I just ran ubuntu-security-status on a 20.04 installation and learnt to enable ESM to get more security updates:
```
4667 packages installed, of which:
1962 receive package updates with LTS until 4/2025
2694 could receive security updates with ESM Apps until 4/2030
11 packages are from third parties
[...]
Enable Extended Security Maintenance (ESM Apps) to get 3 security
updates (so far) and enable coverage of 2694 packages.
```
A little bit of tinkering revealed the three packages as ant, ant-doc and libzmq5. So I subscribed to the free plan on Ubuntu Advantage and enabled it on my host as documented.
ubuntu-security-status does not show the warning anymore, but the packages did not receive any updates.
Using the ant package as an example: The ESM-focal-apps-security-package list lists ant-1.10.7-1ubuntu0.1~esm1. The Changelog reveals that it patches CVE-2020-1945. However, the package comes from the esm-apps-repository, which is not enabled by default and cannot be enabled via `ua enable esm-apps` ("This subscription is not entitled to ESM Apps").
```
# ua status
SERVICE ENTITLED STATUS DESCRIPTION
esm-apps no — UA Apps: Extended Security Maintenance
[...]
```
Reading on launchpad/ant shows that CVE-2020-1945 was patched in
- Ubuntu 19.10 in ant-1.10.6
- Ubuntu 21.04 in ant-1.10.8
So what is going on:
- Why are there ESM packages for the current LTS release at all?
- What is this esm-apps and how to get the updates?
- Why is this CVE patched for 19.10 and 21.04, but not for 20.04, the only LTS version here?
- Does this mean Canonical is holding back security patches and providing them only for paying customers?