLE-Module-Python2-15-SP1-Pool' is up to date.                                                                                    
Repository 'SLE-Module-Python2-15-SP1-Updates' is up to date.                                                                                 
Repository 'SLE-Module-CAP-Tools15-SP1-Pool' is up to date.                                                                                   
Repository 'SLE-Module-CAP-Tools15-SP1-Updates' is up to date.                                                                                
Repository 'SLE-Product-SLES15-SP1-Pool' is up to date.                                                                                       
Repository 'SLE-Product-SLES15-SP1-Updates' is up to date.                                                                                    
Repository 'SLE-Module-Server-Applications15-SP1-Pool' is up to date.                                                                         
Repository 'SLE-Module-Server-Applications15-SP1-Updates' is up to date.                                                                      
Repository 'SLE-Module-Web-Scripting15-SP1-Pool' is up to date.                                                                               
Repository 'SLE-Module-Web-Scripting15-SP1-Updates' is up to date.                                                                            
All repositories have been refreshed.

Next, show a list of all available updates and patches on OpenSUSE or SUSE Enterprise Linux server:
zypper list-updates
Sample outputs:

Loading repository data...
Reading installed packages...
S | Repository                          | Name              | Current Version             | Available Version            | Arch  
--+-------------------------------------+-------------------+-----------------------------+------------------------------+-------
v | SLE-Module-Basesystem15-SP1-Updates | command-not-found | 0.2.1+20181004.20a0aae-4.28 | 0.2.2+20190613.e6c2668-6.3.2 | noarch
v | SLE-Module-Basesystem15-SP1-Updates | rsyslog           | 8.33.1-3.17.1               | 8.33.1-3.22.4                | x86_64
v | SLE-Module-Basesystem15-SP1-Updates | scout             | 0.2.1+20181004.20a0aae-4.28 | 0.2.2+20190613.e6c2668-6.3.2 | noarch
v | SLE-Module-Basesystem15-SP1-Updates | yast2-dns-server  | 4.1.2-7.83                  | 4.1.4-9.3.2                  | noarch

Finally, apply those updates, run:
sudo zypper update
Sample outputs:

The following 4 packages are going to be upgraded:
  command-not-found rsyslog scout yast2-dns-server
 
4 packages to upgrade.
Overall download size: 848.7 KiB. Already cached: 0 B. After the operation, additional 19.7 KiB will be used.
Continue? [y/n/v/...? shows all options] (y): y
Retrieving package rsyslog-8.33.1-3.22.4.x86_64                                                          (1/4), 625.5 KiB (  2.2 MiB unpacked)
Retrieving: rsyslog-8.33.1-3.22.4.x86_64.rpm ...........................................................................................[done]
Retrieving package scout-0.2.2+20190613.e6c2668-6.3.2.noarch                                             (2/4),  85.5 KiB (248.7 KiB unpacked)
Retrieving: scout-0.2.2+20190613.e6c2668-6.3.2.noarch.rpm ..............................................................................[done]
Retrieving package yast2-dns-server-4.1.4-9.3.2.noarch                                                   (3/4),  92.0 KiB (433.9 KiB unpacked)
Retrieving: yast2-dns-server-4.1.4-9.3.2.noarch.rpm ....................................................................................[done]
Retrieving package command-not-found-0.2.2+20190613.e6c2668-6.3.2.noarch                                 (4/4),  45.7 KiB (116.0 KiB unpacked)
Retrieving: command-not-found-0.2.2+20190613.e6c2668-6.3.2.noarch.rpm ..................................................................[done]
 
Checking for file conflicts: ...........................................................................................................[done]
(1/4) Installing: rsyslog-8.33.1-3.22.4.x86_64 .........................................................................................[done]
Additional rpm output:
Updating /etc/sysconfig/syslog ...
 
 
(2/4) Installing: scout-0.2.2+20190613.e6c2668-6.3.2.noarch ............................................................................[done]
(3/4) Installing: yast2-dns-server-4.1.4-9.3.2.noarch ..................................................................................[done]
(4/4) Installing: command-not-found-0.2.2+20190613.e6c2668-6.3.2.noarch ................................................................[done]

See zypper man page here.

Conclusion

This page described the process of keeping your Linux based system up-to-date, which involves installing updates and security patches.

Posted by: Vivek Gite

The author is the creator of nixCraft and a seasoned sysadmin, DevOps engineer, and a trainer for the Linux operating system/Unix shell scripting. Get the latest tutorials on SysAdmin, Linux/Unix and open source topics via RSS/XML feed or weekly email newsletter.

Start the discussion at www.nixcraft.com

Historical Comment Archive