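After upgrading to Focal, I noticed that kernel updates are shown in the GUI under "Other updates" rather than "Security updates". This could delay notification of critical security fixes, since these updates usually include CVE mitigations.
apt list --upgradable seems to indicate that these updates are no longer part of the focal-security repository? Why? Can this be fixed through configuration, to restore the previous behaviour?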
~$ apt list --upgradable
Listing... Done
firefox-locale-de/focal-updates,focal-security 112.0.2+build1-0ubuntu0.20.04.1 amd64 [upgradable from: 112.0.1+build1-0ubuntu0.20.04.1]
firefox-locale-en/focal-updates,focal-security 112.0.2+build1-0ubuntu0.20.04.1 amd64 [upgradable from: 112.0.1+build1-0ubuntu0.20.04.1]
firefox/focal-updates,focal-security 112.0.2+build1-0ubuntu0.20.04.1 amd64 [upgradable from: 112.0.1+build1-0ubuntu0.20.04.1]
linux-generic/focal-updates 5.4.0.148.146 amd64 [upgradable from: 5.4.0.147.145]
linux-headers-generic/focal-updates 5.4.0.148.146 amd64 [upgradable from: 5.4.0.147.145]
linux-image-generic/focal-updates 5.4.0.148.146 amd64 [upgradable from: 5.4.0.147.145]
linux-libc-dev/focal-updates 5.4.0-148.165 amd64 [upgradable from: 5.4.0-147.164]
tzdata/focal-updates,focal-updates 2023c-0ubuntu0.20.04.1 all [upgradable from: 2023c-0ubuntu0.20.04.0]
~$ cat /etc/apt/sources.list
###### Ubuntu Main Repos
deb http://de.archive.ubuntu.com/ubuntu focal main restricted universe multiverse
###### Ubuntu Update Repos
deb http://de.archive.ubuntu.com/ubuntu focal-updates main restricted universe multiverse
deb http://de.archive.ubuntu.com/ubuntu focal-security main restricted universe multiverse
###### Ubuntu Partner Repo
deb http://archive.canonical.com/ubuntu focal partner
/etc/update-manager$ grep -r . *
meta-release:[METARELEASE]
meta-release:URI = https://changelogs.ubuntu.com/meta-release
meta-release:URI_LTS = https://changelogs.ubuntu.com/meta-release-lts
meta-release:URI_UNSTABLE_POSTFIX = -development
meta-release:URI_PROPOSED_POSTFIX = -proposed
release-upgrades:[DEFAULT]
release-upgrades:Prompt=lts
release-upgrades.d/ubuntu-advantage-upgrades.cfg:[Sources]
release-upgrades.d/ubuntu-advantage-upgrades.cfg:Pockets=security,updates,proposed,backports,infra-security,infra-updates,apps-security,apps-updates
release-upgrades.d/ubuntu-advantage-upgrades.cfg:[Distro]
release-upgrades.d/ubuntu-advantage-upgrades.cfg:PostInstallScripts=./xorg_fix_proprietary.py, /usr/lib/ubuntu-advantage/upgrade_lts_contract.py
release-upgrades.d/allow-third-party.cfg:[Sources]
release-upgrades.d/allow-third-party.cfg:AllowThirdParty = yes
Answer 1
Answer 2
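After some research, it seems this will vary depending on the type of kernel update. I recently installed the linux-image-5.15.0-71-generic kernel update and got the following information: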
$ apt policy linux-image-5.15.0-71-generic
linux-image-5.15.0-71-generic:
  Installed: 5.15.0-71.78
  Candidate: 5.15.0-71.78
  Version table:
 *** 5.15.0-71.78 500
        500 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 Packages
        500 http://archive.ubuntu.com/ubuntu jammy-security/main amd64 Packages
        100 /var/lib/dpkg/status
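So it is clear that this kernel update also contains security patches (CVEs), since it is part of both jammy-updates and jammy-security.
However, if that were not the case, then I would assume the kernel update is only added to the jammy-updates repository. This would be the case if the update mainly contains bug fixes or other backported features not directly related to security (no CVEs).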
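The pocket check discussed above can be run across every pending upgrade at once. The following is an added example, not part of the question or the answer: it reads `apt list --upgradable` output and labels each package by whether any pocket apt reports for it ends in `-security`. The function names `classify_upgrades` and `sample_upgrades` are hypothetical, and the sample lines are a subset of the output in the question.

```shell
#!/bin/sh
# Classify `apt list --upgradable` lines by origin pocket.
# Reads apt output on stdin; prints "<class> <package> <new-version>",
# where <class> is "security" if any listed pocket ends in "-security",
# otherwise "other".
classify_upgrades() {
    awk '
        # Package lines look like:
        #   name/pocket1,pocket2 version arch [upgradable from: old]
        # Anything without a "/" in the first field (the "Listing..."
        # banner, blank lines) is not a package line.
        index($1, "/") == 0 { next }
        {
            split($1, head, "/")                # head[1]=package, head[2]=pockets
            n = split(head[2], pockets, ",")
            class = "other"
            for (i = 1; i <= n; i++)
                if (pockets[i] ~ /-security$/) class = "security"
            print class, head[1], $2
        }'
}

# Sample input: a subset of the output shown in the question.
sample_upgrades() {
cat <<'EOF'
Listing... Done
firefox/focal-updates,focal-security 112.0.2+build1-0ubuntu0.20.04.1 amd64 [upgradable from: 112.0.1+build1-0ubuntu0.20.04.1]
linux-image-generic/focal-updates 5.4.0.148.146 amd64 [upgradable from: 5.4.0.147.145]
tzdata/focal-updates,focal-updates 2023c-0ubuntu0.20.04.1 all [upgradable from: 2023c-0ubuntu0.20.04.0]
EOF
}

# On a live system: apt list --upgradable 2>/dev/null | classify_upgrades
sample_upgrades | classify_upgrades
```

On the sample, firefox is labelled security while linux-image-generic and tzdata are labelled other, matching what the question observed in the GUI.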