Security podcast: March

Welcome to the second post in our series based on the weekly Ubuntu Security Podcast! I am Alex Murray and am a Staff Engineer and the Tech Lead for the Ubuntu Security team at Canonical. Each month, I cover the most interesting security fixes around Ubuntu, as well as an in-depth discussion of the different vulnerabilities that we’ve been addressing. This time we will look into Python updates, have a discussion about 16.04 LTS transitioning into extended security maintenance (ESM) in April and finally, I will cover some open positions within the team!

Python updates

Seven different CVEs were addressed for the 18.04 LTS and 20.04 LTS releases. I wanted to talk about this one because it highlights all the different versions of Python that are spread across the different repositories in Ubuntu. If you are familiar with the Ubuntu repositories, you will know we have 2 main sections – Main and Universe. Main is the software that is supported by the security team and other teams at Canonical, and Universe is supported by the community.

Within Universe, we actually have multiple different Python versions across the different Ubuntu releases. However, we usually only support a single one in Main, meaning that only one version of Python is supported for each release (or in the case of Python 2 versus Python 3, we support only one Python 2 and one Python 3 release). So for 16.04 LTS and 18.04 LTS, Python 2.7 is in Main. But for later releases like 20.04 LTS and 20.10, 2.7 is now in Universe. Whereas say in 16.04 LTS we have Python 3.5 in Main, but 3.6 is in Main for 18.04 LTS, and 3.8 is in Main for 20.04 LTS and 20.10. We often have the same versions back in the older releases but they live in the Universe. This means that it is possible to run Python 3.8 in all those older releases, but it’s in Universe, so not officially supported by Canonical. 

In this update, we have rolled in several of those fixes to those versions that are in Universe. So if you are running one of those versions that aren’t traditionally supported, you are now a little safer, and you can find details of those vulnerabilities either in the show notes or referring back to previous episodes. 

16.04 LTS to ESM transition

The 16.04 LTS Ubuntu release was released back in April of 2016 and was supported by Canonical for five years. This month we’ll be reaching the end of the long-term support period. The 16.04 LTS release will be transitioning to extended security maintenance (ESM). Since the original 12.04 LTS and our first ESM release in 2017, we have been supporting a subset of the packages in Main, doing security updates for high and critical vulnerabilities for a period of three years once a release transitions from LTS to ESM.

However, we are doing something different for 16.04: instead of only supporting just a subset of Main, we will be supporting the entirety of Main for high and critical priority CVEs. This means that the coverage of what is supported under 16.04 ESM is now expanded compared to previous ESM releases.

So for people that are running 16.04 LTS and not in a position yet to upgrade to 18.04 LTS or 20.04 LTS, transitioning to ESM is a compelling option. If you want to find out more, there’s a blog post written by Lech Sandecki that talks about the trade-offs between upgrading from one LTS to another or moving over to ESM, etc. There is also a webinar by Lech and Rick Harding from the Ubuntu server team that talks about some of those concerns and the kind of things you need to think about if you are currently running 16.04 LTS.

It is worth noting that not only is ESM available for Ubuntu Advantage customers, it is also available for personal use, meaning that anyone can use ESM on up to three of their own machines for free – whilst Ubuntu Members can use it on up to 50 machines. And as I said, for those enterprise users with bigger needs, it is also available as part of the Ubuntu Advantage program, alongside other enterprise perks.

We are hiring

We have some open positions on the team! We are currently looking for an AppArmor security engineer. If you want to work on AppArmor, develop new features on both the kernel and the user space part of that, I urge you to check that one out. 

We are also looking for a security engineer to work as part of our certifications team. If you have experience or an interest in things like FIPs, Common Criteria, and STIG, don’t hesitate to apply. 

And finally, we are also looking for a generalist, someone to work on the day-to-day security, patching work, and hardening of Ubuntu, feature development, etc. Both of these are remote positions and the second one is available to anyone in the world!

The Ubuntu Security Podcast

If you want to have the full breakdown of our latest updates and patches, check out the Ubuntu Security Podcast on Spotify, Apple Podcast, Google Podcast, and Pocket Casts! And if you want to get in contact with us, you can find us on Twitter at @ubuntu_sec. We also hang out on the #ubuntu-hardened channel on the Freenode IRC network. You can also check out the security section on discourse.ubuntu.com or of course email the team at security@ubuntu.com.