Debian apt-get upgrade How to install only security updates?

Question

How to install only security updates in Debian? When I run apt-get upgrade, apt will offer all updates.

Answer 1

Debsecan (Debian Security Analyzer) is better for manual upgrade and it can produce clear output. There are CVEs for detail information too. At first install debsecan:

sudo apt-get install debsecan

Get your distribution codename of Debian. For example:

cat /etc/os-release

And now install all security updates (instead of buster choose your suite detected from previous command. Values can be 'woody', 'sarge', 'etch', 'lenny', 'squeeze', 'wheezy', 'jessie', 'stretch', 'buster', 'bullseye' ... etc):

sudo apt-get install $(debsecan --suite buster --format packages --only-fixed)

---

All CVEs can be listed before the upgrade (use --format detail for detailed output):

debsecan

for example part of summary output:

Answer 2

The package unattended-upgrades installs only security upgrades by default. You can configure it to install them automatically, or just call it with:

sudo unattended-upgrade

More information on how to get it running properly: https://wiki.debian.org/UnattendedUpgrades