Ubuntu 23.04 & 22.04.3 Installs Haven't Been Following Their Own Security Best Practices

Written by Michael Larabel in Ubuntu on 15 September 2023 at 10:52 AM EDT. 9 Comments
UBUNTU
It turns out that Ubuntu Linux installations of Ubuntu 23.04, 22.04.3 LTS, and installs done since April 2023 that accepted the Snap version update haven't been following Ubuntu's own recommended security best practices for their security pocket configuration for packages. A new Subiquity release was issued today to fix this problem while those on affected Ubuntu installs are recommended to manually edit their /etc/apt/sources.list file.

Subiquity 23.09.1 was released today and explains:
"This release addresses an issue (LP: #2033977) where the security pocket in sources.list can end up not configured matching documented best practices. It is recommended to configure the $series-updates to come from security.ubuntu.com, to minimize the effect of mirroring delays.

Affected systems will be ones installed with Ubuntu 23.04, 22.04.3LTS, or installs done since April 2023 that accepted the snap version update.

To correct systems already installed, please modify /etc/apt/sources.list, look for the lines containing -security, and update them to use http://security.ubuntu.com."

Ubuntu's recommended configuration has always been to obtain the security updates from security.ubuntu.com rather than going through any mirrors that could potentially fall stale or otherwise not be updated as quickly as the main Ubuntu security archive for quickly obtaining new security package updates as they are published.

It took until earlier this month to realize the security pocket source is not security.ubuntu.com but that for Ubuntu Desktop 23.04 and other Ubuntu installs with Subiquity since April it's been going through mirrors instead. This bug was marked as of "critical" importance.

Ubuntu Lunar /etc/apt/sources.list


The fix of ensuring the proper security archive is set to the right URL was merged to Subiquity last week and is part of the Subiquity 23.09.1 release. It's somewhat surprising, or rather alarming, it took so long for this to be noticed. In any event the fix is out there now for new Subiquity-based while those on existing Ubuntu installations will want to verify their /etc/apt/sources.list configuration to confirm they are obtaining their security updates directly from security.ubuntu.com.
9 Comments
Related News
Ubuntu 24.04 LTS Downloads Now Available
Ubuntu 24.04 Supports Easy Installation Of OpenZFS Root File-System With Encryption
Ubuntu 24.04 Beta Now Available For Testing
Ubuntu Maker Canonical Announces New Collaboration With Qualcomm
Canonical Announces Ubuntu Pro For Devices
Netplan 1.0 Is Ready To Go For Ubuntu 24.04 LTS
About The Author
Michael Larabel

Michael Larabel is the principal author of Phoronix.com and founded the site in 2004 with a focus on enriching the Linux hardware experience. Michael has written more than 20,000 articles covering the state of Linux hardware support, Linux performance, graphics drivers, and other topics. Michael is also the lead developer of the Phoronix Test Suite, Phoromatic, and OpenBenchmarking.org automated benchmarking software. He can be followed via Twitter, LinkedIn, or contacted via MichaelLarabel.com.

Popular News This Week
Rust-Written LAVD Kernel Scheduler Shows Promising Results For Linux Gaming
Fedora Linux 40 Cleared For Release Next Week
Fedora Linux 40 Available For Download As A Wonderful Upgrade
AMD: "Additional Parts Of The Radeon Stack To Be Open Sourced Throughout The Year"
Mozilla Finally Begins Offering Firefox ARM64 Linux Binaries
Linux 6.10 Preps A Kernel Panic Screen - Sort Of A "Blue Screen of Death"
GNU Portability Library's Tool Rewritten In Python For 8~100x Better Performance
Godot's Vulkan Backend Seeing Better Performance, 10~20% Reduction In Frame Times