
Since Canonical released Ubuntu Pro this year, they are now withholding some security patches for many common packages, including some that are included on Laravel Forge-provisioned servers.

I use AWS Inspector to monitor for vulnerabilities on my EC2 instances, and all of a sudden there are several medium-severity vulnerabilities that are unable to be patched with unattended-upgrades, or even a manual install. The patches are restricted to Ubuntu Pro users as part of the "ESM" service. This is not just true of older installations -- I have several vulnerabilities showing on 22.04.2 LTS builds, and I'm quickly approaching the SLA on resolving these for our SOC II protocol. This was never a problem in the past two years I've been using Forge + Ubuntu + AWS Inspector. All vulnerabilities were always patchable via unattended-upgrades or the occasional apt-get update/upgrade plus server reboot. I'm not really sure what the best course of action is -- but likely many enterprise Forge users will start feeling the effects of this soon. Perhaps there is another Unix distro that can be used, or maybe Forge can partner with Canonical to allow provisioning "Pro" servers at a reasonable cost?

Anyone else dealing with this now or have any ideas on how to best handle this situation?

1 Answer


"This was never a problem in the past two years" simply means that you were blind to CVEs in Universe. Well, now you can see them.

The only way to install packages from ESM is to subscribe to Pro. If that's what the SLA requires, then you obviously have several choices.

These are not technical choices -- they are business-model choices.

  • Amend your SLA
  • Stop using Universe software
  • Use the 6-month releases of Ubuntu instead of LTS
  • Subscribe
  • Create/join a different (non-Pro) group that patches or mitigates Universe CVEs

Note also that any audit method you were using has apparently been shown ineffective. It should have been revealing those unpatched Universe CVEs all along.

user535733
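The practical question behind the answer is, for each package a scanner flags: did the installed version come from Universe (where public LTS updates stop after the initial commitment) and does the fix exist only in an ESM pocket that an unattached host cannot see? On a live host the raw data is `apt-cache policy <pkg>` (and `pro security-status` for a host-wide summary). The script below is an added example, not code from the question, the answer, Canonical or Forge: it parses `apt-cache policy` output and reports the component that supplied the installed version and the source of any candidate fix. The package names, versions and the esm.ubuntu.com source lines are constructed sample text so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the question, the answer, Canonical or Forge):
# read `apt-cache policy <pkg>` output and report (a) which archive component
# supplied the installed version and (b) where the candidate fix would come from.
# On a live host:  apt-cache policy somelib1 | installed_from
# Below, the policy output is constructed sample text so the script runs offline.

POLICY_AWK='
function tag(url, suite_comp,   p) {
    # ESM pockets live on esm.ubuntu.com (URL shape assumed here); anything else is
    # the public archive, where "jammy-updates/universe" -> universe, etc.
    if (url ~ /esm\.ubuntu\.com\/apps/)  return "esm-apps"
    if (url ~ /esm\.ubuntu\.com\/infra/) return "esm-infra"
    split(suite_comp, p, "/")
    return p[2]
}
/^  Installed: / { inst = $2 }
/^  Candidate: / { cand = $2 }
/^ \*\*\* /      { cur = $2 }     # version-table entry for the installed version
/^     [^ ]/     { cur = $1 }     # version-table entry for some other version
/^        [0-9]+ https?:/ {       # a network source that carries version "cur"
    if (cur == inst && itag == "") itag = tag($2, $3)
    if (cur == cand && cand != inst && ftag == "") ftag = tag($2, $3)
}
END {
    # "local-only": the archive no longer carries the installed version, so only
    # /var/lib/dpkg/status knows it; look at the candidate line instead.
    print "installed " (itag == "" ? "local-only" : itag)
    print "fix " (inst == cand ? "up-to-date" : (ftag == "" ? "unknown" : ftag))
}
'

installed_from() { awk "$POLICY_AWK" | sed -n 's/^installed //p'; }
fix_from()       { awk "$POLICY_AWK" | sed -n 's/^fix //p'; }

# Constructed sample 1: what the questioner sees on an unattached 22.04 host.
# A Universe package; the archive has nothing newer, so apt reports it up to date
# even though a scanner may flag a CVE in it.
SAMPLE_UNATTACHED='somelib1:
  Installed: 1.4.2-3ubuntu1
  Candidate: 1.4.2-3ubuntu1
  Version table:
 *** 1.4.2-3ubuntu1 500
        500 http://archive.ubuntu.com/ubuntu jammy/universe amd64 Packages
        100 /var/lib/dpkg/status'

# Constructed sample 2: the same package after `pro attach`; the fix now appears
# as a candidate from the esm-apps pocket.
SAMPLE_ATTACHED='somelib1:
  Installed: 1.4.2-3ubuntu1
  Candidate: 1.4.2-3ubuntu1+esm1
  Version table:
     1.4.2-3ubuntu1+esm1 500
        500 https://esm.ubuntu.com/apps/ubuntu jammy-apps-security/main amd64 Packages
 *** 1.4.2-3ubuntu1 500
        500 http://archive.ubuntu.com/ubuntu jammy/universe amd64 Packages
        100 /var/lib/dpkg/status'

# Constructed sample 3: a Main package with a pending public security update.
# The installed version has already been superseded in the archive.
SAMPLE_MAIN='somelib2:
  Installed: 3.0.2-0ubuntu1.8
  Candidate: 3.0.2-0ubuntu1.10
  Version table:
     3.0.2-0ubuntu1.10 500
        500 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu jammy-security/main amd64 Packages
 *** 3.0.2-0ubuntu1.8 100
        100 /var/lib/dpkg/status
     3.0.2-0ubuntu1 500
        500 http://archive.ubuntu.com/ubuntu jammy/main amd64 Packages'

report() {  # report <label> <policy-text>
    printf '%-22s installed from: %-10s fix from: %s\n' "$1" \
        "$(printf '%s\n' "$2" | installed_from)" \
        "$(printf '%s\n' "$2" | fix_from)"
}

report unattached-universe "$SAMPLE_UNATTACHED"
report attached-universe   "$SAMPLE_ATTACHED"
report main-pending-update "$SAMPLE_MAIN"
```

Sample 1 is the situation in the question: apt says "up-to-date" because the public archive simply has no fixed build for a Universe package, so unattended-upgrades has nothing to install; only a scanner working from CVE data notices. Sample 2 shows the same package once the host is attached to Pro, where the fix arrives from esm-apps. Sample 3 shows the "local-only" edge case: once jammy-updates has moved on, the installed version exists only in /var/lib/dpkg/status, so the component has to be read from the candidate's source line instead. To audit a whole host, feed `dpkg-query -W -f '${Package}\n'` through `apt-cache policy` one package at a time and flag anything whose installed component is universe or multiverse; that is the list this answer says the questioner should have been watching all along.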