1

The ESM webpage (https://ubuntu.com/security/esm) is inconsistent. These statements are all on that page:

ESM enables continuous vulnerability management for critical, high and medium CVEs.

(COVERAGE FOR CRITICAL, HIGH AND SELECTED MEDIUM CVES)

ESM continues security updates and kernel livepatching for high and critical CVEs (Common Vulnerabilities and Exposures).

What does ESM actually cover?

  • You should probably contact Canonical directly, since no one here is involved in what's stated on their webpage. – Artur Meinild Jun 27 '23 at 12:50
  • Your answer is in the quote. They do not contradict :) (the last one is specific to kernels). The 1st one for non-kernel and the middle one for both. And I agree: regarding ESM: take it up with Canonical. They will know the exact details on this. – Rinzwind Jun 27 '23 at 12:52
  • It provides 10 years support while it is normally 5 years. – Mahler Jun 27 '23 at 15:46

1 Answer

0

This appears to be the answer: https://discourse.ubuntu.com/t/ubuntu-pro-faq/34042#:~:text=Will%20all%20vulnerabilities%20get%20fixed%3F

Will all vulnerabilities get fixed?

Ubuntu Security Team prioritises critical and high CVEs. They will also tackle selected medium CVEs. For customers with specific compliance requirements, Canonical allows enterprise customers to sponsor additional patches up to medium CVEs for a selected subset of packages and their dependencies.

Canonical should update their webpage about ESM to be more clear about what is supported.

muru