Skip links

Ubuntu applies security fixes for all versions back to 14.04

Ubuntu has issued a batch of updates that cover the default as well as the AWS and KVM flavours for the current short-term release 21.10, both the original 5.04 and OEM 5.14 builds for the current 20.04 LTS release, as well as 18.04, and, surprisingly, even 16.04 and 14.04.

While kernel releases trickle out all the time, the last two members of that list – 2016’s Xenial Xerus and 2014’s Trusty Tahr – emphasise that even very old releases in Extended Security Maintenance or ESM sometimes need a bit of TLC.

It also might surprise some that multiple different Linux kernels are available for a single product release. Although Ubuntu pushes out a new Long-Term Support (LTS) release every even-numbered year, those get five years of bugfixes.

If you run an LTS release but you need features from newer releases, there are two ways forward. If there’s a newer LTS release, upgrade to that – but maybe play it safe and wait for the point-one release, as with any OS. For instance, for 20.04, 20.04.1 arrived the following August.

In the meantime, though, if you need features from a newer short-term release, there’s the Hardware Enablement (HWE) stack. So, for example, although 20.04 shipped with kernel 5.04, if you install the HWE update, you’ll get the kernel, drivers, and some of the display stack of the current release. Right now, that’s 21.10 with kernel 5.13. Ubuntu publishes instructions and it’s a simple job.

If even that isn’t new enough, Ubuntu also maintains what it describes as the OEM kernel series. As the company’s page says, installing that is as simple as:

apt install linux-oem-20.04b

Note, though, that the final letter changes over time, so you should search for later letters on the end. As of the time of writing, linux-oem-20.04d will get you kernel

These methods also work on Ubuntu derivatives such as Linux Mint as well.

Don’t want to be caught out by updates on desktops and laptops? The Reg FOSS desk suggests doing it every day – and that applies to Windows, too. Around here, we generally turn non-server boxes right off at night, so first thing in the morning, turn it on and immediately do a full update, complete with a reboot if necessary. If you share our cavalier attitude towards outdated dependencies, here’s how to do it from the command line:

sudo -s ← this gets you a root shell.

apt update ← refresh the database of available updates.

apt full-upgrade -y ← the modern way to update everything.

apt autoremove -y ← removes any now-superfluous packages, without asking. (Take the -y off the end if you are more cautious.)

apt purge ← deletes any system-provided config files from removed packages.

apt clean ← empties APT’s package cache, which can clear a lot of disk space.

snap refresh ← does the same for those newfangled Snap packages, such as Firefox.

For convenience, you can concatenate them all together:

sudo -s
apt update ; apt full-upgrade -y ; apt autoremove -y ; apt purge ; apt clean ; snap refresh

(Yes, we know, using && instead of ; might be more prudent, but it means extra typing.)

If you use Flatpaks as well, stick flatpak update on the end too.

Usually, Ubuntu keeps the shell history for the root account, so each day, you can just press the up-arrow until the last invocation reappears, then press Enter. ®