Frequently asked questions

Learn from these questions and answers that are designed to help you better understand BigFix Patch for Debian.

What are Unspecified Fixlets and why do we need them?
Unspecified Fixlets are for the packages found in Debian's security repositories and that do not have a security notice (DSA) associated with them. Not all security packages released by Debian have a DSA associated with them - Unspecified Fixlets covers such packages.
Where can I search and download the packages?
The current version of packages can be found and downloaded from the Debian website at, while previous versions can be found in the Debian snapshot ( You can also search packages at
Are there other Debian resources I should be aware of?
Here are a few helpful resources:
If a patch fails to install, what should I do?
Ensure that you applied the patch to the correct computers. Also, check the following logs:
  • /var/opt/BESClient/__BESData/__Global/Logs/<YYYYMMDD>.log
  • /var/opt/BESClient/EDRDeployData/EDR_DeploymentResults.txt
For debugging purposes, you can add an extra -n to the last line of the action script after wait /bin/bash "{parameter "cwd"}/".
The -n flag disables the cleanup of following files:
  • /var/opt/BESClient/EDRDeployData/EDR_RepoData.txt
  • /var/opt/BESClient/EDRDeployData/EDR_PackageList.txt
  • /var/opt/BESClient/EDRDeployData/EDR_ResolverOutput.log
  • /var/opt/BESClient/EDRDeployData/EDR_ResolverError.log
  • /var/opt/BESClient/__BESData/Patches for Debian 7/apt
These extra files provide the context information of the patching and can help in investigating the failure.
What are superseded patches?
Superseded Fixlets are Fixlets that contain outdated packages. If a Fixlet is superseded, then a newer Fixlet exists with newer versions of the packages. The newer Fixlet ID can be found in the description of the superseded Fixlet.
How do I find out if the Debian package is upgradeable?
You must first install the apt-show-versions, which is a rpm package to find out if any Debian packages are upgradeable.
  1. To install apt-show-versions, enter apt-get install apt-show-versions.
  2. To get a list of only the upgradeable packages, enter apt-show-versions -u | less. You can also use grep as follows: apt-show-versions -u | grep "apache"
How do I upgrade specific packages?
You should specify the package name. For example, if you want to upgrade apache-perl package, type the following command: apt-get install apache-perl. This command is useful if you just want to upgrade a single package and not the entire system.
The client logs contains a prefetch plug-in error that prevents the Fixlet from completing successfully. What is causing the error? What should I do?
The ActionScript that was running on the endpoint might have been blacklisted, causing the prefetch plug-in issue.
To resolve this issue, restart the BigFix client to clear the blacklist. To prevent the script from being blacklisted, set the _BESClient_ActionManager_PrefetchPlugInTimeoutSeconds client configuration setting with sufficient time for the patch to install and resolve dependencies. This client setting indicates how long the client should wait before blacklisting the script. You can use the Change Timeout for Prefetch Plugins task, available from the Patching Support site, to set the setting to 30 minutes (1800 seconds).
The _BESClient_ActionManager_PrefetchPlugInTimeoutSeconds setting varies based on the endpoint and the Fixlet being installed. To get the desired value, take the slowest endpoint and increase the setting to a high number, such as 3,000 seconds, then run a large Fixlet and see how long it takes. You can then take that number and multiple it by two. Alternatively, set the client setting to 600 seconds and adjust it accordingly if the suggested value does not work for you.