Your submission was sent successfully! Close

Get started with Ubuntu Pro


New to Ubuntu Pro? This how-to guide will help you understand how to activate your Ubuntu Pro subscription and choose which services to enable. Together, we will identify security updates available uniquely with an Ubuntu Pro subscription, and we will apply fixes.

We will start by getting a free, personal subscription. Then we will attach this subscription to your existing Ubuntu LTS machine and enable the Expanded Security Maintenance for Applications (esm-apps) in beta, to find out if any additional security fixes are available for you on your machine.

Want to learn more about the benefits of Ubuntu Pro before moving on?

What you'll learn

  1. What Ubuntu Pro is and how to use it
  2. How to check the source of your installed packages
  3. How to attach an Ubuntu Pro subscription to your existing Ubuntu LTS machine
  4. How to check for and apply security updates on your Ubuntu machine, including security updates for Ubuntu Universe packages which are only available with Ubuntu Pro

What you'll need

  1. An Ubuntu machine running 16.04 LTS, 18.04 LTS, 20.04 LTS or 22.04 LTS
  2. Sudo access
  3. An email address, or an existing Ubuntu One account
  4. Ubuntu Pro client version 27.11.2 or newer


Before we start

  1. Make sure that you are up to date:
    $ sudo apt update && sudo apt upgrade
  2. Ensure that you're running the latest version of the pro client:
    $ pro --version
    $ pro --version

I can see that I am running version 27.11.2, so no need to update. If you run a previous version of the client, you have two options:

  • You could wait for the pro client update, which is now released and phased to get to all Ubuntu machines by October 9th, 2022, or
  • Consider bypassing the update phasing and install the client version 27.11.2 using the following command:
    $ sudo apt install ubuntu-advantage-tools=27.11.2~$(lsb_release -rs).1


Identify the source repository of your installed packages

First, let's find out how many deb packages are installed on your machine and from which source:

$ pro security-status
2190 packages installed:
     1870 packages from Ubuntu Main/Restricted repository
     281 packages from Ubuntu Universe/Multiverse repository
     10 packages from third parties
     29 packages no longer available for download

To get more information about the packages, run
    pro security-status --help
for a list of available options.

This machine is not attached to an Ubuntu Pro subscription.

Main/Restricted packages receive updates with LTS until 2025.

Try Ubuntu Pro beta with a free personal subscription on up to 5 machines.
Learn more at

OK, so there are 2190 deb packages installed on your machine.

  • 1870 packages are from Ubuntu Main/ Restricted repository which means that they receive Ubuntu LTS updates until 2025. This is covered without any subscription but can be expanded with Ubuntu Pro for an additional 5 years, until 2030.
  • 281 packages are from Ubuntu Universe/ Multiverse repository and they come with no security assurance with Ubuntu LTS. They would be covered by Ubuntu Pro and there might be beta security updates available for them today. Let's find out if that is the case.

Note: if you're currently not using any packages from the Ubuntu Universe repository, that line will not be displayed.

At the bottom of the output, I am notified that I can get a free personal Ubuntu Pro subscription for 5 machines. Let's get one!


Get your free Ubuntu Pro subscription

  1. Create an Ubuntu One account

    If you do not already have an Ubuntu One account, create one - Ubuntu One is the single account you use to log in to all services and sites related to Ubuntu, including the Ubuntu Pro which is free of charge for personal use on up to 5 machines.

  2. Confirm the email address

    Simply click the link provided in the email:

    Welcome to your new Ubuntu One account.
    You can log in right away and start using your new account.
    Please take a moment to confirm your email address with us.
    To confirm your email address, please click on the link below:{YOUR_TOKEN_HERE}/+newemail/{YOUR_EMAIL_HERE}
    Thank you,
    The Ubuntu One team
    If you don't know what this is about, then someone has probably entered your email address by mistake. Sorry about that. Use the following link only if you wish to report this email being incorrectly used:{YOUR_TOKEN_HERE}/{YOUR_EMAIL_HERE}
    You can also seek further assistance on:

  3. Retrieve the token:

    You will be automatically redirected to your Ubuntu Pro dashboard (; an additional Google captcha confirmation step might be required. Your Ubuntu Pro token will be listed under 'Free Personal Token'


Attach your Ubuntu LTS machine to an Ubuntu Pro subscription using the token

Now that we have our Ubuntu Pro token, we can attach it to our Ubuntu instance. Open the terminal on your Ubuntu LTS, and type the following command:

$ sudo pro attach [YOUR_TOKEN]

You should see some of the Ubuntu Pro services - Expanded Security Maintenance for Infrastructure (esm-infra), and Livepatch - automatically enabling, while others will remain disabled until you switch them on:

