Trying to understand the function/purpose/effectiveness of LTS
Shamim Shahriar
shamim.shahriar at gmail.com
Sun Apr 26 20:18:09 UTC 2020
Good evening everyone, hope you all are well.

Disclaimer: I am not a Linux expert, nor do I have much experience with it.
The last time I had to deal with Linux was back in the 90s using
Slackware, Red Hat and SUSE (Slackware being the favourite at that time).
But I am well versed with various *nix systems and quite comfortable
doing my research and finding my way around. Please note, that is why I
came to the list to ask for help in understanding something.

I am trying to understand the function/purpose of the LTS branch. From
what I can gather (and please feel free to correct me if I am mistaken),
LTS stands for Long Term Support, and each LTS is supported for the
subsequent 5 years. This support includes fixing hardware issues for at
least 2 years, and any security/functionality support for at least 5
years. This is counted from the time of the initial release.
This understanding comes, among many others, primarily from
https://wiki.ubuntu.com/LTS

I am slightly confused, and hoping someone might help me understand,
what I am experiencing now.

I have been tasked with looking after a few Ubuntu LTS (16) servers. We
use Nessus for security scanning/testing, and all these servers are
complaining about OpenSSL 1.0.x and TLSv1 and TLSv1.1. However, as I try
to run update and upgrade, there does not appear to be any update for
OpenSSL or any of the relevant packages (Apache, Nginx, OpenSSH). The
best I could find through a Google search is manual injection of OpenSSL,
which has the potential to break anything and everything that may rely
on the older version of the libraries. Also, if I have to do manual
injection, that forfeits the purpose of having an LTS (in my opinion).

So, I am slightly confused. If I read and understood the LTS definition
correctly, then there should have been (at least) security patches up
till 2021 (for these servers). I am not trying to be at the bleeding
edge, but any and all software that can be picked up by security
scanners is expected to be patched (OpenSSH, web servers, etc.).
Somehow, these servers are NOT picking up any update relevant to these.
And from what I can tell, they have not been tampered with (to my
understanding), so it is not a configuration issue.

I am genuinely trying to understand what the benefit of having LTS is if
none of the security issues are taken care of.

I would appreciate it if someone could please help me understand.

Kind regards
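Two checks a defender would run against the situation the post describes, added here as an example and not part of the original message or of any Ubuntu tooling. The first shows how a Debian/Ubuntu package version string separates the upstream OpenSSL version from the distribution's security revision: Ubuntu backports fixes into the same upstream version, so a scanner that keys on a "1.0.x" banner is not, on its own, evidence that security updates are missing, and the revision count (plus the matching Ubuntu Security Notice) is what to compare. The second shows that the TLSv1/TLSv1.1 findings are a site configuration matter rather than a package update matter: an nginx `ssl_protocols` directive that still lists those versions is rewritten to TLSv1.2 only (the 1.0.2 series has no TLS 1.3). The version strings and directive lines below are constructed samples; on a real host the version would come from `dpkg-query -W -f='${Version}' libssl1.0.0` and the directive from the server's own config.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes nothing beyond POSIX sh;
# all inputs below are constructed for illustration.

# Upstream part of a Debian/Ubuntu version: "1.0.2g-1ubuntu4.15" -> "1.0.2g".
upstream_version() {
    printf '%s\n' "$1" | cut -d- -f1
}

# Distribution revision: "1.0.2g-1ubuntu4.15" -> "1ubuntu4.15" (empty if none).
distro_revision() {
    case "$1" in
        *-*) printf '%s\n' "${1#*-}" ;;
        *)   printf '\n' ;;
    esac
}

# Number of Ubuntu point updates applied on top of the Debian revision:
# "1ubuntu4.15" -> 15, "1ubuntu4" -> 0, no ubuntu suffix -> 0. A non-zero
# count means the distro has shipped fixes without bumping "1.0.2g", which is
# exactly what a banner-based scanner cannot see.
ubuntu_update_count() {
    rev=$(distro_revision "$1")
    case "$rev" in
        *ubuntu*.*) printf '%s\n' "${rev##*.}" ;;
        *)          printf '0\n' ;;
    esac
}

# List the protocols from a space-separated set that scanners flag as weak.
weak_protocols() {
    for p in $1; do
        case "$p" in
            SSLv2|SSLv3|TLSv1|TLSv1.1) printf '%s\n' "$p" ;;
        esac
    done
}

# Rewrite an nginx "ssl_protocols ...;" line keeping only TLSv1.2 (and
# TLSv1.3 if it was already there). If nothing acceptable remains, emit
# TLSv1.2 alone so the site does not end up with an empty protocol set.
harden_ssl_protocols() {
    protos=$(printf '%s\n' "$1" \
        | sed -e 's/^[[:space:]]*ssl_protocols[[:space:]]*//' -e 's/;.*$//')
    kept=""
    for p in $protos; do
        case "$p" in
            TLSv1.2|TLSv1.3) kept="$kept $p" ;;
        esac
    done
    [ -n "$kept" ] || kept=" TLSv1.2"
    printf 'ssl_protocols%s;\n' "$kept"
}

# Stand-alone demonstration on constructed input.
sample_version="1.0.2g-1ubuntu4.15"   # constructed, Xenial-style string
sample_directive="ssl_protocols TLSv1 TLSv1.1 TLSv1.2;"   # constructed
echo "upstream OpenSSL: $(upstream_version "$sample_version")"
echo "Ubuntu security updates applied: $(ubuntu_update_count "$sample_version")"
echo "weak protocols still enabled:"
weak_protocols "$(printf '%s\n' "$sample_directive" \
    | sed -e 's/^ssl_protocols //' -e 's/;$//')"
echo "hardened directive: $(harden_ssl_protocols "$sample_directive")"
```

The revision count is a starting point, not a verdict: the definitive check is whether the installed revision is at or above the one named in the relevant Ubuntu Security Notice for the CVE the scanner cites. For Apache the equivalent configuration change is `SSLProtocol -all +TLSv1.2`.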