Linux

51161 readers

669 users here now

From Wikipedia, the free encyclopedia

Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).

Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.

Rules

Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.
No misinformation
No NSFW content
No hate speech, bigotry, etc

Related Communities

Community icon by Alpár-Etele Méder, licensed under CC BY 3.0

founded 5 years ago

MODERATORS

AgreeableLandscape@lemmy.ml

nooter692@lemmy.ml

MarcellusDrum@lemmy.ml

cypherpunks@lemmy.ml

cyclohexane@lemmy.ml

d3Xt3r@lemmy.nz

Is Ubuntu shipping software with known security vulnerabilities? (lemmy.world)

submitted 2 days ago by Limonene@lemmy.world to c/linux@lemmy.ml

30 comments fedilink hide all child comments

Ubuntu's current LTS version (24.04) contains ffmpeg version 7:6.1.1-3ubuntu5 which has this buffer overflow vulnerability:

https://trac.ffmpeg.org/ticket/10952

https://ubuntu.com/security/CVE-2024-32230

On my only Ubuntu computer, my update widget says that I need to upgrade to ffmpeg version 7:6.1.1-3ubuntu5+esm2 but can only only do so with Ubuntu Pro. I'm not eligible for Ubuntu Pro.

Ubuntu claims that 24.04 is currently fully supported, and should have complete security updates. However, they seem to have paywalled this security update.

What should I do?

you are viewing a single comment's thread
view the rest of the comments

[–] commander@lemmings.world 26 points 2 days ago (1 children)

It sure seems that way. Their "extended security maintenance" spam says that there are security updates that are only available if you "subscribe".

I asked the Linux community about this, and didn't get a straight answer (not surprised.)

It was enough for me to switch to Debian, though. There's no excuse for updates to be locked behind paywalls or sign-ups in the free software ecosystem.

[–] pmk@lemmy.sdf.org 5 points 1 day ago (1 children)

The way I understand it is that the security team supports releases for 5 years. If you are running an older version of ubuntu than that and want security backports, you need to get the extended support. The difference in Debian is that when a release is too old, the security team simply doesn't backport security fixes. You can pay someone to do it, but it's not a part of what Debian as a project does.

[–] ozymandias117@lemmy.world 12 points 1 day ago

The Ubuntu security team only supports the ~2,000 packages in "main"

Things like ffmpeg are in "universe" and only get security updates if you subscribe to Ubuntu Pro

ubuntu.com/security/esm

Debian's security team has always been significantly more responsive than Ubuntu. It's regularly had CVE fixes in older versions of Debian that newer versions of Ubuntu don't bother to pull into universe