Ubuntu 23.04 & 22.04.3 Installs Haven't Been Following Their Own Security Best Practices

Written by Michael Larabel in Ubuntu on 15 September 2023 at 10:52 AM EDT. 9 Comments
It turns out that Ubuntu Linux installations of Ubuntu 23.04, 22.04.3 LTS, and installs done since April 2023 that accepted the Snap version update haven't been following Ubuntu's own recommended security best practices for their security pocket configuration for packages. A new Subiquity release was issued today to fix this problem while those on affected Ubuntu installs are recommended to manually edit their /etc/apt/sources.list file.

Subiquity 23.09.1 was released today and explains:
"This release addresses an issue (LP: #2033977) where the security pocket in sources.list can end up not configured matching documented best practices. It is recommended to configure the $series-updates to come from security.ubuntu.com, to minimize the effect of mirroring delays.

Affected systems will be ones installed with Ubuntu 23.04, 22.04.3LTS, or installs done since April 2023 that accepted the snap version update.

To correct systems already installed, please modify /etc/apt/sources.list, look for the lines containing -security, and update them to use http://security.ubuntu.com."

Ubuntu's recommended configuration has always been to obtain the security updates from security.ubuntu.com rather than going through any mirrors that could potentially fall stale or otherwise not be updated as quickly as the main Ubuntu security archive for quickly obtaining new security package updates as they are published.

It took until earlier this month to realize the security pocket source is not security.ubuntu.com but that for Ubuntu Desktop 23.04 and other Ubuntu installs with Subiquity since April it's been going through mirrors instead. This bug was marked as of "critical" importance.

Ubuntu Lunar /etc/apt/sources.list

The fix of ensuring the proper security archive is set to the right URL was merged to Subiquity last week and is part of the Subiquity 23.09.1 release. It's somewhat surprising, or rather alarming, it took so long for this to be noticed. In any event the fix is out there now for new Subiquity-based while those on existing Ubuntu installations will want to verify their /etc/apt/sources.list configuration to confirm they are obtaining their security updates directly from security.ubuntu.com.
Related News
About The Author
Michael Larabel

Michael Larabel is the principal author of Phoronix.com and founded the site in 2004 with a focus on enriching the Linux hardware experience. Michael has written more than 20,000 articles covering the state of Linux hardware support, Linux performance, graphics drivers, and other topics. Michael is also the lead developer of the Phoronix Test Suite, Phoromatic, and OpenBenchmarking.org automated benchmarking software. He can be followed via Twitter, LinkedIn, or contacted via MichaelLarabel.com.

Popular News This Week