Updating & Upgrading Linux Distributions: Essential Security Practices 5 - 9 min read

 Applying security updates promptly after they are released is critically important for us Linux admins, as this practice helps protect against vulnerabilities that malicious actors could exploit. Failing to update could expose your Linux systems to cyberattacks, data breaches, and other severe security risks.

In this article, I'll guide you through checking installed versions of packages and performing security updates on popular Linux distributions, including Ubuntu, Fedora, Debian, Arch Linux, and openSUSE, thus reducing potential risks that could threaten the security and availability of your systems and your critical data. This is precisely the type of resource I was seeking as a junior sysadmin, and I hope these instructions will help make your Linux administration journey simpler and safer when you need to upgrade Linux. Let’s get started!

What Are the Implications of Continuing to Use a Linux Distro Beyond Its Supported Date?

Using a Linux distro past its supported date leaves your system unpatched, unsupported, and increasingly vulnerable to new security threats.

Running a Linux distro beyond its supported date is risky for any admin. Once a distribution has reached its end of life (EOL), it no longer receives security updates, patches, or bug fixes. This leaves your system vulnerable to new security threats that won't be addressed. 

Over time, this lack of updates can lead to compatibility issues with newer software, which might require dependencies that won't be updated on EOL systems. In practice, it also means that if you encounter any problems, getting help from the community or official support channels will be much harder as the focus shifts to newer, supported versions.

Running outdated software can also have compliance implications, especially in regulated industries where maintaining updated and secure systems is required. As a sysadmin, planning and scheduling regular upgrades is crucial to avoid downtime and ensure your systems remain safe and supported. This involves staying aware of your distro’s release and support schedules, testing new versions in staging environments, and having a clear upgrade path so you’re never caught off guard by an expired support window.

Once repositories age out or metadata stops receiving updates, hash mismatches and signature failures also become more common, making it necessary to fall back on standard Linux integrity verification methods to validate files directly.

Updates vs. Upgrades: Understanding the Difference

While seemingly similar, updating and upgrading a Linux distribution refer to different operations within the context of system maintenance. Understanding this difference is a key part of preventing system drift in Linux and maintaining a stable environment.

Updating a Linux distribution typically involves fetching and installing the latest versions of the installed software packages from the repositories. When you run an update command (such as sudo apt-get update or apt update), the package manager syncs the local list of available packages with the remote repositories. After running apt-get upgrade or apt upgrade, the system retrieves and installs the updated versions of the packages without changing any major versions of the operating system itself.

In contrast, upgrading a Linux distribution usually means moving to a newer version of the distribution itself. This involves more significant changes and can include new features, new kernel versions, and more up-to-date software stacks. In Debian-based systems, this is often performed using commands like apt-get dist-upgrade or do-release-upgrade, which handle complexities beyond simple package updates like dependencies and system configuration changes.

Benefits of Updating Packages Manually vs. Relying on Automatic Updates

Manual updates offer several advantages, such as selective control, allowing admins to prioritize critical security patches while avoiding updates that could disrupt existing configurations. They also enhance change management by letting updates be scheduled during maintenance windows, minimizing downtime, and enabling testing in staging environments before deployment. This ensures smoother operation and reduced risk.

Additionally, manual updates provide customization options tailored to the system's specific needs, ensuring optimal performance. They also foster increased security awareness, as staying hands-on with updates keeps admins informed about the latest vulnerabilities and mitigations. Collectively, these benefits enable us admins to maintain a robust, secure, and well-managed environment suited to our operational requirements.

How To Enable Automatic Updates for Your Linux Distro

Should you choose to enable automatic updates for your Linux distro, here's a practical guide for doing so. This will ensure your systems are consistently updated with the latest security patches and improvements. Follow these steps for Ubuntu, Fedora, Debian, Arch Linux, and openSUSE to streamline your update process.

Ubuntu

First, install Unattended-Upgrades:

sudo apt install unattended-upgrades

Then enable it:

sudo dpkg-reconfigure --priority=low unattended-upgrades

Edit:

/etc/apt/apt.conf.d/50unattended-upgrades

Ensure required lines such as:

"origin=Debian,codename=${distro_codename}-security";

are uncommented.

Optional auto-removal:

Unattended-Upgrade::Remove-Unused-Dependencies "true";

Configure periodic updates in:

/etc/apt/apt.conf.d/20auto-upgrades

Add:

APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";

Fedora

Install DNF-Automatic:

sudo dnf install dnf-automatic

Edit:

/etc/dnf/automatic.conf

Set:

apply_updates = yes

Enable the timer:

sudo systemctl enable --now dnf-automatic.timer

Debian

Install Unattended-Upgrades:

sudo apt install unattended-upgrades

Enable it:

sudo dpkg-reconfigure --priority=low unattended-upgrades

Edit:

/etc/apt/apt.conf.d/50unattended-upgrades

Set schedule in:

/etc/apt/apt.conf.d/20auto-upgrades

Add:

APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";

Arch Linux

Install cron:

sudo pacman -S cronie

Enable cron:

sudo systemctl enable --now cronie

Add a cron job:

crontab -e

0 3 * * * sudo pacman -Syu --noconfirm

Or configure a systemd timer with:

/etc/systemd/system/pacman-update.timer

/etc/systemd/system/pacman-update.service

Enable timer:

sudo systemctl enable --now pacman-update.timer

openSUSE

Install automatic updates:

sudo zypper install zypper-automatic

Edit:

/etc/zypp/zypp.conf

Set:

autoupdater=true

Enable timer:

sudo systemctl enable --now zypper-automatic.timer

How Can I Upgrade Ubuntu & Update Packages?

You can upgrade Ubuntu by updating your package lists, upgrading installed packages, and running the release upgrade tool.

Check Installed Version:

dpkg -s | grep Version

Update package list:

sudo apt update

Upgrade an individual package:

sudo apt install --only-upgrade

Upgrade Linux (Ubuntu):

sudo apt update && sudo apt upgrade -y && sudo apt dist-upgrade

Clean up:

sudo apt autoremove && sudo apt clean

Release upgrade:

sudo do-release-upgrade

Clarification:
apt upgrade installs routine package updates, while apt full-upgrade and apt-get dist-upgrade can remove or replace packages to complete a full system transition.

Ubuntu Release Schedule 

Ubuntu has a two-year release cycle, and LTS, or 'Long Term Support, ' releases are published in April. Ubuntu has both Long-Term Support (LTS) releases and interim releases. For desktop and server versions, LTS versions are supported for 5 years, while interim releases are supported for 9 months. 

How Can I Upgrade Fedora & Update Packages?

You can upgrade Fedora by updating packages, installing the system-upgrade plugin, downloading the new release, and rebooting to apply the upgrade.

Check version:

rpm -q

Update package:

sudo dnf update

Upgrade Fedora:

sudo dnf install dnf-plugin-system-upgrade

sudo dnf system-upgrade download --releasever=XX

sudo dnf system-upgrade reboot

Fedora Release Schedule

Fedora releases two major OS versions each year, aiming for the fourth Tuesday in April and October. Each release is supported for approximately 13 months.

How Can I Upgrade Debian & Update Packages?

You can upgrade Debian by updating package lists, upgrading current packages, updating your sources list to the next release, and completing a full upgrade.

Check version:

dpkg -s | grep Version

Update package list:

sudo apt update

Upgrade individual package:

sudo apt install --only-upgrade

Upgrade Debian:

sudo apt update && sudo apt upgrade -y && sudo apt full-upgrade

Edit sources:

/etc/apt/sources.list

Replace the old codename with the new release.

Finish upgrade:

sudo apt update

sudo apt upgrade

sudo apt full-upgrade

sudo reboot

Debian Release Schedule

Debian releases do not follow a fixed schedule. The Debian Project has released recent versions roughly every two years. Regular Debian releases are supported for about 3 years after the initial release, while LTS releases are supported for 5 years through the Long-Term Support project.

How Can I Upgrade Arch Linux & Update Packages?

You can upgrade Arch Linux by checking installed package versions and running a full system upgrade using pacman.

Check version:

pacman -Qi | grep Version

Update package:

sudo pacman -S

Upgrade system:

sudo pacman -Syu

ArchLinux Release Schedule

Arch Linux does not have a formal release schedule or a predetermined support timeline. Instead, the distro uses a "rolling release" system where new packages are released throughout the day. Its package management allows users to easily keep systems updated. There is no fixed support period as new packages and updates are regularly provided.

How Can I Upgrade openSUSE & Update Packages?

You can upgrade openSUSE by refreshing repositories, updating installed packages, and performing a distribution upgrade with zypper.

Check version:

rpm -q

Update package:

sudo zypper update

Upgrade system:

sudo zypper refresh

sudo zypper update

sudo zypper dist-upgrade

openSUSE Release Schedule

openSUSE Leap Micro is released twice a year and receives maintenance updates approximately every 12 months. openSUSE Leap is supported for about 18 months per minor release or until the next minor release. openSUSE Tumbleweed is a rolling release and is continuously updated without a fixed support period.

These steps will help you upgrade each of the listed Linux distributions to their latest versions. Always ensure you have backups of your important data before upgrading.

Our Final Thoughts on the Importance of Timely Linux Security Updates

Maintaining up-to-date Linux distributions with security patches and software upgrades is not only a best practice but also a necessary measure to protect your systems against potential threats. We’ve provided detailed instructions for checking and updating existing packages across popular distributions. Follow these steps to ensure your system remains robust and less susceptible to attacks. Regular updates and a disciplined cybersecurity approach help maintain operational integrity. Always back up important files before upgrading. 

Stay informed on the latest vulnerabilities, patches, and Linux security developments by following our live updates in the Linux Security News Hub.