Ubuntu’s current LTS version (24.04) contains ffmpeg version 7:6.1.1-3ubuntu5 which has this buffer overflow vulnerability:
https://trac.ffmpeg.org/ticket/10952
https://ubuntu.com/security/CVE-2024-32230
On my only Ubuntu computer, my update widget says that I need to upgrade to ffmpeg version 7:6.1.1-3ubuntu5+esm2 but can only only do so with Ubuntu Pro. I’m not eligible for Ubuntu Pro.
Ubuntu claims that 24.04 is currently fully supported, and should have complete security updates. However, they seem to have paywalled this security update.
What should I do?
You must log in or register to comment.
Yes. Ubuntu has two main repos, main and universe.
main is relatively small and includes everything that comes with Ubuntu by default. Canonical secures this repo with security fixes for everyone.
universe is not officially supported by Canonical. It’s updates are done by community members. However, Ubuntu started a service called Ubuntu Pro / ESM that provides updates for packages in universe. It’s opt in because Canonical wants companies using Ubuntu to pay for Pro in order to help fund Ubuntu. However, Pro is also free for personal use on up to 5 machines, so there’s no reason not to enable it. f it was enabled by default then no one would pay for it.
This is a very accurate explanation. ☝️
Anybody can get Ubuntu Pro for free on up to five devices: https://ubuntu.com/pro/subscribe
Why Ubuntu pro when you can have Linux Mint for free indefinitely
Ubuntu pro provides support after 5 years of standard LTS support. Linux Mint does not provide any support (paid nor free) after the first 5 years so the comparison does not really make sense.
Not to mention that I can’t find any indication that Mint has a fixed version of ffmpeg at all.
Does mint ship with a fixed version of ffmpeg?
All distros have security vulnerabilities. It’s the nature of software. Minimizing the risk is the best you can do.
