Why are kernel updates no longer classified as "security updates"?


After upgrading to Focal, I noticed that kernel updates show up under "Other updates" in the GUI rather than under "Security updates". This could delay notification of critical security fixes, since these updates usually include CVE mitigations.

Screenshot of the GUI update notification with a kernel update listed under "Other updates"

apt list --upgradable seems to indicate that these updates are no longer part of the focal-security repository? Why? Can this be fixed through configuration to restore the previous behaviour?

~$ apt list --upgradable
Listing... Done
firefox-locale-de/focal-updates,focal-security 112.0.2+build1-0ubuntu0.20.04.1 amd64 [upgradable from: 112.0.1+build1-0ubuntu0.20.04.1]
firefox-locale-en/focal-updates,focal-security 112.0.2+build1-0ubuntu0.20.04.1 amd64 [upgradable from: 112.0.1+build1-0ubuntu0.20.04.1]
firefox/focal-updates,focal-security 112.0.2+build1-0ubuntu0.20.04.1 amd64 [upgradable from: 112.0.1+build1-0ubuntu0.20.04.1]
linux-generic/focal-updates 5.4.0.148.146 amd64 [upgradable from: 5.4.0.147.145]
linux-headers-generic/focal-updates 5.4.0.148.146 amd64 [upgradable from: 5.4.0.147.145]
linux-image-generic/focal-updates 5.4.0.148.146 amd64 [upgradable from: 5.4.0.147.145]
linux-libc-dev/focal-updates 5.4.0-148.165 amd64 [upgradable from: 5.4.0-147.164]
tzdata/focal-updates,focal-updates 2023c-0ubuntu0.20.04.1 all [upgradable from: 2023c-0ubuntu0.20.04.0]


~$ cat /etc/apt/sources.list
###### Ubuntu Main Repos
deb http://de.archive.ubuntu.com/ubuntu focal main restricted universe multiverse

###### Ubuntu Update Repos
deb http://de.archive.ubuntu.com/ubuntu focal-updates main restricted universe multiverse
deb http://de.archive.ubuntu.com/ubuntu focal-security main restricted universe multiverse

###### Ubuntu Partner Repo
deb http://archive.canonical.com/ubuntu focal partner


/etc/update-manager$ grep -r . *
meta-release:[METARELEASE]
meta-release:URI = https://changelogs.ubuntu.com/meta-release
meta-release:URI_LTS = https://changelogs.ubuntu.com/meta-release-lts
meta-release:URI_UNSTABLE_POSTFIX = -development
meta-release:URI_PROPOSED_POSTFIX = -proposed

release-upgrades:[DEFAULT]
release-upgrades:Prompt=lts

release-upgrades.d/ubuntu-advantage-upgrades.cfg:[Sources]
release-upgrades.d/ubuntu-advantage-upgrades.cfg:Pockets=security,updates,proposed,backports,infra-security,infra-updates,apps-security,apps-updates
release-upgrades.d/ubuntu-advantage-upgrades.cfg:[Distro]
release-upgrades.d/ubuntu-advantage-upgrades.cfg:PostInstallScripts=./xorg_fix_proprietary.py, /usr/lib/ubuntu-advantage/upgrade_lts_contract.py

release-upgrades.d/allow-third-party.cfg:[Sources]
release-upgrades.d/allow-third-party.cfg:AllowThirdParty = yes

Answer 1

The Ubuntu security team has not yet finished its work on that package. After that it will appear in the security repository.

The image you added contains a Launchpad bug number. That bug shows the workflow for this CVE mitigation.

As of today, the workflow looks like this:

Screenshot of the Launchpad bug's workflow status

Answer 2

After some research, it seems this depends on the type of kernel update. I recently installed the linux-image-5.15.0-71-generic kernel update and got the following:

$ apt policy linux-image-5.15.0-71-generic
linux-image-5.15.0-71-generic:
  Installed: 5.15.0-71.78
  Candidate: 5.15.0-71.78
  Version table:
 *** 5.15.0-71.78 500
        500 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 Packages
        500 http://archive.ubuntu.com/ubuntu jammy-security/main amd64 Packages
        100 /var/lib/dpkg/status

So it is clear that this kernel update also contains security patches (CVEs), because it is part of both jammy-updates and jammy-security.

However, if that were not the case, I would assume the kernel update was only added to the jammy-updates repository. That would be the case if the update mainly contains bug fixes or other backported features not directly related to security (no CVEs).
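An added check (my own example code, not from the question or either answer) that parses `apt list --upgradable` output and reports which pending upgrades, kernel packages in particular, are only published through an -updates pocket and not yet through a -security pocket. The SAMPLE text is constructed from the shape of the output in the question; pipe real `apt list --upgradable` output into the script to run it against a live system.

```python
import re
import sys

# Constructed sample in the shape of `apt list --upgradable` output:
# package/pocket[,pocket] version arch [upgradable from: old-version]
SAMPLE = """Listing... Done
firefox/focal-updates,focal-security 112.0.2+build1-0ubuntu0.20.04.1 amd64 [upgradable from: 112.0.1+build1-0ubuntu0.20.04.1]
linux-image-generic/focal-updates 5.4.0.148.146 amd64 [upgradable from: 5.4.0.147.145]
linux-libc-dev/focal-updates 5.4.0-148.165 amd64 [upgradable from: 5.4.0-147.164]
tzdata/focal-updates,focal-updates 2023c-0ubuntu0.20.04.1 all [upgradable from: 2023c-0ubuntu0.20.04.0]
"""

LINE_RE = re.compile(
    r"^(?P<name>[^/\s]+)/(?P<pockets>\S+)\s+(?P<version>\S+)\s+(?P<arch>\S+)"
    r"\s+\[upgradable from: (?P<installed>[^\]]+)\]"
)


def parse_upgradable(text):
    """Turn `apt list --upgradable` output into dicts; the 'Listing...' header is skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entry = m.groupdict()
            # apt may repeat a pocket (see tzdata above); deduplicate for a clean report.
            entry["pockets"] = sorted(set(entry["pockets"].split(",")))
            entries.append(entry)
    return entries


def classify(entries):
    """Split entries into those already in a *-security pocket and everything else."""
    security, other = [], []
    for entry in entries:
        in_security = any(p.endswith("-security") for p in entry["pockets"])
        (security if in_security else other).append(entry)
    return security, other


def pending_kernel_updates(entries):
    """Kernel packages that are only reachable via -updates: the situation the question describes."""
    _, other = classify(entries)
    return [e["name"] for e in other if e["name"].startswith("linux-")]


if __name__ == "__main__":
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    parsed = parse_upgradable(text)
    sec, oth = classify(parsed)
    print("in -security:", [e["name"] for e in sec])
    print("not yet in -security:", [e["name"] for e in oth])
    print("kernel packages pending security publication:", pending_kernel_updates(parsed))
```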
