=== robs is now known as robse
[13:08] <robse> Hello
[13:11] <robse> i'm on Ubuntu 18.04.5 LTS and my current linux-aws is 5.4.0.1063.45 that is affected by CVE-2022-0185. Even after apt-get update, I can't list the new linux-aws 5.4.0-1063.66
[13:11] <ubottu> ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0185>
[13:13] <robse> any hint on this ? I'm on AWS and I see that the package should be in security updates ? https://launchpad.net/ubuntu/+source/linux-aws-5.4/5.4.0-1063.66~18.04.1
[13:40] <sdeziel> robse: linux-aws pulls linux-image-aws which currently pulls linux-image-5.4.0-1063-aws which has version 5.4.0-1063.66~18.04.1 which includes the CVE fix
[13:49] <robse> sdeziel: yeah, I sorted it out just now. Wondering why linux-aws itself is version 5.4.0.1063.45.and not .66 that confused me. Thank you
[20:20] <ZMoney> Hey everyone -- Quick question -- when a CVE page lists a *-esm patches package name, does that imply that the package is only available from ETS?  I'm looking at the 16.04 row here: https://ubuntu.com/security/CVE-2021-4034
[20:20] <ubottu> ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4034>
[20:20] <ZMoney> ^^^ I have the exact same package version installed from 16.04 LTS, but of course it doesn't have the -esm suffix. So does it have the patch? :)
[20:22] <ZMoney> `sudo apt list --installed | grep policykit` shows policykit-1/xenial-updates,xenial-security,now 0.105-14.1ubuntu0.5 amd64 [installed]
[20:31] <sarnold> ZMoney: correct, you've got to enroll your machine into ESM via ua attach in order to get the ESM updates
[20:32] <sarnold> ZMoney: usually debian packages have a changelog located in /usr/share/doc/<packagename>/changelog.Debian.gz -- there should be a "* SECURITY UPDATE:" entry, with the CVE number, when you've got an installed package. (with the caveats that if there weren't a cve number available, or the assignment changed, etc, after release, we won't re-release new packages just to update this)
[20:35] <ZMoney> ok thanks for that. And 16.04 no longer receives any security updates for unpaid users?
[20:37] <sarnold> ZMoney: there's two free tiers -- one, available to all, allows three machines; the other, available to ubuntu members, allows 50 machines https://ubuntu.com/security/esm