How to Apply Critical Security Patches Across Linux Distributions

Introduction

Keeping your Linux system secure requires timely application of security patches. Recently, multiple distributions—including AlmaLinux, Debian, Fedora, Mageia, Slackware, and SUSE—have released important updates addressing vulnerabilities in packages like the kernel, OpenSSH, Nginx, Firefox, Chromium, and many others. This guide provides a step-by-step process to apply these updates regardless of your distribution, ensuring your system remains protected.

What You Need

• A Linux distribution from the list: AlmaLinux, Debian, Fedora, Mageia, Slackware, or SUSE (openSUSE/SLES).
• Root or sudo privileges.
• An active internet connection.
• Basic familiarity with terminal commands.

Step-by-Step Guide

Step 1: Identify Your Distribution

Before updating, confirm your exact distribution and version. Run:

cat /etc/os-release

This command shows distribution name and version. Note it down for the correct package manager commands.

Step 2: Update Package Repositories

Refresh your local package list to include the latest security patches. Use the appropriate command for your distribution:

• AlmaLinux / Fedora / Mageia (RPM-based): sudo dnf update or sudo yum update (AlmaLinux).
• Debian / Ubuntu (Debian-based): sudo apt update
• Slackware: sudo slackpkg update
• SUSE (openSUSE/SLES): sudo zypper refresh

This ensures your system knows the latest available versions.

Step 3: Apply All Available Updates

Upgrade all packages to their latest versions. This will install security fixes for packages listed in the advisory, such as kernel, OpenSSH, Nginx, Firefox, Chromium, and others. Use the following distribution-specific commands:

• AlmaLinux: sudo dnf upgrade — updates freerdp, gimp:2.8, jq, kernel, rsync (and others).
• Debian: sudo apt upgrade — patches chromium, ffmpeg, firewalld, kernel, nginx, openjpeg2, openssh, php7.4, redis.
• Fedora: sudo dnf upgrade — covers apptainer, chromium, coturn, dnsmasq, firefox, kernel, libgit2_1.8, libmetal, nginx* modules, open-amp, perl-Net-CIDR-Lite, pgbouncer, pypy, python-jupytext, rsync, rust-astral-tokio-tar, uriparser, uv, valkey, yelp.
• Mageia: sudo urpmi --auto-update (or use Mageia Control Center) — includes dpkg, firefox, thunderbird, golang, haproxy, samba.
• Slackware: sudo slackpkg upgrade-all — updates dnsmasq, kernel.
• SUSE: sudo zypper update — patches a large set including apache-commons-configuration2, apache2, apptainer, chromedriver, cups-filters, curl, dnsmasq, expat, ffmpeg-4, ffmpeg-7, firebird, firewalld, flux2-cli, glibc, go1.25, go1.26, gosec, grub2, ImageMagick, java-* variants, kdenlive, kernel, keylime-config, krb5, libIex-3_4-33, mozjs115, mozjs78, nginx, openssh, openvswitch, ovmf, PackageKit, perl-* packages, podman, postgresql17, postgresql18, python-pyOpenSSL, python310, rsync, sed, tekton-cli, valkey, xen, zypper-docker.

For any distribution, you can also use a distribution-agnostic tool like sudo apt upgrade (Debian) or sudo dnf upgrade (RHEL).

Step 4: Reboot if Necessary

After updating core components like the kernel, glibc, or system libraries, a reboot is strongly recommended. Check if a reboot is needed:

• Debian/Ubuntu: sudo checkrestart or sudo needrestart (install if needed).
• Fedora/AlmaLinux: sudo dnf needs-restarting -r
• SUSE: sudo zypper ps lists processes using old files.
• Generic: If the kernel was updated, reboot with sudo reboot.

Step 5: Verify Package Versions

Ensure critical packages are updated. For example, check the kernel version:

uname -r

Compare with the latest version in the advisory. Verify OpenSSH:

ssh -V

Check other packages like Nginx, Firefox, or Chromium using package --version.

Step 6: Restart Affected Services

For services that were not covered by a reboot, restart them manually. Common services include:

• SSH: sudo systemctl restart ssh
• Nginx: sudo systemctl restart nginx
• Firewalld: sudo systemctl restart firewalld
• Apache: sudo systemctl restart httpd

Check which packages update daemons and restart accordingly.

Tips for Ongoing Security

• Set up automatic updates for security patches only (e.g., unattended-upgrades on Debian, dnf-automatic on Fedora).
• Subscribe to security mailing lists for your distribution to receive immediate alerts.
• Test updates in a staging environment before applying to production systems.
• Use a configuration management tool like Ansible or Puppet to orchestrate updates across many machines.
• Always keep backups before major kernel or core library updates.
• For packages like Java or Python, check for compatibility with your applications after updates.

By following these steps, you can efficiently apply all critical security patches listed in the latest round of updates, keeping your Linux environment secure against known vulnerabilities.