2) Once you receive a security announcement saying that a package has been updated, log onto your server and:
Update your package database:
sudo aptitude update
If there is an update for one (or many) of the packages you use the output will finish by:
[…]
Reading package lists… Done
Current status: 1 update [+1]
Reading package lists… Done
Current status: 1 update [+1]
Perform the actual upgrade:
sudo aptitude safe-upgrade
If the upgrade was successful it should finish by:[…]
Current status: 0 updates [-1]
Current status: 0 updates [-1]
Check to see if currently running processes or daemons are using an older version of the updated packages/libraries:
sudo checkrestart
It will tell you if processes are using old versions of files, what are the scripts and argument you can use to make sure they are restarted with the proper version. (Note that if you are connected by SSH and checkrestart tells you to reload it you will also need to logout/login again for this to be effective). You will notice that on a Debian (and other Linux) servers you almost never need to restart the whole server.
Note: If you don't have checkrestart, you may just need to install it:
sudo aptitude debian-goodies
3) If you're using Tripwire (and you should, if not take a look at this guide), run a check and update the database so it doesn't report those upgrades as errors. Just go back to this guide if you don't remember how.
