Ubuntu’s current LTS version (24.04) contains ffmpeg version 7:6.1.1-3ubuntu5 which has this buffer overflow vulnerability:
https://trac.ffmpeg.org/ticket/10952
https://ubuntu.com/security/CVE-2024-32230
On my only Ubuntu computer, my update widget says that I need to upgrade to ffmpeg version 7:6.1.1-3ubuntu5+esm2 but can only only do so with Ubuntu Pro. I’m not eligible for Ubuntu Pro.
Ubuntu claims that 24.04 is currently fully supported, and should have complete security updates. However, they seem to have paywalled this security update.
What should I do?
Yes. Ubuntu has two main repos, main and universe.
main is relatively small and includes everything that comes with Ubuntu by default. Canonical secures this repo with security fixes for everyone.
universe is not officially supported by Canonical. It’s updates are done by community members. However, Ubuntu started a service called Ubuntu Pro / ESM that provides updates for packages in universe. It’s opt in because Canonical wants companies using Ubuntu to pay for Pro in order to help fund Ubuntu. However, Pro is also free for personal use on up to 5 machines, so there’s no reason not to enable it. f it was enabled by default then no one would pay for it.
Thanks for the info, I’d seen the pro option but just assumed I didn’t want it, like pretty much everything thing else labelled “pro”.
My issue is that I don’t want to have to register for shit like that. If it’s security related, and it’s a free Linux distro (e.g. not RHEL, etc), it is absolutely not appropriate to diminish anonymity in exchange for those updates, or to paywall them.
It’s hardly diminishing your anonymity. There are plenty of services to create an anonymous email account.
This is a very accurate explanation. ☝️
Since it’s all free software, what gives Ubuntu the privilege to restrict these updates behind paywalls and signups?
Fuck that bullshit. We shouldn’t be encouraging or enabling this behavior at all.
Those who are against it probably would just move away from Ubuntu. For those who aren’t, I don’t see why they shouldn’t register for Ubuntu Pro. It’s not in the spirit of the free software ecosystem, but not everyone needs to have the same level of commitment to free software.
IMO, hearing about Ubuntu Pro reinforces my decision to stick to Ubuntu derivatives like Mint, and it’s making me consider trying options like LMDE or straight up Debian.
GPL does not restrict you from selling the software, though you can’t stop getting distributed by someone who bought it. Even RMS himself sold Emacs back in the day.
EDIT: I’m not saying it’s justified in moral sense, I think it sucks ass. But it’s not against the license.
Oh god, we know.
Practically speaking though, if anyone can redistribute it for free then it’s available for free.
You don’t seem to understand the difference between free as in freedom and free as in beer that is literally the cornerstone of the free software community.
Canonical is making the security patches.
Also, you don’t have to release your source code changes to the public. You only have to release your changes to those who have access to the product.
That being said, Canonical probably does release the source code changes for their security fixes, I just don’t know where.