Ubuntu security assurances

The open source software ecosystem is vast, requiring careful consideration in information security risk management. Ubuntu is carefully engineered to provide a solid foundation for any type of deployment, with transparent security processes built on modern best practices.


A critical link in your software supply chain

Assessing the software supply chain is a critical aspect of building a strong security posture. Through its commitment to open source, Ubuntu is built on transparent processes that can be relied upon by all its users and integrated within enterprise risk assessment programs.


Stable security updates

The Ubuntu Security Team fixes vulnerabilities through targeted security updates that maintain backwards compatibility in all LTS releases, with support for up to 12 years.




Vulnerability visibility

Known vulnerabilities that affect Ubuntu packages are tracked in the public Ubuntu CVE Tracker. The information, including available fixes, is distributed through open standard formats (OVAL, OSV and VEX) that can be integrated with any third-party tool that supports these schemas.


Long-term stability

Most open source software suppliers only address vulnerabilities in the latest version, but updating to a cutting-edge release carries a risk of introducing incompatible changes or the removal of relied-upon functionality. Instead, Ubuntu users receive bespoke security updates that only address the security flaws and retain compatibility with the software version originally distributed in the Ubuntu release they have installed.


Regression mitigation

Packages go through comprehensive regression testing before updates are made available, reducing the risk of downtime or the complexities of rolling them back. The unattended-upgrades feature applies updates automatically and is enabled by default on Ubuntu installations.


Rapid fixes

The Ubuntu Security Team collaborates with security researchers, open-source projects and other industry groups to prepare fixes for high-impact vulnerabilities within closed embargoes, in order to deliver security updates at the same time the vulnerabilities are publicly disclosed.


Notification

All security updates are followed by Ubuntu Security Notices (USNs), allowing operational teams to triage and apply them in a timely fashion. For custom integrations, the vulnerability data feeds provide the same information in open standard formats (OVAL, OSV and VEX).
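The feeds named above (OVAL, OSV and VEX) are meant to be consumed by tooling, and the main pitfall in such an integration is comparing package versions as plain strings. The Python below is an added example, not Canonical's code: it triages a constructed OSV-style record against an installed Debian package version using dpkg's ordering rules (so 2.4.10 sorts after 2.4.9 and 1.0~rc1 before 1.0). The record's id, ecosystem string and package name are placeholders, and each range is assumed to carry at most one introduced/fixed pair.

```python
def _order(c):
    # dpkg character weights: '~' < end-of-string or digit < letters < other characters
    if c == "~":
        return -1
    if c == "" or c.isdigit():
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_frag(a, b):
    """Compare an upstream-version or revision string like dpkg's verrevcmp()."""
    i = j = 0
    while i < len(a) or j < len(b):
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac, bc = _order(a[i:i + 1]), _order(b[j:j + 1])  # non-digit run, char by char
            if ac != bc:
                return ac - bc
            i, j = i + 1, j + 1
        na = nb = ""  # digit run, compared numerically
        while i < len(a) and a[i].isdigit():
            na, i = na + a[i], i + 1
        while j < len(b) and b[j].isdigit():
            nb, j = nb + b[j], j + 1
        if int(na or 0) != int(nb or 0):
            return int(na or 0) - int(nb or 0)
    return 0

def compare_versions(v1, v2):
    """Return <0, 0 or >0 per Debian policy: epoch, then upstream version, then revision."""
    def split(v):
        epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
        upstream, _, rev = rest.rpartition("-") if "-" in rest else (rest, "", "")
        return int(epoch), upstream, rev
    (e1, u1, r1), (e2, u2, r2) = split(v1), split(v2)
    return (e1 - e2) or _cmp_frag(u1, u2) or _cmp_frag(r1, r2)

def is_affected(record, package, installed):
    """True if installed lies in an [introduced, fixed) range of the OSV record."""
    for aff in record["affected"]:
        if aff["package"]["name"] != package:
            continue
        for rng in aff.get("ranges", []):
            events = {k: v for ev in rng["events"] for k, v in ev.items()}  # one pair per range assumed
            if compare_versions(installed, events.get("introduced", "0")) < 0:
                continue
            if "fixed" not in events or compare_versions(installed, events["fixed"]) < 0:
                return True
    return False

# Constructed sample in the public OSV schema; the id and ecosystem values are placeholders.
SAMPLE_OSV = {"id": "EXAMPLE-0001", "affected": [{"package": {"ecosystem": "Ubuntu:PLACEHOLDER", "name": "examplepkg"},
    "ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "0"}, {"fixed": "2.4.1-1ubuntu0.1"}]}]}]}
```

Run `is_affected(SAMPLE_OSV, "examplepkg", installed_version)` for each package reported by `dpkg-query -W`; a version equal to or newer than the fixed version is correctly reported as not affected.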


Software assessment

Ubuntu distributes over 36,000 open source software packages. Understanding the risk exposure from such a large catalogue is a daunting task.

The distinction between the Main and Universe repositories is meant to help with this evaluation:


The Main repository

With over 2,300 pieces of software, the Main repository is assembled by hand-picking the most critical packages and evaluating them from a quality, maintainability and security point of view, a process known as a Main Inclusion Review (MIR). This includes security audits, which often reveal vulnerabilities that are subsequently fixed.


The Universe repository

This repository provides a vast, ready-to-use ecosystem of open source software and consists of over 34,000 packages in the latest Ubuntu LTS (Noble Numbat). Beyond community support, selected security updates are provided by the Ubuntu Security Team as part of Ubuntu Pro Expanded Security Maintenance for applications (ESM-Apps).


Up-to-date cryptography

Cryptography underpins information security, so it is critical to stay up to date with the recommended protocol versions and algorithms. Ubuntu offers the foundation for a strong security posture.


Diverse libraries

Ubuntu distributes a large selection of cryptographic libraries. This facilitates the security maintenance of a wide range of software, whether internally-developed or popular open source projects. Stable security updates reduce incompatibility risks and simplify patch management.


Modern cryptography

The Ubuntu Security Team ensures that recommended algorithms are used in the core functions of the operating system, in addition to deprecating the ones that are no longer considered safe by current best practices.


FIPS certification

Ubuntu Pro delivers drop-in replacements of the most popular cryptographic software packages for use in deployments that require compliance with the FIPS 140 series of standards, in accordance with U.S. government regulations. The necessary validation process is done through an accredited third-party auditor.


Continuous hardening

When vulnerabilities are inevitably discovered, security safeguards reduce the likelihood that threats materialize through exploitation, and so reduce risk. Ubuntu is regularly updated to integrate the latest security features that have a broad impact on all software running on the distribution.


Binary protection

The Ubuntu Security Team periodically reviews system-wide software compilation settings to include the newest security features, such as memory exploitation protections.


Linux hardening

The Linux kernel fulfills a central role in providing mitigations for a wide range of vulnerabilities. The Ubuntu-distributed kernel packages have a selection of hand-picked settings enabled that provide a strong balance between usability and security; these are evaluated on a continuous basis.


Security features

From application confinement and mandatory access control (MAC) to integrity protections and data confidentiality features, the Ubuntu distribution offers a wide selection of ready-to-use security controls to enhance the protection of system deployments.


Safe defaults

Security-conscious default settings improve the posture of all Ubuntu users, while reducing the complexity associated with critical installations. These include:

  • No externally-accessible network services on default installations
  • Automatic security updates
  • Various security-sensitive kernel features
  • Restrictive configurations of software packages

Software integrity protection

Ubuntu distributes software through a network of Canonical services and third-party mirrors. The risk of supply chain attacks that compromise these channels is reduced through strong cryptographic integrity protections.

Package management applications automatically verify software signatures, which are generated in confined environments running on Canonical infrastructure.

Ubuntu installation media can similarly be verified, a process that is strongly recommended because it offers integrity protection even when the media in question is retrieved over untrusted connections.