Limonene

Is Ubuntu shipping software with known security vulnerabilities?

https://lemmy.world/post/26435835

Is Ubuntu shipping software with known security vulnerabilities? - Lemmy.World

Ubuntu’s current LTS version (24.04) contains ffmpeg version 7:6.1.1-3ubuntu5 which has this buffer overflow vulnerability: https://trac.ffmpeg.org/ticket/10952 [https://trac.ffmpeg.org/ticket/10952] https://ubuntu.com/security/CVE-2024-32230 [https://ubuntu.com/security/CVE-2024-32230] On my only Ubuntu computer, my update widget says that I need to upgrade to ffmpeg version 7:6.1.1-3ubuntu5+esm2 [https://ubuntu.com/security/notices/USN-6983-1] but can only only do so with Ubuntu Pro. I’m not eligible for Ubuntu Pro. Ubuntu claims that 24.04 is currently fully supported, and should have complete security updates. However, they seem to have paywalled this security update. What should I do?

Mar 6, 2025 at 11:18pmWeb
Show threadcatloafMar 6, 2025
You only get security updates for packages in main. If you want them for packages in universe, like ffmpeg, you have to use esm or upgrade to 24.10.
Show threadlengauMar 8, 2025
That’s not quite accurate. The community can still upload fixed packages to universe, just as the community runs universe in the first place.
Show threadXanzaMar 7, 2025

It’s the difference in OS version;

  • 24.04 has ffmpeg_6.1.1-3ubuntu5
  • 24.10 has ffmpeg_7.0.2-3ubuntu1

So if you want ffmpeg from main, upgrade to 24.10, otherwise you can only get ffmpeg in 24.04 by waiting until its added to main, using Ubuntu Pro, or compiling from source.

git.ffmpeg.org Git - ffmpeg.git/tags

Show threadcatloafMar 7, 2025
ffmpeg is not in main in any version
Show threadMuddybulldogMar 7, 2025
Anybody can get Ubuntu Pro for free on up to five devices: ubuntu.com/pro/subscribe
Buy Ubuntu Pro | Ubuntu

Ubuntu Pro offers a single, per-node packaging of the most comprehensive software, security and IaaS support in the industry, with OpenStack support, Kubernetes support included, and Livepatch, Landscape and Expanded Security Maintenance to address security and compliance concerns.

Ubuntu
Show threadColdWaterMar 8, 2025
Why Ubuntu pro when you can have Linux Mint for free indefinitely
Show threadlengauMar 8, 2025
Does mint ship with a fixed version of ffmpeg?
Show threadTMP_NKcYUEoM7kXg4qYeMar 9, 2025
Ubuntu pro provides support after 5 years of standard LTS support. Linux Mint does not provide any support (paid nor free) after the first 5 years so the comparison does not really make sense.
Show threadlengauMar 10, 2025
Not to mention that I can’t find any indication that Mint has a fixed version of ffmpeg at all.
Show threadGeodadMar 8, 2025
Ubuntu shipped ads from Amazon back in the late 00s. I stopped using them then and haven’t touched them since.
Show threadblackfireMar 8, 2025
Thank you so much for your useful input.
Show threadGeodadMar 8, 2025
Glad to help. I’m highly suspicious of any corporation backed distributions.