
We installed tomcat9 and nginx from the Ubuntu package manager and soon realised that the package versions available didn't have the latest security patches. We then subscribed to Ubuntu Pro esm-apps, which is supposed to have the latest security patches for a number of packages including tomcat9 and nginx.

However running sudo apt update doesn't update these packages to the latest. Do we need to do anything else?

Ubuntu Version - 22.04.3 LTS

user@host:/# sudo pro security-status --esm-apps
749 packages installed:
    8 packages from Ubuntu Universe/Multiverse repository

Universe/Multiverse packages are receiving security updates from Ubuntu Pro with 'esm-apps' enabled until 2032.

Run 'pro help esm-apps' to learn more

Installed packages covered by esm-apps: libeclipse-jdt-core-java libnetfilter-queue1 libtcnative-1 libtomcat9-java python3-parted rename tomcat9 tomcat9-common

Tomcat9 is still the old version 9.0.58, which was released in January 2022.

user@host:/..../tomcat9/bin# ./version.sh
Server version: Apache Tomcat/9.0.58 (Ubuntu)
Server built:   Jan 6 1970 15:09:28 UTC
Server number:  9.0.58.0
OS Name:        Linux
OS Version:     6.2.0-1019-azure
Architecture:   amd64
JVM Version:    11.0.21+9-post-Ubuntu-0ubuntu122.04
JVM Vendor:     Ubuntu

How do I ensure that we get the latest from esm-apps?

Update

sudo apt upgrade doesn't list tomcat9 as a package to upgrade.

user@host:/# sudo apt upgrade
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Calculating upgrade... Done
The following packages will be upgraded:
  alsa-ucm-conf
1 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 43.4 kB of archives.
After this operation, 0 B of additional disk space will be used.

apt list --installed shows the following.

tomcat9-common/jammy-updates,now 9.0.58-1ubuntu0.1 all [installed,automatic]
tomcat9/jammy-updates,now 9.0.58-1ubuntu0.1 all [installed]

apt policy tomcat9 shows the following.

tomcat9:
  Installed: 9.0.58-1ubuntu0.1
  Candidate: 9.0.58-1ubuntu0.1
  Version table:
 *** 9.0.58-1ubuntu0.1 500
        500 http://azure.archive.ubuntu.com/ubuntu jammy-updates/universe amd64 Packages
        100 /var/lib/dpkg/status
     9.0.58-1 500
        500 http://azure.archive.ubuntu.com/ubuntu jammy/universe amd64 Packages
hoz
  • sudo apt update has never updated any packages. That command updates the database of available packages. sudo apt upgrade downloads and installs available packages using that database. – user535733 Feb 02 '24 at 19:03
    You cannot reliably tell if software is patched by using the software itself. Many patches do not change the software's version number. Instead, look at the package version listed by apt or dpkg, which does increment. – user535733 Feb 02 '24 at 19:10
  • LTS releases have "frozen" software versions for most packages; in your case that means that Tomcat will probably always stay at version 9.0.58. This is to avoid possibly breaking compatibility, as this is supposed to be a stable release. However, the security patches are usually backported. You can know it only by looking at the package's change log. – raj Feb 02 '24 at 22:53
  • @user535733 Thanks, I have updated the post based on your comments. Unfortunately, I can't see a way to upgrade tomcat9 to latest. – hoz Feb 06 '24 at 16:55

2 Answers


You will need to check out the Ubuntu Security Notices website and cross-reference the CVE to see if a patched version from Ubuntu or Ubuntu Pro is available. You will also be able to verify whether the version you are running is patched.

The link I've provided shows search results for nginx. You can also search for an individual CVE: just enter the CVE number into the search bar and press ENTER.

mchid

Ubuntu ESM doesn't provide the latest versions via the subscription. However, security fixes are backported to the latest stable version released for the software version for that OS release. For example, 9.0.58 is the Tomcat9 version released for Ubuntu 22.04.3 LTS. However, according to Canonical, security fixes are backported to this version and are available via the ESM subscription.

With Ubuntu Pro we provide our users with hundreds of security fixes for versions of software not maintained by any other vendor. Yet there are cases when we might not provide a fix. Ubuntu Pro commits to addressing high or critical CVEs. So, CVEs that are medium or low are outside the scope. Usually, we are okay with fixing selected medium CVEs at customer request. We typically don't address lows. Sometimes, the Ubuntu Security team can change the priority of a CVE if the risk on Ubuntu can be mitigated because of Ubuntu's configuration. If no patch is yet available upstream, or if the upstream disputes a CVE, there might not be a fix to be applied as well.

I can see from the documentation for nginx that they have fixed some CVEs: https://ubuntu.com/security/cves?q=&package=nginx&priority=&version=jammy. Some are marked as not vulnerable.

However, this is not the case for Tomcat. Most of the vulnerabilities are in the Needs Triage status, probably because these are Medium and Low CVEs: https://ubuntu.com/security/cves?q=&package=tomcat9&version=jammy

hoz
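Added example, not from the post or from Ubuntu's own tooling: a POSIX shell check that parses `apt policy` output to tell whether the candidate version of a package is being served from the Ubuntu Pro esm-apps archive, which is the question the version string from version.sh cannot answer. It embeds the questioner's tomcat9 output plus a constructed variant; the esm.ubuntu.com/apps origin, the jammy-apps-security suite and the +esm1 version suffix in that variant are assumptions for illustration.

```shell
#!/bin/sh
# Questioner's real `apt policy tomcat9` output, embedded so the check runs
# offline. On a live host use: esm_state "$(apt policy tomcat9)"
SAMPLE_POLICY='tomcat9:
  Installed: 9.0.58-1ubuntu0.1
  Candidate: 9.0.58-1ubuntu0.1
  Version table:
 *** 9.0.58-1ubuntu0.1 500
        500 http://azure.archive.ubuntu.com/ubuntu jammy-updates/universe amd64 Packages
        100 /var/lib/dpkg/status
     9.0.58-1 500
        500 http://azure.archive.ubuntu.com/ubuntu jammy/universe amd64 Packages'

# Constructed variant (assumed origin/suite/version, not from the post):
# what the table looks like once esm-apps offers a backported build.
SAMPLE_POLICY_ESM='tomcat9:
  Installed: 9.0.58-1ubuntu0.1
  Candidate: 9.0.58-1ubuntu0.1+esm1
  Version table:
     9.0.58-1ubuntu0.1+esm1 500
        500 https://esm.ubuntu.com/apps/ubuntu jammy-apps-security/main amd64 Packages
 *** 9.0.58-1ubuntu0.1 500
        500 http://azure.archive.ubuntu.com/ubuntu jammy-updates/universe amd64 Packages
        100 /var/lib/dpkg/status'

# candidate_source POLICY_TEXT: print "URL suite/component" of the archive
# that supplies the Candidate version (first http(s) line under its entry).
candidate_source() {
    printf '%s\n' "$1" | awk '
        /^  Candidate:/ { cand = $2; next }
        /^ *\*\*\* / || /^     [^ ]/ { ver = ($1 == "***") ? $2 : $1; next }
        /^ +[0-9]+ +https?:\/\// && ver == cand { print $2, $3; exit }
    '
}

# esm_state POLICY_TEXT: "esm-apps" if the candidate comes from the Pro apps
# archive, "installed-is-candidate" if nothing newer is offered at all,
# "main-archive" if something newer is offered but not via ESM.
esm_state() {
    src=$(candidate_source "$1")
    case "$src" in
        *esm.ubuntu.com/apps*) echo esm-apps ;;
        *) inst=$(printf '%s\n' "$1" | awk '/^  Installed:/ {print $2}')
           cand=$(printf '%s\n' "$1" | awk '/^  Candidate:/ {print $2}')
           if [ "$inst" = "$cand" ]; then echo installed-is-candidate
           else echo main-archive; fi ;;
    esac
}

esm_state "$SAMPLE_POLICY"       # installed-is-candidate
esm_state "$SAMPLE_POLICY_ESM"   # esm-apps
```

An "installed-is-candidate" result with no esm.ubuntu.com line anywhere in the table means apt has no ESM source for that package, so the next thing to inspect is `apt-cache policy` for the esm-apps origin and `apt changelog tomcat9` for CVE entries, as the comments suggest.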