July 11th, 2024

Ubuntu Security Updates Are a Confusing Mess

The article delves into Ubuntu security update complexities, emphasizing Tomcat vulnerability issues. It discusses patch availability discrepancies across LTS versions, Canonical's support limitations, and considerations of switching to Debian for more consistent security fixes.

Read original articleLink Icon
Ubuntu Security Updates Are a Confusing Mess

The article discusses the complexity surrounding Ubuntu security updates, particularly focusing on the case of a Tomcat vulnerability. It highlights the confusion caused by the availability of patches for different Ubuntu LTS releases. While older versions like 18.04 receive patches through Extended Security Maintenance (ESM) or Ubuntu Pro subscriptions, newer versions like 22.04 may not have access to the same updates. The article explains how Canonical's support for packages in the universe repository is on a "Best Effort" basis, impacting the availability of security patches for regular LTS users. It also mentions the option of upgrading to Ubuntu Pro for access to patches but notes the limitations for non-commercial users. The author contemplates switching to Debian due to its more consistent release of security fixes. Ultimately, the article questions the clarity of support provided by Canonical and the implications for users relying on LTS versions for security updates.

Related

Windows: Insecure by Design

Windows: Insecure by Design

Ongoing security issues in Microsoft Windows include vulnerabilities like CVE-2024-30080 and CVE-2024-30078, criticized for potential remote code execution. Concerns raised about privacy with Recall feature, Windows 11 setup, and OneDrive integration. Advocacy for Linux desktops due to security and privacy frustrations.

Canonical's 'distroless' Linux images are a game-changer for enterprises

Canonical's 'distroless' Linux images are a game-changer for enterprises

Canonical introduces 'distroless' Linux images with long-term support, enhancing security by reducing attack surface. Plans include supporting various platforms and adding open-source components to Ubuntu Pro subscriptions, emphasizing AI/ML tools. Collaboration with Microsoft for .NET containers solidifies Canonical's commitment to rapid security resolutions.

Windows: Insecure by Design

Windows: Insecure by Design

The article discusses ongoing security issues with Microsoft Windows, including recent vulnerabilities exploited by a Chinese hacking group, criticism of continuous patch releases, concerns about privacy invasion with Recall feature, and frustrations with Windows 11 practices. It advocates for considering more secure alternatives like Linux.

CVE-2021-4440: A Linux CNA Case Study

CVE-2021-4440: A Linux CNA Case Study

The Linux CNA mishandled CVE-2021-4440 in the 5.10 LTS kernel, causing information leakage and KASLR defeats. The issue affected Debian Bullseye and SUSE's 5.3.18 kernel, resolved in version 5.10.218.

Company offers unofficial security patches for Windows 10 until 2030

Company offers unofficial security patches for Windows 10 until 2030

0Patch offers unofficial security patches for Windows 10 until 2030, with free and paid options. Micropatches can be applied without restarting, competing with Microsoft's ESU program, appealing to users avoiding upgrades.

Link Icon 12 comments
By @captn3m0 - 5 months
I maintain https://endoflife.date/ubuntu. Ubuntu security policies are indeed a hot mess, and opaquely documented on their own website. I use it as an example of how not to document your support policies at https://endoflife.date/recommendations.

At one point Ubuntu changed the EOL tables on their Wiki from 5 years to 10 with no explanation about applicability/ESM - just calling it LTS.

It is among the longest pages on our website.

By @frankjr - 5 months
I don't care they're gating this behind a subscription but the fact that they won't even tell you that you're missing an important security update? That's bad. I wonder how many people think they are fully up to date while being vulnerable to known bugs.
By @hs86 - 5 months
Most Ubuntu users don't know that Canonical only supports the main repository for free.

To my knowledge, only some comments hidden in /etc/apt/sources.list mention this, but the more honest approach would be to warn all users when they try to `apt install foo` some package from universe/multiverse. Or do it like RHEL with their EPEL repo and disable it by default.

But I guess they would have never gotten this popular if people saw that Ubuntu is only a few thousand packages compared to Debian's tens of thousands.

By @n3storm - 5 months
Ubuntu is reselling Debian, once they made it well, now I don't know
By @thinkst - 4 months
The updates in universe are definitely best effort.

We were paying for Ubuntu Pro through an AWS subscription on 2k EC2 instances, and could not get Canonical to update a package with a CVSS 7.8 in the 18.04 LTS.

We've moved off Ubuntu Pro as a result. Blogged it at https://blog.thinkst.com/2024/07/unobtrusively-upgrading-ubu...

By @arjvik - 5 months
If I was looking for a distro with paid support (a la RHEL/Ubuntu) that's also not incredibly behind bleeding edge (maybe not as bleeding edge as Arch, but also not running patched-to-hell-and-back software like Ubuntu), what are my options?

Thankfully I'm not personally looking for this at the moment, I'm more than happy being my own sysadmin and running anything from Arch to Fedora CoreOS to OpenSUSE on my machines.

By @BeefySwain - 5 months
> ...what are my options? > ...Maybe it is time to go back to Debian, as they seem to release these fixes to their users?

Curious if this would actually be a solution. They state that fixes in Debian are down-streamed regardless of support, so if this fix wasn't down-streamed, then why would it be in Debian ?

By @bravetraveler - 5 months
I'd argue we wouldn't have Snap [for the better] if their LTS releases weren't visually bound to years... saving overhead they regularly create for cosmetic reasons.

Wouldn't have to create it to consolidate platforms if they stopped making them so often!

They have three concurrent LTS releases when they need one. Maybe two. 18.04 is the python2 of distributions. Let it go.

Having worked in several places that relied on it... ESM is being the bad kind of enabler.

Fedora handles "The Snap Problem" -- many target distributions -- with 'fedpkg' and 'mock'. Software and machines on the build side. Not by degrading the end user experience. They do participate with Flatpak... but that's peer pressure more than anything.

Flatpak is more well-rounded IMO. Probably from being the broader answer. Maybe this all doesn't make an argument. Just a bunch of statements. I don't know.

Back on topic: I wonder what all of this Canonical stuff in particular is for/leads to. New software isn't scary; 'just' plan/test. It becomes scary when you get lazy here... so accept your involvement.

By @markshuttle - 5 months
Your free personal Ubuntu Pro subscription does in fact cover as many VMs and containers as you can run on up to five personal machines, as the OP well knows. I like that we make Ubuntu Pro, including universe updates, free for anyone running at small scale.
By @cosmin800 - 5 months
Ubuntu is a mess, there you go I fixed your title, joke but no joke, is real.
By @Suppafly - 5 months
Is it not possible to fix the one package from the debian sources vs waiting for ubuntu to allow him to get it from them?