I've inherited the following Virtual Machine scenario and am new to Linux Administration and Patch Management.

The Host Operating System is Windows 2003 Enterprise, which has VMware Server 2.0.2 installed. Under the VMware Server 2.0.2 I have a Ubuntu 32-bit OS web server running Apache2 Web Services.

When I log onto the Ubuntu server (9.10 32-bit) I see the following two lines just above the new mail/last logon lines.

85 packages can be updated
55 updates are security updates

I would like to see at least a summary of each update and its urgency so I can notify the various developers/server owners to get their input regarding whether we should or should not apply that particular update to the server. We apply the patches in our test/dev environment first then once vetted there we roll them out to our production servers.

What I am looking for is a way to automate the gathering of the information and once approval has been received automating the actual patching process so that I do not have to manually perform the apt-get process for each separate package needed/approved.

Ideally I would like a recommendation for a GUI based package to manage this process and that is capable of generating the appropriate reports for the 'powers that be' regarding the current security/patch management environment.

For proof of concept I would like a free version that is not hamstrung in functionality but is not too costly to procure the production version with no limitations.

If you have any recommendations please feel free to apply to this post.

You could automate that using some scripting.

You can browse through the available updates using aptitude. Once you installed them, you can use the following command to get a definitive list of installed packages (with their respective version numbers):
This can be used as command line input for apt-get/aptitude "install" command the other boxes.

On a debian system, I would just install all security upgrades without hesitating because debian guarantees there will never be any incompatibilities by not accepting newer versions as security updates but -- if necessary -- porting the patches back to the current stable distribution's version. But I'm not entirely sure Ubuntu follows the same safe policy

I appreciate your input but I still need to give a summation of the proposed patches to the approvers before I install the updates.

So I need to see a comprehensive list of what needs to be applied to the server, put together a list of these patches with a high level summation of what each one will fix and once I receive approval I need to apply these patches in an automated manner if possible.

In your reply you state "You can browse through the available updates using aptitude". Is there a particular file that contains the list of updates? Or is that a particular directory that contains all of the proposed updates? If so what is the file/directory location? Or what is the command syntax to browse through the updates?

As I indicated I am extremely new at Linux Admin tasks and just not familiar enough at the present time with where everything is located and the proper syntax to use for the aptitude command to browse the list of patches.

Ok, then I didn't fully understand what you want. aptitude will show you the package descriptions of all updates (including security updates in a first group), but not the descriptions of the bugs/fixes...

Maybe the tool "apt-listbugs" comes closest, it shows a list of found and fixed bugs directly before installation is started and allows to cancel the whole action. But you'd probably have a lot of scripts to write for getting it to do what you want. Sorry, I don't think there's an existing software doing that.

I was able to obtain the information I sought by manually going through the Aptitude module and using the following procedures.

1. Logged onto the server with an account with admin rights.
a. I entered sudo aptitute update, entered my accounts password when prompted, to update the current list of available updates and patches.

b. Once the update was done I entered sudo aptitude to launch the aptitude application.

i. From within Aptitude application highlighted the Critical updates and drilled down through each level to view what each proposed critical package was about and document the brief description provided by the Aptitude program about the package in an Excel spreadsheet for the 'powers that be' to review.

c. Once I received permission to apply the updates I ran the sudo aptitude safe-upgrade command to update the critical updates. When I was prompted I entered ‘Yes’ to continue the upgrade process.

d. After the download and installation was completed I rebooted the system then ran the sudo aptitude update and sudo aptitude commands once again to verify there were no other critical updates needed at this time.


While the above process was not ideal, it did allow me to accomplish my task of documenting the critical updates for the Ubuntu 9.04 LAMP servers in my environment and get buy-in from the various departments to apply the patches to these servers.


I consider this post closed at this time.