1

The patches for CVE-2021-26291 and CVE-2024-45337 are only available for the Ubuntu Pro subscription packages, even though Ubuntu support page mentions: The initial 5 years of standard security updates for packages in the Ubuntu Main repository comes out of the box together with fixes for packages in the Ubuntu Universe repository coming from the Ubuntu community and Debian.

If the patches are made available for the esm releases, why aren't they made available for the standard LTS releases which are not EOL'ed yet? like Ubuntu 24.04 LTS , 22.04 LTS?

Ref: https://ubuntu.com/security/CVE-2024-45337#status Ref: https://ubuntu.com/security/CVE-2021-26291#status

Improve this question
9
  • Pick the packages listed; they're NOT in main but in universe which gets fixed via Ubuntu Pro, universe means they're community packages; so you're welcome to SRU fixes yourself if you wish... it's up to someone in the community to do it; or use the Canonical Pro service and have it done for you Commented Jan 7 at 20:38
  • 2
    This question is similar to: What are ESM Apps, and how do they relate to Ubuntu Pro?. If you believe it’s different, please edit the question, make it clear how it’s different and/or how the answers on that question are not helpful for your problem. Commented Jan 7 at 20:39
  • Does that mean that the snapd (Golang/crypto for ex.) packages that gets installed by default with standard Ubuntu LTS, need to be fixed by someone in the community in the "main" branch, even though the fixes are available in the "universe" branch? Commented Jan 8 at 17:12
  • 1
    That package [golang-go.crypto] is universe so only gets fixes automatically (by Canonical! not Ubuntu) if Ubuntu Pro is used (Pro includes ESM) or ESM for EOSS releases. Commented Jan 8 at 20:20
  • 1
    golang-go.crypto is in universe and not main, thus doesn't get Ubuntu security updates; packages in universe are only available if a community member SRU's (stable release update; or uploads to universe repository) them for everyone, as Ubuntu only gets security fixes for packages in main. Canonical offer ESM/Pro options which provide security fixes for universe; refer duplicate answer. Commented Jan 8 at 21:40

0

Reset to default

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.