Security updates

Ubuntu is a fixed-release Linux distribution. As such, Ubuntu releases receive security updates during the support window in the form of backported patches. This means that security updates will not generally introduce new functionality and stability is achieved by maintaining backward compatibility. Please note that some packages in Ubuntu will receive feature updates through the Stable Release Update process, but this is orthogonal to the delivery of security updates.

The level of security support depends on the component in which a package resides (Main, Restricted, Universe or Multiverse). The Ubuntu Security Team is responsible for preparing security updates for supported Ubuntu releases and working with the community to sponsor community-prepared security updates. The following table lists the security maintenance window for Ubuntu releases.

Release type                                  | Main / Restricted | Universe / Multiverse
----------------------------------------------|-------------------|----------------------
Interim (standard support)                    | 9 months          | Community-supported
LTS (standard support)                        | 5 years           | Community-supported
LTS (ESM support - with Ubuntu Pro)           | 10 years          | 10 years
LTS (ESM + Legacy support - with Ubuntu Pro)  | 12 years          | FIXME

Delivery

Security updates are delivered through special-purpose pockets in the Ubuntu archive. For standard support, the security pocket is used, available from http://security.ubuntu.com/ubuntu with a suite name that follows the RELEASE-security naming convention. For example, the following APT sources configuration in DEB822 format will configure the security pocket on the Main and Universe components for Ubuntu 24.04 LTS Noble Numbat:

Types: deb
URIs: http://security.ubuntu.com/ubuntu/
Suites: noble-security
Components: main universe
Signed-By: /usr/share/keyrings/ubuntu-archive-keyring.gpg

Security updates available with an Ubuntu Pro subscription are delivered through a different archive pocket. The configuration is detailed in the ESM section.
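A practitioner usually wants to confirm that the RELEASE-security pocket is actually enabled on a host, not just documented. The following is an added example (not part of this page or of Ubuntu's tooling) that parses DEB822 stanzas like the one above, plus classic one-line sources.list entries, and reports whether the security suite for a given codename is enabled, with which components, and whether signature verification has been switched off through the Trusted field (or the equivalent [trusted=yes] option). The sample sources text and the mirror host in it are constructed for illustration.

```python
"""Check whether an APT sources configuration enables the Ubuntu security pocket.

Added example: parses DEB822 (.sources) stanzas and classic one-line
(sources.list) entries and reports how RELEASE-security is configured.
"""
import re

# Constructed sample inputs; the security URI matches the page, the rest is illustrative.
SAMPLE_DEB822 = """\
Types: deb
URIs: http://archive.ubuntu.com/ubuntu/
Suites: noble noble-updates
Components: main universe
Signed-By: /usr/share/keyrings/ubuntu-archive-keyring.gpg

# security pocket, as in the page's example
Types: deb
URIs: http://security.ubuntu.com/ubuntu/
Suites: noble-security
Components: main universe
Signed-By: /usr/share/keyrings/ubuntu-archive-keyring.gpg

Enabled: no
Types: deb
URIs: http://security.ubuntu.com/ubuntu/
Suites: jammy-security
Components: main
"""

SAMPLE_ONE_LINE = """\
# a leftover sources.list entry that disables signature checks (weak setting)
deb [trusted=yes] http://mirror.example/ubuntu noble-security restricted
"""


def parse_deb822(text):
    """Split DEB822 text into stanzas: a list of {field: value} dicts.
    Blank lines separate stanzas, '#' lines are comments and indented
    continuation lines are folded into the previous field."""
    stanzas, current, last_key = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            if current:
                stanzas.append(current)
            current, last_key = {}, None
            continue
        if line.startswith("#"):
            continue
        if line[0].isspace() and last_key:
            current[last_key] += " " + line.strip()
            continue
        key, _, value = line.partition(":")
        last_key = key.strip()
        current[last_key] = value.strip()
    if current:
        stanzas.append(current)
    return stanzas


def parse_one_line(text):
    """Parse classic 'deb [opts] URI suite comp...' lines into the same dict shape."""
    entries = []
    pattern = re.compile(r"^(deb(?:-src)?)\s+(?:\[([^\]]*)\]\s+)?(\S+)\s+(\S+)\s*(.*)$")
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = pattern.match(line)
        if not m:
            continue
        typ, options, uri, suite, comps = m.groups()
        entry = {"Types": typ, "URIs": uri, "Suites": suite, "Components": comps.strip()}
        if options and "trusted=yes" in options.split():
            entry["Trusted"] = "yes"  # same meaning as the DEB822 'Trusted: yes' field
        entries.append(entry)
    return entries


def security_pocket_status(entries, codename):
    """Summarise how <codename>-security is configured across all entries."""
    suite = f"{codename}-security"
    enabled, trusted, components, uris = False, False, set(), set()
    for e in entries:
        if e.get("Enabled", "yes").strip().lower() in ("no", "false"):
            continue  # stanza present but switched off
        if "deb" not in e.get("Types", "deb").split():
            continue  # deb-src only
        if suite not in e.get("Suites", "").split():
            continue
        enabled = True
        components.update(e.get("Components", "").split())
        uris.update(e.get("URIs", "").split())
        if e.get("Trusted", "").strip().lower() == "yes":
            trusted = True  # signature verification disabled for this source
    return {"enabled": enabled, "components": sorted(components),
            "uris": sorted(uris), "trusted_override": trusted}


if __name__ == "__main__":
    entries = parse_deb822(SAMPLE_DEB822) + parse_one_line(SAMPLE_ONE_LINE)
    print(security_pocket_status(entries, "noble"))
```

On a real host, feed the function the concatenated contents of /etc/apt/sources.list and /etc/apt/sources.list.d/*.sources (DEB822) and *.list (one-line) instead of the samples; a trusted_override of True or an empty components list for the security suite is what you want flagged.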

Vulnerability tracking

The Ubuntu Security Team manages information about vulnerabilities in Ubuntu packages through the Ubuntu CVE Tracker (UCT). Vulnerability data is imported from various sources, including the CVE Program, allowing vulnerabilities to be referenced through CVE IDs. UCT contains information about known vulnerabilities, even when security updates are not yet available. Vulnerabilities under an embargo are not included, as this is a public project, but are added to UCT upon public disclosure. You can find more information and associated data processing tools in the project’s Git repository.

Additionally, all vulnerability data available in UCT can be browsed in the CVE reports section of the Ubuntu website.

Ubuntu Security Notices

Upon publication of security updates for packages in the Ubuntu Archive, the Ubuntu Security Team publishes Ubuntu Security Notices (USNs) that contain information about the vulnerability and affected packages. You can browse all Ubuntu Security Notices on the website or subscribe to the Ubuntu Security Announce mailing list to receive email notifications whenever Ubuntu Archive security updates are made available.

Vulnerability knowledge base

Detailed technical information on high-impact, publicly disclosed vulnerabilities, including available mitigation steps, is published in the Vulnerability knowledge base section of the Ubuntu website.

Data feeds

Information on the available security updates can be obtained in several industry-standard machine-readable formats: OVAL, OSV and VEX. These data feeds facilitate the integration of automated patching tools and vulnerability management scanners by incorporating information on the vulnerabilities that each security update addresses, including references to the Common Vulnerabilities and Exposures (CVE) enumeration through CVE IDs. The data feeds are freely available for all supported releases, and their use is documented in the respective sections below.

ESM

Livepatch

The Canonical Livepatch service provides security fixes for most major kernel security issues without requiring a reboot.

OVAL

OSV

VEX