Docker USN-7161-2 not available for Ubuntu 22.04 LTS

Our security scanners have flagged docker as being affected by CVE-2024-29018 and CVE-2024-41110 on some of our servers.
When I check the official Ubuntu information, it is stated as fixed if you have Ubuntu Pro.

But from my understanding, security fixes should be made available for LTS releases for the “Main” and “Universe” repositories for the first 5 years.

And docker.io comes from Universe, and 22.04 is still a supported LTS release.

When will this fix be available for non-Pro users?
Or why are these CVEs excluded from the LTS release?

From my understanding CVE-2024-41110 is not fixed in 24.04 LTS without Ubuntu Pro either.

Security fixes are only provided by Canonical for “Main” in LTS and interim releases. More information here.
Any packages in “Universe” are community-maintained. That means if Canonical actively patches any security vulnerabilities in “Universe”, those will be available through Ubuntu Pro; that’s the esm-apps offering.
I hope this clarifies your doubt.


That link makes it more confusing in a way.

Is Ubuntu still free?

Yes, the Ubuntu LTS and interim release support still work exactly the same with the same set of promises, bug fixes – and crucially, the same scope of security updates for both ‘Main’ and ‘Universe’ packages.

For me “same scope” means that they should be treated the same way.

But from your comment it seems that only security patches for Main are free, and Universe needs a subscription to get guaranteed security fixes.

But then at least I know that Universe packages are best effort for security patches, and I can update the security team that we need to switch to Pro or change to the Docker repositories directly.

That just means that nothing changed if you do not use Pro. Since day one, Ubuntu’s Universe component only got security updates if some community person stepped up to take over security maintenance for a package. This is still the same if you do not turn on Pro support today; what was changed is that we recently added support for Universe packages to the existing Pro offering additionally …

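Added example (not posted by anyone in this thread and not Canonical's tooling): a small POSIX shell script that parses the output of `apt-cache policy <package>` to show which archive pocket and component the installed version came from, and maps that to the maintenance rule described above (main/restricted fixed by Canonical, universe/multiverse community-maintained unless esm-apps is enabled). The sample policy output and the version strings are constructed, and the assumption that esm-apps suites are named `<codename>-apps-security` / `<codename>-apps-updates` is mine, not something stated in the thread.

```sh
#!/bin/sh
# Added example, not from the thread: find the archive source of the installed
# version of a package from `apt-cache policy` output and classify who maintains
# its security fixes. Suite names containing "-apps-security"/"-apps-updates" are
# assumed (not confirmed by the thread) to be the esm-apps (Ubuntu Pro) pockets.

# installed_source POLICY_TEXT -> prints "<suite>/<component>" of the installed version
installed_source() {
    printf '%s\n' "$1" | awk '
        /^ \*\*\*/ { want = 1; next }                 # "***" marks the installed version
        want && /^     [^ ]/ { exit }                  # next version entry (5-space indent): stop
        want && $2 ~ /^(https?|file):/ { print $3; exit }   # first repo line: "<suite>/<component>"
    '
}

# coverage SUITE/COMPONENT -> who provides security maintenance for it
coverage() {
    case "$1" in
        *-apps-security/*|*-apps-updates/*) echo "esm-apps" ;;   # Ubuntu Pro, universe coverage
        */main|*/restricted)                echo "canonical" ;;  # covered without Pro
        */universe|*/multiverse)            echo "community" ;;  # best effort without Pro
        *)                                  echo "unknown" ;;
    esac
}

# Constructed sample of `apt-cache policy docker.io` on a 22.04 host without Pro.
# The version strings are placeholders, not real docker.io versions.
SAMPLE_POLICY='docker.io:
  Installed: 1.0-0ubuntu1~22.04.1
  Candidate: 1.0-0ubuntu1~22.04.1
  Version table:
 *** 1.0-0ubuntu1~22.04.1 500
        500 http://archive.ubuntu.com/ubuntu jammy-updates/universe amd64 Packages
        100 /var/lib/dpkg/status
     0.9-0ubuntu1 500
        500 http://archive.ubuntu.com/ubuntu jammy/universe amd64 Packages'

# Constructed sample of the same package after esm-apps is enabled (assumed suite naming).
SAMPLE_POLICY_PRO='docker.io:
  Installed: 1.0-0ubuntu1~22.04.1+esm1
  Candidate: 1.0-0ubuntu1~22.04.1+esm1
  Version table:
 *** 1.0-0ubuntu1~22.04.1+esm1 510
        510 https://esm.ubuntu.com/apps/ubuntu jammy-apps-security/main amd64 Packages
        100 /var/lib/dpkg/status
     1.0-0ubuntu1~22.04.1 500
        500 http://archive.ubuntu.com/ubuntu jammy-updates/universe amd64 Packages'

# check_package PKG: query the live apt-cache when available, else use the constructed sample.
check_package() {
    pkg=$1
    if command -v apt-cache >/dev/null 2>&1; then
        policy=$(apt-cache policy "$pkg" 2>/dev/null)
    else
        policy=$SAMPLE_POLICY
    fi
    src=$(installed_source "$policy")
    echo "$pkg: installed from ${src:-?} -> security maintenance: $(coverage "$src")"
}

check_package docker.io
```

On a host this is a quick way to see, per package, whether a flagged CVE can be expected to arrive through the normal archive or only through esm-apps; `ubuntu-security-status` gives the same breakdown across all installed packages. Run it against the sample by executing the script on a machine without apt-cache, or pass a real package name to `check_package`.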

This seems more like a what-does-Ubuntu-Pro-cover question, and less about security.

It is understandable confusion: a clear picture of what Ubuntu Pro does and does not cover requires an understanding of how bug-fix and security patches differ among each pocket in the Ubuntu repos.


Yes and no, as part of the question is that I wanted to know when or if the CVEs/USN would be publicly available.
That is a security concern for non-Pro users.

I thought I answered that above…

Nothing has changed; packages in universe are as maintained/unmaintained as they have always been in Ubuntu…

If a team or individual would step up to take over the integration and testing work on a voluntary basis, nobody would stop them…


Yes, it was answered; my message was more in response to ian-weisser about it not being a security question. For some reason my quotation of his message did not work.
