Score:2

With the release of Ubuntu Pro, Laravel Forge provisioned servers are left vulnerable


Since Canonical released Ubuntu Pro this year, they are now withholding some security patches for many common packages, including some that are included on Laravel Forge provisioned servers.

I use AWS Inspector to monitor for vulnerabilities on my EC2 instances, and all of a sudden there are several medium-severity vulnerabilities that are unable to be patched with unattended-upgrades, or even a manual install. The patches are restricted to Ubuntu Pro users as part of the "ESM" service. This is not just true of older installations -- I have several vulnerabilities showing on 22.04.2 LTS builds, and I'm quickly approaching the SLA on resolving these for our SOC II protocol. This was never a problem in the past two years I've been using Forge + Ubuntu + AWS Inspector. All vulnerabilities were always patchable via unattended-upgrades or the occasional apt-get update/upgrade plus server reboot. I'm not really sure what the best course of action is -- but likely many enterprise Forge users will start feeling the effects of this soon. Perhaps there is another Unix distro that can be used, or maybe Forge can partner with Canonical to allow provisioning "Pro" servers at a reasonable cost?

Anyone else dealing with this now or have any ideas on how to best handle this situation?

guiverc:
Are you sure? Ubuntu PRO brings security fixes/patches to `universe` packages, which they've never had before, as a new feature that is now available and optional. Packages are still upgraded as before even without Ubuntu PRO enabled, but only those provided by the community with no change (the new *security* patches are additional to the upstream packages previously available, and still available with or without Ubuntu PRO enabled). Ubuntu PRO just means more flaws are searched for and thus fixed, instead of the traditional back-porting of fixes from upstream, which hasn't changed!
jalipert:
I am sure that AWS Inspector is finding medium-severity vulnerabilities on universe packages, and says the fixed version is an esm patch. I am unable to install these patches on my non-Pro servers. Whether these fixes were never getting done before doesn't really matter. Now that my vulnerability monitor is finding them, I do need to figure out a way to install them to meet my SLA.
Do you know that Ubuntu Pro is free for personal use on up to five computers? https://ubuntu.com/pro
user535733:
If a group of developers and/or enterprises want to resurrect community patching of Universe CVEs, then Ubuntu MOTUs are ready to upload those patched packages -- free to everybody, independent of Pro. That avenue never closed.
Score:5

"This was never a problem in the past two years" simply means that you were blind to CVEs in Universe. Well, now you can see them.

The only way to install packages from esm is to subscribe to Pro. If that's what SLA requires, then you obviously have several choices.

These are not technical choices -- they are business-model choices.

  • Amend your SLA
  • Stop using Universe software
  • Use the 6-month releases of Ubuntu instead of LTS
  • Subscribe
  • Create/join a different (non-Pro) group that patches or mitigates Universe CVEs

Note also that any audit method you were using has apparently been shown ineffective. It should have been revealing those unpatched Universe CVEs all along.
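The "Stop using Universe software" option and the remark about the audit method both come down to one question: which installed packages actually come from the universe component, since those are the ones whose CVE fixes now appear only in esm-apps. The script below is an added example, not part of this answer or of any Ubuntu or Forge tooling. It parses the output of `apt-cache policy` to report the archive component of each package's installed version; the sample policy listings embedded in it are constructed (package names and version strings are made up), and it assumes the standard `apt-cache policy` layout and that ESM sources are served from esm.ubuntu.com.

```shell
#!/bin/sh
# Added example (not from the original thread): find which installed packages
# come from the universe component, i.e. the ones whose CVE fixes now land in
# esm-apps rather than in the regular LTS security pocket.
#
# policy_component: reads `apt-cache policy <pkg>` output on stdin and prints
# the archive component of the *installed* version (the "***" entry):
# main, restricted, universe, multiverse, "esm" for esm.ubuntu.com sources,
# or "unknown" when the installed version is in no configured source
# (for example, a locally built package present only in /var/lib/dpkg/status).
policy_component() {
  awk '
    /^ \*\*\* /  { in_installed = 1; next }    # installed-version block begins
    /^     [^ ]/ { if (in_installed) exit }    # next version block: stop looking
    in_installed && $2 ~ /^https?:/ {
      # source line: "<prio> <uri> <suite>/<component> <arch> Packages"
      split($3, parts, "/"); comp = parts[2]
      if ($2 ~ /esm\.ubuntu\.com/) comp = "esm"
      print comp; found = 1; exit
    }
    END { if (!found) print "unknown" }
  '
}

# audit_installed: for live use on a server. Prints "<component> <package>"
# for every installed package, so `audit_installed | awk '$1 == "universe"'`
# lists exactly the packages whose future fixes require the esm-apps repo.
audit_installed() {
  dpkg-query -W -f='${binary:Package}\n' | while read -r pkg; do
    printf '%s %s\n' "$(apt-cache policy "$pkg" | policy_component)" "$pkg"
  done | sort
}

# Constructed sample policy output (names and versions are made up) so the
# parser can be exercised offline; the layout mirrors real apt-cache output.
sample_policy_main() {
  cat <<'EOF'
pkg-a:
  Installed: 1.2.3-0ubuntu0.22.04.1
  Candidate: 1.2.3-0ubuntu0.22.04.1
  Version table:
 *** 1.2.3-0ubuntu0.22.04.1 500
        500 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     1.2.3-0ubuntu1 500
        500 http://archive.ubuntu.com/ubuntu jammy/main amd64 Packages
EOF
}
sample_policy_universe() {
  cat <<'EOF'
pkg-b:
  Installed: 4.5-2
  Candidate: 4.5-2
  Version table:
 *** 4.5-2 500
        500 http://archive.ubuntu.com/ubuntu jammy/universe amd64 Packages
        100 /var/lib/dpkg/status
EOF
}
sample_policy_esm() {
  cat <<'EOF'
pkg-c:
  Installed: 4.5-2ubuntu0.1~esm1
  Candidate: 4.5-2ubuntu0.1~esm1
  Version table:
 *** 4.5-2ubuntu0.1~esm1 500
        500 https://esm.ubuntu.com/apps/ubuntu jammy-apps-security/main amd64 Packages
        100 /var/lib/dpkg/status
     4.5-2 500
        500 http://archive.ubuntu.com/ubuntu jammy/universe amd64 Packages
EOF
}
sample_policy_local() {
  cat <<'EOF'
pkg-d:
  Installed: 9.9-local1
  Candidate: 1.0-1
  Version table:
 *** 9.9-local1 100
        100 /var/lib/dpkg/status
     1.0-1 500
        500 http://archive.ubuntu.com/ubuntu jammy/universe amd64 Packages
EOF
}

# Demo on the constructed samples; on a real server call audit_installed.
for s in main universe esm local; do
  printf '%-8s %s\n' "$("sample_policy_$s" | policy_component)" "$s sample"
done
```

A package that reports `unknown` deserves a closer look, since a version that exists in no configured source receives no updates from anywhere. On 22.04 the `pro security-status` command shipped with ubuntu-advantage-tools gives a similar per-component breakdown without scripting.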

jalipert:
Appreciate your response. That clarifies a lot of things for me. The biggest remaining issue I see is there is no good way to apply a VM Ubuntu Pro license (the ones that are ~$6/year on AWS for a small-scale server) to an existing provisioned server in AWS. You can only provision a new server with the Pro license, or buy a $500/year license to apply to an existing VM. That's a big cost difference. (This is for business, not personal use.) And when using a service like Laravel Forge to provision a new server, there is currently no option to select one with a Pro license.