
As a sysadmin, I'm pretty aggressive about the security updates. I'm looking for the best practices when an update is missing in the official repository.

Example

  • Sept. 1st, CISA releases a security update about vmware-tools
  • I run 'apt update && apt upgrade' on my Ubuntu servers, hoping to install the patch
  • Due to different distribution versions, I don't always get the last 'fixed' version:

Ubuntu 20.04 LTS (focal), version 11.3.0 (vulnerable!)

root@ubuntu2004:/home/sysadmin# apt list --installed | grep open-vm-tools

WARNING: apt does not have a stable CLI interface. Use with caution in scripts.

open-vm-tools/focal-updates,focal-security,now 2:11.3.0-2ubuntu0~ubuntu20.04.6 amd64 [installed]

Ubuntu 22.04 LTS (jammy), version 12.1.5 (better, but not the last, though!)

root@ubuntu2204:/home/sysadmin# apt list --installed | grep open-vm-tools

WARNING: apt does not have a stable CLI interface. Use with caution in scripts.

open-vm-tools/jammy-updates,jammy-security,now 2:12.1.5-3~ubuntu0.22.04.3 amd64 [installed]

I get this; this makes sense when I look at Canonical's official package page, but I want to install the very last 12.3.0.

But now, here is the big question. How am I supposed to do my patch management? Am I just supposed to wait? Or should I somehow do the patching manually? (which may become a HUGE load of work)

In short, what are your best practices for such situations?

Archisman Panigrahi
Garry
  • Are you worried about any particular security vulnerability? Ubuntu backports the security patches to the old versions. See https://ubuntu.com/security/cves?q=&package=open-vm-tools&priority=&version=&status= – Archisman Panigrahi Sep 18 '23 at 15:17
  • In Ubuntu, open-vm-tools and stuff receive patches on top of the current version in the repository for security patches, etc. That's what the -security pocket is for. If you have specific vulnerabilities you want to keep an eye on, you should check the CVEs, etc. against the Ubuntu CVE tracker that Archisman linked you to. This applies to – Thomas Ward Sep 18 '23 at 15:20
  • The three most common security-related mistakes in AskUbuntu questions are 1) Erroneously assuming that Ubuntu should bump to the latest instead of patching, 2) Failing to use the CVE number to refer to specific vulnerabilities, and 3) Failing to use the Ubuntu CVE Tracker to check on mitigation status. Master those three. Then you can be truly "aggressive about security updates"... and effective at it. – user535733 Sep 18 '23 at 16:12
  • Ok, thanks to you all! I will improve myself in both patching AND asking questions. Cheers. – Garry Sep 20 '23 at 06:35

1 Answer

The link you posted refers to CVE-2023-20900, which Ubuntu has already backported into open-vm-tools version 2:11.3.0-2ubuntu0~ubuntu20.04.6 in Ubuntu 20.04.

For more details, see CVE-2023-20900

Archisman Panigrahi
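What the comments and the answer boil down to in practice is comparing the installed package version against the fixed version the Ubuntu CVE tracker lists for your release, using Debian's version ordering rather than upstream's release number. The following is an added example (not code from the question, the answer or Ubuntu): a small Python port of dpkg's version comparison applied to `apt list --installed` lines; the focal fixed version is the one the answer names, and the second sample line is a constructed older build used to show the unpatched case.

```python
import re

# Fixed version per release as the Ubuntu CVE tracker lists it for the CVE
# being checked. The focal entry is the one named in the answer; add other
# releases by copying them from the tracker page, not from upstream.
FIXED_VERSIONS = {"focal": "2:11.3.0-2ubuntu0~ubuntu20.04.6"}

def _order(c):
    """dpkg's character weight: '~' sorts before everything, even end-of-string."""
    if c == "~":
        return -1
    if c.isdigit():
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _verrevcmp(a, b):
    """Port of dpkg's verrevcmp(): alternate non-digit runs and numeric runs."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i, j = i + 1, j + 1
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i, j = i + 1, j + 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0

def compare_versions(v1, v2):
    """Debian ordering: epoch, then upstream, then revision. Returns -1, 0 or 1."""
    def split(v):
        epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
        upstream, _, rev = rest.rpartition("-") if "-" in rest else (rest, "", "")
        return int(epoch), upstream, rev
    e1, u1, r1 = split(v1)
    e2, u2, r2 = split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    c = _verrevcmp(u1, u2) or _verrevcmp(r1, r2)
    return (c > 0) - (c < 0)

# Shape of a line from `apt list --installed`: pkg/pockets version arch [installed...]
APT_LINE = re.compile(r"^(?P<pkg>[^/\s]+)/(?P<pockets>\S+) (?P<ver>\S+) \S+ \[installed")

def audit_apt_lines(lines, package="open-vm-tools"):
    """Return [(release, installed_version, status)] for lines about `package`."""
    out = []
    for line in lines:
        m = APT_LINE.match(line.strip())
        if not m or m["pkg"] != package:
            continue
        release = m["pockets"].split(",")[0].split("-")[0]  # "focal-updates,..." -> "focal"
        fixed = FIXED_VERSIONS.get(release)
        if fixed is None:
            out.append((release, m["ver"], "no fixed version on record"))
        else:
            ok = compare_versions(m["ver"], fixed) >= 0
            out.append((release, m["ver"], "patched" if ok else "VULNERABLE"))
    return out

# First line is the focal output quoted in the question; second is constructed.
SAMPLE_APT_LINES = [
    "open-vm-tools/focal-updates,focal-security,now 2:11.3.0-2ubuntu0~ubuntu20.04.6 amd64 [installed]",
    "open-vm-tools/focal-updates,focal-security,now 2:11.3.0-2ubuntu0~ubuntu20.04.5 amd64 [installed]",
]

if __name__ == "__main__":
    for release, ver, status in audit_apt_lines(SAMPLE_APT_LINES):
        print(f"{release}: {ver} -> {status}")
```

On a real host, feed it `subprocess.run(["apt", "list", "--installed"], capture_output=True, text=True).stdout.splitlines()` instead of the sample lines.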