The Canonical Kernel Team is abandoning its update cadence in favor of a four-week cycle, and will add an additional update every two weeks for the most urgent fixes.
A move to a four-week cycle with a midpoint update will result in regular upstream stable updates, including security patches, bug fixes, and feature requests coming every four weeks. Critical fixes that can’t wait will arrive on a two-week cadence.
In the past, the Canonical team worked to a three-week kernel update cycle. This, according to Kleber Souza, Linux kernel engineering manager at Canonical, made for reasonable responsiveness but was “prone to interruptions from urgent CVEs, urgent customer requests and regressions found in -updates or during testing.”
The result was that the cycle tended to be extended, and delivering CVE fixes promptly was challenging.
Souza noted that OEM kernels would follow a more flexible schedule in terms of their deadlines for the acceptance of new patches.
Ubuntu is one of the most popular Linux distributions, and the changes will interest engineers charged with maintaining fleets of hardware running the operating system - on-premises or in the cloud - in light of the pace of vulnerability discovery and patching.
Quantifying the public vulnerability market
Read how the reporting of vulnerabilities is contributing to greater, comprehensive security for all.
The move was described by one user on the company’s forums as “ambitious” and comes in the wake of a relatively easy-to-exploit privilege escalation vulnerability disclosed recently.
The vulnerability in the OverlayFS module used in Ubuntu was documented in CVE-2023-2640 and CVE-2023-32629 and was exclusive to the operating system following changes made by the Canonical team in 2018.
CVE-2023-2640 permits an unprivileged user to set privileged extended attributes on mounted files. CVE-2023-32629 is a local privilege escalation vulnerability where permission checks are skipped.
Those changes only became an issue in 2020 when a security vulnerability patched in the Linux kernel did not make it into Ubuntu due to the earlier changes.
One report stated that the vulnerability could affect 40% of Ubuntu cloud workloads. Ubuntu fixed the vulnerabilities on 24 July 2023, and users were instructed to update their kernels.
With the revised cycle schedule, Souza said: “The Canonical Kernel Team is expecting to deliver more predictable updates with quicker turnaround for time-sensitive fixes”.
