How to Apply Critical Security Patches on Linux: A Step-by-Step Guide
Introduction
Keeping your Linux system secure requires regularly applying security updates. Distributions like AlmaLinux, Debian, Fedora, SUSE, and Ubuntu release patches for vulnerabilities in core packages—such as freerdp, glib2, libsoup3, openexr, dnsmasq, p7zip, p7zip-rar, python-authlib, rails, chromium, firefox, httpd, nss, java-25-openj9, krb5, libmodsecurity3, mcphost, imagemagick, and multiple linux kernels. This guide will walk you through checking, reviewing, and installing these updates safely.
What You Need
- A Linux system running AlmaLinux, Debian, Fedora, SUSE, or Ubuntu (or a derivative)
- Root or sudo access
- An active internet connection
- Basic familiarity with the terminal
Step-by-Step Instructions
Step 1: Refresh Your Package Metadata
Start by updating the list of available packages. This ensures you see the latest security patches.
- Debian / Ubuntu:
sudo apt update - Fedora / AlmaLinux:
sudo dnf check-update(orsudo dnf makecachefor a full refresh) - SUSE:
sudo zypper refresh
Step 2: Review Available Security Updates
List packages that have updates, focusing on security advisories.
- Debian / Ubuntu:
apt list --upgradable
Look for packages like dnsmasq, p7zip, python-authlib, rails, imagemagick, and linux-* kernels. - Fedora / AlmaLinux:
dnf updateinfo list
Check for chromium, firefox, httpd, nss, freerdp, glib2, libsoup3, openexr. - SUSE:
zypper list-patches
Pay attention to patches mentioning java-25-openj9, krb5, libmodsecurity3, mcphost.
Step 3: Apply the Updates
Install all pending security updates. Use the following commands:
- Debian / Ubuntu:
sudo apt upgrade
For kernel updates (e.g., linux-image-*), usesudo apt full-upgradeif needed. - Fedora / AlmaLinux:
sudo dnf upgrade --security
This applies only security-related updates. Alternatively,sudo dnf upgradeupdates everything. - SUSE:
sudo zypper patch
Applies all recommended patches, including security ones.
Step 4: Reboot After Kernel Updates
If you installed a new kernel (common with linux-aws, linux-azure, linux-gcp, linux-nvidia, etc.), reboot to activate it.
- Verify the new kernel is installed:
uname -r(check version before rebooting). - Reboot:
sudo rebootorsudo systemctl reboot.
Step 5: Confirm Installation
After reboot (or if no reboot required), verify the updates took effect.
- Debian / Ubuntu:
dpkg -l | grep
Example:dpkg -l | grep dnsmasqshows installed version. - Fedora / AlmaLinux / SUSE:
rpm -qa | grep
Example:rpm -qa | grep chromiumorrpm -qa | grep java-25-openj9.
Compare versions with the advisory from your distro's security page.
Tips for Smooth Updates
- Schedule regular checks: Set a weekly cron job or use a tool like
unattended-upgrades(Debian/Ubuntu) ordnf-automatic(Fedora) to automate security updates. - Test in a staging environment before applying to production servers, especially for critical packages like httpd, nss, or kernel modules.
- Back up important data before major upgrades, particularly when a reboot is required.
- Monitor security advisories from AlmaLinux, Debian, Fedora, SUSE, and Ubuntu to stay informed.
- Use
needrestarton Debian/Ubuntu to check which services need restarting after library updates.
Related Articles
- Building a Virtuous Cycle: The Three Pillars of Platform Engineering
- gThumb 4.0 Alpha Drops with Radical GTK4 Redesign, WEBP and Censor Tools
- Ubuntu Twitter Hacked: Fake AI Agent Tweet Pushes Crypto Scam After DDoS Assault
- How Meta's AI-Powered Agents Supercharge Hyperscale Efficiency
- Ubuntu 26.10 Codename 'Stonking Stingray' Revealed – Here's What It Means
- Upgrade Your Fedora Silverblue to Fedora 44: A Complete Migration Guide
- Comprehensive Security Patch Roundup: Key Updates from Major Linux Distributions
- How to Stay Productive When Ubuntu Services Are Unavailable Due to a DDoS Attack