When running `apt upgrade`, Apache packages are kept back

naitx · January 14, 2026, 10:03am

Support intro

Sorry to hear you’re facing problems.

The community help forum (help.nextcloud.com) is for home and non-enterprise users. Support is provided by other community members on a best effort / “as available” basis. All of those responding are volunteering their time to help you.

If you’re using Nextcloud in a business/critical setting, paid and SLA-based support services can be accessed via portal.nextcloud.com where Nextcloud engineers can help ensure your business keeps running smoothly.

Getting help

In order to help you as efficiently (and quickly!) as possible, please fill in as much of the below requested information as you can.

Before clicking submit: Please check if your query is already addressed via the following resources:

Official documentation (searchable and regularly updated)
How to topics and FAQs
Forum search

(Utilizing these existing resources is typically faster. It also helps reduce the load on our generous volunteers while elevating the signal to noise ratio of the forums otherwise arising from the same queries being posted repeatedly).

Some or all of the below information will be requested if it isn’t supplied; for fastest response please provide as much as you can

The Basics

Nextcloud Server version (e.g., 29.x.x):
- Nextcloud Hub 10 (31.0.12)
Operating system and version (e.g., Ubuntu 24.04):
- Armbian v24.11.1 for Raspberry Pi 5 running Armbian Linux 6.6.63-current-bcm2712
  
  Packages: Debian stable (bookworm)
- NextcloudPi v1.56.0
Web server and version (e.g, Apache 2.4.25):
- Server version: Apache/2.4.65 (Debian)
- Server built: 2025-07-29T20:18:46
PHP version (e.g, 8.3):
- PHP 8.3.29
Is this the first time you’ve seen this error? (Yes / No):
- Yes
When did this problem seem to first start?
- 12.01.2026
Installation method (e.g. AlO, NCP, Bare Metal/Archive, etc.)
- NCP
Are you using CloudfIare, mod_security, or similar? (Yes / No)
- No

Summary of the issue you are facing:

When running apt upgrade, Apache packages are kept back:

apache2-bin
apache2-data
apache2-utils

However, apt full-upgrade --dry-run wants to remove the apache2 package
and upgrade the components instead.

Is this expected behavior due to the apache2 package being pinned or handled specially?
Would unholding or reinstalling the apache2 meta package after full-upgrade be the correct approach or will it break my system?

Thanks in advance!

Steps to replicate it (hint: details matter!):

na*************pi:~$ sudo apt update && sudo apt upgrade
Hit:1 ht************************an bookworm InRelease
Hit:2 ht************************an bookworm-updates InRelease
Hit:3 ht**********************rg bookworm-security InRelease
Hit:4 ht************************an bookworm-backports InRelease
Hit:5 ht*************************hp bookworm InRelease
Hit:6 ht***********************************************an bookworm/ InRelease
Hit:8 ht***************************************************an bookworm/ InRelease
Hit:7 ht*******************************pt bookworm InRelease
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
3 packages can be upgraded. Run 'apt list --upgradable' to see them.
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Calculating upgrade... Done
The following packages have been kept back:
  apache2-bin apache2-data apache2-utils
0 upgraded, 0 newly installed, 0 to remove and 3 not upgraded.

na*************pi:~$ sudo apt full-upgrade --dry-run
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Calculating upgrade... Done
The following packages were automatically installed and are no longer required:
  apache2-data apache2-utils
Use 'sudo apt autoremove' to remove them.
The following packages will be REMOVED:
  apache2
The following packages will be upgraded:
  apache2-bin apache2-data apache2-utils
3 upgraded, 0 newly installed, 1 to remove and 0 not upgraded.
Remv apache2 [2.4.65-1~deb12u1]
Inst apache2-bin [2.4.65-1~deb12u1] (2.4.66-1~deb12u1 Debian:12.13/oldstable [arm64])
Inst apache2-data [2.4.65-1~deb12u1] (2.4.66-1~deb12u1 Debian:12.13/oldstable [all])
Inst apache2-utils [2.4.65-1~deb12u1] (2.4.66-1~deb12u1 Debian:12.13/oldstable [arm64])
Conf apache2-bin (2.4.66-1~deb12u1 Debian:12.13/oldstable [arm64])
Conf apache2-data (2.4.66-1~deb12u1 Debian:12.13/oldstable [all])
Conf apache2-utils (2.4.66-1~deb12u1 Debian:12.13/oldstable [arm64])
na*************pi:~$