$ sudo pro attach [YOUR_TOKEN]
Enabling default service esm-infra
Updating package lists
Ubuntu Pro: ESM Infra enabled
Enabling default service livepatch
Canonical livepatch enabled.
Unable to determine current instance-id
This machine is now attached to 'Ubuntu Pro - free personal subscription'            

esm-infra        yes       enabled   Expanded Security Maintenance for Infrastructure
fips             yes       disabled  NIST-certified core packages
fips-updates     yes       disabled  NIST-certified core packages with priority security updates
livepatch        yes       enabled   Canonical Livepatch service
usg              yes       disabled  Security compliance and audit tools

Operation in progress: pro attach

Enable services with: pro enable <service>
Account: [YOUR_EMAIL]
Subscription: Ubuntu Pro - free personal subscription

This output will depend on your Ubuntu LTS version; for instance 'fips', 'fips-updates' and 'usg' are not yet available on Ubuntu 22.04 LTS.


Enable the esm-apps service (in beta)

Now, let's enable the esm-apps beta service by running:

$ sudo pro enable esm-apps --beta
$ sudo pro enable esm-apps --beta
One moment, checking your subscription first
Updating package lists
Ubuntu Pro: ESM Apps enabled

Remember that you need to attach a Pro subscription first. If you haven't done it in advance, you will see the following message:

$ sudo pro enable esm-apps --beta
To use 'esm-apps' you need an Ubuntu Pro subscription
Personal and community subscriptions are available at no charge


Find out if any additional security patches are available for you

Check if any additional security updates for the packages from the Ubuntu Universe repository are available for you

Run $ apt list --upgradable | grep apps-security to find out which packages can be upgraded. Ubuntu Pro: esm-apps packages will be listed under release-apps-security

$ apt list --upgradable | grep apps-security

WARNING: apt does not have a stable CLI interface. Use with caution in scripts.

redis-server/focal-apps-security 5:5.0.7-2ubuntu0.1+esm1 amd64 [upgradable from: 5:5.0.7-2ubuntu0.1]
redis-tools/focal-apps-security 5:5.0.7-2ubuntu0.1+esm1 amd64 [upgradable from: 5:5.0.7-2ubuntu0.1]
redis/focal-apps-security,focal-apps-security 5:5.0.7-2ubuntu0.1+esm1 all [upgradable from: 5:5.0.7-2ubuntu0.1]         

Ok, I can see that there are 3 packages related to Redis that have esm-apps security updates available for Ubuntu Pro.

Note: If you don't see anything in your output, it means that no Ubuntu Pro security updates are currently available on that Ubuntu machine. In that case consider installing a package that would provide an output. Before doing that, please disable the esm-apps service and enable it again once the package is installed (otherwise it would install the new version right away and thereby you would not see the difference).

$ sudo pro disable esm-apps
$ sudo apt-get install pdfresurrect
$ sudo pro enable esm-apps --beta

And then move back to the top of step 6.


Identify which CVEs are affecting you

  1. First, let's add an apt source for the esm-apps deb-src repository. This will allow us to download the source packages directly which contain the CVE information.
    echo "deb-src $(lsb_release -s -c)-apps-security main"  | sudo tee /etc/apt/sources.list.d/esm-apps-sources.list'
  2. Now, let's make sure that apt is aware of those source packages by running:
    $ apt-get update
  3. Now, let's download a source package for a package present on esm-apps (from step 6). In our example here it can be redis.
    $ sudo apt-get source redis
  4. Let's now find a file that starts with the package name we downloaded and ends with debian.tar.xz. We can do that by running the following ls command:
    $ ls [PACKAGE_NAME]*.debian.tar.xz
    For example, for redis we should run:
    $ ls redis*.debian.tar.xz
  5. We can now use this name to show the latest changelog entry:
    $ tar -xOf [PACKAGE_NAME].debian.tar.xz debian/changelog | sed "/--/q"
    For example, for redis we should run:
    $ tar -xOf redis_5.0.7-2ubuntu0.1+esm1.debian.tar.xz debian/changelog | sed "/--/q"
    redis (5:5.0.7-2ubuntu0.1+esm1) focal-security; urgency=medium
      * SECURITY UPDATE: Several security issues.
        - debian/patches/CVE-2021-32626.patch: Fix invalid memory write on
        lua stack overflow
        - debian/patches/CVE-2021-32627_32628.patch: Fix ziplist and
        listpack overflows and truncations
        - debian/patches/CVE-2021-32672.patch: Fix protocol parsing on
        - debian/patches/CVE-2021-32675.patch: Prevent unauthenticated
        client from easily consuming lots of memory
        - debian/patches/CVE-2021-32687.patch: Fix Integer overflow issue
        with intsets
        - debian/patches/CVE-2021-41099.patch: Fix integer overflow in
        - CVE-2021-32626
        - CVE-2021-32627
        - CVE-2021-32628
        - CVE-2021-32672
        - CVE-2021-32675
        - CVE-2021-32687
        - CVE-2021-41099
     -- Eduardo Barretto   Tue, 08 Mar 2022 09:52:58 +0100              

