Ubuntu 23.04 & 22.04.3 Installs Haven't Been Following Their Own Security Best Practices
It turns out that Ubuntu installations performed with Ubuntu 23.04 or Ubuntu 22.04.3 LTS, as well as installs done since April 2023 that accepted the Snap update of the installer, haven't been following Ubuntu's own recommended security best practice for the security pocket configuration of their package sources. A new Subiquity release was issued today to fix the problem, while those on affected Ubuntu installs are recommended to manually edit their /etc/apt/sources.list file.
Subiquity 23.09.1 was released today and explains:
"This release addresses an issue (LP: #2033977) where the security pocket in sources.list can end up not configured matching documented best practices. It is recommended to configure the $series-updates to come from security.ubuntu.com, to minimize the effect of mirroring delays.
Affected systems will be ones installed with Ubuntu 23.04, 22.04.3 LTS, or installs done since April 2023 that accepted the snap version update.
To correct systems already installed, please modify /etc/apt/sources.list, look for the lines containing -security, and update them to use http://security.ubuntu.com."
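A way to audit and correct a system along the lines of the release note's instruction, as an added example that is not part of the Subiquity release or of this article: the sources.list content below is constructed to resemble an affected install (a country mirror serving the -security pocket) and the script only touches the temporary copy it creates. To check a real system, point the two functions at /etc/apt/sources.list instead; the fix function writes a .bak backup before editing.

```shell
#!/bin/sh
# Constructed sample of a sources.list as written by an affected installer:
# every pocket, including -security, goes through a country mirror.
SAMPLE_SOURCES=$(mktemp)
cat > "$SAMPLE_SOURCES" <<'EOF'
deb http://us.archive.ubuntu.com/ubuntu jammy main restricted universe multiverse
deb http://us.archive.ubuntu.com/ubuntu jammy-updates main restricted universe multiverse
deb http://us.archive.ubuntu.com/ubuntu jammy-security main restricted universe multiverse
deb http://us.archive.ubuntu.com/ubuntu jammy-backports main restricted universe multiverse
EOF

# Print every active deb/deb-src line whose suite ends in -security but whose
# URI host is not security.ubuntu.com. Handles an optional [options] field.
misconfigured_security_lines() {
    awk '
      $1 ~ /^deb(-src)?$/ {
          i = 2
          if ($i ~ /^\[/) { while (i <= NF && $i !~ /\]$/) i++; i++ }   # skip [arch=...] etc.
          uri = $i; suite = $(i + 1)
          if (suite ~ /-security$/ && uri !~ /^https?:\/\/security\.ubuntu\.com\//) print
      }' "$1"
}

# Exit 0 when the -security pocket follows the documented best practice.
check_security_pocket() {
    [ -z "$(misconfigured_security_lines "$1")" ]
}

# Point the host of every -security line at security.ubuntu.com, in place,
# leaving the other pockets (mirrored as intended) untouched. Keeps FILE.bak.
fix_security_pocket() {
    sed -i.bak -E \
        '/^deb(-src)? .*[[:space:]][^[:space:]]+-security[[:space:]]/ s#https?://[^/[:space:]]+/ubuntu#http://security.ubuntu.com/ubuntu#' \
        "$1"
}

# Usage on the constructed sample: report, fix, then re-check.
if check_security_pocket "$SAMPLE_SOURCES"; then
    echo "security pocket OK"
else
    echo "security pocket served by a mirror:"
    misconfigured_security_lines "$SAMPLE_SOURCES"
    fix_security_pocket "$SAMPLE_SOURCES"
    check_security_pocket "$SAMPLE_SOURCES" && echo "fixed: $(grep -- '-security' "$SAMPLE_SOURCES")"
fi
```

Only the -security line is rewritten; the main, -updates and -backports pockets are left on the mirror, which matches the intent of the recommended configuration rather than forcing everything onto the central archive.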
Ubuntu's recommended configuration has always been to fetch security updates directly from security.ubuntu.com rather than through a mirror, since mirrors can fall stale or otherwise lag behind the main Ubuntu security archive, delaying new security package updates after they are published.
It took until earlier this month to realize that the security pocket was not pointing at security.ubuntu.com: for Ubuntu Desktop 23.04 and other Ubuntu installs done with Subiquity since April, security updates have been going through mirrors instead. The bug was marked as being of "critical" importance.
The fix, ensuring the security archive is set to the correct URL, was merged into Subiquity last week and is part of the Subiquity 23.09.1 release. It's somewhat surprising, or rather alarming, that it took so long for this to be noticed. In any event, the fix is now out for new Subiquity-based installs, while those with existing Ubuntu installations will want to verify their /etc/apt/sources.list configuration to confirm they are obtaining security updates directly from security.ubuntu.com.