
Security update that doesn't look right


An update for Ubuntu is showing this:

Samba core libraries:
* SECURITY UPDATE: Multiple regressions (LP: #2003867) (LP: #2003891)
    - debian/patches/series: disable all security fixes from the previous
      update pending further investigation. This reverts the following
      CVEs: CVE-2022-3437, CVE-2022-42898, CVE-2022-45141, CVE-2022-38023,
      CVE-2022-37966, CVE-2022-37967.

Is it normal for an update to disable previous security fixes, or does something here not add up? Wouldn't that make my device vulnerable to those CVEs? I haven't applied this update, although it has shown up many times in the past few days, because it will revert some previous patches.

Ubuntu 20.04.5 LTS

Jos
This must be a correction to a security upgrade that was issued last Tuesday: https://ubuntu.com/security/notices/USN-5822-1
Regressions are not uncommon with software updates. When one happens and an update breaks things, it is reverted. So, yes, it is normal.
cookieserver
Thanks guys. Appreciate it.

Your first stop for security-related questions should be the tools at security.ubuntu.com

In this example, see https://ubuntu.com/security/notices/USN-5822-2:

USN-5822-1 fixed vulnerabilities in Samba. The update for Ubuntu 20.04 LTS introduced regressions in certain environments. Pending investigation of these regressions, this update temporarily reverts the security fixes.

We apologize for the inconvenience.

The Ubuntu Security Team doesn't want patches to cause unexpected problems -- the point of the patch is to solve problems. When folks report serious problems with an update, reverting that update pending investigation is one normal alternative that Ubuntu has to limit the risk to your system.

None of these reverted patches was "high" priority or "critical". None of the CVEs are readily exploitable in a stock install of Ubuntu anyway.

The Ubuntu Security Team wants folks to understand how they work. They don't want it to be a mystery. They publish a weekly podcast to help folks understand, and it's a great learning tool.

cookieserver
Appreciate it. Wow, I didn't know there were podcasts for that!! I will start listening to them while coding :) Sounds amazing!! Cheers, mate.