Ubuntu – Effects on applications caused by security updates

Tags: apt, unattended-upgrades, update-manager, updates, upgrade

I want my Server to run unattended-upgrades regularly and keep my server auto updated and install only security updates.

But I don't want to update the main versions of several packages.

For Example:
I want my server to have PHP 5.4 running. I am OK with minor updates such as:

  • 5.4.30 to 5.4.37 or 5.4.xx to 5.4.yy

But I don't want to change the main version updates, such as:

  • 5.4.48 to 5.5.1 or 5.x.a to 5.y.a

Can this be done with unattended-upgrades?

Right now what I have done is exclude PHP5-* from being auto updated by unattended-upgrades. Is there a better way to do this?

Or is there a standard on Ubuntu Security Updates, like they do not upgrade the main version of an application, such as 5.4.48 to 5.5.1 or 5.x.a to 5.y.a, etc.?

Best Answer

I found this post on Ubuntu Forums somewhat helpful; thought it's worth sharing:

Your system isn't smart enough to know if a particular update includes a new feature, a bugfix, or a security patch. It only knows the software's repository. Happily, you can tell (and filter) based on the repository.

If the upstream project releases a security patch for a CVE, the Ubuntu Security Team applies it to the current version, and it goes into the *-security repository.

*-security does not include updates. CVE patches only. The upstream version number does not change, the Debian or Ubuntu version number does change: Foo 1.2.3-1ubuntu2 becomes Foo 1.2.3-1ubuntu3

You can easily enable automatic updates for *-security repos in /etc/apt/apt.conf.d/50unattended-upgrades or in Ubuntu's Software & Updates control panel.

Also: If you enable the *-updates repository, then you will get those minor improvements you don't mind. But the system has no way to determine if an update is too much for your comfort...it's not psychic...so perhaps you should disable that repository.

Finally: Some users get confused when a famous vulnerability gets discovered, and the upstream project seems to recommend upgrading to the latest version to fix it. Follow the CVE number at security.ubuntu.com instead of following the hype.
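To make the version pattern the quoted post describes concrete, here is an added Python audit script (not part of the original answer, the forum post, or the unattended-upgrades project). It reads the `Inst` lines that `apt-get -s upgrade` prints, splits each Debian version into epoch, upstream version and Ubuntu revision, and classifies every pending upgrade as a revision-only change (what *-security ships), an upstream patch release that keeps major.minor, or a major.minor bump like 5.4.48 to 5.5.1. The sample lines and the PPA origin name are constructed.

```python
import re

# apt-get -s upgrade prints one line per planned install, for example:
# Inst php5-cli [5.4.30-1ubuntu1] (5.4.37-1ubuntu2 Ubuntu:14.04/trusty-updates [amd64])
INST_RE = re.compile(r"^Inst (\S+) \[([^\]]+)\] \((\S+) (\S+)")

def split_version(v):
    """Split a Debian version string [epoch:]upstream[-revision] into its parts."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    if "-" in v:
        upstream, revision = v.rsplit("-", 1)
    else:
        upstream, revision = v, ""
    return epoch, upstream, revision

def classify(installed, candidate):
    """'revision': same upstream version, only -XubuntuY moves (the *-security pattern).
       'patch'   : upstream moves but major.minor is kept (5.4.30 -> 5.4.37).
       'upstream': epoch or major.minor changes (5.4.48 -> 5.5.1)."""
    e1, u1, _ = split_version(installed)
    e2, u2, _ = split_version(candidate)
    if (e1, u1) == (e2, u2):
        return "revision"
    mm1 = re.findall(r"\d+", u1)[:2]   # first two numeric components
    mm2 = re.findall(r"\d+", u2)[:2]
    return "patch" if (e1, mm1) == (e2, mm2) else "upstream"

def audit(simulation_output):
    """Return (package, installed, candidate, origin, class) for every Inst line."""
    results = []
    for line in simulation_output.splitlines():
        m = INST_RE.match(line)
        if m:
            pkg, inst, cand, origin = m.groups()
            results.append((pkg, inst, cand, origin, classify(inst, cand)))
    return results

def unexpected_upstream_bumps(simulation_output):
    """Packages whose upstream major.minor would change, i.e. the updates the question wants to block."""
    return [pkg for pkg, _, _, _, cls in audit(simulation_output) if cls == "upstream"]

# Constructed sample of apt-get -s upgrade output; the PPA origin name is a placeholder.
SAMPLE = """\
Inst php5-cli [5.4.30-1ubuntu1] (5.4.37-1ubuntu2 Ubuntu:14.04/trusty-updates [amd64])
Inst openssl [1.0.1f-1ubuntu2.5] (1.0.1f-1ubuntu2.6 Ubuntu:14.04/trusty-security [amd64])
Inst php5-fpm [5.4.48-1] (5.5.1-1 example-ppa:trusty [amd64])
"""

if __name__ == "__main__":
    for pkg, inst, cand, origin, cls in audit(SAMPLE):
        print(f"{pkg:10} {inst:>18} -> {cand:<18} {origin:32} {cls}")
```

Feed it real output with `apt-get -s upgrade | python3 audit.py`-style piping (reading stdin instead of `SAMPLE`) to see which pending upgrades come from a *-security pocket and which would cross a major.minor boundary before unattended-upgrades runs.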