na*************pi:~$ sudo apt-cache policy apache2 apache2-bin apache2-utils apache2-data
apache2:
  Installed: 2.4.65-1~deb12u1
  Candidate: 2.4.65-1~deb12u1
  Version table:
     2.4.66-1~deb12u1 500
        500 ht************************an bookworm/main arm64 Packages
 *** 2.4.65-1~deb12u1 30000
        100 /var/lib/dpkg/status
     2.4.62-1~deb12u2 500
        500 ht**********************rg bookworm-security/main arm64 Packages
apache2-bin:
  Installed: 2.4.65-1~deb12u1
  Candidate: 2.4.66-1~deb12u1
  Version table:
     2.4.66-1~deb12u1 500
        500 ht************************an bookworm/main arm64 Packages
 *** 2.4.65-1~deb12u1 100
        100 /var/lib/dpkg/status
     2.4.62-1~deb12u2 500
        500 ht**********************rg bookworm-security/main arm64 Packages
apache2-utils:
  Installed: 2.4.65-1~deb12u1
  Candidate: 2.4.66-1~deb12u1
  Version table:
     2.4.66-1~deb12u1 500
        500 ht************************an bookworm/main arm64 Packages
 *** 2.4.65-1~deb12u1 100
        100 /var/lib/dpkg/status
     2.4.62-1~deb12u2 500
        500 ht**********************rg bookworm-security/main arm64 Packages
apache2-data:
  Installed: 2.4.65-1~deb12u1
  Candidate: 2.4.66-1~deb12u1
  Version table:
     2.4.66-1~deb12u1 500
        500 ht************************an bookworm/main arm64 Packages
 *** 2.4.65-1~deb12u1 100
        100 /var/lib/dpkg/status
     2.4.62-1~deb12u2 500
        500 ht**********************rg bookworm-security/main arm64 Packages
na*************pi:~$

Configuration

Nextcloud

{
    "system": {
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": {
            "0": "localhost",
            "1": "19**********10",
            "3": "nextcloudpi",
            "11": "83*********53"
        },
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "mysql",
        "version": "31.0.12.3",
        "overwrite.cli.url": "https:\/\/nextcloudpi\/",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "mysql.utf8mb4": true,
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "memcache.local": "\\OC\\Memcache\\Redis",
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "redis": {
            "host": "***REMOVED SENSITIVE VALUE***",
            "port": 0,
            "timeout": 0,
            "password": "***REMOVED SENSITIVE VALUE***"
        },
        "tempdirectory": "\/opt\/ncdata\/data\/tmp",
        "mail_smtpmode": "smtp",
        "mail_smtpauthtype": "LOGIN",
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "preview_max_x": 2048,
        "preview_max_y": 2048,
        "jpeg_quality": 60,
        "overwriteprotocol": "https",
        "maintenance": false,
        "logfile": "\/opt\/ncdata\/data\/nextcloud.log",
        "trusted_proxies": "***REMOVED SENSITIVE VALUE***",
        "mail_sendmailmode": "smtp",
        "mail_smtpsecure": "ssl",
        "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpport": "465",
        "mail_smtpauth": 1,
        "mail_smtpname": "***REMOVED SENSITIVE VALUE***",
        "mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
        "forbidden_filename_basenames": [
            "con",
            "prn",
            "aux",
            "nul",
            "com0",
            "com1",
            "com2",
            "com3",
            "com4",
            "com5",
            "com6",
            "com7",
            "com8",
            "com9",
            "com\u00b9",
            "com\u00b2",
            "com\u00b3",
            "lpt0",
            "lpt1",
            "lpt2",
            "lpt3",
            "lpt4",
            "lpt5",
            "lpt6",
            "lpt7",
            "lpt8",
            "lpt9",
            "lpt\u00b9",
            "lpt\u00b2",
            "lpt\u00b3"
        ],
        "forbidden_filename_characters": [
            "<",
            ">",
            ":",
            "\"",
            "|",
            "?",
            "*",
            "\\",
            "\/"
        ],
        "forbidden_filename_extensions": [
            " ",
            ".",
            ".filepart",
            ".part"
        ],
        "maintenance_window_start": 2,
        "default_phone_region": "AT",
        "memories.db.triggers.fcu": true,
        "memories.exiftool": "\/var\/www\/nextcloud\/apps\/memories\/bin-ext\/exiftool-aarch64-glibc",
        "memories.vod.path": "\/var\/www\/nextcloud\/apps\/memories\/bin-ext\/go-vod-aarch64",
        "data-fingerprint": "3a3400e3d44583b900c3751927d9a43c",
        "enabledPreviewProviders": [
            "OC\\Preview\\Movie",
            "OC\\Preview\\Image",
            "OC\\Preview\\PNG",
            "OC\\Preview\\JPEG",
            "OC\\Preview\\GIF",
            "OC\\Preview\\HEIC",
            "OC\\Preview\\TIFF"
        ],
        "memories.gis_type": 1,
        "memories.vod.ffmpeg": "\/usr\/bin\/ffmpeg",
        "memories.vod.ffprobe": "\/usr\/bin\/ffprobe",
        "loglevel": "2",
        "log_type": "file",
        "app_install_overwrite": [],
        "twofactor_enforced": "true",
        "twofactor_enforced_groups": [],
        "twofactor_enforced_excluded_groups": [],
        "theme": ""
    }
}

