Sign up to save your podcasts
Or
Share Episode 187
Share to email
Share to Facebook
Share to X
Share to email
Share to Facebook
Share to X
Or
Episode 187
Overview
After the announcement of Ubuntu Pro GA last week, we take the time to dispel
some myths around all things Ubuntu Pro, esm-apps and apt etc, plus Camila sits
down with Mark and David to discuss the backstory of Editorconfig CVE-2023-0341
and we also have a brief summary of the security updates from the past week.
Ubuntu Pro, esm-apps and apt confusions [00:40]
https://www.theregister.com/2022/10/13/canonical_ubuntu_ad/
details
https://www.omgubuntu.co.uk/2022/10/ubuntu-pro-terminal-ad
LTS releasing at the end of the LTS
https://news.ycombinator.com/item?id=33260896
But there has been a lot of users expressing a lot of emotion over the
appearance now of the new ‘advertisement’ for Ubuntu Pro / esm-apps when they
run apt update, e.g.:
The following security updates require Ubuntu Pro with 'esm-apps' enabled:
python2.7-minimal python2.7 libpython2.7-minimal libpython2.7-stdlib
Learn more about Ubuntu Pro at https://ubuntu.com/pro
There appears to be a few main issues:
register an account on Ubuntu One etc and this requires providing various
high-level personal details (Name, Email etc)
So let’s take some time to look into these issues:
various products - e.g. motd etc - so perhaps this causes more frustration
for users - however, if desired it can be disabled:
pro config set apt_news False
entitled to a free Ubuntu Pro subscription on up to 5 machines
Server or Desktop - the install / Ubuntu type doesn’t matter
entitlement for 50 machines
(it still says 5 machines against the free personal token)
objectionable are personal users and so are entitled to the free
subscription
are now only available via Ubuntu Pro when previously they were part of
the regular Ubuntu archive
these updates are for packages in the Universe component of the Ubuntu
archive - previously this has only ever been community supported - and
so the Ubuntu Security team would only ever provide security updates on
rare occasions OR if a member of the community came along and provided
an update in the form of a debdiff which could be sponsored by someone
from the Ubuntu Security team
Universe and these are being made available via Ubuntu Pro
regular security updates for the Main+Restricted components as it
always was
security updates that were never previously available
to Ubuntu One, I realise this can be a bit contentious given that a lot of
Ubuntu and Linux users in general can be quite privacy conscious - however
this is not really any different than other online services like
Github/Gmail etc - and as said earlier, if you choose to not enrol in
Ubuntu Pro, you are just as secure as you always were - and to avoid having
to see the prompt in your apt update output, you can disable that as
mentioned earlier and so restore your system to the same state as it used
to be - as always, you are in control of your own machine
Ubuntu Pro and encourage folks to use it - the Ubuntu Security Team and others
at Canonical have put a lot of work into Ubuntu Pro behind the scenes and we
think this provides a lot of great security benefits and so encourage all
listeners to make use of it to ensure their systems are as secure as possible
The inside story of Editorconfig CVE-2023-0341 [09:05]
Esler about the discovery and investigation of CVE-2023-0341 in Editorconfig
([USN-5842-1] EditorConfig Core C vulnerability from Episode 186)
This week in Ubuntu Security Updates [25:19]
64 unique CVEs addressed
[USN-5849-1] Heimdal vulnerabilities
[USN-5835-4] Cinder vulnerability
[USN-5835-5] Nova vulnerability
[USN-5852-1] OpenStack Swift vulnerability
[USN-5850-1] Linux kernel vulnerabilities
[USN-5854-1] Linux kernel vulnerabilities
[USN-5855-1] ImageMagick vulnerabilities
[USN-5856-1] Linux kernel (OEM) vulnerabilities
[USN-5857-1] Linux kernel (OEM) vulnerability
[USN-5858-1] Linux kernel (OEM) vulnerabilities
[USN-5859-1] Linux kernel (OEM) vulnerabilities
[USN-5848-1] less vulnerability
[USN-5860-1] Linux kernel (GKE) vulnerabilities
[USN-5861-1] Linux kernel (Dell300x) vulnerabilities
[USN-5862-1] Linux kernel (Qualcomm Snapdragon) vulnerabilities
[USN-5863-1] Linux kernel (Azure) vulnerabilities
[USN-5865-1] Linux kernel (Azure) vulnerabilities
[USN-5866-1] Nova vulnerabilities
[USN-5867-1] WebKitGTK vulnerabilities
[USN-5864-1] Fig2dev vulnerabilities
[LSN-0091-1] Linux kernel vulnerability
[USN-5869-1] HAProxy vulnerability
[USN-5871-1] Git vulnerabilities
[USN-5870-1] apr-util vulnerability
Get in contact
View all episodes
By Ubuntu Security Team
4.8
1010 ratings
Overview
After the announcement of Ubuntu Pro GA last week, we take the time to dispel
some myths around all things Ubuntu Pro, esm-apps and apt etc, plus Camila sits
down with Mark and David to discuss the backstory of Editorconfig CVE-2023-0341
and we also have a brief summary of the security updates from the past week.
