Hi everyone,
I'm an infrastructure engineer who is trying to gain Cyber Essentials Plus accreditation for my organisation. As part of that, I'm having to ensure that all of the vulnerabilities classed as High or above in severity are patched. One of the vulnerabilities I've got on a couple of Ubuntu servers running Exim is this: https://ubuntu.com/security/notices/USN-6169-1 - a GSASL library needs to be updated. This vulnerability affects both the 20.04 and 22.04 LTS versions of Ubuntu, as well as a few other ESM versions. Now, as far as I can tell, the only way to fix this vuln is to update the package to an ESM version of the package, and thus it requires an Ubuntu Pro subscription to update the package.
Why is it that there's an Ubuntu LTS vulnerability that is only patchable by moving to ESM? Surely this goes against the ethos of Ubuntu? Am I missing something here?
Thanks,
Gareth