Ubuntu 24.04 security patch for Ubuntu Pro only

Keith keithw at caramail.com
Wed Mar 11 02:05:12 UTC 2026


On 3/9/2026 7:14 PM, nate wrote:
> Hello
> 
> Was hoping someone would have an idea what is going on here.. ran a 
> vulnerability scan recently and it flagged my systems as being 
> vulnerable to
> 
> https://ubuntu.com/security/notices/USN-7613-1
> 
> Which was patched last year, but on closer inspection it appears for 
> some reason those patches are flagged for Ubuntu Pro "only". Ubuntu 
> 24.04 LTS
> doesn't go EOL till 2029, and the security policy indicates all packages 
> get community support till that time
> https://documentation.ubuntu.com/security/security-updates/
> 
> The package is in the universe repo, so it's even more strange Ubuntu 
> would go out of their way to patch something in that repo and then
> flag it for subscribers only. I have seen many times where packages in 
> universe don't get updated even for security (the varnish package is
> one example that stands out, several security issues, no updates from 
> Ubuntu in over 3 years, which I understand given it's in universe).
> I've always assumed that universe was a "best effort" thing, and most of 
> the focus is on "main" (I first started using Debian in 1998).
> 
> My systems have the latest version of the package that was released in 2024
> https://launchpad.net/ubuntu/+source/mongo-c-driver
> https://changelogs.ubuntu.com/changelogs/pool/universe/m/mongo-c-driver/mongo-c-driver_1.26.0-1.1ubuntu2/changelog
> 
> This specific update is of no real concern to me, I am more curious if 
> anyone knows why this (or any update) would be flagged for
> "Pro" only when an LTS version is in its general release support cycle. 
> Normally I don't pay attention to the details of such
> security advisories I just apply the updates. So quite possible this has 
> been going on for a while in some cases and I never
> noticed it. I just don't understand why Ubuntu would care so much about 
> this package to do this process, especially given it
> is in "universe" not in "main".
> 
> I looked at upstream Debian and there is no such patch for this version 
> of the libmongoc-1.0-0t64 package, they jumped
> from 1.26 to 1.27 in 2024, and 1.30 in 2025 (vs 1.26 for Ubuntu 24.04 LTS)
> https://metadata.ftp-master.debian.org/changelogs//main/m/mongo-c-driver/mongo-c-driver_1.30.4-1+deb13u1_changelog
> 
> https://ubuntu.com/about/release-cycle
> 
> There is talk about ESM (Expanded Security Maintenance), these patches 
> are flagged as "ESM" patches, however the only info I
> see about ESM is "Extend the lifetime of your favorite Linux and the 
> open source you use on top with reliable security
> maintenance for up to 15 years."
> 
> https://ubuntu.com/security/esm
> (emphasis on "extending the lifetime", not giving you patches others 
> can't already get before that extended period kicks
> in)
> 
> No clear indication (that I see) that Ubuntu says they will (sometimes?) 
> do what they did with this security advisory.
> 
> thanks
> 
> nate
> 

You've answered your question. Mongo-c-driver is in universe and 
therefore community supported. It's up to the community to backport 
whatever security patches are available from upstream into the current 
version in noble. Nobody really seems to care, though, because nobody 
has even bothered to file a bug report about it:

https://bugs.launchpad.net/ubuntu/+source/mongo-c-driver
0 New bugs
1 Open bug
0 In-progress bugs
0 Critical bugs
0 High importance bugs
Bugs fixed elsewhere
0 Bugs with patches
0 Open CVE bugs

Last I checked, Ubuntu provided diffs even for ESM packages. So it's not 
exactly difficult to get the source diffs through a subscription to 
Ubuntu Pro and create a patch set from it to apply to the package in 
universe. Someone from the community just needs to be willing to do the 
work.

Or users can just subscribe to Ubuntu Pro if they don't want to wait 
around for someone to patch a medium security vulnerability in software 
that not a lot of people seem to use.
-- 
Keith




