upgrade only vulnerable packages with apt

Since I’m using Debian Sid (unstable), every now and then, some stuff gets broken. I have no problem with that — using Sid, it’s expected behaviour. However, sometimes I *really* don’t have time for a broken setup, so I quit upgrading for a week or so.

The problem will already be clear to most: what about packages with known security vulnerabilities? What if that SSH version I’m not installing in fact contains a fix for a remote root exploit I’m not aware of?

So I went looking for a solution, and thought I’d found one in the debsecan package. Here’s debsecan’s description, from Debian’s page of the package:

debsecan is a tool to generate a list of vulnerabilities which affect a particular Debian installation. debsecan runs on the host which is to be checked, and downloads vulnerability information over the Internet. It can send mail to interested parties when new vulnerabilities are discovered or when security updates become available.

However, that’s really all it does: it just reports the packages. It doesn’t upgrade them. It doesn’t even restrict the list to packages for which updates are available. It also lists the same package many times over, once per vulnerability that applies to it, so without piping it through cut/awk and uniq it’s not really easy to get a clear overview of what needs upgrading.

So I set out to write a small bash script which, with the help of debsecan, would simply upgrade what packages it can. Also, it won’t upgrade packages which are marked as “on hold”. For instance, I have an old version of ettercap installed, since I’m not used to the total functionality overhaul which happened somewhere post 0.6.b. I thought it’d interest other Debian/Ubuntu users, so here it is:

#!/usr/bin/env bash

# BASH script created by Ludovic <ludovic dot aelbrecht at gmail dot com>
# released under the GNU General Public License version 2.

#set -x #for debugging output

#abort unless every command named on the command line is available
function checkfile() {
    for i in "$@"; do
        if ! which "$i" &> /dev/null; then
            echo "error: missing $i. please install it, or check its permissions."
            exit 1
        fi
    done
}

checkfile debsecan apt-get #our dependencies

#we need a list of all the packages with security vulnerabilities
#(sort -u rather than uniq, since uniq only drops adjacent duplicates):
pkgs=$(debsecan --format packages | sort -u)

#we need a list of packages which are marked 'hold' - i.e. not allowed to upgrade
hold_list=$(dpkg --get-selections | awk '$2 == "hold" {print $1}')

#we remove the held back packages from the list of vulnerable packages
#(whole-line fixed-string match, so removing 'ssh' can never clip 'openssh'):
for i in $hold_list; do
    pkgs=$(echo "$pkgs" | grep -vxF "$i")
done

if [ -z "$pkgs" ]; then
    echo "no vulnerable packages left to upgrade."
    exit 0
fi

#$pkgs is deliberately unquoted: one argument per package
apt-get install $pkgs

exit 0

Hope someone can use this. (For those who don’t know, just save this in a file, chmod +x it, and place it somewhere in your $PATH, e.g. /usr/bin.)
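As an added example (not the post’s script), here is the same selection split into functions that work on captured command output, so the decision can be dry-run on sample text before anything is installed. It also restricts the result to packages that actually have a newer candidate version, which the post notes debsecan itself does not do; the package names and version strings in the sample inputs are constructed for the demo.

```shell
#!/usr/bin/env bash
# Added example, not the post's script: the selection logic as functions over
# text, so it can be dry-run on captured output before any apt-get call.
# On a real system the three inputs come from:
#   debsecan --format packages   (vulnerable packages, possibly repeated)
#   dpkg --get-selections        (second column 'hold' = never upgrade)
#   apt-cache policy <pkgs...>   (installed vs candidate version per package)

# Deduplicate debsecan's list; sort -u, because uniq only drops adjacent repeats.
vulnerable_pkgs() { printf '%s\n' "$1" | sed '/^$/d' | sort -u; }

# Packages marked 'hold' in the dpkg selections.
held_pkgs() { printf '%s\n' "$1" | awk '$2 == "hold" { print $1 }'; }

# Packages whose apt-cache policy shows a candidate that differs from the
# installed version, i.e. an update really exists for them.
upgradable_pkgs() {
    printf '%s\n' "$1" | awk '
        /^[^ ]+:$/      { pkg = substr($1, 1, length($1) - 1) }
        /^  Installed:/ { inst = $2 }
        /^  Candidate:/ { if (inst != "(none)" && inst != $2) print pkg }' | sort -u
}

# (vulnerable AND upgradable) MINUS held, as set algebra on whole lines with
# sort/uniq, so a held 'ssh' can never clip 'openssh' like a substring sed would.
select_upgrades() {
    local held
    held=$(held_pkgs "$2")
    {
        { vulnerable_pkgs "$1"; upgradable_pkgs "$3"; } | sort | uniq -d
        printf '%s\n' "$held" "$held"
    } | sed '/^$/d' | sort | uniq -u
}

# Constructed sample inputs (package names and versions are made up for the demo).
SAMPLE_DEBSECAN=$(printf 'openssh-server\nlibssl1.1\nopenssh-server\nettercap\nlibxml2\n')
SAMPLE_SELECTIONS=$(printf 'ettercap\t\t\thold\nopenssh-server\t\tinstall\nlibssl1.1\t\tinstall\n')
SAMPLE_POLICY=$(printf '%s\n' 'openssh-server:' '  Installed: 1:7.4p1-10' '  Candidate: 1:7.4p1-11' \
    'libssl1.1:' '  Installed: 1.1.0f-3' '  Candidate: 1.1.0f-3' \
    'ettercap:' '  Installed: 1:0.6.b-14' '  Candidate: 1:0.8.2-10' \
    'libxml2:' '  Installed: 2.9.4+dfsg1-3' '  Candidate: 2.9.4+dfsg1-4')

# Dry run: prints libxml2 and openssh-server, the list that would be handed to
# 'apt-get install --only-upgrade' (ettercap is held, libssl1.1 has no update).
select_upgrades "$SAMPLE_DEBSECAN" "$SAMPLE_SELECTIONS" "$SAMPLE_POLICY"
```

Feeding the result to apt-get with --only-upgrade keeps the script from pulling in a package that is merely suggested by the list but not installed.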

Edit: aww great, wordpress doesn’t even preserve the indentation when I use <code> tags. AFAIK this shouldn’t matter for a bash script, though. I’ve gotta say I’m very, very disappointed by WP (not just for this reason). Makes me wonder if Blogspot wouldn’t have been the way to go.

