I am using Ubuntu Server 26.04 on an Orange Pi board.
Debian and Fedora have already released fixes for the Fragnesia and Dirty Frag vulnerabilities.
However, Ubuntu appears to be taking longer to release updates containing these fixes.
Ubuntu Server 26.04 is still running kernel version 7.0.0-15.
I also tried enabling the HWE kernel, but without success.
I assume this may be related to some particularity of the kernel used by the Orange Pi board.
I have two questions and would appreciate any help:
Is this delay in releasing fixes considered normal for an LTS version, even when dealing with security vulnerabilities?
Is there any estimated schedule, release cycle, or defined interval for new kernel releases in Ubuntu 26.04?
In my opinion, the response by Canonical to the kernel privilege escalation issues has been woefully inadequate. It’s taken weeks to get updated kernels that address the CVEs, which were addressed within days by most other Linux distributions. The resolute kernel is tracking the current stable kernel release that was seeing continuous point releases. I think the approach to patching kernel vulnerabilities in particular needs to be reviewed and improved. As a paying customer I also filed a support ticket and suggest others do the same to provide feedback.
Both CVE pages in the Ubuntu CVE Tracker link to this post, so I would expect any production sites that care about it to already have the mitigation in place.
The fixes have landed in the package and are in the proposed archive undergoing their usual regression testing as you can see in the changelog of the linux package already …