Ubuntu 23.04 & 22.04.3 Installs Haven't Been Following Their Own Security Best Practices
Subiquity 23.09.1 was released today and explains:
"This release addresses an issue (LP: #2033977) where the security pocket in sources.list can end up not configured matching documented best practices. It is recommended to configure the $series-updates to come from security.ubuntu.com, to minimize the effect of mirroring delays.
Affected systems will be ones installed with Ubuntu 23.04, 22.04.3LTS, or installs done since April 2023 that accepted the snap version update.
To correct systems already installed, please modify /etc/apt/sources.list, look for the lines containing -security, and update them to use http://security.ubuntu.com."
Ubuntu's recommended configuration has always been to obtain the security updates from security.ubuntu.com rather than going through any mirrors that could potentially fall stale or otherwise not be updated as quickly as the main Ubuntu security archive for quickly obtaining new security package updates as they are published.
It took until earlier this month to realize the security pocket source is not security.ubuntu.com but that for Ubuntu Desktop 23.04 and other Ubuntu installs with Subiquity since April it's been going through mirrors instead. This bug was marked as of "critical" importance.
The fix of ensuring the proper security archive is set to the right URL was merged to Subiquity last week and is part of the Subiquity 23.09.1 release. It's somewhat surprising, or rather alarming, it took so long for this to be noticed. In any event the fix is out there now for new Subiquity-based while those on existing Ubuntu installations will want to verify their /etc/apt/sources.list configuration to confirm they are obtaining their security updates directly from security.ubuntu.com.