adelaar · January 14, 2026, 10:53am

This is a question you shall ask your debian package maintainer,

geoW · January 14, 2026, 11:20am

Keep in mind, rpi images of nextcloudpi are armbian based.
You may upgrade your server with
sudo armbian-upgrade
Take a look:
Can I upgrade to a new Armbian release?

My rpi5 test server is updated this way, it runs:

pi@ncpi5:~$ sudo apache2 -v
[sudo] Passwort für pi: 
Server version: Apache/2.4.66 (Debian)
Server built:   2025-12-05T18:54:44

naitx · January 14, 2026, 12:14pm

Thank you for the pointer.
As far as I can tell from the link, the armbian-upgrade command is essentially a wrapper for apt update && apt upgrade.
However, even when I run this command, the packages in question are still being held back on my system.

geoW · January 14, 2026, 12:51pm

That to my knowledge depends on the starting os, you may start with tiny raspios server and then curl ncp installation script, you may start with little debian/ubuntu server or take the installation image at github repo.
Keep in mind ubuntu drives an update deployment with often hold back packages so early error messages may stop full deployment to the masses, early updater get there often messages of kept back packages.

Here I would not worry too much, keep an eye on version numbers of major components and take a look at the doku what fits.

adelaar · January 14, 2026, 2:26pm

All apache related messages comes from Debian bookworm packages, none from Ubuntu. Recent stable Debian is trixie

bb77 · January 15, 2026, 6:51am

Yeah but Ubuntu then explicitly says so in the message. Something like “packages held back due to phasing” or similiar.

Yep, but there might still be third party repos involved (Sury?), but it’s hard to say because for some reason OP decided to obscure the URLs of the repos.

naitx · January 15, 2026, 7:50am

My apologies for the confusion caused by the anonymized URLs. For clarity, here are the original repository links:

na*************pi:~$ sudo apt update && sudo apt upgrade
Hit:1 http://deb.debian.org/debian bookworm InRelease
Hit:2 http://deb.debian.org/debian bookworm-updates InRelease
Hit:3 http://security.debian.org bookworm-security InRelease
Hit:4 http://deb.debian.org/debian bookworm-backports InRelease
Hit:5 https://packages.sury.org/php bookworm InRelease
Hit:7 http://repository.netdata.cloud/repos/stable/debian bookworm/ InRelease
Hit:8 http://repository.netdata.cloud/repos/repoconfig/debian bookworm/ InRelease
Hit:6 http://armbian.lv.auroradev.org/apt bookworm InRelease
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
3 packages can be upgraded. Run 'apt list --upgradable' to see them.
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Calculating upgrade... Done
The following packages have been kept back:
  apache2-bin apache2-data apache2-utils
0 upgraded, 0 newly installed, 0 to remove and 3 not upgraded.

bb77 · January 15, 2026, 8:11am

I’m not sure if that’s the reason, but I noticed that you integrated the Sury PHP repositories, and there are at least some dependencies between the Sury PHP packages and the Apache packages.

I also think I read somewhere that, when installing PHP from the Sury repositories, it is also recommended to install Apache from there. There is a separate repository for this: Index of /apache2/.

I can’t say for sure whether this will solve your problem. I just know that I’ve been using both repos for years and have never had any dependency problems or packages being held back.

