Ubuntu’s current LTS version (24.04) contains ffmpeg version 7:6.1.1-3ubuntu5 which has this buffer overflow vulnerability:
https://trac.ffmpeg.org/ticket/10952
https://ubuntu.com/security/CVE-2024-32230
On my only Ubuntu computer, my update widget says that I need to upgrade to ffmpeg version 7:6.1.1-3ubuntu5+esm2 but can only only do so with Ubuntu Pro. I’m not eligible for Ubuntu Pro.
Ubuntu claims that 24.04 is currently fully supported, and should have complete security updates. However, they seem to have paywalled this security update.
What should I do?
You must log in or register to comment.
Yes. Ubuntu has two main repos, main and universe.
main is relatively small and includes everything that comes with Ubuntu by default. Canonical secures this repo with security fixes for everyone.
universe is not officially supported by Canonical. It’s updates are done by community members. However, Ubuntu started a service called Ubuntu Pro / ESM that provides updates for packages in universe. It’s opt in because Canonical wants companies using Ubuntu to pay for Pro in order to help fund Ubuntu. However, Pro is also free for personal use on up to 5 machines, so there’s no reason not to enable it. f it was enabled by default then no one would pay for it.
My issue is that I don’t want to have to register for shit like that. If it’s security related, and it’s a free Linux distro (e.g. not RHEL, etc), it is absolutely not appropriate to diminish anonymity in exchange for those updates, or to paywall them.
It’s hardly diminishing your anonymity. There are plenty of services to create an anonymous email account.
This is a very accu explanation. ☝️
Thanks for the info, I’d seen the pro option but just assumed I didn’t want it, like pretty much everything thing else labelled “pro”.
However, Ubuntu started a service called Ubuntu Pro / ESM that provides updates for packages in universe.
Since it’s all free software, what gives Ubuntu the privilege to restrict these updates behind paywalls and signups?
Pro is also free for personal use on up to 5 machines, so there’s no reason not to enable it.
Fuck that bullshit. We shouldn’t be encouraging or enabling this behavior at all.
Canonical is making the security patches.
Also, you don’t have to release your source code changes to the public. You only have to release your changes to those who have access to the product.
That being said, Canonical probably does release the source code changes for their security fixes, I just don’t know where.
Those who are against it probably would just move away from Ubuntu. For those who aren’t, I don’t see why they shouldn’t register for Ubuntu Pro. It’s not in the spirit of the free software ecosystem, but not everyone needs to have the same level of commitment to free software.
IMO, hearing about Ubuntu Pro reinforces my decision to stick to Ubuntu derivatives like Mint, and it’s making me consider trying options like LMDE or straight up Debian.
It sure seems that way. Their “extended security maintenance” spam says that there are security updates that are only available if you “subscribe”.
I asked the Linux community about this, and didn’t get a straight answer (not surprised.)
It was enough for me to switch to Debian, though. There’s no excuse for updates to be locked behind paywalls or sign-ups in the free software ecosystem.
There’s no excuse for updates to be locked behind paywalls or sign-ups in the free software ecosystem.
Of course because you are also working for free, right? Btw. Ubuntu PRO is free for up to 5 devices…
Anybody can get Ubuntu Pro for free on up to five devices: https://ubuntu.com/pro/subscribe
Why Ubuntu pro when you can have Linux Mint for free indefinitely
Ubuntu pro provides support after 5 years of standard LTS support. Linux Mint does not provide any support (paid nor free) after the first 5 years so the comparison does not really make sense.
You only get security updates for packages in main. If you want them for packages in universe, like ffmpeg, you have to use esm or upgrade to 24.10.
So LTS isn’t really LTS.
Glad I switched to Debian.
deleted by creator
Thank you so much for your useful input.
deleted by creator
It’s the difference in OS version;
- 24.04 has ffmpeg_6.1.1-3ubuntu5
- 24.10 has ffmpeg_7.0.2-3ubuntu1
So if you want ffmpeg from main, upgrade to 24.10, otherwise you can only get ffmpeg in 24.04 by waiting until its added to main, using Ubuntu Pro, or compiling from source.
ffmpeg is not in main in any version
All distros have security vulnerabilities. It’s the nature of software. Minimizing the risk is the best you can do.
