How to Apply Critical Security Patches on Linux: A Step-by-Step Guide

By

Introduction

Keeping your Linux system secure requires regularly applying security updates. Distributions like AlmaLinux, Debian, Fedora, SUSE, and Ubuntu release patches for vulnerabilities in core packages—such as freerdp, glib2, libsoup3, openexr, dnsmasq, p7zip, p7zip-rar, python-authlib, rails, chromium, firefox, httpd, nss, java-25-openj9, krb5, libmodsecurity3, mcphost, imagemagick, and multiple linux kernels. This guide will walk you through checking, reviewing, and installing these updates safely.

What You Need

• A Linux system running AlmaLinux, Debian, Fedora, SUSE, or Ubuntu (or a derivative)
• Root or sudo access
• An active internet connection
• Basic familiarity with the terminal

Step-by-Step Instructions

Step 1: Refresh Your Package Metadata

Start by updating the list of available packages. This ensures you see the latest security patches.

• Debian / Ubuntu: sudo apt update
• Fedora / AlmaLinux: sudo dnf check-update (or sudo dnf makecache for a full refresh)
• SUSE: sudo zypper refresh

Step 2: Review Available Security Updates

List packages that have updates, focusing on security advisories.

• Debian / Ubuntu: apt list --upgradable
  Look for packages like dnsmasq, p7zip, python-authlib, rails, imagemagick, and linux-* kernels.
• Fedora / AlmaLinux: dnf updateinfo list
  Check for chromium, firefox, httpd, nss, freerdp, glib2, libsoup3, openexr.
• SUSE: zypper list-patches
  Pay attention to patches mentioning java-25-openj9, krb5, libmodsecurity3, mcphost.

Step 3: Apply the Updates

Install all pending security updates. Use the following commands:

• Debian / Ubuntu: sudo apt upgrade
  For kernel updates (e.g., linux-image-*), use sudo apt full-upgrade if needed.
• Fedora / AlmaLinux: sudo dnf upgrade --security
  This applies only security-related updates. Alternatively, sudo dnf upgrade updates everything.
• SUSE: sudo zypper patch
  Applies all recommended patches, including security ones.

Step 4: Reboot After Kernel Updates

If you installed a new kernel (common with linux-aws, linux-azure, linux-gcp, linux-nvidia, etc.), reboot to activate it.

1. Verify the new kernel is installed: uname -r (check version before rebooting).
2. Reboot: sudo reboot or sudo systemctl reboot.

Step 5: Confirm Installation

After reboot (or if no reboot required), verify the updates took effect.

• Debian / Ubuntu: dpkg -l | grep
  Example: dpkg -l | grep dnsmasq shows installed version.
• Fedora / AlmaLinux / SUSE: rpm -qa | grep
  Example: rpm -qa | grep chromium or rpm -qa | grep java-25-openj9.

Compare versions with the advisory from your distro's security page.

Tips for Smooth Updates

• Schedule regular checks: Set a weekly cron job or use a tool like unattended-upgrades (Debian/Ubuntu) or dnf-automatic (Fedora) to automate security updates.
• Test in a staging environment before applying to production servers, especially for critical packages like httpd, nss, or kernel modules.
• Back up important data before major upgrades, particularly when a reboot is required.
• Monitor security advisories from AlmaLinux, Debian, Fedora, SUSE, and Ubuntu to stay informed.
• Use needrestart on Debian/Ubuntu to check which services need restarting after library updates.

Related Articles

• Fedora Linux 44: What's New and How to Upgrade
• Streamlining Linux Kernel Configuration with Kconfirm: A Practical Guide
• Firefox’s Free VPN Expands: Users Can Now Choose Server Location – Major Privacy Upgrade
• Fedora Atomic Desktops in Fedora 44: Key Updates and Q&A
• Testing Sealed Bootable Images on Fedora Atomic Desktops: A Step-by-Step Guide
• Fedora Releases Sealed Bootable Container Images for Atomic Desktops – Enhanced Security with Verified Boot Chain
• Fedora 44 Arrives: GNOME 50, Plasma 6.6, and Enhanced Gaming
• Let-Go: A Fast, Embeddable Clojure-Like Language Built on Go