89

I use the package texlive-full, which installs imagemagick and other related packages. When I check for updates, I get this message:

The following security updates require Ubuntu Pro with 'esm-apps' enabled:
  imagemagick libopenexr25 libmagick++-6.q16-8 libmagickcore-6.q16-6-extra
  libmagickwand-6.q16-6 imagemagick-6.q16 libmagickcore-6.q16-6
  imagemagick-6-common

Which means that if I want to use texlive-full with Ubuntu 22.04, I have to pay $500 per year to have a secured distro, as far as I understand what is written.

Is there a way to avoid that, for example by not installing everything installed by texlive-full?

EDIT:

gaucher@mars:~$ apt policy texlive-full
texlive-full:
  Installé : 2021.20220204-1
  Candidat : 2021.20220204-1
 Table de version :
 *** 2021.20220204-1 500
        500 http://fr.archive.ubuntu.com/ubuntu jammy/universe amd64 Packages
        500 http://fr.archive.ubuntu.com/ubuntu jammy/universe i386 Packages
        100 /var/lib/dpkg/status

My configuration (yes I am using Ubuntu 22.04):

[screenshot of the Software & Updates settings omitted]

Added on request:

gaucher@mars:~$ apt policy imagemagick
imagemagick:
  Installé : 8:6.9.11.60+dfsg-1.3ubuntu0.22.04.1+esm1
  Candidat : 8:6.9.11.60+dfsg-1.3ubuntu0.22.04.1+esm1
 Table de version :
 *** 8:6.9.11.60+dfsg-1.3ubuntu0.22.04.1+esm1 500
        500 https://esm.ubuntu.com/apps/ubuntu jammy-apps-security/main amd64 Packages
        100 /var/lib/dpkg/status
     8:6.9.11.60+dfsg-1.3build2 500
        500 http://fr.archive.ubuntu.com/ubuntu jammy/universe amd64 Packages
Artur Meinild
Philippe Gaucher
  • Comments have been moved to chat; please do not continue the discussion here. Before posting a comment below this one, please review the purposes of comments. Comments that do not request clarification or suggest improvements usually belong as an answer, on [meta], or in [chat]. Comments continuing discussion may be removed. – andrew.46 Jan 31 '23 at 09:32
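The two apt policy listings above differ in one detail that decides the whole question: the candidate version of imagemagick is served from esm.ubuntu.com, the candidate of texlive-full from the normal archive. The following script is an added example (it is not from the question or from any of the answers, and not a tool shipped by Ubuntu) that automates that reading: it parses apt-cache policy / apt policy output, in English or in a localised form such as the French output quoted above, and prints the packages whose candidate version would come from esm.ubuntu.com. The sample input embedded in the script is constructed from the two listings in the question; the --live mode assumes a machine on which esm-apps is already attached, since that is the only case in which the ESM source appears in apt's own policy output.

```shell
# Added example: list packages whose apt candidate version is served from
# esm.ubuntu.com, i.e. updates that "apt upgrade" only installs with Pro /
# esm-apps attached. Reads "apt-cache policy" (or "apt policy") output on stdin.
esm_only_packages() {
    awk '
    # A package block starts with a non-indented "name:" line.
    /^[^ \t]/ { pkg = $1; sub(/:$/, "", pkg); cand = ""; cur = ""; next }
    # "Candidate: VER" (English) or "Candidat : VER" (French): the last field
    # is the version apt would install.
    /^[ \t]+(Candidate|Candidat)[ \t]*:/ { cand = $NF; next }
    # A source line "<priority> <url-or-path> ..." belongs to the version
    # entry seen just before it.
    $1 ~ /^[0-9]+$/ && $2 ~ /^(https?:\/\/|\/)/ {
        if (cur != "" && cur == cand && $2 ~ /esm\.ubuntu\.com/) esm[pkg] = 1
        next
    }
    # A version-table entry: "*** VER PRIO" (installed) or "VER PRIO".
    NF >= 2 && $NF ~ /^[0-9]+$/ { cur = ($1 == "***") ? $2 : $1 }
    END { for (p in esm) print p }
    ' | sort
}

# Constructed sample: the two "apt policy" outputs quoted in the question, joined.
SAMPLE_POLICY='texlive-full:
  Installé : 2021.20220204-1
  Candidat : 2021.20220204-1
 Table de version :
 *** 2021.20220204-1 500
        500 http://fr.archive.ubuntu.com/ubuntu jammy/universe amd64 Packages
        100 /var/lib/dpkg/status
imagemagick:
  Installé : 8:6.9.11.60+dfsg-1.3ubuntu0.22.04.1+esm1
  Candidat : 8:6.9.11.60+dfsg-1.3ubuntu0.22.04.1+esm1
 Table de version :
 *** 8:6.9.11.60+dfsg-1.3ubuntu0.22.04.1+esm1 500
        500 https://esm.ubuntu.com/apps/ubuntu jammy-apps-security/main amd64 Packages
        100 /var/lib/dpkg/status
     8:6.9.11.60+dfsg-1.3build2 500
        500 http://fr.archive.ubuntu.com/ubuntu jammy/universe amd64 Packages'

# Live mode (assumption: esm-apps is attached, so the ESM source is visible to
# apt): run apt-cache policy over every installed package.
live_esm_only_packages() {
    dpkg-query -W -f='${binary:Package}\n' | xargs apt-cache policy | esm_only_packages
}

if [ "${1:-}" = "--live" ]; then
    live_esm_only_packages
else
    # On the sample this prints only: imagemagick
    printf '%s\n' "$SAMPLE_POLICY" | esm_only_packages
fi
```

Run it without arguments to see the result on the sample (only imagemagick is reported, texlive-full is not), or with --live on an attached machine. apt-cache policy is used rather than apt policy because apt's own output is declared unstable for scripts, which is also the reason given in a later answer for the message not appearing under apt-get.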

8 Answers

46

This is an additional support stream

From reddit.com/r/linux/, user Patch86UK:

For clarity: This is not a roadblock being put on an existing support stream, it is a new support stream. Previously Ubuntu did not provide security patches for "Universe" repo packages (instead relying on upstream patches to happen when they happen). The Ubuntu security team are now producing in-house security patches for these packages, but only where Pro has been opted into (which is free for personal use).

If you do not want to opt in to Pro you still have the same level of support you had before (and the same level of support that you have with 99% of other distros).

Pablo Bianchi
Serge Stroobandt
  • I'm now considering Debian 11. This is a terrible idea by the Ubuntu team. – Gary Feb 04 '23 at 22:47
  • It is time to consider moving away from Ubuntu... – Kaspacainoombro Feb 05 '23 at 21:05
  • I feel like this will be widely misunderstood. There were no previous updates of this kind. These updates are available only in Ubuntu because this is additional work by them. Debian will not receive these until the community patches them, at which point they'll be available in "non-paid" Ubuntu. So this is on top of what you'd get on Debian. – s3v3n Feb 06 '23 at 08:15
  • @Gary There really isn't a difference with Debian as the ImageMagick vulnerabilities haven't been patched (except for old-stable as far as I can tell). This isn't any different than it was before with the Universe repository, only now ImageMagick has been moved to Universe which I do feel was a bad move considering all the vulnerabilities that pop up with this group of packages. – mchid Feb 06 '23 at 23:46
  • @Gary Also, I think it should be noted that ImageMagick appears to be fully patched in 22.10 and also for 18.04 (because in 18.04, ImageMagick was still in main, not Universe). – mchid Feb 06 '23 at 23:51
  • @s3v3n Yes and no. ImageMagick was moved out of main and into Universe in 20.04. – mchid Feb 06 '23 at 23:52
  • Actually, I'm not sure why, but security updates were made available for 22.10 but not for Jammy. – mchid Feb 06 '23 at 23:57
  • I think the message should read: "Get FASTER security updates through Ubuntu Pro with 'esm-apps' enabled:" – Hugo Cox Apr 03 '23 at 18:42
  • Ubuntu is still holding back security patches. The ethics of this are extremely questionable. They're basically doing what those "security" companies do that sell exploits (NSO, etc). Consider an evil hacker that has a "Pro" subscription; it's basically a feed for exploits they can use. No more Ubuntu for me. – CR. Apr 24 '23 at 22:51
  • I disagree. Ubuntu is a company that has to hire people to do the work of patching these exploits in someone else's source code; in order for them to be able to do this they need to find a revenue stream to cover the costs of hiring these people. Why not be angry at the people who wrote the original software and ignore the fact they have security vulnerabilities? Probably because they are in the same boat: they too write open source software and don't have a massive income to investigate and fix these, some packages being maintained by a single person. – Matt Sep 20 '23 at 10:41
  • @CR. I doubt Ubuntu is discovering new vulnerabilities and patching them in secret without notifying the affected projects of the vulnerability. They are probably just patching publicly known vulnerabilities before the actual dev team for that package gets around to it. Putting that behind a paywall seems fine to me. Hackers are not learning anything new by subscribing to Ubuntu Pro. – nog642 Sep 29 '23 at 12:45
  • @nog642 If you're running Ubuntu 22.04, the very latest LTS, then despite being fully up to date and patched, you're not. Currently there are dozens of security patches that exist but are only available via Pro. I've demonstrated this for organizations by easily breaking in to their fully up-to-date and still fully supported systems. Like me, they drop Ubuntu real quick. – CR. Sep 30 '23 at 00:59
  • @CR. Those patches are exclusive to Ubuntu Pro though. You're not going to get them by dropping Ubuntu. Once the patch is available on other distros, it should be available on the free version of Ubuntu too. To my understanding. – nog642 Sep 30 '23 at 02:04
  • @nog642 So you're saying what I said in my original post. OK – CR. Sep 30 '23 at 03:08
  • Here is a super helpful Ubuntu Pro FAQ making it very clear that this is not "taking away" anything we already had, but rather adding something new that we never had. (I hope that's true. I haven't verified anything. That's good enough for me for now.) – Gabriel Staples Jan 26 '24 at 17:56
45

Here is a solution that doesn't require subscribing or registering. It removes the helpful "look what you could get if you sign up" message. This is not the most elegant, but it takes care of the immediate issue:

The file /etc/apt/apt.conf.d/20apt-esm-hook.conf provides the hook that calls the marketing message generation. Removing that is an option:

    mkdir -p ~/relocated_apt
    sudo mv /etc/apt/apt.conf.d/20apt-esm-hook.conf ~/relocated_apt/

Now when you run apt upgrade the message does not show.

Note this doesn't survive updates if a new version gets put there, which may happen more as this new feature is rolled out/updated.

  • While this may remove the message, it doesn't fix the security vulnerability that the message is warning you that you're affected by. – Joseph Sible-Reinstate Monica Jan 30 '23 at 17:31
  • This solution addresses the issue of getting a message that is perceived as an error. If the OP does not want to subscribe (or be reminded about it in a confusing way), this removes the message. – John Manecke Jan 30 '23 at 22:00
  • Help me to better understand this. Is there a security vulnerability here? If I'm running Debian stable, the version of imagemagick I'll have is the same as what I'm getting from universe without the esm-apps. I generally consider Debian stable to be well updated from a security perspective. Agree moving to esm-apps provides a path to increased security, but I'm not sure running without it means I'm running with security vulnerabilities? Does this issue rise to something you modify the output of apt for? – John Manecke Jan 30 '23 at 22:05
  • Yes, it appears 20.04 and 22.04 do have some vulnerabilities that only ESM provides updates for. As for Debian, you'll have to check with Debian to see if the same applies because Debian offers slightly different package versions that may be patched. – mchid Feb 02 '23 at 14:30
  • Like for this CVE, oldstable (buster) is patched but stable (bullseye) is not. – mchid Feb 02 '23 at 14:44
  • Pretty sure it will survive an update (or it will at least prompt you before making changes) if you simply change the hooks from true to false. For example: sudo sed -i 's/true/false/g' /etc/apt/apt.conf.d/20apt-esm-hook.conf – mchid Mar 27 '23 at 04:33
41

I have found the solution. Run:

    sudo pro enable esm-apps

and then update the usual way, and imagemagick and all related packages will be updated.

If Ubuntu Pro support is enabled on your Ubuntu Desktop, you can go to Software & Updates and open the Ubuntu Pro tab.

Software & Updates

In this context, it should be noted that "ESM Apps" cover applications from the universe repository.

Note that it is necessary to have an account on ubuntu.com and this feature is free for up to 5 machines.

See the Q&A about Ubuntu Pro.

Philippe Gaucher
29

There are two possible solutions.

Solution 1: Enable the Pro repository.

That repository is not public, it's free for up to 5 machines, it requires setting up an account (email, username, password), and it gives you additional security updates. To do that, register at https://ubuntu.com/pro, get your personal token, then run:

    sudo pro attach your-personal-token

This is what Ubuntu recommends itself.

Solution 2: Remove the advertisement.

    sudo dpkg-divert --divert /etc/apt/apt.conf.d/20apt-esm-hook.conf.bak --rename --local /etc/apt/apt.conf.d/20apt-esm-hook.conf

This will effectively add a .bak suffix to the conf file, immediately disabling it. This will continue to work with future apt upgrades as well.

To confirm that it is working, run apt upgrade. If everything works correctly, you should no longer see the extra text.

20

Have you actually tried going to https://ubuntu.com/pro ? I just did, and after logging in, I received a "Free Personal Token" that never expires and includes up to 5 machines.

Then you just need to run:

    sudo pro attach your-personal-token

and that's it :)

2

While most answers discuss ESM, TeXLive without (Ubuntu's version of) imagemagick might be a reasonable goal by itself.

Regarding which packages in texlive-full actually require imagemagick, you could simply do a sudo apt remove imagemagick-6-common after installing texlive-full.

But if you plan to use tlmgr, you should avoid installing texlive-full and just follow this guide on tex.stackexchange. However, imagemagick might still be pulled in by other TeX-related packages, e.g., on my system kbibtex recommends latex2rtf (not part of TeXLive, but on CTAN) which requires imagemagick-6-common.

frafl
1

These have not helped me (they do not persist):

  1. moving/removing /etc/apt/apt.conf.d/20apt-esm-hook.conf
  2. changing the token in the /etc/apt/apt.conf.d/20apt-esm-hook.conf file from true to false

I have not found a workaround for this that persists. However, I do note from a discussion on reddit:

We don't show it in apt-get (anymore) because scripts parse apt-get output and break whereas apt output is for humans only.

I can confirm that the message does not (as of yet) get called when using apt-get or if using nala as a front end.

Definitely not a 'solution' as such, but it does allow me to not be reminded how much I hate Ubuntu every time I run an update :)

nodnarb
-1

To disable:

    # root is required to change the mode of a file under /usr/lib
    sudo chmod a-x /usr/lib/ubuntu-advantage/apt-esm-json-hook
    sudo pro disable esm-apps

To enable:

    sudo chmod a+x /usr/lib/ubuntu-advantage/apt-esm-json-hook
    # attach first (the service cannot be enabled on an unattached machine);
    # replace the placeholder with the token you got from ubuntu.com/pro
    sudo pro attach XXXXXXXXXXXXXX
    sudo pro enable esm-apps

Zibri