How to only install security updates on debian
Solution 1
For Squeeze use squeeze-lts if possible! (i386 and amd64 only...)
Append this to your sources.list:
deb http://http.debian.net/debian squeeze-lts main contrib non-free
deb-src http://http.debian.net/debian squeeze-lts main contrib non-free
and then run
apt-get update
apt-get install -t squeeze-lts --only-upgrade bash
Here is more detail on squeeze-lts: https://wiki.debian.org/LTS/Using
If you really want to patch Debian Lenny, check out this gist (but rather consider updating to a newer distro!)
Solution 2
You can use:
apt-get install --only-upgrade <package>
If <package> is installed, this will upgrade only the specified package.
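An added example, not part of the answers on this page: a filter over apt-get's simulation output that lists only the pending installs coming from a security suite, so they can be reviewed before running `apt-get install --only-upgrade` on them. The function names `security_upgrades` and `sample_sim`, the default pattern and the sample lines are assumptions made for illustration.

```sh
#!/bin/sh
# Added example. Reads apt-get simulation output (-s installs nothing) and
# prints "package old_version new_version" for every pending install whose
# source field matches a pattern (default: a security suite).
# Assumption: the pattern must match the suite label your mirror reports,
# e.g. pass 'squeeze-lts' on a Squeeze LTS system after checking the output.
security_upgrades() {
    pattern=${1:-'[Ss]ecurity'}
    awk -v pat="$pattern" '
        $1 == "Inst" {
            lp = index($0, "("); rp = index($0, ")")
            if (lp == 0 || rp < lp) next
            src = substr($0, lp + 1, rp - lp - 1)   # "newver Origin:suite [arch]"
            if (src !~ pat) next
            # No [oldver] field means the package is not installed yet, i.e.
            # a new dependency that --only-upgrade does not hold back.
            old = ($3 ~ /^\[/) ? substr($3, 2, length($3) - 2) : "-"
            split(src, f, " ")
            print $2, old, f[1]
        }'
}

# Constructed sample of `apt-get -s dist-upgrade` output (versions are made up).
sample_sim() {
    cat <<'EOF'
Reading package lists...
Inst bash [1.0-1] (1.0-1+sec1 Debian-Security:7.0/oldstable [amd64])
Inst tzdata [5.0-1] (5.0-2 Debian:7.6/oldstable [all])
Inst libssl1.0.0 [2.0-1] (2.0-1+sec2 Debian-Security:7.0/oldstable [amd64])
Inst libnew (3.0-1+sec1 Debian-Security:7.0/oldstable [amd64])
Conf bash (1.0-1+sec1 Debian-Security:7.0/oldstable [amd64])
EOF
}

sample_sim | security_upgrades
# On a real host, review the list first:
#   apt-get update && apt-get -s dist-upgrade | security_upgrades
# then upgrade the reviewed names with: apt-get install --only-upgrade <package>
```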
Solution 3
Ubuntu 12.04 “Precise” and 14.04 “Trusty”, Debian 7 “Wheezy”
apt-get update; apt-get install bash
Debian 6 “Squeeze”
/etc/apt/sources.list.d/squeezelts.list
deb http://http.debian.net/debian/ squeeze-lts main contrib non-free
deb-src http://http.debian.net/debian/ squeeze-lts main contrib non-free
/etc/apt/apt.conf.d/50squeezelts
APT::Default-Release "squeeze-lts";
Then run the update:
apt-get update; apt-get install bash
Patching older and unsupported systems such as Lenny
# Retrieve and install dependencies first
apt-get update && apt-get install build-essential gettext bison
# Get bash 3.2 source
wget http://ftp.gnu.org/gnu/bash/bash-3.2.tar.gz
tar zxvf bash-3.2.tar.gz
cd bash-3.2
# Download and apply all patches
# Includes patches for CVE-2014-6271 (52) *AND* CVE-2014-7169 (53) *AND* Florian Weimer patch (54)
for i in $(seq -f "%03g" 1 54); do
    wget -nv http://ftp.gnu.org/gnu/bash/bash-3.2-patches/bash32-$i
    patch -p0 < bash32-$i
done
# Compile and install to /usr/local/bin/bash
./configure && make
make install
# Point /bin/bash to the new binary
mv /bin/bash /bin/bash.old
ln -s /usr/local/bin/bash /bin/bash
Updated on September 18, 2022
Comments
Harrys Kavan over 1 year
Because of the Shell Shock bug I need to make updates on some of our machines.
But I am not sure if all of the packages suggested in apt-get upgrade are OK for my system. In other words I am not sure if there are any dependencies.
Our system administrator is not here yet and we cannot contact him.
So my question is, how can I only apt-get upgrade the security updates, without having to update everything to the newest available version in debian stable?
EDIT SOLUTION
apt-get install --only-upgrade bash
did the thing for me.
On one of our servers, there was still just Debian Squeeze installed.
Changing squeeze to wheezy in /etc/apt/sources.list and then running:
apt-get update
apt-get install --only-upgrade bash
installed the fixed bash into this older squeeze system.
Alen Milakovic over 9 years
"the newest available version in debian stable" usually is the security updates. Stable typically does not change otherwise. There are some packages that are just upgraded to the newest release (e.g. chromium) because it is too hard for the security team to backport security fixes (I think), but you should upgrade that too.
Grim... over 9 years
Hi - I'm also using Squeeze but I'm having trouble getting Bash to upgrade. Can you post the line(s) you changed in the sources.list file, in case the squeeze version is missing from mine?
Rob over 9 years
I would warn readers not to casually change squeeze to wheezy, because that is a major Debian upgrade. The 'wheezy' version of bash depends on newer versions of several core libraries, such as libc6, so you would be risking instability. You are not merely upgrading bash, but shared libraries that almost everything else in Debian will be using. Use Squeeze LTS instead (see answer below).
Rob over 9 years
According to the man page for apt-get, the only-upgrade option merely prevents installation of the specified package if it wasn't installed. Note that it does not prevent dependencies being installed. (NB The bash package in Debian is always installed, so the option would have no effect.)
terdon over 9 years
This is not a good idea. Next time the OP runs apt-get upgrade the entire system will be moved to sid.
Florian Fida over 9 years
Please note: this makes you switch to squeeze-lts the next time you run apt-get upgrade - which is a good idea, but something you should be aware of. If you're building bash-3.2 for older systems, make sure that make went well before issuing make install.
Ales over 9 years
I agree, executing commands sequentially is better. Caution is never enough.