Score:0

When performing security updates that apply to all Ubuntu versions, do the latest releases get priority over older, still supported ones?


At the time of writing (2023-08-12), the Downfall attack on Intel CPUs (CVE-2022-40982) is ongoing and in the process of being patched.

Based on the Linux package page, it looks like only "The Lunar Lobster" (6.2.0) has been updated (on 2023-08-10) to include the patch. Older but still supported versions, such as "The Jammy Jellyfish" (5.15.0) and "The Focal Fossa" (5.4.0), do not yet appear to have received an update for this issue, since their latest release was prior to the date of the CVE.

Is my understanding correct that newer releases get higher priority when it comes to security fixes that must eventually be applied to all (supported) versions?

user535733:
The best way to determine if a CVE has been addressed for your release of Ubuntu is to use the [Ubuntu Security Team CVE Tracker](https://ubuntu.com/security/cves).
ReactHelp:
I was unaware of that site. Thank you for the resource.
Score:4

No supported release has a higher priority over another supported release.

CVE mitigations for different releases may appear at different times for many possible reasons.

A common generic reason is simply that mitigating a CVE in Release A may be easy while Release B is more difficult. Or sometimes the mitigation for one release might fail testing. In cases like these, the successful mitigation for Release A will be uploaded while work continues upon Release B.

Another reason is that its evaluated priority is simply too low to work on yet with the resources available: Nobody has complained. The priority is "Medium". Nobody has triaged it. There are other, higher-priority CVEs to work on sooner.

You specifically mentioned CVE-2022-40982, so let's look at this excerpt from https://ubuntu.com/security/CVE-2022-40982, captured on 14-08-2023: You can see that all supported releases except one have a released mitigation. Check your package version in apt to see if you have the patched version installed. Most users receive the patched version automatically via Unattended Upgrades.

[image: excerpt of the Ubuntu CVE tracker page for CVE-2022-40982, showing the mitigation status for each supported release]

Folks who disagree with the Ubuntu Security Team's evaluation of "Medium", or who have discovered this vulnerability being exploited in the wild, should please discuss their concerns directly with the Ubuntu Security Team. They are very nice, and will listen. Don't discuss them here - AskUbuntu is not the Security Team.

ReactHelp:
I apologize, it is CVE-2022-40982. I have updated the original post. Thank you for the answer, that makes sense. I am now aware of the CVE Tracker page as well. I appreciate the rapid and thorough response!