EDIT: I just saw that you are using NextcloudPi (NCP). Unfortunately, I don’t have any experience with it, but I suspect that manually changing any package sources in that case is probably not a good idea.

I’d say NCP has more to be seen as an appliance, and whenever possible, you should use the integrated scripts to keep Nextcloud and the system up to date. However, as I said, I don’t use NCP myself, so I’m afraid I can’t help you any further.

ernolf · January 16, 2026, 2:29am

naitx:

sudo apt update && sudo apt upgrade
 / ... /
The following packages have been kept back:
  apache2-bin apache2-data apache2-utils
0 upgraded, 0 newly installed, 0 to remove and 3 not upgraded.

Could you post the responses of following commands:

apt list --upgradable
apt-cache policy apache2-bin apache2-data apache2-utils
sudo apt upgrade -s

Often apt full-upgrade or apt-get dist-upgrade can solve it.

You can first do a simulation:

sudo apt-get dist-upgrade -s

and when that looks good, run it without -s

or

sudo apt full-upgrade -s

and like with apt-get dist-upgrade, if the simulation looks good, rund it without -s

h.t.h.

ernolf

naitx · January 16, 2026, 11:31am

Thanks for the suggestions! Here are the outputs of the requested commands on my system:

apt list --upgradable

na*************pi:~$ sudo apt list --upgradable
Listing... Done
apache2-bin/oldstable 2.4.66-1~deb12u1 arm64 [upgradable from: 2.4.65-1~deb12u1]
apache2-data/oldstable 2.4.66-1~deb12u1 all [upgradable from: 2.4.65-1~deb12u1]
apache2-utils/oldstable 2.4.66-1~deb12u1 arm64 [upgradable from: 2.4.65-1~deb12u1]

apt-cache policy apache2-bin apache2-data apache2-utils

na*************pi:~$ sudo apt-cache policy apache2-bin apache2-data apache2-utils
apache2-bin:
  Installed: 2.4.65-1~deb12u1
  Candidate: 2.4.66-1~deb12u1
  Version table:
     2.4.66-1~deb12u1 500
        500 http://deb.debian.org/debian bookworm/main arm64 Packages
 *** 2.4.65-1~deb12u1 100
        100 /var/lib/dpkg/status
     2.4.62-1~deb12u2 500
        500 http://security.debian.org bookworm-security/main arm64 Packages
apache2-data:
  Installed: 2.4.65-1~deb12u1
  Candidate: 2.4.66-1~deb12u1
  Version table:
     2.4.66-1~deb12u1 500
        500 http://deb.debian.org/debian bookworm/main arm64 Packages
 *** 2.4.65-1~deb12u1 100
        100 /var/lib/dpkg/status
     2.4.62-1~deb12u2 500
        500 http://security.debian.org bookworm-security/main arm64 Packages
apache2-utils:
  Installed: 2.4.65-1~deb12u1
  Candidate: 2.4.66-1~deb12u1
  Version table:
     2.4.66-1~deb12u1 500
        500 http://deb.debian.org/debian bookworm/main arm64 Packages
 *** 2.4.65-1~deb12u1 100
        100 /var/lib/dpkg/status
     2.4.62-1~deb12u2 500
        500 http://security.debian.org bookworm-security/main arm64 Packages

apt upgrade -s

na*************pi:~$ sudo apt upgrade -s
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Calculating upgrade... Done
The following packages have been kept back:
  apache2-bin apache2-data apache2-utils
0 upgraded, 0 newly installed, 0 to remove and 3 not upgraded.

apt full-upgrade -s

na*************pi:~$ sudo apt full-upgrade -s
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Calculating upgrade... Done
The following packages were automatically installed and are no longer required:
  apache2-data apache2-utils
Use 'sudo apt autoremove' to remove them.
The following packages will be REMOVED:
  apache2
The following packages will be upgraded:
  apache2-bin apache2-data apache2-utils
3 upgraded, 0 newly installed, 1 to remove and 0 not upgraded.
Remv apache2 [2.4.65-1~deb12u1]
Inst apache2-bin [2.4.65-1~deb12u1] (2.4.66-1~deb12u1 Debian:12.13/oldstable [arm64])
Inst apache2-data [2.4.65-1~deb12u1] (2.4.66-1~deb12u1 Debian:12.13/oldstable [all])
Inst apache2-utils [2.4.65-1~deb12u1] (2.4.66-1~deb12u1 Debian:12.13/oldstable [arm64])
Conf apache2-bin (2.4.66-1~deb12u1 Debian:12.13/oldstable [arm64])
Conf apache2-data (2.4.66-1~deb12u1 Debian:12.13/oldstable [all])
Conf apache2-utils (2.4.66-1~deb12u1 Debian:12.13/oldstable [arm64])

