Ubuntu’s current LTS version (24.04) contains ffmpeg version 7:6.1.1-3ubuntu5 which has this buffer overflow vulnerability:

https://trac.ffmpeg.org/ticket/10952

https://ubuntu.com/security/CVE-2024-32230

On my only Ubuntu computer, my update widget says that I need to upgrade to ffmpeg version 7:6.1.1-3ubuntu5+esm2 but can only only do so with Ubuntu Pro. I’m not eligible for Ubuntu Pro.

Ubuntu claims that 24.04 is currently fully supported, and should have complete security updates. However, they seem to have paywalled this security update.

What should I do?

  • Geodad@lemm.eeEnglish
    65·
    1 day ago

    Ubuntu shipped ads from Amazon back in the late 00s. I stopped using them then and haven’t touched them since.

  • commander@lemmings.worldEnglish
    282·
    2 days ago

    It sure seems that way. Their “extended security maintenance” spam says that there are security updates that are only available if you “subscribe”.

    I asked the Linux community about this, and didn’t get a straight answer (not surprised.)

    It was enough for me to switch to Debian, though. There’s no excuse for updates to be locked behind paywalls or sign-ups in the free software ecosystem.

    • pmk@lemmy.sdf.org
      61·
      2 days ago

      The way I understand it is that the security team supports releases for 5 years. If you are running an older version of ubuntu than that and want security backports, you need to get the extended support. The difference in Debian is that when a release is too old, the security team simply doesn’t backport security fixes. You can pay someone to do it, but it’s not a part of what Debian as a project does.

      • ozymandias117@lemmy.worldEnglish
        12·
        2 days ago

        The Ubuntu security team only supports the ~2,000 packages in “main”

        Things like ffmpeg are in “universe” and only get security updates if you subscribe to Ubuntu Pro

        ubuntu.com/security/esm

        Debian’s security team has always been significantly more responsive than Ubuntu. It’s regularly had CVE fixes in older versions of Debian that newer versions of Ubuntu don’t bother to pull into universe

  • Leaflet@lemmy.worldEnglish
    48·
    3 days ago

    Yes. Ubuntu has two main repos, main and universe.

    main is relatively small and includes everything that comes with Ubuntu by default. Canonical secures this repo with security fixes for everyone.

    universe is not officially supported by Canonical. It’s updates are done by community members. However, Ubuntu started a service called Ubuntu Pro / ESM that provides updates for packages in universe. It’s opt in because Canonical wants companies using Ubuntu to pay for Pro in order to help fund Ubuntu. However, Pro is also free for personal use on up to 5 machines, so there’s no reason not to enable it. f it was enabled by default then no one would pay for it.

    • warrenson@lemmy.nz
      1·
      1 day ago

      Thanks for the info, I’d seen the pro option but just assumed I didn’t want it, like pretty much everything thing else labelled “pro”.

    • gravitas_deficiency@sh.itjust.worksEnglish
      153·
      2 days ago

      My issue is that I don’t want to have to register for shit like that. If it’s security related, and it’s a free Linux distro (e.g. not RHEL, etc), it is absolutely not appropriate to diminish anonymity in exchange for those updates, or to paywall them.

      • Rogue@feddit.uk
        5·
        2 days ago

        It’s hardly diminishing your anonymity. There are plenty of services to create an anonymous email account.

    • commander@lemmings.worldEnglish
      99·
      2 days ago

      However, Ubuntu started a service called Ubuntu Pro / ESM that provides updates for packages in universe.

      Since it’s all free software, what gives Ubuntu the privilege to restrict these updates behind paywalls and signups?

      Pro is also free for personal use on up to 5 machines, so there’s no reason not to enable it.

      Fuck that bullshit. We shouldn’t be encouraging or enabling this behavior at all.

      • Abnorc@lemm.ee
        2·
        1 day ago

        Those who are against it probably would just move away from Ubuntu. For those who aren’t, I don’t see why they shouldn’t register for Ubuntu Pro. It’s not in the spirit of the free software ecosystem, but not everyone needs to have the same level of commitment to free software.

        IMO, hearing about Ubuntu Pro reinforces my decision to stick to Ubuntu derivatives like Mint, and it’s making me consider trying options like LMDE or straight up Debian.

      • Noa Himesaka@lemmy.funami.tech
        18·
        2 days ago

        GPL does not restrict you from selling the software, though you can’t stop getting distributed by someone who bought it. Even RMS himself sold Emacs back in the day.

        EDIT: I’m not saying it’s justified in moral sense, I think it sucks ass. But it’s not against the licence.

        • commander@lemmings.worldEnglish
          24·
          2 days ago

          GPL does not restrict you from selling the software

          Oh god, we know.

          Practically speaking though, if anyone can redistribute it for free then it’s available for free.

          • Steve Dice@sh.itjust.worksEnglish
            2·
            18 hours ago

            You don’t seem to understand the difference between free as in freedom and free as in beer that is literally the cornerstone of the free software community.

      • Leaflet@lemmy.worldEnglish
        101·
        2 days ago

        Canonical is making the security patches.

        Also, you don’t have to release your source code changes to the public. You only have to release your changes to those who have access to the product.

        That being said, Canonical probably does release the source code changes for their security fixes, I just don’t know where.

  • lka1988@lemmy.dbzer0.comEnglish
    308·
    3 days ago

    And people ask me “why” when I chose LMDE over Ubuntu-based Linux Mint.

    This shit is why. Canonical is huffing their own farts at this point. Don’t dangle shit in front of me if it comes at a price. And yes, I know Linux Mint isn’t under Canonical, but at this point I would rather not support anything Ubuntu-related.

  • bad_news@lemmy.billiam.net
    243·
    3 days ago

    Just wait or switch distros. All the security updates they hold hostage for money come eventually. If you’re not a bank or wanted by a major world power, I doubt anyone is going pwn you with a security fix Ubuntu is slow walking to force people into pro. Since they started that shit I don’t put Ubuntu on new hardware, but I’m not going to purge servers I have it on because I’m worried someone’s going to deploy a sub-month old vulnerability against me as a rando doing nothing important.

  • catloaf@lemm.eeEnglish
    10·
    3 days ago

    You only get security updates for packages in main. If you want them for packages in universe, like ffmpeg, you have to use esm or upgrade to 24.10.

    • lengau@midwest.social
      4·
      22 hours ago

      That’s not quite accurate. The community can still upload fixed packages to universe, just as the community runs universe in the first place.

  • Xanza@lemm.eeEnglish
    21·
    3 days ago

    It’s the difference in OS version;

    • 24.04 has ffmpeg_6.1.1-3ubuntu5
    • 24.10 has ffmpeg_7.0.2-3ubuntu1

    So if you want ffmpeg from main, upgrade to 24.10, otherwise you can only get ffmpeg in 24.04 by waiting until its added to main, using Ubuntu Pro, or compiling from source.

    • dpflug@kbin.earth
      11·
      2 days ago

      You’re technically correct, but missing the point of the post. Canonical is withholding a security patch to extort a subscription.