Ubuntu Pro, esm-apps and apt confusions [00:40]
https://www.theregister.com/2022/10/13/canonical_ubuntu_ad/
details
https://www.omgubuntu.co.uk/2022/10/ubuntu-pro-terminal-ad
LTS releasing at the end of the LTS
https://news.ycombinator.com/item?id=33260896
But there has been a lot of users expressing a lot of emotion over the
appearance now of the new ‘advertisement’ for Ubuntu Pro / esm-apps when they
run apt update, e.g.:
The following security updates require Ubuntu Pro with 'esm-apps' enabled:
python2.7-minimal python2.7 libpython2.7-minimal libpython2.7-stdlib
Learn more about Ubuntu Pro at https://ubuntu.com/pro
There appears to be a few main issues:
register an account on Ubuntu One etc and this requires providing various
high-level personal details (Name, Email etc)
So let’s take some time to look into these issues:
various products - e.g. motd etc - so perhaps this causes more frustration
for users - however, if desired it can be disabled:
pro config set apt_news False
entitled to a free Ubuntu Pro subscription on up to 5 machines
Server or Desktop - the install / Ubuntu type doesn’t matter
entitlement for 50 machines
(it still says 5 machines against the free personal token)
objectionable are personal users and so are entitled to the free
subscription
are now only available via Ubuntu Pro when previously they were part of
the regular Ubuntu archive
these updates are for packages in the Universe component of the Ubuntu
archive - previously this has only ever been community supported - and
so the Ubuntu Security team would only ever provide security updates on
rare occasions OR if a member of the community came along and provided
an update in the form of a debdiff which could be sponsored by someone
from the Ubuntu Security team
Universe and these are being made available via Ubuntu Pro
regular security updates for the Main+Restricted components as it
always was
security updates that were never previously available
to Ubuntu One, I realise this can be a bit contentious given that a lot of
Ubuntu and Linux users in general can be quite privacy conscious - however
this is not really any different than other online services like
Github/Gmail etc - and as said earlier, if you choose to not enrol in
Ubuntu Pro, you are just as secure as you always were - and to avoid having
to see the prompt in your apt update output, you can disable that as
mentioned earlier and so restore your system to the same state as it used
to be - as always, you are in control of your own machine
Ubuntu Pro and encourage folks to use it - the Ubuntu Security Team and others
at Canonical have put a lot of work into Ubuntu Pro behind the scenes and we
think this provides a lot of great security benefits and so encourage all
listeners to make use of it to ensure their systems are as secure as possible
The inside story of Editorconfig CVE-2023-0341 [09:05]
Esler about the discovery and investigation of CVE-2023-0341 in Editorconfig
([USN-5842-1] EditorConfig Core C vulnerability from Episode 186)
This week in Ubuntu Security Updates [25:19]
64 unique CVEs addressed
[USN-5849-1] Heimdal vulnerabilities
[USN-5835-4] Cinder vulnerability
[USN-5835-5] Nova vulnerability
[USN-5852-1] OpenStack Swift vulnerability
[USN-5850-1] Linux kernel vulnerabilities
[USN-5854-1] Linux kernel vulnerabilities
[USN-5855-1] ImageMagick vulnerabilities
[USN-5856-1] Linux kernel (OEM) vulnerabilities
[USN-5857-1] Linux kernel (OEM) vulnerability
[USN-5858-1] Linux kernel (OEM) vulnerabilities
[USN-5859-1] Linux kernel (OEM) vulnerabilities
[USN-5848-1] less vulnerability
[USN-5860-1] Linux kernel (GKE) vulnerabilities
[USN-5861-1] Linux kernel (Dell300x) vulnerabilities
[USN-5862-1] Linux kernel (Qualcomm Snapdragon) vulnerabilities
[USN-5863-1] Linux kernel (Azure) vulnerabilities
[USN-5865-1] Linux kernel (Azure) vulnerabilities
[USN-5866-1] Nova vulnerabilities
[USN-5867-1] WebKitGTK vulnerabilities
[USN-5864-1] Fig2dev vulnerabilities
[LSN-0091-1] Linux kernel vulnerability
[USN-5869-1] HAProxy vulnerability
[USN-5871-1] Git vulnerabilities
[USN-5870-1] apr-util vulnerability
Get in contact