I’m not entirely sure how to interpret the simulated upgrade outputs, so I’m unsure whether it’s safe to run the actual upgrade…

Thanks again for the guidance!

ernolf · January 16, 2026, 10:18pm

OK, I asked for
sudo apt-get dist-upgrade -s (apt-get, not apt and dist-upgrade and not upgrade)

But anyhow, from the simulation output it looks like apt full-upgrade would remove the apache2 package, which is not something you want on a running web server. So I would not run full-upgrade as-is.

apache2 itself could be held back (hold/pinning), so apt can’t upgrade it to the same version as apache2-bin/data/utils.

Could you please run these checks to find that out and paste the outputs?

apt-cache policy apache2
apt-mark showhold
grep -R --line-number -E 'Package:\s*apache2\b|Pin:|Pin-Priority' /etc/apt/preferences*

If apt-mark showhold returns apache2, then Hold is the culprit.

then run:

sudo apt-mark unhold apache2

b.t.w.:
here is one more usefull simulation to see a “safe” upgrade plan:

sudo apt install -s apache2 apache2-bin apache2-data apache2-utils

If that shows apache2 being upgraded (not removed), you can run the same command without -s and everything should be fine frome then.
If not, we must digg a litle deeper

h.t.h.

ernolf

naitx · January 17, 2026, 11:01pm

Thanks for the detailed guidance! I ran the checks as suggested.

And sorry for the wrong command - here’s the output of sudo apt-get dist-upgrade -s and the other checks:

sudo apt-get dist-upgrade -s

na*************pi:~$ sudo apt-get dist-upgrade -s
[sudo] password for n****: 
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Calculating upgrade... Done
The following packages were automatically installed and are no longer required:
  apache2-data apache2-utils
Use 'sudo apt autoremove' to remove them.
The following packages will be REMOVED:
  apache2
The following packages will be upgraded:
  apache2-bin apache2-data apache2-utils
3 upgraded, 0 newly installed, 1 to remove and 0 not upgraded.
Remv apache2 [2.4.65-1~deb12u1]
Inst apache2-bin [2.4.65-1~deb12u1] (2.4.66-1~deb12u1 Debian:12.13/oldstable [arm64])
Inst apache2-data [2.4.65-1~deb12u1] (2.4.66-1~deb12u1 Debian:12.13/oldstable [all])
Inst apache2-utils [2.4.65-1~deb12u1] (2.4.66-1~deb12u1 Debian:12.13/oldstable [arm64])
Conf apache2-bin (2.4.66-1~deb12u1 Debian:12.13/oldstable [arm64])
Conf apache2-data (2.4.66-1~deb12u1 Debian:12.13/oldstable [all])
Conf apache2-utils (2.4.66-1~deb12u1 Debian:12.13/oldstable [arm64])

apt-cache policy apache2

na*************pi:~$ apt-cache policy apache2
apache2:
  Installed: 2.4.65-1~deb12u1
  Candidate: 2.4.65-1~deb12u1
  Version table:
     2.4.66-1~deb12u1 500
        500 http://deb.debian.org/debian bookworm/main arm64 Packages
 *** 2.4.65-1~deb12u1 30000
        100 /var/lib/dpkg/status
     2.4.62-1~deb12u2 500
        500 http://security.debian.org bookworm-security/main arm64 Packages

apt-mark showhold

na*************pi:~$ apt-mark showhold
na*************pi:~$

grep -R --line-number -E ‘Package:\s*apache2\b|Pin:|Pin-Priority’ /etc/apt/preferences*

na*************pi:~$ grep -R --line-number -E 'Package:\s*apache2\b|Pin:|Pin-Priority' /etc/apt/preferences*
/etc/apt/preferences.d/armbian:4:#Pin: release o=armbian
/etc/apt/preferences.d/armbian:5:#Pin-Priority: 990
/etc/apt/preferences.d/armbian:8:#Pin: release o=Ubuntu
/etc/apt/preferences.d/armbian:9:#Pin-Priority: 50
/etc/apt/preferences.d/apt-listbugs:4:Package: apache2
/etc/apt/preferences.d/apt-listbugs:5:Pin: version 2.4.65-1~deb12u1
/etc/apt/preferences.d/apt-listbugs:6:Pin-Priority: 30000

