apt upgrade shows a warning about Intel microcode updates. Is there anything I need to do?
When I run sudo apt upgrade in Kubuntu 23.10 I get this output:
user1@user1-Desktop1:~$ sudo apt upgrade
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
#
# Canonical released microcode updates for both Intel (CVE-2022-40982) and AMD
# (CVE-2023-20593). ‘Unattended upgrades’ provide security updates by default.
# Ensure it remains enabled to always get all updates as they become available.
#
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Do I need to enable unattended upgrades as described in the warning? How to do that and why do I need to anything at all?
I am using Kubuntu and upgraded from 23.04. to 23.10 using the GUI tool (exactly as described here). My system installation is roughly one month old. I never changed anything in /etc/apt and everything is at default. This is my /etc/apt/sources.list:
# deb cdrom:[Kubuntu 23.04 _Lunar Lobster_ - Release amd64 (20230414.1)]/ lunar main multiverse restricted universe
# See http://help.ubuntu.com/community/UpgradeNotes for how to upgrade to
# newer versions of the distribution.
deb http://de.archive.ubuntu.com/ubuntu/ mantic main restricted
# deb-src http://de.archive.ubuntu.com/ubuntu/ lunar main restricted
## Major bug fix updates produced after the final release of the
## distribution.
deb http://de.archive.ubuntu.com/ubuntu/ mantic-updates main restricted
# deb-src http://de.archive.ubuntu.com/ubuntu/ lunar-updates main restricted
## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
## team. Also, please note that software in universe WILL NOT receive any
## review or updates from the Ubuntu security team.
deb http://de.archive.ubuntu.com/ubuntu/ mantic universe
# deb-src http://de.archive.ubuntu.com/ubuntu/ lunar universe
deb http://de.archive.ubuntu.com/ubuntu/ mantic-updates universe
# deb-src http://de.archive.ubuntu.com/ubuntu/ lunar-updates universe
## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
## team, and may not be under a free licence. Please satisfy yourself as to
## your rights to use the software. Also, please note that software in
## multiverse WILL NOT receive any review or updates from the Ubuntu
## security team.
deb http://de.archive.ubuntu.com/ubuntu/ mantic multiverse
# deb-src http://de.archive.ubuntu.com/ubuntu/ lunar multiverse
deb http://de.archive.ubuntu.com/ubuntu/ mantic-updates multiverse
# deb-src http://de.archive.ubuntu.com/ubuntu/ lunar-updates multiverse
## N.B. software from this repository may not have been tested as
## extensively as that contained in the main release, although it includes
## newer versions of some applications which may provide useful features.
## Also, please note that software in backports WILL NOT receive any review
## or updates from the Ubuntu security team.
deb http://de.archive.ubuntu.com/ubuntu/ mantic-backports main restricted universe multiverse
# deb-src http://de.archive.ubuntu.com/ubuntu/ lunar-backports main restricted universe multiverse
deb http://security.ubuntu.com/ubuntu mantic-security main restricted
# deb-src http://security.ubuntu.com/ubuntu lunar-security main restricted
deb http://security.ubuntu.com/ubuntu mantic-security universe
# deb-src http://security.ubuntu.com/ubuntu lunar-security universe
deb http://security.ubuntu.com/ubuntu mantic-security multiverse
# deb-src http://security.ubuntu.com/ubuntu lunar-security multiverse
# This system was installed using small removable media
# (e.g. netinst, live or single CD). The matching "deb cdrom"
# entries were disabled at the end of the installation process.
# For information about how to configure apt package sources,
# see the sources.list(5) manual.
Your latest terminal output says intel-microcode is already the latest version and unattended upgrades are enabled. There are no error messages, so your Ubuntu is up-to-date and protected. Everything is OK, so you don’t have to do anything. The ‘Unattended upgrades’ provide security updates by default. Ensure it remains enabled in your main question is not an error message, it’s just a reminder to keep your security updates enabled in Ubuntu.
The message you received is a reminder from Ubuntu to enable the unattended upgrades feature. Unattended upgrades automatically downloads and installs security updates for your system without requiring any manual intervention from the user. Unattended upgrades is enabled by default in all currently supported versions of Ubuntu. It is a good practice to keep this feature enabled to ensure that your Ubuntu is always up-to-date and secure.
The following command will check if unattended upgrades is currently enabled in Ubuntu:
sudo apt-config dump | grep -E 'APT::Periodic::Update-Package-Lists|APT::Periodic::Unattended-Upgrade'
The output of this command should be:
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
The "1" at the end of both lines indicates that unattended upgrades are enabled, otherwise if either value is set to "0" unattended upgrades are disabled.
To enable unattended upgrades, run the following command:
sudo apt install unattended-upgrades
To check if the unattended-upgrades package is installed run the following command:
apt policy unattended-upgrades
Intel microcode updates in Ubuntu provides improved security, performance and stability in Ubuntu. It is a good practice to install Intel microcode updates in Ubuntu as soon as they are available. The Intel microcode update package can also be manually installed in Ubuntu by running the following command:
sudo apt install intel-microcode
The intel-microcode package get installed and updated automatically by unattended upgrades. To verify that this is the case, you can check the unattended upgrades configuration file:
sudo nano /etc/apt/apt.conf.d/50unattended-upgrades
Look for the line near the end of 50unattended-upgrades that starts with Unattended-Upgrade::Package-Blacklist. If the intel-microcode package is not listed after this line, then it is eligible for unattended upgrades.
Your sources.list file has some leftover lines in it from Ubuntu 23.04 lunar which are all commented out, so there is nothing to worry about there. The remaining lines that are not commented out are all for Ubuntu 23.10 mantic as they should be.