Is Ubuntu shipping software with known security vulnerabilities? (lemmy.world)

submitted 3 months ago by [email protected] to c/[email protected]

28 comments fedilink hide all child comments

Ubuntu's current LTS version (24.04) contains ffmpeg version 7:6.1.1-3ubuntu5 which has this buffer overflow vulnerability:

https://trac.ffmpeg.org/ticket/10952

https://ubuntu.com/security/CVE-2024-32230

On my only Ubuntu computer, my update widget says that I need to upgrade to ffmpeg version 7:6.1.1-3ubuntu5+esm2 but can only only do so with Ubuntu Pro. I'm not eligible for Ubuntu Pro.

Ubuntu claims that 24.04 is currently fully supported, and should have complete security updates. However, they seem to have paywalled this security update.

What should I do?

you are viewing a single comment's thread
view the rest of the comments

[-] [email protected] 0 points 3 months ago

However, Ubuntu started a service called Ubuntu Pro / ESM that provides updates for packages in universe.

Since it's all free software, what gives Ubuntu the privilege to restrict these updates behind paywalls and signups?

Pro is also free for personal use on up to 5 machines, so there’s no reason not to enable it.

Fuck that bullshit. We shouldn't be encouraging or enabling this behavior at all.

[-] [email protected] 17 points 3 months ago* (last edited 3 months ago)

GPL does not restrict you from selling the software, though you can't stop getting distributed by someone who bought it. Even RMS himself sold Emacs back in the day.

EDIT: I'm not saying it's justified in moral sense, I think it sucks ass. But it's not against the license.

[-] [email protected] -2 points 3 months ago

GPL does not restrict you from selling the software

Oh god, we know.

Practically speaking though, if anyone can redistribute it for free then it's available for free.

[-] [email protected] 2 points 3 months ago

You don't seem to understand the difference between free as in freedom and free as in beer that is literally the cornerstone of the free software community.

[-] [email protected] 7 points 3 months ago

Canonical is making the security patches.

Also, you don’t have to release your source code changes to the public. You only have to release your changes to those who have access to the product.

That being said, Canonical probably does release the source code changes for their security fixes, I just don’t know where.

this post was submitted on 06 Mar 2025

66 points (92.3% liked)

Linux

55149 readers

623 users here now

From Wikipedia, the free encyclopedia

Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).

Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.

Rules

Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.
No misinformation
No NSFW content
No hate speech, bigotry, etc

Related Communities

Community icon by Alpár-Etele Méder, licensed under CC BY 3.0

founded 6 years ago

MODERATORS

[email protected]