Ubuntu LTS: many vulnerabilities despite long-term support

It's not a new insight but still worth mentioning given that Ubuntu 16.04 LTS was released a couple of days ago: Although Canonical claims that LTS versions "are supported for five years on both the desktop and the server. During that time, there will be security fixes and other critical updates.", this is not the whole truth.

An article on heise.de reminds again of the fact that this LTS support only applies to the main repository (with about 7.300 packages in 16.04), not to universe (with about 45.500 packages) . This is critical as many packages therein are no longer maintained and can therefore be affected by security holes.

An example mentioned in that article is the widely used VLC. That package was officially supported for just 9 months in Ubuntu 12.04 and 14.04 but got security fixes for a longer time. However, this is no longer the case: That package is no longer maintained by the community and as a consequence affected by several vulnerabilities. Another example is the libmms package which is needed if you enable software support from 3rd-parties (e.g. for mp3 support). A serious vulnerability hasn't been fixed since Ubuntu 12.04!

The thing is that those vulnerabilities are all fixed in Debian as all provided packages are maintained and security fixes are backported.

You can find out the support status in Ubuntu by executing

Code:

ubuntu-support-status --show-unsupported

or more detailed:

Code:

ubuntu-support-status --show-all | less 

You will notice that many packages are only supported for 3 years or even only 9 months. For specific packages you can see this from the "Supported:" line in

Code:

apt-cache show package

The article mentions that even for well-known packages like MariaDB, Nodejs, Nullmailer, Privoxy, Wireshark and Docker the support status is either completely undefined or only 9 months.

Conclusion: If you really want an LTS version and stick with Ubuntu, you should try to only use packages from the main repository. If you need packages from universe you should regularly check the Ubuntu CVE tracker for universe. Or chose a distro like Debian or CentOS which does it properly.

P.S.: Debian (and probably also CentOS) isn't perfect, either. If you install the debian-security-support package and execute check-support-status you will also get a list of packages which don't get security updates. These are packages with "No security support upstream and backports not feasible, only for use on trusted content". This makes sense: If a package is no longer supported by upstream, no security fixes will be available which could be backported. But the situation on Ubuntu is much worse.

 

I'm pretty sure VLC is in the Ubuntu repo. A great number of Ubuntu users prefer SMPlayer anyway. I get Chromium updates regularly as well (Trusty Tahr). I do have to manually update the Pepper Flash though.

 

There is no "Ubuntu repo". There is the main repo, but VLC is in universe. And again, the CVE status is here.

 

Well, VLC was in the Ubuntu Software Centre the last time I looked.

 

Because the Ubuntu Software Centre is not restricted to main.

 

Nothing to worry about as long as nothing malicious is allowed in.

 

Hells Bells, and after telling many people about the advantages of signed repositories et al. I wonder what Igor's take on this is - was he aware of the limited support ?
I have CentOS which now seems a better proposition than the other two I am running (Kubuntu and Xubuntu) .. eg. nux has just updated VLC.

summerheat, you have spoilt my weekend. I'm off to watch a Western for some anxiety relief.

 

That explains it then. I wonder how popular VLC is with Ubuntu users in general though, I saw a poll recently where SMPlayer was voted ahead of it. In fact, I prefer SMP myself on Ubuntu. Even on Windows I prefer MPC-HC

 

Does that mean that you've stopped using Firejail as you don't let anything malicious in?

 

Sorry for that!

Seriously: The risk is probably manageable as Linux desktop systems are not really under attack. Nevertheless, every Ubuntu user should be aware of this situation.

 

Of course not, because it's a component of my browser-concentric security approach.

 

This is why Debian is the MOTHER_F-ING_FATHER. LIKE A BAUSSS! Dayumn!

Compared to Debian, Ubuntu's security is like Mint's security compared to Ubuntu: "not so good, eh ese"?

If one wants security, stay with Debian, period. Either one is fine, though I recommend staying away from Testing as much as possible, because fixes can take a while to come from Sid.

Debian Stable has less security bugs.
Debian Unstable has more bugs, but it has GRSecurity in the repos.

So either one is fine.

 

Okay, that was a joke. But I'm sure you know what I was trying to say. There has been malware distributed in multimedia files in the past. So using a multimedia player with vulnerabilities is potentially risky.

 

no worries, I think I caught the humor ...but why would anyone obtain malware-infested multimedia files, unless they aren't exercising some basic common sense?

 

summerheat, thanks for raising awareness regarding the breadth of LTS support coverage.

 

yeap, I add my thanks

 

Im not sure its a question of popularity, rather there are much better alternatives for linux than say on windows imo. The native applications in Linux distros are generally pretty good, media players included. I used vlc in windows but I prefer others in linux such as totem or audacious. There are also codec licensing issues that vlc have continually had issues with, not to mention that freesoftware or opensource software are not the same thing and distros will pick and choose software that are for their persona regardless of popularity. So depending on various Distros and their ideals, either bundle vlc or not.

 

I think Audacious is very good, and popular. One thing about VLC that always impressed me was that it seemed to be able to play files that were broken in other players. So I'm surprised that there have been codec issues. VLC isn't actually bundled with Ubuntu though. I'm not that impressed with Ubuntu's native video player.

 

Well, it seems to happen. For example, if you get an infected file from a friend by mail. But VLC was just a (prominent) example. Obiously many other packages are also (potentially) affected.

As said in another post, the risk is probably manageable for the time being. My point was that Canonical basically promises a set and forget for the next 5 years approach - but that promise is only valid for a limited number of packages, and most users are not really aware of that. In other words, a divergence between ambitions and reality. If I chose an LTS distro I expect that known vulnerabilities will be fixed until the end of life of that release. It's that simple.

 

Well, if VLC isn't actually in the Ubuntu repo and it isn't actually bundled with Ubuntu (which it isn't) Canonical aren't really telling porkies are they?

 

What do you mean with "not bundled"? Yes, VLC is not in the main repo but the universe repo is an integral part of the distro, and nobody tells you that you should restrict yourself to packages from main. Besides, VLC is only an example. Many other packages (often needed as dependencies) are also in universe, among them, e.g., all KDE packages. Hence, using Ubuntu without any packages from universe is hardly possible. But it's problematic if users are not aware that they install packages which may no longer be supported after 3 years or even 9 months. This contradicts the purport of a distro with long-term support, IMHO.

 

VLC isn't actually bundled with Ubuntu. It was at one time I believe, but it isn't now. There is a native (and rather basic) media player. It certainly isn't VLC though.

 

Exactly.
Check this thread at Mint's forums comparing Ubuntu's repositories with Debian's and see how the main's percentage of total packages is so different (about 20% to Ubuntu, close to 100% to Debian).

 

Common sense dictates to check the file extension and size. Two tremendous clues there alone. There is also the matter of trusting your source(es).

yes, I admittedly also expect and hope vulnerabilities to be fixed in a timely manner, but if they aren't, I don't worry about it whatsoever because I keep malicious content off my machines. IOW, I'm confident I could run an application - other than the web browser and anything that bolsters its security- full of vulnerabilities like Swiss cheese and remain infection-free. I guess ultimately the message I'm trying to get across to those who are concerned about the VLC issue is not to worry about it as long as your multimedia files are clean.

 

Sure, but remember that we're here on Wilderssecurity. You're a user who is focused on security. But the majority of users isn't.