I can now see all CVE fixes available for redis with Ubuntu Pro. They fix the following CVEs:

  • CVE-2021-32626
  • CVE-2021-32627
  • CVE-2021-32628
  • CVE-2021-32672
  • CVE-2021-32675
  • CVE-2021-32687
  • CVE-2021-41099

You can learn more about those security vulnerabilities on Ubuntu security pages, e.g.

Note: as those security fixes are currently in beta, the USNs will not yet be announced.

PS: You can delete the “/etc/apt/sources.list.d/esm-apps-sources.list” file after looking at the changelog.


Upgrade packages to a patched version

Now that we have identified which packages and CVEs are affecting you, let's get them fixed.

$ sudo apt upgrade
Reading package lists... Done
Building dependency tree       
Reading state information... Done
Calculating upgrade... Done
The following packages will be upgraded:
  redis redis-server redis-tools
3 to upgrade, 0 to newly install, 0 to remove and 0 not to upgrade.
3 esm-apps security updates
Need to get 532 kB of archives.
After this operation, 0 B of additional disk space will be used.
Do you want to continue? [Y/n] y
Get:1 focal-apps-security/main amd64 redis-server amd64 5:5.0.7-2ubuntu0.1+esm1 [37.4 kB]
Get:2 focal-apps-security/main amd64 redis-tools amd64 5:5.0.7-2ubuntu0.1+esm1 [491 kB]
Get:3 focal-apps-security/main amd64 redis all 5:5.0.7-2ubuntu0.1+esm1 [3,072 B]
Fetched 532 kB in 1s (393 kB/s)   
(Reading database ... 281498 files and directories currently installed.)
Preparing to unpack .../redis-server_5%3a5.0.7-2ubuntu0.1+esm1_amd64.deb ...
Unpacking redis-server (5:5.0.7-2ubuntu0.1+esm1) over (5:5.0.7-2ubuntu0.1) ...
Preparing to unpack .../redis-tools_5%3a5.0.7-2ubuntu0.1+esm1_amd64.deb ...
Unpacking redis-tools (5:5.0.7-2ubuntu0.1+esm1) over (5:5.0.7-2ubuntu0.1) ...
Preparing to unpack .../redis_5%3a5.0.7-2ubuntu0.1+esm1_all.deb ...
Unpacking redis (5:5.0.7-2ubuntu0.1+esm1) over (5:5.0.7-2ubuntu0.1) ...
Setting up redis-tools (5:5.0.7-2ubuntu0.1+esm1) ...
Setting up redis-server (5:5.0.7-2ubuntu0.1+esm1) ...
Setting up redis (5:5.0.7-2ubuntu0.1+esm1) ...
Processing triggers for man-db (2.9.1-1) ...
Processing triggers for ureadahead (0.100.0-21) ...
Processing triggers for systemd (245.4-4ubuntu3.18) ...


Find out how many esm-apps fixes have been installed overall

$ pro security-status
2190 packages installed:
     1870 packages from Ubuntu Main/Restricted repository
     281 packages from Ubuntu Universe/Multiverse repository
     10 packages from third parties
     29 packages no longer available for download

To get more information about the packages, run
    pro security-status --help
for a list of available options.

Main/Restricted packages receive updates with LTS until 2025.

Universe/Multiverse packages are receiving security updates from
Ubuntu Pro with 'esm-apps' enabled until 2030. You have received 3 security

Congrats! It seems that packages have been upgraded, so you're not vulnerable to the CVEs listed in step 8 anymore. In the final output above, with $ esm-apps --beta service enabled, we can see that 3 packages have received security updates.


What else can you use your Ubuntu Pro subscription for?

For users running in regulated environments, we have a set of FIPS-certified crypto-modules and hardening scripts available. To enable them, consider enabling other Pro services you are entitled to, such as the Ubuntu Security Guide.

$ sudo pro enable usg


That's all, folks

Good job, you made it! You should now know how to access and use Ubuntu Pro, as well as understand all the great benefits Ubuntu Pro has to offer.

Next steps:

Still hungry to learn more about Ubuntu Pro? Head on over to Ubuntu Pro Discourse.