Ubuntu LTS: many vulnerabilities despite long-term support

Discussion in 'all things UNIX' started by summerheat, Apr 23, 2016.

  1. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    729
    It's not a new insight but still worth mentioning given that Ubuntu 16.04 LTS was released a couple of days ago: Although Canonical claims that LTS versions "are supported for five years on both the desktop and the server. During that time, there will be security fixes and other critical updates.", this is not the whole truth.

    An article on heise.de reminds again of the fact that this LTS support only applies to the main repository (with about 7.300 packages in 16.04), not to universe (with about 45.500 packages). This is critical as many packages therein are no longer maintained and can therefore be affected by security holes.

    An example mentioned in that article is the widely used VLC. That package was officially supported for just 9 months in Ubuntu 12.04 and 14.04 but got security fixes for a longer time. However, this is no longer the case: That package is no longer maintained by the community and as a consequence affected by several vulnerabilities. Another example is the libmms package which is needed if you enable software support from 3rd-parties (e.g. for mp3 support). A serious vulnerability hasn't been fixed since Ubuntu 12.04!

    The thing is that those vulnerabilities are all fixed in Debian as all provided packages are maintained and security fixes are backported.

    You can find out the support status in Ubuntu by executing

    Code:
    ubuntu-support-status --show-unsupported
    or more detailed:

    Code:
    ubuntu-support-status --show-all | less
    You will notice that many packages are only supported for 3 years or even only 9 months. For specific packages you can see this from the "Supported:" line in

    Code:
    apt-cache show package
    The article mentions that even for well-known packages like MariaDB, Nodejs, Nullmailer, Privoxy, Wireshark and Docker the support status is either completely undefined or only 9 months.

    Conclusion: If you really want an LTS version and stick with Ubuntu, you should try to only use packages from the main repository. If you need packages from universe you should regularly check the Ubuntu CVE tracker for universe. Or choose a distro like Debian or CentOS which does it properly.

    P.S.: Debian (and probably also CentOS) isn't perfect, either. If you install the debian-security-support package and execute check-support-status you will also get a list of packages which don't get security updates. These are packages with "No security support upstream and backports not feasible, only for use on trusted content". This makes sense: If a package is no longer supported by upstream, no security fixes will be available which could be backported. But the situation on Ubuntu is much worse.
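    The "Supported:" field check described in the post above, automated as an added example (this is not the poster's script nor part of ubuntu-support-status). It assumes the field uses Ubuntu's <N>y / <N>m notation (5y, 3y, 9m) as printed by apt-cache show, and ships with a constructed sample so it runs offline; pipe real output in with `apt-cache show $(dpkg-query -W -f='${Package} ') | python3 support_check.py`.

    ```python
    """Flag packages whose Ubuntu 'Supported:' period falls short of the five-year LTS term."""
    import re
    import sys

    LTS_MONTHS = 60  # Canonical's stated five years of support for main


    def supported_months(value):
        """Convert '5y' / '9m' into months; None when the field is absent or unparsable."""
        m = re.fullmatch(r"(\d+)([ym])", value.strip())
        if not m:
            return None
        n, unit = int(m.group(1)), m.group(2)
        return n * 12 if unit == "y" else n


    def parse_stanzas(text):
        """Split apt-cache show output (RFC 822 style, blank-line separated) into dicts."""
        stanzas = []
        for block in re.split(r"\n\s*\n", text.strip()):
            fields = {}
            for line in block.splitlines():
                if line[:1].isspace():  # continuation line of a multi-line field
                    continue
                key, _, val = line.partition(":")
                fields[key] = val.strip()
            if "Package" in fields:
                stanzas.append(fields)
        return stanzas


    def short_support(text, lts_months=LTS_MONTHS):
        """Return [(package, months or None)] for stanzas not covered for the full LTS term."""
        result = []
        for st in parse_stanzas(text):
            months = supported_months(st.get("Supported", ""))
            if months is None or months < lts_months:
                result.append((st["Package"], months))
        return result


    # Constructed sample, not real apt-cache output; only the field layout mirrors apt-cache show.
    SAMPLE = """\
    Package: bash
    Supported: 5y
    Description: GNU Bourne Again SHell

    Package: vlc
    Supported: 9m
    Description: multimedia player and streamer

    Package: libmms0
    Description: MMS stream protocol library - shared library
     continuation line of the description
    """

    if __name__ == "__main__":
        data = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
        for pkg, months in short_support(data):
            label = "no Supported field" if months is None else f"{months} months"
            print(f"{pkg}: {label}")
    ```
    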
     
  2. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    8,030
    Location:
    Lloegyr
    I'm pretty sure VLC is in the Ubuntu repo. A great number of Ubuntu users prefer SMPlayer anyway. I get Chromium updates regularly as well (Trusty Tahr). I do have to manually update the Pepper Flash though.
     
  3. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    729
    There is no "Ubuntu repo". There is the main repo, but VLC is in universe. And again, the CVE status is here.
     
  4. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    8,030
    Location:
    Lloegyr
    Well, VLC was in the Ubuntu Software Centre the last time I looked.
     
  5. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    729
    Because the Ubuntu Software Centre is not restricted to main.
     
  6. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,985
    Location:
    Canada
    Nothing to worry about as long as nothing malicious is allowed in.
     
  7. Ocky

    Ocky Registered Member

    Joined:
    May 6, 2006
    Posts:
    2,677
    Location:
    George, S.Africa
    Hells Bells, and after telling many people about the advantages of signed repositories et al. I wonder what Igor's take on this is - was he aware of the limited support?
    I have CentOS which now seems a better proposition than the other two I am running (Kubuntu and Xubuntu), e.g. nux has just updated VLC.

    summerheat, you have spoilt my weekend. I'm off to watch a Western for some anxiety relief. :)
     
  8. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    8,030
    Location:
    Lloegyr
    That explains it then. I wonder how popular VLC is with Ubuntu users in general though, I saw a poll recently where SMPlayer was voted ahead of it. In fact, I prefer SMP myself on Ubuntu. Even on Windows I prefer MPC-HC
     
  9. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    729
    Does that mean that you've stopped using Firejail as you don't let anything malicious in? :D
     
  10. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    729
    Sorry for that! :argh:

    Seriously: The risk is probably manageable as Linux desktop systems are not really under attack. Nevertheless, every Ubuntu user should be aware of this situation.
     
  11. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,985
    Location:
    Canada
    Of course not, because it's a component of my browser-concentric security approach.
     
  12. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    1,989
    Location:
    Brasil
    This is why Debian is the MOTHER_F-ING_FATHER. LIKE A BAUSSS! Dayumn! :argh:

    Compared to Debian, Ubuntu's security is like Mint's security compared to Ubuntu: "not so good, eh ese"?

    If one wants security, stay with Debian, period. Either one is fine, though I recommend staying away from Testing as much as possible, because fixes can take a while to come from Sid.

    Debian Stable has less security bugs.
    Debian Unstable has more bugs, but it has GRSecurity in the repos.

    So either one is fine.
     
  13. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    729
    Okay, that was a joke. But I'm sure you know what I was trying to say. There has been malware distributed in multimedia files in the past. So using a multimedia player with vulnerabilities is potentially risky.
     
  14. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,985
    Location:
    Canada
    no worries, I think I caught the humor :D ...but why would anyone obtain malware-infested multimedia files, unless they aren't exercising some basic common sense?
     
  15. inka

    inka Registered Member

    Joined:
    Oct 21, 2009
    Posts:
    406
    summerheat, thanks for raising awareness regarding the breadth of LTS support coverage.
     
  16. Joxx

    Joxx Registered Member

    Joined:
    Sep 5, 2012
    Posts:
    1,127
    yeap, I add my thanks
     
  17. TS4H

    TS4H Registered Member

    Joined:
    Nov 5, 2013
    Posts:
    512
    Location:
    Australia
    I'm not sure it's a question of popularity, rather there are much better alternatives for Linux than say on Windows imo. The native applications in Linux distros are generally pretty good, media players included. I used VLC in Windows but I prefer others in Linux such as Totem or Audacious. There are also codec licensing issues that VLC has continually had, not to mention that free software and open-source software are not the same thing and distros will pick and choose software that fits their persona regardless of popularity. So depending on the various distros and their ideals, they either bundle VLC or not.
     
  18. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    8,030
    Location:
    Lloegyr
    I think Audacious is very good, and popular. One thing about VLC that always impressed me was that it seemed to be able to play files that were broken in other players. So I'm surprised that there have been codec issues. VLC isn't actually bundled with Ubuntu though. I'm not that impressed with Ubuntu's native video player.
     
  19. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    729
    Well, it seems to happen. For example, if you get an infected file from a friend by mail. But VLC was just a (prominent) example. Obviously many other packages are also (potentially) affected.

    As said in another post, the risk is probably manageable for the time being. My point was that Canonical basically promises a set-and-forget approach for the next 5 years - but that promise is only valid for a limited number of packages, and most users are not really aware of that. In other words, a divergence between ambitions and reality. If I choose an LTS distro I expect that known vulnerabilities will be fixed until the end of life of that release. It's that simple.
     
  20. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    8,030
    Location:
    Lloegyr
    Well, if VLC isn't actually in the Ubuntu repo and it isn't actually bundled with Ubuntu (which it isn't) Canonical aren't really telling porkies are they? ;)
     
  21. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    729
    What do you mean with "not bundled"? Yes, VLC is not in the main repo but the universe repo is an integral part of the distro, and nobody tells you that you should restrict yourself to packages from main. Besides, VLC is only an example. Many other packages (often needed as dependencies) are also in universe, among them, e.g., all KDE packages. Hence, using Ubuntu without any packages from universe is hardly possible. But it's problematic if users are not aware that they install packages which may no longer be supported after 3 years or even 9 months. This contradicts the purport of a distro with long-term support, IMHO.
     
  22. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    8,030
    Location:
    Lloegyr
    VLC isn't actually bundled with Ubuntu. It was at one time I believe, but it isn't now. There is a native (and rather basic) media player. It certainly isn't VLC though.
     
  23. Joxx

    Joxx Registered Member

    Joined:
    Sep 5, 2012
    Posts:
    1,127
    Exactly.
    Check this thread at Mint's forums comparing Ubuntu's repositories with Debian's and see how the main's percentage of total packages is so different (about 20% to Ubuntu, close to 100% to Debian).
     
  24. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,985
    Location:
    Canada
    Common sense dictates to check the file extension and size. Two tremendous clues there alone. There is also the matter of trusting your source(s).

    Yes, I admittedly also expect and hope vulnerabilities to be fixed in a timely manner, but if they aren't, I don't worry about it whatsoever because I keep malicious content off my machines. IOW, I'm confident I could run an application - other than the web browser and anything that bolsters its security - full of vulnerabilities like Swiss cheese and remain infection-free. I guess ultimately the message I'm trying to get across to those who are concerned about the VLC issue is not to worry about it as long as your multimedia files are clean.
     
  25. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    729
    Sure, but remember that we're here on Wilderssecurity. You're a user who is focused on security. But the majority of users isn't.
     