Score:61

I'm getting the message: "The following security updates require Ubuntu Pro with 'esm-apps' enabled" when updating Ubuntu 22.04


I use the package texlive-full, which installs imagemagick and other related packages. When I check for updates, I get this message:

The following security updates require Ubuntu Pro with 'esm-apps' enabled:
  imagemagick libopenexr25 libmagick++-6.q16-8 libmagickcore-6.q16-6-extra
  libmagickwand-6.q16-6 imagemagick-6.q16 libmagickcore-6.q16-6
  imagemagick-6-common

Which means that if I want to use texlive-full with Ubuntu 22.04, I have to pay $500 per year to have a secured distro, as far as I understand what is written.

Is there a way to avoid that, for example by not installing everything installed by texlive-full?

EDIT:

gaucher@mars:~$ apt policy texlive-full
texlive-full:
  Installé : 2021.20220204-1
  Candidat : 2021.20220204-1
 Table de version :
 *** 2021.20220204-1 500
        500 http://fr.archive.ubuntu.com/ubuntu jammy/universe amd64 Packages
        500 http://fr.archive.ubuntu.com/ubuntu jammy/universe i386 Packages
        100 /var/lib/dpkg/status

My configuration (yes I am using Ubuntu 22.04):


Added on request:

gaucher@mars:~$ apt policy imagemagick
imagemagick:
  Installé : 8:6.9.11.60+dfsg-1.3ubuntu0.22.04.1+esm1
  Candidat : 8:6.9.11.60+dfsg-1.3ubuntu0.22.04.1+esm1
 Table de version :
 *** 8:6.9.11.60+dfsg-1.3ubuntu0.22.04.1+esm1 500
        500 https://esm.ubuntu.com/apps/ubuntu jammy-apps-security/main amd64 Packages
        100 /var/lib/dpkg/status
     8:6.9.11.60+dfsg-1.3build2 500
        500 http://fr.archive.ubuntu.com/ubuntu jammy/universe amd64 Packages
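As an added example (not from the question or any answer), a POSIX shell helper that reads `apt policy` output like the listings above and reports whether each package's candidate version is served only from esm.ubuntu.com, which is what the "require Ubuntu Pro" message is about. `esm_status` and `sample_policy` are hypothetical names, and the sample input is constructed from the output shown in the question.

```shell
#!/bin/sh
# Hypothetical helper (not from the thread): read `apt policy` output and report
# whether each package's candidate version is served only by esm.ubuntu.com,
# i.e. whether it is one of the updates that "require Ubuntu Pro". Label
# prefixes match both English and French output ("Installed:"/"Installé :").
esm_status() {
    awk '
    function flush() {
        if (pkg != "") printf "%s installed=%s candidate=%s esm_only=%s\n", pkg, inst, cand, ((esm && !archive) ? "yes" : "no")
    }
    /^[^ ].*:$/   { flush(); pkg = $1; sub(/:$/, "", pkg); inst = cand = ""; esm = archive = 0; next }
    /^  Install/  { inst = $NF; next }
    /^  Candidat/ { cand = $NF; next }
    /^ \*\*\* / || /^     [^ ]/ { ver = ($1 == "***") ? $2 : $1; next }  # version-table entry
    /^        [0-9]+ / {                                                   # source line of that entry
        if (ver == cand) {
            if ($2 ~ /esm\.ubuntu\.com/) esm = 1
            else if ($2 ~ /^https?:\/\//) archive = 1
        }
        next
    }
    END { flush() }'
}

# Constructed sample modelled on the question: the French-locale output for
# imagemagick (ESM-only candidate) plus an English-locale texlive-full entry.
sample_policy() {
cat <<'EOF'
imagemagick:
  Installé : 8:6.9.11.60+dfsg-1.3ubuntu0.22.04.1+esm1
  Candidat : 8:6.9.11.60+dfsg-1.3ubuntu0.22.04.1+esm1
 Table de version :
 *** 8:6.9.11.60+dfsg-1.3ubuntu0.22.04.1+esm1 500
        500 https://esm.ubuntu.com/apps/ubuntu jammy-apps-security/main amd64 Packages
        100 /var/lib/dpkg/status
     8:6.9.11.60+dfsg-1.3build2 500
        500 http://fr.archive.ubuntu.com/ubuntu jammy/universe amd64 Packages
texlive-full:
  Installed: 2021.20220204-1
  Candidate: 2021.20220204-1
  Version table:
 *** 2021.20220204-1 500
        500 http://fr.archive.ubuntu.com/ubuntu jammy/universe amd64 Packages
        100 /var/lib/dpkg/status
EOF
}

sample_policy | esm_status
```

On a real machine, pipe `apt policy $(dpkg-query -f '${binary:Package}\n' -W)` into `esm_status` to list which installed packages currently have an ESM-only candidate.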
Score:34

Here is a solution that doesn't require subscribing or registering. It removes the helpful "look what you could get if you sign up" message. This is not the most elegant, but it takes care of the immediate issue:

The file /etc/apt/apt.conf.d/20apt-esm-hook.conf provides the hook that calls the marketing message generation. Removing that is an option:

mkdir -p ~/relocated_apt
sudo mv /etc/apt/apt.conf.d/20apt-esm-hook.conf ~/relocated_apt/.

Now when you run apt upgrade the message does not show.

Note this doesn't survive updates if a new version gets put there, which may happen more as this new feature is rolled out/updated.

Joseph Sible-Reinstate Monica: While this may remove the message, it doesn't fix the security vulnerability that the message is warning you that you're affected by.

John Manecke: This solution addresses the issue of getting a message that is perceived as an error. If the OP does not want to subscribe (or be reminded about it in a confusing way), this removes the message.

John Manecke: Help me to better understand this. Is there a security vulnerability here? If I'm running Debian stable, the version of imagemagick I'll have is the same as what I'm getting from universe without the esm-apps. I generally consider Debian stable to be well updated from a security perspective. Agree moving to esm-apps provides a path to increased security, but I'm not sure running without it means I'm running with security vulnerabilities? Does this issue rise to something you modify the output of apt for?

mchid: Yes, it appears 20.04 and 22.04 do have some vulnerabilities that only ESM provides updates for. As for Debian, you'll have to check with Debian to see if the same applies because Debian offers slightly different package versions that may be patched.

mchid: Like for [this CVE](https://security-tracker.debian.org/tracker/CVE-2021-4219), oldstable (buster) is patched but stable (bullseye) is not.

mchid: Pretty sure it will survive an update (or it will at least prompt you before making changes) if you simply change the hooks from `true` to `false`. For example: `sudo sed -i 's/true/false/g' /etc/apt/apt.conf.d/20apt-esm-hook.conf`
Score:33

I have found the solution. Run:

sudo pro enable esm-apps

and then update using the usual way and imagemagick and all related packages will be updated.

If Ubuntu Pro support is enabled on your Ubuntu Desktop, you can go to Software & Updates and open the Ubuntu Pro tab.


In this context, it should be noted that "ESM Apps" cover applications from the universe repository.

Note that it is necessary to have an account on ubuntu.com and this feature is free for up to 5 machines.

See the Q&A about Ubuntu Pro.

Dario Petrillo: Doesn't look like a solution when the goal is to continue using a system without having to switch on a subscription.

Philippe Gaucher: @DarioPetrillo You're right. The solution is not complete. It is necessary to have an account on ubuntu.com at first. It is free for up to 5 machines: I have one desktop PC and two laptop PCs with Ubuntu 22.04.

Bytor: Doesn't work, even after creating the needed account and getting a token.

Another commenter: Sure it's free, but you're leaving something very important out: `tier: updates (Free usage; This machine beta tests new patches.)`

Antonio J. de Oliveira: This does not work. One enables it and the status is the same: Disabled.
Score:31

This is an additional support stream

From reddit.com/r/linux/, user Patch86UK:

For clarity: This is not a roadblock being put on an existing support stream, it is a new support stream. Previously Ubuntu did not provide security patches for "Universe" repo packages (instead relying on upstream patches to happen when they happen). The Ubuntu security team are now producing in-house security patches for these packages, but only where Pro has been opted into (which is free for personal use).

If you do not want to opt in to Pro you still have the same level of support you had before (and the same level of support that you have with 99% of other distros).

Gary: I'm now considering Debian 11. This is a terrible idea by the Ubuntu team.

Kaspacainoombro: It is time to consider moving away from Ubuntu...

s3v3n: I feel like this will be widely misunderstood. There were no previous updates of this kind. These updates are available only in Ubuntu because this is additional work by them. Debian will not receive these until the community patches them, at which point they'll be available in "non-paid" Ubuntu. So this is on top of what you'd get on Debian.

mchid: @Gary There really isn't a difference with Debian as the Imagemagick vulnerabilities haven't been patched (except for old-stable as far as I can tell). This isn't any different than it was before with the Universe repository, only now Imagemagick has been moved to Universe, which I do feel was a bad move considering all the vulnerabilities that pop up with this group of packages.

mchid: @Gary Also, I think it should be noted that ImageMagick appears to be fully patched in 22.10 and also for 18.04 (because in 18.04, ImageMagick was still in main, not Universe).

mchid: @s3v3n Yes and no. ImageMagick was moved out of main and into Universe in 20.04.

mchid: Actually, I'm not sure why, but security updates were made available for [22.10](https://packages.ubuntu.com/search?keywords=libmagickcore-6.q16-6-extra&searchon=names&suite=kinetic&section=all) but not for [Jammy](https://packages.ubuntu.com/search?keywords=libmagickcore-6.q16-6-extra&searchon=names&suite=jammy&section=all).

Hugo Cox: I think the message should read: "Get FASTER security updates through Ubuntu Pro with 'esm-apps' enabled:"

CR.: Ubuntu is still holding back security patches. The ethics of this are extremely questionable. They're basically doing what those "security" companies do that sell exploits (NSO, etc). Consider an evil hacker that has a "Pro" subscription, it's basically a feed for exploits they can use. No more Ubuntu for me.
Score:16

Have you actually tried going to https://ubuntu.com/pro ? I just did, and after logging in, I received a "Free Personal Token" that never expires and includes up to 5 machines.

Then you just need to run "sudo pro attach your-personal-token" and that's it :)

Philippe Gaucher: Yes, it is more or less what I did with my other Ubuntu PC :-). I am registered for livepatch so I have an account on ubuntu.com. That is why the solution I gave works, by the way; otherwise the first step is to register on ubuntu.com to get an account.

hongo: I have to pay now for it. Maybe it recently changed.

Philippe Gaucher: @hongo It's free for personal use, for up to 5 machines.

Ofek Shilon: @PhilippeGaucher Today it costs $25 per year. Not free for personal use.

Philippe Gaucher: @OfekShilon It is free for personal use for up to five machines. I have 5 free personal tokens which never expire...

Ofek Shilon: @PhilippeGaucher I don't think you'd be able to get a new one today.

Philippe Gaucher: @OfekShilon That is extremely bad news!
Score:10

There are two possible solutions.

Solution 1: Enable the Pro repository.

That repository is not public, it's free for up to 5 machines, it requires setting up an account (email, username, password), and it gives you additional security updates. To do that, register at https://ubuntu.com/pro, get your personal token, then run:

    sudo pro attach your-personal-token

This is what Ubuntu recommends itself.

Solution 2: Remove the advertisement.

sudo dpkg-divert --divert /etc/apt/apt.conf.d/20apt-esm-hook.conf.bak --rename --local /etc/apt/apt.conf.d/20apt-esm-hook.conf

This will effectively add a .bak suffix to the conf file, immediately disabling it. This will continue to work with future apt upgrades as well.

To confirm that it is working, run apt upgrade. If everything works correctly, you should no longer see the extra text.

Joseph Sible-Reinstate Monica: It's important to remember that only solution 1 will get you the security updates. Solution 2 just covers up the fact that you're missing them.
Score:1

While most answers discuss ESM, TeXLive without (Ubuntu's version of) imagemagick might be a reasonable goal by itself.

Regarding which packages in texlive-full actually require imagemagick, you could simply do a sudo apt remove imagemagick-6-common after installing texlive-full.

But if you plan to use tlmgr, you should avoid installing texlive-full and just follow this guide on tex.stackexchange. However, imagemagick might still be pulled in by other TeX-related packages, e.g., on my system kbibtex recommends latex2rtf (not part of TeXLive, but on CTAN) which requires imagemagick-6-common.

Score:0

These have not helped me (they do not persist):

  1. moving/removing /etc/apt/apt.conf.d/20apt-esm-hook.conf
  2. changing the token in the /etc/apt/apt.conf.d/20apt-esm-hook.conf file from true to false

I have not found a workaround for this that persists. However, I do note from a discussion on reddit:

We don't show it in apt-get (anymore) because scripts parse apt-get output and break whereas apt output is for humans only.

I can confirm that the message does not (as of yet) get called when using apt-get or if using nala as a front end.

Definitely not a 'solution' as such, but it does allow me to not be reminded how much I hate Ubuntu every time I run an update :)
