
Ubuntu LTS: many vulnerabilities despite long-term support - therealmarv
http://www.wilderssecurity.com/threads/ubuntu-lts-many-vulnerabilities-despite-long-term-support.385386/
======
m4r71n
I don't quite understand why people are upset with this. This is common in
every, single Linux distro. Some vulnerabilities are simply not worth
patching. Debian also has quite a few unpatched issues:

[https://security-tracker.debian.org/tracker/status/unreporte...](https://security-tracker.debian.org/tracker/status/unreported)

And CentOS doesn't even publish that data because it would probably terrify
you...

The fact is that not all vulnerabilities are equal. Some silly crashing bug in
Wireshark cannot be equated to an easily-exploitable RCE in some widely used
library. I am pretty sure most of the latter are fixed everywhere, whereas the
former should be ignored. If your use case really really requires fixing such
low importance issues, then patch it yourself, or pay support fees to someone
who will do it for you.

And the fact that Debian patches some issues but Ubuntu does not is simply a
question of how much work has been put into it. If a Debian pkg maintainer
releases a new version, there is no guarantee that it doesn't break some other
functionality. Simply patching without putting serious work into it is the
trait of community distros like Debian and Fedora. Ubuntu, I assume, must go
through a much more grueling process to get fixes out. Use whichever fits your
use case...

~~~
cwyers
Given the claim "Ubuntu has a number of vulnerabilities that are patched in
Debian," I am unsure of how "Debian has unpatched vulnerabilities too" is
supposed to make me feel better, given that Debian is an upstream of Ubuntu
and so presumably those are ALSO unpatched in Ubuntu.

~~~
rlpb
Debian is an upstream of Ubuntu only in the development release. Ubuntu stable
releases are effectively branches (like the stable releases of every other
distro).

Stable release maintenance of Debian and Ubuntu are thus independent in
principle.

In practice patches for one are likely to be similar to what is needed on the
other, issues affecting one are likely to affect the other, there are Debian
developers who are also Ubuntu developers, Canonical employees who are also
Debian developers, everyone is working towards a common goal of stable
maintenance, and so forth, so there is quite a bit of communication and cross-
pollination between the two. For example: I'm a Canonical employee and Debian
maintainer; today I've spent quite a bit of time working on a security fix for
a package I maintain in Debian that I'm effectively being paid to do by
Canonical.

------
DyslexicAtheist
_"The thing is that those vulnerabilities are all fixed in Debian as all
provided packages are maintained and security fixes are backported."_

Why can't Canonical move these fixes to Ubuntu LTS then? Seems the majority of
the work (finding the cause, patching the code) was already done and
corrections are sitting on some development branches from other distros.

~~~
kijin
That's the problem with frozen releases. Upstream just moves ahead with new
versions, but the distro insists on keeping the same version and only
backporting a few patches.

This might make sense for core packages that need to present a stable API
throughout the lifecycle of an LTS release, but it creates a whole bunch of
needless work for maintainers of other packages (who are often the same people
who work upstream). Frozen distros are essentially telling them to create a
frankenversion of their own program, one for each distro, based on some
arbitrary version from several months or even years ago.

Until a few years ago, most distros shipped a frozen version of Firefox and
only backported important fixes. Ubuntu finally gave up and started shipping
new versions of Firefox as soon as Mozilla releases them. I think they need to
do the same with most of the packages in "universe", too, including the vast
majority of GUI apps. No backporting, just pull the new version, build it, and
run some tests. It would save a lot of duplicate work that every upstream is
already doing, at negligible cost to the stability of the LTS release as a
whole.

------
fulafel
As there's already automatic(?) tracking for unfixed CVEs in "universe" at
[https://people.canonical.com/~ubuntu-security/cve/universe.h...](https://people.canonical.com/~ubuntu-security/cve/universe.html), it would be a short step to a local tool that
disables and/or warns users about running the programs when there are remote
vulnerabilities.

All in all it's pretty irresponsible to allow the current situation in the
first place. Don't ship vulnerability-prone internet-facing C apps that you
can't patch.

I wonder what the patch situation in practice is with CentOS installs that
enable EPEL?

~~~
embik
> All in all it's pretty irresponsible to allow the current situation in the
> first place. Don't ship vulnerability-prone internet-facing C apps that you
> can't patch.

I think it's even worse because they _won't_ patch or remove it. They could,
but they do not consider it a problem. Ubuntu just imports everything from
Debian. Things not relevant to the core team at Canonical are just thrown at
the community basically saying "if you want a safe OS, you have to support
this by yourself now". All the while Canonical is building their in-house,
partly closed-source solutions to already solved problems.

~~~
slgeorge
That description of how Ubuntu deals with repositories is factually wrong.
There are two repositories (in essence), Main and Universe [0].

For packages in Main a core developer (could be Canonical or someone else) has
to be assigned to look after it and the Ubuntu security team has to allow it
into the repository on the basis of it having a good security record and being
maintainable [1]: it is _true_ that the Ubuntu security team is basically all
Canonical employees. Many of these packages follow the upstream and don't come
from Debian: or in some cases it's the same Canonical employee who maintains
both the Debian and the Ubuntu packages so they might upload to Debian and
pull in, or upload to both [2].

For Universe, Ubuntu pulls and builds from Debian. Many packages are sponsored
by a maintainer who can then choose to upload their own package rather than
use the latest sync from Debian. They aren't "thrown" to the community, rather
they are never "promoted" to Main.

All distributions have to choose how they deal with the large 'Universe' of
software out there: in the Debian/Ubuntu world there's always been a lot of
packages, compared to commercial RPM world. In Ubuntu's case the decision was
to build/provide those packages, and let users decide what they wanted to do:
for a 100% secured environment you would only turn on Main which is why the
tools show you the supported status.

The next question is whether it's a problem. It's _not_ a problem if you
understand a bit about how your distribution works. We can also look at the
fact that it's been this way since Ubuntu started - so from 2004 it's worked
like this.

Clearly you don't like Ubuntu, which is fair enough: but I have to ask what
you mean by "partly closed-source solutions" when there's nothing involving
desktop Ubuntu that is closed-source. I assume you don't like Unity or
something, but it's very much open source. Unless you are thinking of
something else I'm unaware of?

[0] [https://help.ubuntu.com/community/Repositories/Ubuntu](https://help.ubuntu.com/community/Repositories/Ubuntu)

[1] [https://wiki.ubuntu.com/MainInclusionProcess](https://wiki.ubuntu.com/MainInclusionProcess)

[2] [https://www.piware.de/tag/debian/](https://www.piware.de/tag/debian/) is
an example of someone who does this.
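One way to see for yourself which installed packages came from Main versus Universe on a Debian/Ubuntu system, as an added example that is not part of this thread or of Ubuntu's own tooling: it parses the `Version table` section of `apt-cache policy` for each installed package. The package names and version strings in the embedded sample are constructed for offline testing.

```shell
#!/bin/sh
# Added example, not code from the thread or from Ubuntu: report which archive
# component (main, restricted, universe, multiverse) each installed package's
# current version came from, by parsing `apt-cache policy` output. Only main
# (and restricted) carry Canonical's LTS security commitment.

# component_of: read one package's `apt-cache policy` output on stdin and
# print the component of the installed version (the "***" entry), "local"
# if it has no archive source, or "unknown" if nothing is installed.
component_of() {
    awk '
        /^ \*\*\* / { inst = 1; next }                 # installed version marker
        inst && /^ +[0-9]+ +[a-z]+:\/\// {             # mirror line, e.g. xenial-updates/main
            n = split($3, p, "/"); print p[n]; found = 1; exit
        }
        inst && /^ +[0-9]+ +\// { next }               # /var/lib/dpkg/status entry
        inst { found = 1; print "local"; exit }        # next version line reached
        END { if (!found) print (inst ? "local" : "unknown") }
    '
}

# audit_installed: one "component<TAB>package" line per installed package,
# sorted so universe/multiverse entries group together.
audit_installed() {
    dpkg-query -W -f='${Package}\n' | while read -r pkg; do
        printf '%s\t%s\n' "$(apt-cache policy "$pkg" | component_of)" "$pkg"
    done | sort
}

# Constructed sample output (version strings are made up) for testing offline.
SAMPLE_UNIVERSE='libreoffice-core:
  Installed: 1:5.1.6-0ubuntu1
  Candidate: 1:5.1.6-0ubuntu1
  Version table:
 *** 1:5.1.6-0ubuntu1 500
        500 http://archive.ubuntu.com/ubuntu xenial-updates/universe amd64 Packages
        100 /var/lib/dpkg/status
     1:5.1.2-0ubuntu1 500
        500 http://archive.ubuntu.com/ubuntu xenial/universe amd64 Packages'

SAMPLE_LOCAL='mytool:
  Installed: 1.0-1
  Candidate: 1.0-1
  Version table:
 *** 1.0-1 100
        100 /var/lib/dpkg/status'

if [ "${1:-}" = "--run" ]; then audit_installed; fi
```

Run it with `--run` on a real machine to get the full listing; `grep -E '^(universe|multiverse)'` on the output gives the packages outside Canonical's LTS commitment.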

------
ausjke
A bit scary, but I understand Ubuntu probably doesn't have the resources to
watch all those packages all the time for verifying/backporting/testing etc.

As far as security goes, Ubuntu really should work together with Debian to
leverage each other to better the situation. My sites run either LTS or Debian
and now I'm more worried.

~~~
lamarkia
Not so much actual worry. Such panic articles appear regularly.

If you stick with official packages, you are fine. It is the front-facing
services that are important, and these are updated for security issues.

~~~
ausjke
I ran those checks and most problematic packages are related to ruby, as I ran
redmine which uses Ruby.

------
rhinoceraptor
To be fair, many packaged applications in popular distros are insecure
(OwnCloud in Debian as one example). The developers of the applications will
tell users specifically not to install the packaged version of the
application, because it is out of date and/or insecure.

PPAs were supposed to solve this problem, and the official line is that Snap
packages are supposed to solve this problem, but better.

~~~
therealmarv
snap is also not the silver bullet
[https://mjg59.dreamwidth.org/42320.html](https://mjg59.dreamwidth.org/42320.html)

~~~
slgeorge
Snap packages with isolation aren't a 'silver bullet' but they are a step
forward. It continues a trajectory of trying to secure desktop endusers with
steps like AppArmor and kernel hardening that were done for other LTS
releases.

At least in terms of package format, the difficulty with dpkg is that a)
general software developers don't understand it, and b) it's not transactional
in the sense you can't reverse what's happened easily.

Trying to get commercial developers onto Linux is very difficult: on the
desktop side they often don't see the point of such a small platform, and on
the server side they feel it's super complicated and difficult. It might be
stating the obvious but most developers aren't system administrators, so they
really, really struggle with packaging and complain about dpkg/rpm a lot.
Appstores are both tools and a process: Ubuntu did developer.ubuntu.com to
provide an easy process for developers, and snap packages are another step
along that way.

Let's not let the perfect get in the way of the improved!

------
code_research
There is only one really problematic package that is not supported in the
current 16.04 release: network-manager-openvpn

Please support the bug report on Launchpad:

[https://bugs.launchpad.net/ubuntu/+source/network-manager-op...](https://bugs.launchpad.net/ubuntu/+source/network-manager-openvpn/+bug/1574576)

~~~
jldugger
Are there open CVE's regarding it?

------
dfc
Someone once asked me about Wilders Security. I told them I did not know much
about it other than it was a forum primarily for Windows folks. I have never
seen any discussions I wished I was part of from wilders. Is anyone familiar
with wilders?

------
slizard
While the point about the different level of support of different repos is a
good one and it does deserve more awareness, without the right context the
claims of the article are easy to mis- or over-interpret.

I think a fair comparison would be to show other distros too rather than judge
Ubuntu based on a single data-point.

For instance, a user stuck with ancient packages on CentOS may quickly reach
out to alternative repos and pull in tons of packages with questionable
security.

------
slgeorge
This title is misleading.

The article is a post on a bulletin board by someone stating two facts:

a. Canonical "claims" they provide Long Term Support
b. That support is for the "Main" repository only.

Neither of these points is incorrect: though "claim" clearly implies their
opinion. All the Linux distributions need to draw the line somewhere on what
software they will provide security for: Ubuntu comes from the Debian
tradition which packages a large swathe of software, so to differentiate
levels of support/origin they are separated into repositories. Other
distributions reduce the total amount of packaged software made available, to
deal with the same issue.

The title is misleading because it implies that Ubuntu LTS' security record is
poor: which this article is not discussing.

------
tbolt
As someone who runs Ubuntu Desktop, should this be concerning?

Currently I am running 14.04 which I keep regularly updated. The only other
software I have installed is plex media server and chrome. Seems like I would
be more at-risk if I were running more 'non-main' packages, but I am not
really sure what that means.

~~~
lamarkia
Such panic articles appear every so often. People have to dramatize in order
to be heard.

As a desktop user, you interact with the hostile Internet through your
browser, which is updated as soon as an issue appears. You might open PDF
documents, so this is evince. Or LibreOffice for .doc. Both are in main and
get security updates.

~~~
subsection1h
LibreOffice isn't in Main; it's in Universe. You've just unintentionally
demonstrated how Ubuntu is less secure than many of its users realize.

------
gkya
Ubuntu is nice as a (1) desktop, but I can't see its benefits as a server
operating system. It's harder to configure, and more opaque than the
alternatives. The devs seem amateurish and the company is too unfocused
for its size. The system is not well integrated and surprising changes occur
frequently. Documentation is scarce and fragmented. There are systems like
BSDs and maybe some GNU/Linux distros where the behaviour of the system and
of the devs is way more predictable and processes and practices
transparent. Why use Ubuntu for a server, other than for its popularity and
tradition? Are there actually any pros to it that I don't know?

(1) Edit: Removed "disability" from here, autocorrect accident.

~~~
slizard
A large fraction of users seem to disagree! Ubuntu is the most popular server
distro in the cloud, by far.

[http://fossbytes.com/ubuntu-linux-is-the-most-popular-operat...](http://fossbytes.com/ubuntu-linux-is-the-most-popular-operating-system-in-cloud/)
[https://duh6oa3w9hopv.cloudfront.net/uploads/pdfs/RightScale...](https://duh6oa3w9hopv.cloudfront.net/uploads/pdfs/RightScale-2015-State-of-the-Cloud-Report.pdf) etc.

They must be doing something right, but of course as quickly as they rose, they
could lose the market equally quickly. I do see interesting directions,
though: Ubuntu seems to be the default choice on OpenPOWER servers (at least
for now) and it will likely be a strong contender; see e.g.
[https://www-03.ibm.com/press/us/en/pressrelease/47791.wss](https://www-03.ibm.com/press/us/en/pressrelease/47791.wss)

One group that has certainly contributed and needs to be given credit is
Debian!

~~~
gkya
I believe that's because devs want to use what they use for their workstation
(that is, what they know the best) on their servers. That's understandable,
and most cloud services give you boxes that are already usable but because you
don't have something like the FreeBSD handbook, and because the whole thing is not
that tightly integrated, complex stuff requires hacks and dirty workarounds
or at least a lot of experience. I have not done any system-admin work, but I
can say this: in one week I've managed to make my FreeBSD system completely
reproducible after using it for the first time. I haven't been able to do that
with any GNU/Linux, and I've used it for more than ten years till last
February I guess.

~~~
slizard
I take your point about FreeBSD's benefits, but we need to be realistic.

People want working devices/peripherals (admittedly, I'm not very familiar
with the state of the drivers on FreeBSD today, but I know it has been an
issue) and many prefer to be productive too rather than hack away at their OS.
These OSes have moved out of the garage and are running a large part of this
damn Internet :)

FreeBSD is certainly perfect for some niche uses but, I believe, it isn't
realistic for many if not most GNU/Linux server uses today.

And that's where I'd come back to your initial point on Ubuntu's lacking
server benefits: you may not see them, but many do, and for better or worse
they vote with their choice. Even if many don't like it, let's be honest, many
do benefit from it indirectly.

------
fred_is_fred
If we expect Ubuntu/Canonical to support universe packages then you should
expect Apple to support all released OSX and iOS packages too. That would be
insane, just like this article is.