sudo apt install -s apache2 apache2-bin apache2-data apache2-utils

na*************pi:~$ sudo apt install -s apache2 apache2-bin apache2-data apache2-utils
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
apache2 is already the newest version (2.4.65-1~deb12u1).
Some packages could not be installed. This may mean that you have
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.
The following information may help to resolve the situation:

The following packages have unmet dependencies:
 apache2 : Depends: apache2-bin (= 2.4.65-1~deb12u1) but 2.4.66-1~deb12u1 is to be installed
           Depends: apache2-data (= 2.4.65-1~deb12u1) but 2.4.66-1~deb12u1 is to be installed
           Depends: apache2-utils (= 2.4.65-1~deb12u1) but 2.4.66-1~deb12u1 is to be installed
E: Unable to correct problems, you have held broken packages.

apt-mark showhold returns no output, so no packages are currently held.

The simulation with sudo apt install -s apache2 apache2-bin apache2-data apache2-utils fails with “…unmet dependencies” and “…you have held broken packages”.

The pin priority in /etc/apt/preferences.d/apt-listbugs is very high (30000), so I took a closer look at the file:

na*************pi:~$ cat /etc/apt/preferences.d/apt-listbugs

Explanation: Pinned by apt-listbugs at 2026-01-11 06:17:31 +0100
Explanation:   #1114729: apache2 delivers .php files uninterpreted in clear during apt dist-upgrade
Package: apache2
Pin: version 2.4.65-1~deb12u1
Pin-Priority: 30000

Could this be the cause of the problem?

ernolf · January 18, 2026, 2:12pm

Yep — that apt-listbugs pin seams to be the reason.

Right now you’ve got a hard APT preference:

apache2 is pinned to 2.4.65 with Pin-Priority: 30000
but apache2-bin/data/utils want to go to 2.4.66
apache2 depends on exact matching versions of those packages → mismatch → APT either “keeps back” or proposes removing apache2.

This pin was created by apt-listbugs because of Debian bug #1114729 (risk of PHP source being served during a dist-upgrade). So either:

A) keep the pin and wait (no Apache upgrade), or
B) temporarily remove/disable that pin, and upgrade apache2 + bin/data/utils together — ideally with Apache stopped / site blocked during the upgrade. (I wouldn’t consider maintenance mode sufficient, because it’s also PHP.)

Here’s how to handle it, step by step, (with checks in between):

Option A (safe/default): leave it pinned and do nothing

If you’re not in a hurry: just keep the pin and wait until apt-listbugs stops pinning it (or you remove the pin later).
Don’t run dist-upgrade/full-upgrade while it wants to remove apache2.

Option B (upgrade now): temporarily disable the pin, upgrade

Disable the pin (temporary):

sudo mv /etc/apt/preferences.d/apt-listbugs /etc/apt/preferences.d/apt-listbugs.disabled

Update package lists:

sudo apt update

Dry-run the exact upgrade (make sure it does NOT remove apache2):

sudo apt install -s apache2 apache2-bin apache2-data apache2-utils

If you see it wants to remove apache2, stop — something else is still forcing it.

Do the upgrade for real: (after stopping apache2)

sudo systemctl stop apache2
sudo apt install apache2 apache2-bin apache2-data apache2-utils

Start Apache again:

sudo systemctl start apache2

and if you want that apt-listbugs protection back afterwards:

sudo mv /etc/apt/preferences.d/apt-listbugs.disabled /etc/apt/preferences.d/apt-listbugs

Good luck!

h.t.h.

ernolf

naitx · January 19, 2026, 7:44am

Thanks a lot for the clear explanation - that makes perfect sense now!

I’ll go with Option A and keep the pin in place for the moment. There’s no real urgency on my side, so waiting until apt-listbugs lifts the pin is the safest choice for me.

Really appreciate the detailed breakdown and the step-by-step options. And thanks to everyone here - this is a great forum with very helpful people!

naitx

system · January 27, 2026, 7:45am

This topic was automatically closed 8 days after the last reply. New replies are no longer allowed.