Ubuntu 24.04 security patch for Ubuntu Pro only
nate
ubuntu at linuxpowered.net
Tue Mar 10 00:14:56 UTC 2026
Hello
Was hoping someone would have an idea what is going on here. I ran a
vulnerability scan recently and it flagged my systems as being
vulnerable to
https://ubuntu.com/security/notices/USN-7613-1
Which was patched last year, but on closer inspection it appears for
some reason those patches are flagged for Ubuntu Pro "only". Ubuntu
24.04 LTS
doesn't go EOL till 2029, and the security policy indicates all packages
get community support till that time
https://documentation.ubuntu.com/security/security-updates/
The package is in the universe repo, so it's even more strange Ubuntu
would go out of their way to patch something in that repo and then
flag it for subscribers only. I have seen many times where packages in
universe don't get updated even for security (the varnish package is
one example that stands out, several security issues, no updates from
Ubuntu in over 3 years, which I understand given it's in universe).
I've always assumed that universe was a "best effort" thing, and most of
the focus is on "main" (I first started using Debian in 1998).
My systems have the latest version of the package that was released in
2024
https://launchpad.net/ubuntu/+source/mongo-c-driver
https://changelogs.ubuntu.com/changelogs/pool/universe/m/mongo-c-driver/mongo-c-driver_1.26.0-1.1ubuntu2/changelog
This specific update is of no real concern to me, I am more curious if
anyone knows why this (or any update) would be flagged for
"Pro" only when an LTS version is in its general release support cycle.
Normally I don't pay attention to the details of such
security advisories I just apply the updates. So quite possible this has
been going on for a while in some cases and I never
noticed it. I just don't understand why Ubuntu would care so much about
this package to do this process, especially given it
is in "universe" not in "main".
I looked at upstream Debian and there is no such patch for this version
of the libmongoc-1.0-0t64 package, they jumped
from 1.26 to 1.27 in 2024, and 1.30 in 2025 (vs 1.26 for Ubuntu 24.04
LTS)
https://metadata.ftp-master.debian.org/changelogs//main/m/mongo-c-driver/mongo-c-driver_1.30.4-1+deb13u1_changelog
https://ubuntu.com/about/release-cycle
There is talk about ESM (Expanded Security Maintenance), these patches
are flagged as "ESM" patches, however the only info I
see about ESM is "Extend the lifetime of your favorite Linux and the
open source you use on top with reliable security
maintenance for up to 15 years."
https://ubuntu.com/security/esm
(emphasis on "extending the lifetime", not giving you patches others
can't already get before that extended period kicks
in)
No clear indication (that I see) that Ubuntu says they will (sometimes?)
do what they did with this security advisory.
thanks
nate
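One concrete way to answer the underlying question for any package on a given host, that is, whether the candidate version apt would install comes from the community pockets (noble-security / noble-updates) or only from an esm-apps pocket that needs a Pro attachment, is to look at where `apt-cache policy` says the candidate version is served from. The script below is an added example, not part of the original post: it parses `apt-cache policy` output and classifies the pocket of the candidate version. The two sample outputs embedded in it are constructed for illustration; the `~esm1` version string and the `esm.ubuntu.com/apps` source line follow Ubuntu's usual naming but are not taken from USN-7613-1.

```shell
#!/bin/sh
# Added example: classify where apt's candidate version for a package comes from.
# Usage on a real host:  apt-cache policy libmongoc-1.0-0t64 | report_package

# Read `apt-cache policy <pkg>` output on stdin and print the pocket
# (e.g. "noble-security", "noble-apps-security") that serves the Candidate version.
candidate_pocket() {
    awk '
        /^  Candidate:/ { cand = $2 }
        # Version-table entries: " *** <ver> <prio>" (installed) or "     <ver> <prio>"
        /^ \*\*\* / || /^     [0-9]/ {
            ver = ($1 == "***") ? $2 : $1
            inver = (ver == cand)
            next
        }
        # First repository source line under the candidate entry: "<prio> <url> <suite>/<component> ..."
        inver && $2 ~ /^(https?|ftp):/ {
            split($3, s, "/")
            print s[1]
            found = 1
            exit
        }
        END { if (!found) print "unknown" }
    '
}

# Map a pocket name to who can actually install from it.
classify_pocket() {
    case "$1" in
        *-apps-security|*-apps-updates|*-infra-security|*-infra-updates) echo "pro-esm" ;;
        *-security|*-updates) echo "community" ;;
        unknown) echo "unknown" ;;
        *) echo "release" ;;
    esac
}

# Convenience wrapper: "<pocket> <classification>" for the policy text on stdin.
report_package() {
    pocket=$(candidate_pocket)
    echo "$pocket $(classify_pocket "$pocket")"
}

# Constructed sample: the fix is only published in the esm-apps pocket.
SAMPLE_ESM=$(cat <<'EOF'
libmongoc-1.0-0t64:
  Installed: 1.26.0-1.1ubuntu2
  Candidate: 1.26.0-1.1ubuntu2.1~esm1
  Version table:
     1.26.0-1.1ubuntu2.1~esm1 500
        500 https://esm.ubuntu.com/apps/ubuntu noble-apps-security/main amd64 Packages
 *** 1.26.0-1.1ubuntu2 500
        500 http://archive.ubuntu.com/ubuntu noble/universe amd64 Packages
        100 /var/lib/dpkg/status
EOF
)

# Constructed sample: the fix is in the ordinary community security pocket.
SAMPLE_COMMUNITY=$(cat <<'EOF'
libmongoc-1.0-0t64:
  Installed: 1.26.0-1.1ubuntu2
  Candidate: 1.26.0-1.1ubuntu2.1
  Version table:
     1.26.0-1.1ubuntu2.1 500
        500 http://security.ubuntu.com/ubuntu noble-security/universe amd64 Packages
 *** 1.26.0-1.1ubuntu2 500
        500 http://archive.ubuntu.com/ubuntu noble/universe amd64 Packages
        100 /var/lib/dpkg/status
EOF
)

# Stand-alone demo over the constructed samples.
printf '%s\n' "$SAMPLE_ESM" | report_package
printf '%s\n' "$SAMPLE_COMMUNITY" | report_package
```

A "pro-esm" result means the only available fix sits behind esm-apps, which is exactly the "Pro only" situation the advisory page reports; a "community" result means a plain `apt upgrade` gets it. On Ubuntu the `pro security-status` command from ubuntu-advantage-tools gives a host-wide version of the same breakdown.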